The ISP Redundancy feature:
ISP Redundancy enables a script on the Check Point Security Gateway to switch the default gateway and routes automatically once a link failure has been detected on the primary external link.
The feature uses UDP port 259 to probe the external links and determine their state. Once a link has been detected as down, the mechanism switches to the next available link configured under "ISP Links".
The feature is only supported between managed Check Point Security Gateways.
Link Selection with non-Check Point Devices:
RDP probing, the probing method used for certain Link Selection features, is proprietary to Check Point and only works between Check Point entities. It is not supported with non-Check Point devices.
Since RDP probing is not active on non-Check Point gateways, the following results apply if a Check Point Security Gateway sends VPN traffic to a non-Check Point gateway:
- The "Use probing" method cannot be used by locally managed Check Point Security Gateways to determine the IP address of non-Check Point devices. Any of the other methods available from the "IP Selection by Remote Peer" section can be used.
- Load Sharing and Service Based Link Selection do not work with non-Check Point gateways. If Load Sharing or Service Based Link Selection is enabled on the local Security Gateway, but the peer is a non-Check Point device, the local Security Gateway will only use one link to the non-Check Point device: the best match (highest prefix length) link with the lowest metric.
- If Route based probing is selected as the Outgoing Route Selection method, for VPN traffic to a non-Check Point device the local Security Gateway will always use the best match (highest prefix length) link with the lowest metric.
ISP Redundancy over VPN:
When ISP Redundancy over VPN is enabled, the Link Selection tab is grayed out and the probing method is selected automatically.
Probing is not supported with third-party vendors, so the feature will not work in this type of design.
No fix is required; the system is functioning as designed.
Refer to the "Visual Guide" below for validating a basic configuration of the feature:
ISP Redundancy (with "Apply settings to VPN traffic") configuration:
Link Selection state, after applying the settings to VPN traffic:
Example of probing (UDP port 259) packets when the tunnel is created:
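As an added example (not part of the Check Point article), the script below reads tcpdump-style summary lines, keeps only the UDP 259 traffic, and reports per peer and per ISP link how many probes were sent and answered. The link addresses, peer addresses and capture lines are constructed; a peer that is probed but never answers is the pattern to expect with a non-Check Point device, where RDP probing is not supported.

```python
import re
from collections import defaultdict

# Constructed for this example: the gateway's two ISP link addresses (from
# documentation ranges) and the UDP port the article gives for RDP probing.
LOCAL_LINKS = {"198.51.100.10": "ISP-A", "203.0.113.10": "ISP-B"}
RDP_PORT = 259

# Constructed tcpdump-style summary lines. Peer 192.0.2.5 answers probes on
# both links (behaves like a Check Point peer); 192.0.2.9 never answers.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 198.51.100.10.259 > 192.0.2.5.259: UDP, length 60
10:00:00.000120 IP 192.0.2.5.259 > 198.51.100.10.259: UDP, length 60
10:00:00.000200 IP 203.0.113.10.259 > 192.0.2.5.259: UDP, length 60
10:00:00.000310 IP 192.0.2.5.259 > 203.0.113.10.259: UDP, length 60
10:00:00.000400 IP 198.51.100.10.259 > 192.0.2.9.259: UDP, length 60
10:00:00.000500 IP 203.0.113.10.259 > 192.0.2.9.259: UDP, length 60
10:00:00.000600 IP 198.51.100.10.500 > 192.0.2.9.500: isakmp: phase 1 I ident
"""

# Matches the "IP src.port > dst.port: UDP" part of a tcpdump summary line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def summarize_probes(capture: str, local_links: dict) -> dict:
    """Return {peer: {link_name: {"sent": n, "received": m}}} for RDP probes."""
    stats = defaultdict(lambda: defaultdict(lambda: {"sent": 0, "received": 0}))
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["sport"]) != RDP_PORT or int(m["dport"]) != RDP_PORT:
            continue  # not an RDP probe (e.g. IKE on UDP 500 is skipped)
        src, dst = m["src"], m["dst"]
        if src in local_links:       # probe sent from one of our ISP links
            stats[dst][local_links[src]]["sent"] += 1
        elif dst in local_links:     # peer's reply back to that link
            stats[src][local_links[dst]]["received"] += 1
    return {peer: dict(links) for peer, links in stats.items()}


def unanswered_peers(stats: dict) -> list:
    """Peers probed on at least one link that never replied on any link."""
    # This is the pattern to expect from a non-Check Point peer: RDP probing is
    # not supported there, so the gateway falls back to one best-match link.
    return sorted(
        peer for peer, links in stats.items()
        if any(c["sent"] for c in links.values())
        and not any(c["received"] for c in links.values())
    )
```

Feed it the output of a capture filtered on UDP port 259 taken on the gateway's external interfaces; a peer listed by `unanswered_peers` will only ever be reached over a single link, as described above.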
For more information, see the R77 Security Gateway Technical Administration Guide.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
- It is important to differentiate between the "ISP Redundancy" feature and the "Link Selection" mechanism.
- ISP Redundancy uses the Check Point proprietary probing method to determine the link state and enable the redundancy feature.
- Probing is one of the optional modes of Link Selection, and the same method is used for VPN when the "Apply settings to VPN traffic" option is enabled in the ISP Redundancy feature.
From the Administration Guide:
When more than one IP address is available on a Security Gateway for VPN, Link Selection may employ the RDP probing method to determine which link will be used. The RDP probing method is implemented using a proprietary protocol that uses UDP port 259. This protocol is proprietary to Check Point and works only between Check Point entities. (Note that it does not comply with RDP as specified in RFC 908/1151). IP addresses you do not want to be probed (i.e., internal IP addresses) may be removed from the list of IPs to be probed. Once a Security Gateway maps the links' availability, a link selection per connection can be made according to the following redundancy modes:
High Availability (default setting)
In High Availability mode the VPN tunnel uses the first IP address to respond, or the primary IP address if a primary IP is configured and active. If the chosen IP address stops responding, the connection fails over to another responding IP address. If a primary IP address is configured, the VPN tunnel will stay on the backup IP address until the primary one becomes available again.
Note that if one-time probing is configured, the VPN tunnel will stay on the first chosen IP address until the next time policy is installed.