CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Cisco OTV/LISP for East to West VM Migrations and Checkpoint TCP Stateful Inspection

  1. #1

    Hello,

    We're currently in the process of implementing Cisco OTV/LISP on Nexus 7k devices and ISR 4431's to ensure that traffic flows are symmetric. LISP ensures that traffic destined for the stretched L2 ingresses and egresses on the same site, eliminating asymmetric routing.



    Additional Info: http://yves-louis.com/DCI/?p=785

    However, as we are talking about a live migration of a production VM (east to west), and LISP will resolve the routing issue, there is a further knock-on issue of the TCP connection state table not being synchronized between the East and West DCs. Has anyone here any experience of this?

    Right now the only solution I can see is to switch my 2x active/passive clusters to be active/active and cluster across the DCs to ensure the connection state table is synchronized.

    Anyone else any suggestions (aside from turning off state inspection)?

    Thanks,
    Peter

  2. #2

    Hi Peter,
    I'm currently facing the same challenge where I'm planning to use Cisco OTV for my data center Interconnection, but I've not found a solution yet for the stateful inspection on my two Checkpoint clusters that are currently working Active/standby on each site. Did you finally opt for the 4-node clusters?

    Herold
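
The state-table problem both posts describe, as an added example that is not from either poster and is not Check Point code: a toy model of two per-site stateful firewalls, showing why an established TCP flow is dropped at the West site after migration unless connection state is replicated. The `Firewall` class, the `migrate` helper and the addresses are hypothetical and constructed for illustration.

```python
# Toy model of per-site stateful TCP inspection (constructed; not vendor code).
from dataclasses import dataclass, field

SYN, ACK = "S", "A"

@dataclass
class Firewall:
    name: str
    conns: dict = field(default_factory=dict)   # endpoint pair -> TCP state
    peers: list = field(default_factory=list)   # clusters receiving state sync

    def _key(self, src, dst):
        # Direction-independent key so replies match the same entry.
        return tuple(sorted([src, dst]))

    def _set(self, key, state):
        self.conns[key] = state
        for peer in self.peers:                 # replicate to synced clusters
            peer.conns[key] = state

    def inspect(self, src, dst, flags):
        key = self._key(src, dst)
        state = self.conns.get(key)
        if state is None:
            if flags != SYN:                    # mid-stream packet, no entry
                return "drop: out of state"
            self._set(key, "SYN_SENT")
        elif state == "SYN_SENT" and flags == SYN + ACK:
            self._set(key, "SYN_RCVD")
        elif state == "SYN_RCVD" and flags == ACK:
            self._set(key, "ESTABLISHED")
        return "accept"

def migrate(sync):
    """Complete the handshake through East, then send the flow via West."""
    east, west = Firewall("east"), Firewall("west")
    if sync:
        east.peers.append(west)                 # state sync across the DCs
    client, vm = ("198.51.100.7", 40000), ("10.0.0.10", 443)  # constructed
    handshake = [(client, vm, SYN), (vm, client, SYN + ACK), (client, vm, ACK)]
    for src, dst, flags in handshake:
        assert east.inspect(src, dst, flags) == "accept"
    # After live migration, LISP steers the existing flow to the West site.
    return west.inspect(client, vm, ACK)

if __name__ == "__main__":
    print("no sync:", migrate(sync=False))
    print("synced :", migrate(sync=True))
```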
