topic Re: RAVPN Routing Issue in SASE and Remote Access

RAVPN Routing Issue

tropicanaslim — Mon, 13 Mar 2023 18:02:33 GMT

Hi Checkmates,

so currently my cust on cluster mode and enable RAVPN. but i facing an issue when remote user connect vpn they are cant reach to internal network.

for office mode if we use x.x.x.x/24 do we need to add this segment for routing table on each gateway? or routing for office mode will automatically enable?

since user could connect to vpn i think there is no issue for vpn configuration, or do i need to check something in remote access config?

then, does users when they connect to vpn automatically get full tunnel config by default? or need to config manually for this?

Thankyou..

Re: RAVPN Routing Issue

the_rock — Mon, 13 Mar 2023 18:09:54 GMT

Yes, you need routing, its not automatic for RA. Also, verify output of route print on the client from cmd.

Re: RAVPN Routing Issue

girisht — Fri, 24 Mar 2023 11:06:03 GMT

Here are the few things you need to check while configuring the RA VPN:

Configuration:
++ IPSEC blade enabled.
++ GW object --> VPN client --> Office mode:
> Allow Office Mode to all users.
> Select the Manual Office Pool. If cluster then GW object --> Cluster Member --> Edit GW object --> VPN --> Check the Office Manual Office Mode.
++ GW object --> VPN client --> Remote Access --> Check Support Mode.
++ Ensure Gateway is added in the Remote Access community.
++ "All users*" should be allowed under the same Remote Access community.
++ Encryption domains should be defined then only you all access destination resources over RA VPN.

GW object --> Expand Network Management --> VPN domain --> Set specific domain for community --> Remote access and set the Network group.
++ Access which allows traffic from the Office Mode pool towards the destination which you want to access.

Basic T-shoot/Check:
++ Once the user has authenticated check "cmd> route print".
This output should show the destination IP route towards Office Mode IP, which destination IP traffic will go over the VPN towards the gateway.
++ Check Smart console logs for the same connection. It should be allowed on the access rule and under the same you can get an interface where this traffic is handled.
++ Usually you do not need any routing changes but ensure the gateway should be reached destination resources than on RAVPN client can access the resources.