RA clients not able to access external cluster interface

Ruan_Kotze — Sat, 19 Jul 2025 07:55:34 GMT

Good Day All,

We have a challenge whereby re-authentication fails for our RA VPN clients.

Background:

Our VPN gateways (R81.20 T99 / SMS T105) are NAT'd behind perimeter gateways, so the VPN gateway "public" IP's are actually RFC1918 IP's (10.x.x.x). Furthermore, when connecting to the "internal" LAN you'll need to connect via VPN to access any resources, so external clients resolve vpn.domain.com to a public IP, and internal clients will resolve vpn.domain.com to an internal IP (external cluster interface on VPN gateways).

Both internal and external clients can log into the VPN just fine - as per the SAML login process clients get redirected to https://vpn.domain.com/saml-vpn on either the NAT'd public IP of the perimeter gateways or the internal IP of the VPN gateway, depending on whether the RA client is inside or out.

Clients completes authentication and life is good.

The problem

The problem comes when their authentication expires (ours is set to 8h). The VPN client will attempt to re-auth by hitting https://vpn.domain.com/saml-vpn which now resolves to the internal (10.x.x.x) cluster IP. This is where we run into issues.

Even though our encryption domain includes the entire subnet in which the VPN cluster's physical and cluster interface sit, clients only get offered the physical interfaces via the encryption domain (confirmed via RA client routing table). For example, I can traceroute to the VPN gateway's physical interfaces fine, but the cluster interface breaks out via the client's local gateway.

The checkbox to "Exclude gateway's external IP address from VPN domain" is NOT selected. The VPN domain is User defined, but as mentioned includes the entire subnet on which the VPN gateways external interfaces sit.

Would appreciate any and all ideas on how we can get our RA clients to hit the external IP / SAML portal WHILST connected via VPN.

Thanks,
Ruan

Re: RA clients not able to access external cluster interface

the_rock — Sat, 19 Jul 2025 11:12:00 GMT

So does this ONLY happen when they try to re-authenticate?

Andy

Re: RA clients not able to access external cluster interface

Ruan_Kotze — Sat, 19 Jul 2025 11:59:35 GMT

No - I can reproduce this anytime they're connected to the VPN - see my comments regarding the routes on the client.

Re: RA clients not able to access external cluster interface

the_rock — Sat, 19 Jul 2025 12:05:35 GMT

Gotcha...let me do some testing in the lab later to check.

Andy

Re: RA clients not able to access external cluster interface

the_rock — Sat, 19 Jul 2025 13:01:36 GMT

@Ruan_Kotze

Just did some tests in my R82 lab, no issues. I have same option about external interface unchecked as you do, I simply made sure external interface IP is included in RA vpn domain, thats it.

Andy

topic Re: RA clients not able to access external cluster interface in General Topics

RA clients not able to access external cluster interface

Re: RA clients not able to access external cluster interface

Re: RA clients not able to access external cluster interface

Re: RA clients not able to access external cluster interface

Re: RA clients not able to access external cluster interface