CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Problem with ISP redundancy - sk25152 - Kindly advise

  #1

    Hi All,

    I configured the same scenario, but traffic is not going through the backup path when the primary ISP is down. I configured it the same as given in sk25152. Please find the configuration below:

    Rule:

    SRC: 192.168.215.128 DST: 3.3.3.3 SERVICES: ANY ACTION: PERMIT

    NAT RULE:
    1.
    Original Source: 192.168.215.128
    Original Dstn: DYN_ISP_A
    Original Service: Any
    Translated source: 192.168.254.191(ISP_A public IP) - Static NAT
    Translated Dstn: Original
    Translated service: Original

    2.
    Original Source: 192.168.215.128
    Original Dstn: DYN_ISP_B
    Original Service: Any
    Translated source: 192.168.229.191(ISP_B public IP) - Static NAT
    Translated Dstn: Original
    Translated service: Original

    Configured dynamic Objects and script as given in sk25152.

    Now to test the ISP redundancy feature:

    In a ping from the Windows machine (192.168.215.128) to 3.3.3.3:

    The source is translated to 192.168.254.191.

    Now I remove the cable from the firewall's ISP-1 interface and the default route points to the backup ISP, but when I run tcpdump on the ISP-2 interface and debug packets on the router, the source is still translated to 192.168.254.191. The packet is dropped at the Windows machine, as the return traffic from the router points to the primary ISP path.

    Kindly also let us know what the range 0.0.0.0 0.0.0.0 in a dynamic object means.

    I understand 0.0.0.0 255.255.255.255 means the whole network (any).

    Kindly advise.

    Thanks

  #2

    Unfortunately you are falling foul of ICMP not being TCP. ICMP is a virtual session, and the way that the Check Point handles it is that it sees the ICMP as the same session and so continues to NAT etc. as before. Try a basic web or FTP service on the server and you should see it works correctly.

    0.0.0.0 0.0.0.0 in the Dynamic Object means for everything in the same way that a Static Route of 0.0.0.0/0 is your Default Route.

    Check Point's ISP Redundancy is something that appears to have started off then seems to have been abandoned in terms of development.

    It isn't something that I would recommend using in anger, other than possibly at branch offices where literally everything is just hidden behind the gateway IP and there are no inbound services.

  #3

    Hi,

    Thanks for the update. I will try to test it with some TCP traffic and update you.

    I have one more question: if 0.0.0.0 0.0.0.0 means everything, then what does 0.0.0.0 255.255.255.255 stand for?


    Thanks

  #4

    The real problem is not that it is ICMP; it's that the NAT decision can only be made once per connection. So for NATted connections, the connection must be re-established. Kill your ping and restart it. This is documented in the SK, under limitations.

  #5

    Hi,

    Are you talking about the NAT cache table? I set it to 0 as well and cleared the fw connections table and the NAT table. Still, NAT is done through the first rule, that is, the primary ISP's external interface.

    I disabled the first NAT rule as well, and in the rule base there is only one rule, a hide NAT to the external interface of ISP-B, but the packet still gets NATted to the ISP-A external interface.

    It seems there are still entries in the NAT cache table.

    I was going through the NAT optimization section in the Max Power book:

    Once the first packet of an accepted connection has been NATted, the NAT rulebase and its
    fwx_cache table is never consulted again for that particular connection, and as such the
    NAT applied to a connection's packets cannot ever change after the connection’s first
    packet.

    This means the NAT rule base and the NAT cache table will never be consulted again. Correct? So which table is the firewall looking at for existing NAT translations?

    If I try to ping the same destination with a different source IP, the source IP gets translated to the ISP-B external interface.

    Thanks

  #6

    Quoting ankda14's post #5 above:
    No, the fwx_cache table simply caches NAT rulebase lookups and is not relevant to your problem. I'm assuming it is cleared when an ISP transition occurs. Let's back up though:

    1) Are you configured for Load Sharing or Primary/Backup?

    2) What does the output of "cpstat fw" show when both ISP links are up? When one or the other is down? Basically you need to check that the upstream pingable addresses are correct and it is properly detecting ISP failures.

    3) Connections are not preserved across an ISP failover and must be restarted. This is expected behavior. Keep in mind when doing a ping test that the default virtual timeout for a ping session on the firewall is 30 seconds. If you are pinging a certain host through a certain ISP and a failover occurs to the other ISP, you need to STOP the continuous ping, WAIT 30+ seconds, then start it again to ensure it is considered a "new" connection and will have the new NAT for the current ISP applied. Do not test connectivity using a web browser, as they are infamous for leaving connections open speculatively that try to persist across an ISP failover and still get NATted to the dead ISP. If you must use a web browser for testing, close ALL instances (not just tabs) of that web browser upon ISP failover, reopen it and try again.

    If you want to see what actually happens when an ISP failover occurs you can look at the script yourself: $FWDIR/bin/cpisp_update. You can even add your own commands in here to do whatever you want.
    --
    Third Edition of my "Max Power 2020" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
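Added illustration, not code from the thread, from sk25152 or from Check Point: a small Python simulation of the behaviour described in posts #4 and #6, and of the range question raised in posts #2 and #3. A NAT decision is taken once, on a connection's first packet, and kept until the connection expires, so a running ping keeps the old translation across an ISP failover while a new connection, or the same ping restarted after the 30-second virtual timeout, gets the new one. The addresses and rule layout follow post #1. Two things are this model's assumptions rather than statements about the product: that the inactive dynamic object is collapsed to the single address 0.0.0.0 (so no real destination matches it) while the active one spans 0.0.0.0 to 255.255.255.255, and that the connection entry's timer is refreshed by every packet. The connection table here is a deliberately simplified stand-in for the gateway's.

```python
"""
Toy model of the thread's point: the NAT applied to a connection is chosen on
its first packet and never changes afterwards, so an ISP failover only affects
connections that start after it. Illustrative simulation only, not Check Point
code and not a description of sk25152's internals.
"""
import ipaddress
from dataclasses import dataclass, field

# Public addresses taken from the NAT rules posted in #1.
ISP_A_PUBLIC = "192.168.254.191"
ISP_B_PUBLIC = "192.168.229.191"

# Dynamic-object ranges as inclusive (low, high) address pairs.
# ASSUMPTION of this model: the active ISP's object covers every address and the
# inactive one is collapsed to the single address 0.0.0.0, which no real
# destination matches. Verify the ranges sk25152 uses on your own gateway.
ANY_RANGE = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
NULL_RANGE = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("0.0.0.0"))

# Default virtual session timeout for a ping session, as stated in post #6.
PING_VIRTUAL_TIMEOUT = 30


def in_range(ip: str, rng) -> bool:
    """True if ip falls inside the inclusive (low, high) range."""
    low, high = rng
    return low <= ipaddress.IPv4Address(ip) <= high


@dataclass
class Gateway:
    dynamic_objects: dict                 # name -> (low, high)
    nat_rules: list                       # ordered (dynamic object, translated source)
    connections: dict = field(default_factory=dict)  # key -> [translated source, last seen]

    def set_active_isp(self, isp: str) -> None:
        """Model of what the failover script does: flip the dynamic objects."""
        self.dynamic_objects["DYN_ISP_A"] = ANY_RANGE if isp == "A" else NULL_RANGE
        self.dynamic_objects["DYN_ISP_B"] = ANY_RANGE if isp == "B" else NULL_RANGE

    def nat_for_packet(self, src: str, dst: str, proto: str, now: float) -> str:
        """Return the translated source for one outbound packet seen at time `now`."""
        key = (src, dst, proto)
        entry = self.connections.get(key)
        if entry is not None and now - entry[1] < PING_VIRTUAL_TIMEOUT:
            entry[1] = now          # existing connection: keep its NAT, refresh the timer
            return entry[0]
        # First packet of a new (or expired) connection: consult the NAT rulebase once.
        translated = src            # no matching rule means no translation
        for obj, xlate in self.nat_rules:
            if in_range(dst, self.dynamic_objects[obj]):
                translated = xlate
                break
        self.connections[key] = [translated, now]
        return translated


def failover_scenario() -> dict:
    """Replay the test from the thread against a simulated clock."""
    gw = Gateway(
        dynamic_objects={},
        nat_rules=[("DYN_ISP_A", ISP_A_PUBLIC), ("DYN_ISP_B", ISP_B_PUBLIC)],
    )
    gw.set_active_isp("A")
    client, target = "192.168.215.128", "3.3.3.3"   # constructed from post #1
    t = 0.0
    results = {"before_failover": gw.nat_for_packet(client, target, "icmp", t)}
    for _ in range(10):                               # continuous ping, one echo per second
        t += 1
        gw.nat_for_packet(client, target, "icmp", t)
    gw.set_active_isp("B")                            # ISP-A cable pulled, objects flipped
    t += 1
    results["after_failover_same_ping"] = gw.nat_for_packet(client, target, "icmp", t)
    results["after_failover_new_source"] = gw.nat_for_packet("192.168.215.129", target, "icmp", t)
    t += PING_VIRTUAL_TIMEOUT + 1                     # stop the ping, wait 30+ s, restart it
    results["after_stop_and_wait"] = gw.nat_for_packet(client, target, "icmp", t)
    return results


if __name__ == "__main__":
    for step, translated in failover_scenario().items():
        print(f"{step:28s} -> {translated}")
```

The two results taken immediately after the failover differ only because the second packet opens a new connection; the running ping is still translated to the ISP-A address, exactly what post #1 saw on tcpdump. On a real gateway the corresponding checks are the ones post #6 lists: cpstat fw for the ISP link state, and the connections table for the entry the old ping is still matching.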
