CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 

Results 1 to 2 of 2

Thread: OSPF routing take precedence over ISP redundancy feature

  1. 2018-08-06 #1
    ankda14
    ankda14 is offline Junior Member
    Join Date
    2017-04-08
    Posts
    24
    Rep Power
    0

    Default OSPF routing take precedence over ISP redundancy feature

    Hi All,

    I was testing ISP redundancy feature on R77.30 platform. To make configuration less , i ran OSPF protocol between firewall and cisco routers. The firewall routing is as below:

    S 0.0.0.0/0 via 192.168.254.192, eth1, cost 0, age 1787
    O 3.3.3.3/32 via 192.168.229.192, eth2, cost 3, age 1258
    via 192.168.254.192, eth1
    C 127.0.0.0/8 is directly connected, lo
    O 192.168.120.0/24 via 192.168.254.192, eth1, cost 2, age 1320
    O 192.168.121.0/24 via 192.168.229.192, eth2, cost 2, age 1320
    C 192.168.155.0/24 is directly connected, eth0
    C 192.168.215.0/24 is directly connected, eth3
    C 192.168.229.0/24 is directly connected, eth2
    C 192.168.254.0/24 is directly connected, eth1


    I am reaching 3.3.3.3 from my internal machine( 192.168.215.219).

    192.126.254.0/24 is primary ISP link
    192.168.229.0/24 is backup ISP link

    These both links are terminated on firewall.

    When i generate traffic from inside machine, path takes backup ISP and which is totally understandable as cost is high for this route in firewall routing table.

    But in ISP redundancy, I have configured primary ISP first and backup ISP 2nd in order.

    Failover is working properly but it seems this is working through OSPF routing configuration not through ISP redundancy. Please correct me if i am wrong. I tried to bring 192.126.254.0/24 cost to 3 in firewall routing table but didn't worked.

    Kindly let us know if this setup is fine or i need to test through static routes? how another default route will be used in this case if already i have default route pointed to next hop of primary ISP?

    Thanks
    Reply With Quote Reply With Quote
  2. 2018-08-08 #2
    mdjmcnally
    mdjmcnally is offline Junior Member
    Join Date
    2006-06-07
    Posts
    21
    Rep Power
    0

    Default Re: OSPF routing take precedence over ISP redundancy feature

    For ISP Redundancy to work correctly in a HA, ie Primary/Backup process then you configure the NextHop address under the ISP Redundancy in the Gateway Object on the Interfaces.

    Which ever is the Active ISP will be the Default Gateway of the Unit, ie if disconnect the Primary ISP interface then the Check Point will reconfigure itself to make the Default Gateway on the Check Point the Backup NextHop and the Primary NextHop will not show in the Routing Table anymore.

    If you start advertising more explicit routes via OSPF from the two ISP Routers then any traffic for those destinations will take precedence over the Default Gateway.

    By all means peer with OSPF for the INTERNAL interfaces but not the External.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Similar Threads

  1. CheckPoint VPN routing and redundancy
    By blason in forum Advanced Networking & Clustering Blade
    Replies: 1
    Last Post: 2014-01-31, 06:39
  2. R76 - VS, OSPF Routing issue
    By cpguy in forum Dynamic Routing
    Replies: 3
    Last Post: 2013-10-11, 08:40
  3. 21400 - what hardware part controls routing/OSPF???
    By cpguy in forum Check Point 2012 Appliances
    Replies: 3
    Last Post: 2013-08-21, 09:44
  4. Redundancy and policy based routing
    By sheldonl in forum ISP Redundancy
    Replies: 2
    Last Post: 2011-12-06, 05:37
  5. ISP Redundancy routing
    By ilin-anton in forum ISP Redundancy
    Replies: 5
    Last Post: 2011-05-20, 08:34

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules