https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit...

Controlling connections configured with ISP Redundancy in Load Sharing mode


Solution ID: sk42636
Product: Security Gateway, ClusterXL
Version: All
Platform / Model: All
Date Created: 24-Aug-2009
Last Modified: 19-Mar-2014


SYMPTOMS
Connections from the same source pass through only one of the ISP channels, instead of being distributed across both ISP channels by the Round-Robin mechanism, when the Security Gateway is configured with ISP Redundancy in Load Sharing mode.


CAUSE
This behavior is the default design of ISP Redundancy in Load Sharing mode.

SOLUTION

Background:
By default, in ISP Redundancy in Load Sharing mode, connections from the same "Client" located behind the Gateway/Cluster are always sent out of the Gateway/Cluster over the same ISP channel.
This is a form of "Client Stickiness". It was chosen as the default because it is the best way to distribute connections between two ISP channels without losing communications that use dynamic ports or port redirection (e.g., FTP, VoIP, etc.).
These are the relevant attributes of the Gateway / Cluster object in the database, which can be changed with the GuiDbEdit Tool:

misp_cache_use_cln - when enabled, controls "Client" stickiness (default value: "true")
misp_cache_use_srv - when enabled, controls "Server" stickiness (default value: "false")

Procedure:
Close all SmartConsole windows (SmartDashboard, SmartView Tracker, etc).
Connect to Security Management Server with GuiDbEdit Tool.
In the upper left pane, go to 'Table' - 'Network Objects' - 'network_objects'.
In the upper right pane, select the relevant Gateway object (in Class Name column appears as 'gateway_ckp') / select the relevant Cluster (in Class Name column appears as 'gateway_cluster').
In the lower pane, in Field Name column - find firewall_settings - scroll down to misp_cache_use_cln and misp_cache_use_srv parameters.
Right-click on the parameter - choose 'Edit...'.
Change the Value of the parameter - click 'OK':
Since there are 2 parameters and each parameter has 2 possible values, there are 4 possible configurations:
1. (misp_cache_use_cln = true) and (misp_cache_use_srv = false) - all connections from the same "Client" will be sent out over the same ISP channel (each Source IP address is cached independently from other Source IP addresses).

2. (misp_cache_use_cln = false) and (misp_cache_use_srv = true) - all connections to the same "Server" will be sent out over the same ISP channel - not recommended (each Destination IP address is cached independently from other Destination IP addresses).


3. (misp_cache_use_cln = true) and (misp_cache_use_srv = true) - all connections from the same "Client" to the same "Server" will be sent out over the same ISP channel (each combination of Source and Destination IP addresses is cached independently from other Source and Destination IP addresses).

4. (misp_cache_use_cln = false) and (misp_cache_use_srv = false) - all connections will be sent out randomly over both ISP channels - not recommended.

Go to 'File' menu - click on 'Save All'.


Close GuiDbEdit Tool.
Connect to Security Management Server with SmartDashboard.
Install the policy onto Gateway / Cluster object.
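
The effect of the four configurations can be compared with a small simulation. This is an added example, not Check Point code: the IspSelector class, the link names and the sample addresses are constructed, each cache miss takes the next link in round-robin order, and round-robin also stands in for the random selection of configuration 4 so that the result is reproducible.

```python
from itertools import cycle

ISP_LINKS = ("ISP-1", "ISP-2")  # constructed link names


class IspSelector:
    """Toy model of stickiness-based link selection (an assumption, not the product's code)."""

    def __init__(self, use_cln, use_srv, links=ISP_LINKS):
        self.use_cln = use_cln            # models misp_cache_use_cln
        self.use_srv = use_srv            # models misp_cache_use_srv
        self._next_link = cycle(links)    # round-robin over the ISP links
        self._cache = {}                  # stickiness key -> chosen link

    def select(self, src, dst):
        # The cache key contains only the addresses whose stickiness is enabled.
        key = (src if self.use_cln else None, dst if self.use_srv else None)
        if key == (None, None):           # configuration 4: nothing is cached
            return next(self._next_link)
        if key not in self._cache:        # first connection seen for this key
            self._cache[key] = next(self._next_link)
        return self._cache[key]


def links_used(use_cln, use_srv, connections):
    """Return the link chosen for each (source, destination) pair, in order."""
    selector = IspSelector(use_cln, use_srv)
    return [selector.select(src, dst) for src, dst in connections]


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("10.0.0.5", "198.51.100.10"),  # client A, FTP control connection
    ("10.0.0.5", "198.51.100.10"),  # client A, FTP data connection
    ("10.0.0.5", "203.0.113.20"),   # client A, a second server
    ("10.0.0.6", "198.51.100.10"),  # client B, same server as client A
]

if __name__ == "__main__":
    for cln, srv in ((True, False), (False, True), (True, True), (False, False)):
        print(f"cln={cln!s:5} srv={srv!s:5} ->", links_used(cln, srv, SAMPLE))
```

In this model, only the configuration with both parameters set to false sends the FTP control and data connections of client A over different links, which is the kind of loss the default setting avoids.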

Related Solutions:
sk23630 (Advanced configuration options for ISP redundancy)
sk25152 (Static (Hide) NAT fails for outgoing connections through gateway with ISP Redundancy in Load Sharing mode)


2014 Check Point Software Technologies Ltd. All rights reserved.


Check Point Software Technologies, Inc. is a wholly owned
subsidiary of Check Point Software Technologies Ltd.

12/9/2014 9:27 PM
