Remote Access MEP want to add preference to specific gateway.

Ants — Sun, 19 Apr 2020 11:11:08 GMT

Hi All,

This customer has VPN remote users using multiple gateways to connect to company network..

The goal is to have SiteB to handle >80% of the VPN users as the hardware on SiteA is struggling with more than 500 users at a time (constant 85%+ cpu util)

                        --------FW_A------
                         |    |
VPN home users --------(WWW)-----                                   --------Company_LAN/WAN
                                                                 |                                  |
                                                                  -------FW_B--------

FWs are running 80.10 and manager on 80.30

FW_A and FW_B each is has separate Internet breakout with a different provider..
3k VPN users working from home due to the covid-19 pandemic.

so what cust is finding is using the E80 clients it appears to connect to siteA then will use SiteB when SiteA has reached IP Pool capacity(i suspect) - but always explicitly uses SIteA first.. (SiteB was added recently to handle the growing list of users from home and has a separate Internet breakout to SiteA)

So we have configured MEP loadsharing for now.. will see how that works this week
This was done as per below and pretty straight forward:
- amend global config and enable loadsharing on remote access under global proerties on manager
- Amended the trac_client_1.ttm on the manager and changed mep_mode to 'load_sharing' with (SiteB_IP&#SiteA_IP&#) in the ips_of_gateways_in_mep section.

Result - this appears to do a round robin load balancing on the E80 client connections as expected - will see if this make a difference when the users comes online this week again.

however what we really want to do is have the users connect to SiteB first and flow over to SiteA when SiteB's ip pool is maxed or load is too high
FW_A has a /22 and FW_B a /21 vpn ip pool
The Encr domain on both Sites varies slightly but still both contains 10/8 and 192.168/16 subnets - do they have to be the exact same for both?

Any ideas if this is doable? perhaps some preference that can be set on FW_B perhaps?
Alternatively another option is to force E80 to connect to FW_B but doesn't seem to be able to do so.. it still defaults to FW_A for some odd reason that i cannot figure out.
(this works using capsule.. but 90% of users uses the E80 clients)

thanks in adv

Re: Remote Access MEP want to add preference to specific gateway.

PhoneBoy — Mon, 20 Apr 2020 01:18:59 GMT

MEP requires either both sites to have the exact same encryption domain or one to be a "proper subset" of the other.
Sounds like the latter might be the case for you.
In any case, I don't think there's a way to do an 80/20 split but you can set Site_B as the first one.
See: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_RemoteAccessVPN_AdminGuide/html_frameset.htm

topic Remote Access MEP want to add preference to specific gateway. in SASE and Remote Access

Remote Access MEP want to add preference to specific gateway.

Re: Remote Access MEP want to add preference to specific gateway.