topic Re: SSL-VPN fails during HA Failover in SASE and Remote Access

SSL-VPN fails during HA Failover

vlw38 — Mon, 13 Apr 2020 15:23:27 GMT

Topology: (2) CP 5600 2 R80.30 in active/standby HA w/ ISP-Redunancy load-balancing

VPN client: Checkpoint Mobile for Windows

Here is the problem:

Shutdown the Comcast fiber ISP connection. This is NOT the firewall interfaces but the switch port to the Comcast fiber. So the firewall ComCast fiber interfaces stay up. The Comcast fiber ISP side is down.

Create a VPN client connection to the DR Comcast coax connection (173.162.x.x).

Connect to the DR connection – everything AOK. Properties of connection show name and IP address are 173.162.x.x.

Disconnect from DR connection

Reconnect to DR connection. Connection details are updated to include Comcast Fiber IP address.

I think this problem is due to the firewalls serving up the main IP as the VPN gateway.

Any suggestions on how to resolve this?

Re: SSL-VPN fails during HA Failover

PhoneBoy — Tue, 14 Apr 2020 21:10:09 GMT

Is your goal to always use the Comcast address for Remote Access termination?

Re: SSL-VPN fails during HA Failover

vlw38 — Wed, 15 Apr 2020 12:05:23 GMT

Yes we want to always use the Comcast address but, we have two Comcast links – Comcast fiber/ISP#1 and Comcast Coax/ISP#2. We have ISP Redundancy enabled. In Gateway Cluster Properties/IPSEC VPN/LinkSelection we have Comcast fiber/ISP#1 = Always Use This IP Address

The Use Probing /Link Redundancy Mode offers the option to include both the Comcast fiber/ISP#1 and Comcast Coax/ISP#2 ip addresses. We spoke w/CP and they told us that none of the remote clients support/recognize the Probing config as per SK113617. They offered options such as manual failover (type in Comcast Coax/ISP#2 in Gateway Cluster Properties/IPSEC VPN/LinkSelection) or installing another fw an using some type of MEP config. Ridiculous!

Re: SSL-VPN fails during HA Failover

Wolfgang — Wed, 15 Apr 2020 16:13:42 GMT

Dear vlw38,

this is normal behaviour for VPN client connections. Link selection configuration via SmartConsole is used only for site 2 site VPN.

You have to follow Configuring VPN Link Selection for Remote Access client to configure.

Remote Access clients can connect to VPN Gateway only once shows your problem.

Wolfgang

Re: SSL-VPN fails during HA Failover

vlw38 — Wed, 15 Apr 2020 23:40:21 GMT

Thank you for the information. We will test the configs referenced in your provided links in the next 5 days.