![cisco asav azure ha vpn cisco asav azure ha vpn](https://community.cisco.com/legacyfs/online/attachments/blog/nw.png)
Essentially after hours of troubleshooting this turned out to be issues with the interface and link selection causing IKE negotiation issues. When we cutover to the new firewall cluster in a change window, the VPN from On-Prem to the Azure hosted Checkpoint cluster had issues, ranging from SA’s timing out and the VPN being completely down to not all subnets being encrypted, the classic and unhelpful “no valid SA error”. You can clone policies, assuming your old and new cluster are managed by the same Security Manager which makes this process a lot simpler, however the VPN functionality needs to be carefully considered. Checkpoint’s new test script is very useful to ensure you have all this coveredĬheckpoint functionality used, in this instance, FW, VPN, URL and APP Control were used. This meant ensuring that the Checkpoint cluster SPN had contributor rights to all resource groups containing routes to the Cluster.
CISCO ASAV AZURE HA VPN UPGRADE
In the recent in-parallel upgrade we did for a client this change was almost a mini project.Īzure complexities, the client had 10 VNETs with over 20 different routing tables. Wow, ok so while this reduces risk considerably it really depends how complex your Azure and Checkpoint deployment is.
![cisco asav azure ha vpn cisco asav azure ha vpn](https://geekshangout.com/wp-content/uploads/2018/07/azure-vpv-using-asdm-09-1024x723.png)
Checkpoint’s preferred approach is an in-parallel upgrade and migration of services across. In fact, its not even supported in Microsoft Azure (or any public cloud). Ok, if you are reading this, you already know that it is not as simple as running CPUSE to upgrade from Checkpoint R77.30 to R80.10 in Microsoft Azure.