CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: ISP Redundancy works during testing but fails if cable is unplugged

  #1 (Join Date 2015-05-27, Posts 3, Rep Power 0)

    ISP Redundancy works during testing but fails if cable is unplugged

    I am trying to set up ISP Redundancy in Primary/Backup mode for one of our sites that has frequent internet outages with their current ISP. This firewall has R77.10 Gaia running on it.

    When I use the "fw isp_link <link name> up/down" command to test the links everything seems to work. I have verified that the default route is being updated on the firewall. I have verified that I get the right speedtest results on each ISP link. The problem is that if I disconnect the cable for the primary ISP all internet traffic stops. This happens even if I already have that link set to down with the isp_link command. I think this may be a NAT issue but I'm not sure. I have our internal network set to hide behind the gateway as specified in the guide.

    We do not have any DMZ or publicly accessible servers to worry about in this case, just the outgoing traffic from inside. My firewall object is using the external IP from ISP1 as its IP address, could this be messing up the NAT? Any help would be appreciated. Thanks.
    Attachments: Object.png (firewall object), NAT.png (Hide NAT rule)
    Last edited by JRCNetworks; 2015-05-28 at 14:18.

  #2 (Join Date 2014-09-02, Posts 353, Rep Power 10)

    Re: ISP Redundancy works during testing but fails if cable is unplugged

    First, what do your logs tell you? You should see indications of the primary ISP failure, and the outbound traffic should indicate the correct Hide NAT (behind the secondary IP address). Is either not the case?

    -E
    Last edited by EricAnderson; 2015-05-28 at 14:40.

  #3 (Join Date 2009-04-30, Location Colorado, USA, Posts 2,249, Rep Power 14)

    Re: ISP Redundancy works during testing but fails if cable is unplugged

    Are your firewall's licenses bound to the IP address of the interface you are unplugging? Use "cplic print" on the firewall to check.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  #4 (Join Date 2015-05-27, Posts 3, Rep Power 0)

    Re: ISP Redundancy works during testing but fails if cable is unplugged

    I do see messages in the logs when either link goes up or down. The Hide NAT address is not changing. It remains set to the IP address of the interface for the primary ISP.

    Yes, the firewall licenses are tied to the IP of the interface used by the primary ISP.

  #5 (Join Date 2014-09-02, Posts 353, Rep Power 10)

    Re: ISP Redundancy works during testing but fails if cable is unplugged

    Quote Originally Posted by JRCNetworks:
        I do see messages in the logs when either link goes up or down. The Hide NAT address is not changing. It remains set to the IP address of the interface for the primary ISP.
    What's the message? Is it from ISP Redundancy? Is the gateway/hide address coded into the NAT settings, or is it set to "Hide behind gateway"?

    -E

  #6 (Join Date 2015-05-27, Posts 3, Rep Power 0)

    Re: ISP Redundancy works during testing but fails if cable is unplugged

    I am attaching screen shots of the messages and an example of one of the down and up message details. They are coming from the ISP Redundancy function. These were generated by unplugging / plugging the backup then primary ISP cables from the firewall interfaces. I see the same messages when I use the isp_link command to change their state. In case this helps, I have set both interfaces to use 8.8.8.8 for up/down testing instead of using the default next hop as the target.

    I'm afraid I don't know exactly what you mean by "coded into the NAT settings". I believe the answer is that it is set to Hide Behind Gateway, you can see the hide NAT rule screenshot in my original post.
    Attachments: LinkChangeLogs.png (ISP Redundancy link change log entries), ComcastUp.png (link up message detail), ComcastDown.png (link down message detail)

  #7 (Join Date 2009-04-30, Location Colorado, USA, Posts 2,249, Rep Power 14)

    Re: ISP Redundancy works during testing but fails if cable is unplugged

    Quote Originally Posted by JRCNetworks:
        Yes, the firewall licenses are tied to the IP of the interface used by the primary ISP.
    When the primary ISP interface goes down, pretty sure all your firewall licenses will become invalid since they are bound to the IP address of that interface and it is now dead. ISP Redundancy is a licensed feature of the Advanced Networking blade which may be why it stops working and does not fail over when you unplug.

    Get a 30-day eval license from your reseller bound to the internal IP address of the firewall and apply it. I bet the problem with unplugging that interface will go away and ISP Redundancy will work properly. If this proves out obviously next step would be to reissue all firewall licenses against the firewall's internal IP address. There is a common misconception that the IP address for license binding must be an Internet-routable address which is simply not true. Just needs to be the IP address of a valid configured interface that is up.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
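The license check that posts #3 and #7 describe, as an added example that is not from the thread or from Check Point: a small POSIX shell script that parses "cplic print" output and flags any license whose Host column (the IP the license is bound to) matches an ISP-facing interface address. The cplic print sample and the interface addresses below are constructed for the example; the column layout (Host, Expiration, Signature, Features) and the helper names license_hosts / licenses_on_isp_ip are assumptions of mine, so check the first line of your own cplic print output before relying on the awk field numbers.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): flag licenses that
# are bound to an ISP-facing interface address, the condition post #7 suspects
# of breaking ISP Redundancy when that interface loses link.

# Constructed "cplic print" output. The column layout (Host, Expiration,
# Signature, Features) is an assumption for this example; verify it against
# the header line your gateway prints.
SAMPLE_CPLIC='Host             Expiration  Signature                            Features
203.0.113.10     never       aaaaaaaa-bbbbbbbb-cccccccc-dddddddd  CPSG-C-U CPSB-FW CPSB-VPN'

# Constructed ISP-facing addresses, e.g. collected in expert mode with
# "ip -4 addr show eth0 eth1". 203.0.113.10 stands in for the primary ISP
# interface, 198.51.100.20 for the backup.
ISP_IPS="203.0.113.10 198.51.100.20"

# Print the Host column (the IP each license is bound to), skipping the
# header line and any blank lines.
license_hosts() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1 }'
}

# Print every license host that is also an ISP-facing address.
# Exit status 0 if at least one was found, 1 if none were.
licenses_on_isp_ip() {
    _cplic=$1
    _isp=$2
    _hit=1
    for _host in $(license_hosts "$_cplic"); do
        for _ip in $_isp; do
            if [ "$_host" = "$_ip" ]; then
                echo "$_host"
                _hit=0
            fi
        done
    done
    return $_hit
}

# Usage on the constructed sample. On a real gateway you would feed
# "$(cplic print)" instead of "$SAMPLE_CPLIC".
if _bad=$(licenses_on_isp_ip "$SAMPLE_CPLIC" "$ISP_IPS"); then
    echo "WARNING: license(s) bound to ISP-facing address(es): $_bad"
    echo "If that link drops, licensed blades (ISP Redundancy included) may stop working."
else
    echo "OK: no license is bound to an ISP-facing address."
fi
```

On the constructed sample the script warns about 203.0.113.10, which is exactly the situation in post #4: the license host is the primary ISP interface. The fix post #7 proposes (reissue the licenses against an internal interface address) would make the check pass, since the Host column would then no longer appear in the ISP address list.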
