topic Re: Do I need to reconfigure our RAVPN in SASE and Remote Access

Do I need to reconfigure our RAVPN

championc1 — Thu, 08 Feb 2024 16:46:33 GMT

Hi all,

We have a singular DNS name pointing at the public IP of our primary R81.20 Cluster. If this primary clusters' public IP is unavailable, the VPN client re-directs itself to a secondary DR cluster.

But if I understand it correctly, it seems like the secondary address is cached in the client meaning that, when the primary IP is reachable again, the client continues to connect to the secondary cluster gateway until such time as the VPN profile on the users' laptop is deleted and re-created.

Ideally, I would like to have a setup where the endpoint becomes somewhat invisible to the user. If the user connected to the secondary due to the unavailability of the primary, that it would revert back if the primary became availablke again, or if the secondary became unavailable.

Could I implement an active - active setup, where it became pot luck as to which gateway the user connected to ? Would "First to Respond" MEP mode be the way to go ?

Thanks in advance

Re: Do I need to reconfigure our RAVPN

the_rock — Thu, 08 Feb 2024 17:06:07 GMT

Sounds like thats more site to site VPN mep, if this is for remote access vpn clients, you need to follow below

Best,

Andy

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/164758

Re: Do I need to reconfigure our RAVPN

championc1 — Fri, 09 Feb 2024 11:07:08 GMT

Yes, I found that previously, and that was why I referenced the question of "First to Respond"

I'm looking for guidance on what is the best way to have RA configured in order that the Client profiles will never have to be deleted and re-created, and where either site can be connected to automatically without the need for a user to select between choosing the Primary or Secondary site

Re: Do I need to reconfigure our RAVPN

the_rock — Fri, 09 Feb 2024 12:11:48 GMT

It also depends on whether its implicit method or not, meaning whether both gateways have overlapping enc. domains. I will tell you, couple of customers I did this for, we used implicit primary-backup, worked like a charm. Reason was also because they did NOT want their users to see list of gateways they can connect to, which definitely made sense to me. So, if one was to ever fail, people would be able to connect to the other one.

Best,

Andy

Re: Do I need to reconfigure our RAVPN

championc1 — Fri, 09 Feb 2024 17:43:00 GMT

Does it sound correct that the Client caches the secondary ip accress in the event of a primary unavailability, and that when the primary returns, that connections continue to the secondary, and the only way that you can reconnect back to the primary is by recreating the profile pointing at the primary ip address

This appears to be the way that our is functioning. If this is so, what can I do to make it so that all always work

Re: Do I need to reconfigure our RAVPN

the_rock — Fri, 09 Feb 2024 17:48:43 GMT

Correct. Put it this way...I know this may sound like a stupid comparisino, but its sort of like how you need a browser on windows to open web pages, this is the same philisophy (if you will), client will "fetch" the information from the gateway side, so whatever is configured there, client would have that cashed.

Best,

Andy

Re: Do I need to reconfigure our RAVPN

championc1 — Fri, 09 Feb 2024 19:09:32 GMT

So is there any way to set it up where it won't cache (and we need two DNS entries (one for each gateway), or where it will go seamlessly between either at any point ?

Re: Do I need to reconfigure our RAVPN

the_rock — Fri, 09 Feb 2024 19:15:34 GMT

You may want to confirm with TAC, but I believe those things can be manipulated in trac ttm file.

Andy

Re: Do I need to reconfigure our RAVPN

_Val_ — Mon, 12 Feb 2024 07:58:02 GMT

In the "first to respond" case the client always try to connect to the last known GW, as it will be probed first. You need to configure primary / backup option in MEP settings.

See more details in the Multiple Entry Point (MEP) > Manual MEP admin guide section for RAS VPN