topic Re: Routing table when connected to SNX in Network Mode Only in SASE and Remote Access

Routing table when connected to SNX in Network Mode Only

Oliver_222 — Tue, 27 Sep 2022 09:47:11 GMT

We are trying to switch to Unified Access Policy.
When connecting to SNX in Network Mode Only, third party users, lose their local network.
A lot of routes are prescribed on the PC.
There are no routing problems when working with Legacy Policy, but when switching to UAP, there is a route to two subnets with the gateway specified from the IP Pool of Issued Addresses.
Can you tell me why these routes are created? Maybe we missed something when configuring Unified Access Policy?

Re: Routing table when connected to SNX in Network Mode Only

PhoneBoy — Tue, 27 Sep 2022 16:36:39 GMT

Are the networks in question included in the encryption domain?

Re: Routing table when connected to SNX in Network Mode Only

Oliver_222 — Wed, 28 Sep 2022 07:33:48 GMT

No. Clients are connected via Mobile Access to SNX.
And once connected, they lose their local network.

Re: Routing table when connected to SNX in Network Mode Only

PhoneBoy — Thu, 29 Sep 2022 14:15:59 GMT

Are you saying no because:

The networks aren't in the encryption domain (you've checked and confirmed this)
You believe the encryption domain doesn't apply because you're using MAB and SNX

Whether it's one of the regular Remote Access clients or SNX in Network Mode, the routes received by the client will match what is configured in the Remote Access Encryption Domain.
This may not be the case in legacy mode, but in Unified Access Policy mode, this is definitely the case.

Re: Routing table when connected to SNX in Network Mode Only

Oliver_222 — Mon, 03 Oct 2022 07:55:04 GMT

That is, in order to ensure that users do not lose their local network, network must be added to the remote access encryption domain in the gateway settings?

Re: Routing table when connected to SNX in Network Mode Only

PhoneBoy — Mon, 03 Oct 2022 16:30:59 GMT

The routes injected to the remote access clients should match the Remote Access Encryption Domain settings.
It therefore must be removed, not added.

Re: Routing table when connected to SNX in Network Mode Only

Oliver_222 — Fri, 14 Oct 2022 09:24:17 GMT

In the encryption domain we have the internal subnets 192.168.0.0 and 172.16.0.0.
If we select "All IP Addresses behind Cluster Members based on Topology information" these subnets will also be in the encryption domain.
Do you mean use the encryption domain without any subnets?
Or should we add the subnets to the exception in "Set Specific VPN Domain for Gateway Communities", just like in sk167000?

Re: Routing table when connected to SNX in Network Mode Only

PhoneBoy — Fri, 14 Oct 2022 17:18:13 GMT

You need to modify the encryption domain so the subnets you don't want to inject to your remote clients are not included in the definition.
The approach mentioned in sk167000 should work for this case, though you don't necessarily need to use "any" here.