topic Re: Mobile Access on separate external interface in SASE and Remote Access

Mobile Access on separate external interface

Remi_Richer — Fri, 13 Mar 2020 18:10:13 GMT

Hello Checkmates,

I need some help with a new VPN setup we're trying to implement. I need to be using a second external interface leading to a second distinct ISP (eth1). We're trying to set Mobile Access on that interface for bandwidth reasons. My issue currently is that when we try to reach the portal, traffic comes in on eth1 but the http responses are going outbound on the other external interface/ISP (eth4) because of the default route and makes it impossible to access remotely (the portal works fine when accessing from internal networks).

Is there a way to get around this? So far I've looked at the documentation on ISP-Redundancy which doesn't seem to apply at all for my scenario. I also looked into Policy-Based-Routing but couldn't make it work; I think it's just not meant for what I'm trying to do, unless I'm implementing it wrong.

Any help is greatly appreciated.

Re: Mobile Access on separate external interface

Chris_Atkinson — Sat, 14 Mar 2020 12:01:32 GMT

Do you have the Support connectivity enhancement for gateways with multiple external interfaces option set?

VSX may also be an option depending on your intended use cases for the second ISP link.

Another would be to implement an external router for handling that element.

Re: Mobile Access on separate external interface

Remi_Richer — Mon, 16 Mar 2020 17:42:49 GMT

Hi Chris, thanks for the reply.
We do have the 'Support connectivity enhancement for gateways with multiple external interfaces' option checked but the issue still remains.
Could you elaborate a little on how I could handle this with an external router?
The use case is quite simple, we want the 'Mobile Access' tunneled traffic to be on the second ISP link, to liberate some bandwidth on the main ISP connection where we're already at maximum capacity. There wouldn't be anything other than that VPN traffic on that link.

Re: Mobile Access on separate external interface

PhoneBoy — Tue, 17 Mar 2020 01:42:00 GMT

I'm guessing this is how to solve the issue.
In the Gateway Object, go to IPSec VPN > Link Selection, hit the Setup button under Outgoing Route Selection and select Reply from Same Interface.
Install policy.

Re: Mobile Access on separate external interface

Cesar_Santos — Tue, 17 Mar 2020 11:42:35 GMT

Hi,

I'm having the exact same issue.

Tried your suggestion, but did not worked.

Also, I thing is important to mention sk in https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32229&partition=Basic&product=Endpoint. Also tried that, but no luck.

Anymore ideas?

Regards,

César Sant

Re: Mobile Access on separate external interface

Remi_Richer — Wed, 18 Mar 2020 15:33:24 GMT

That didn't work for me, unfortunately. We are using the SSL network Extender currently so I don't think IPSec Link Selection impacts anything here. Maybe that could work with one of the VPN clients (so far I tried 'Endpoint Security VPN' but it's the same issue, it couldn't even create the site; 'site is not responding). We'll probably deploy a 2200 gateway we have lying around and handle this ISP separately with it. I can't find any built-in settings to make this work otherwise.