topic RA to a topology with 2xCP clusters in the same VPN domain in SASE and Remote Access

RA to a topology with 2xCP clusters in the same VPN domain

MartinTzvetanov — Mon, 04 Apr 2022 13:25:05 GMT

Hello,

I have the following situation. The customer has 2 Data centers with a pair of gateways in each forming 2 clusters (R80.30 JHF 237, one is kernel 2.16, the other 3.10) managed by the same CP management (also R80.30 but not sure the HF). Both clusters face Internet from different ISPs and has different VPN pools and receives the same security policy.

The customer's demand is their workers to use cluster1 as their RA cluster and cluster2 to be used for mobile access portal for their end clients' access. Of course when one of the clusters fails all will use the healthy one and the infrastructure in both DCs must be accessible.

Right now we are testing the following: vpn client is connecting to cluster2 but in the Smart Monitor we see connected to cluster2's IP, received an IP from the cluster2's pool, but in Gateway - cluster1. Using vpn tu in cli we see the customer's IP (from cluster2's pool) in both clusters. When doing test traffic we see it entering in cluster1 (doesn't matter the client is connected to cluster2), reaching the destination device, but trying to exit via cluster2 and of course it's dropped because of an asymmetric route.

In the infrastructure there is no dynamic routing. Right now there are configured static routes for the cluster1's and cluster2's pools to point to the respected device.

Cant' find any documentation explaining why the vpn connects to cluster2 but the traffic arrives at cluster1. MEP and Secondary connect are not configured.

Is this an expected behavior? Should we split the common policy in two for every cluster? We are aware of that if we change the static route in the internal infrastructure to point to only one of the clusters all will work but this is not the goal here.

Thanks in advance.

Re: RA to a topology with 2xCP clusters in the same VPN domain

the_rock — Mon, 04 Apr 2022 14:19:05 GMT

Is it possible backup gateway option is enabled in global properties under vpn advanced?

Re: RA to a topology with 2xCP clusters in the same VPN domain

Ruan_Kotze — Mon, 04 Apr 2022 16:03:55 GMT

Hey Martin,

The behavior sounds like secondary connect. Just want to clarify - you said MEP and SC are not configured - do you mean you left everything on defaults or did you specifically disable them, because there are a couple of steps to take if you want it disabled (edit $FWDIR/conf/trac_client_1.ttm and set the :default value of enable_secondary_connect to false.).

Re: RA to a topology with 2xCP clusters in the same VPN domain

MartinTzvetanov — Tue, 05 Apr 2022 06:15:45 GMT

Everything is by default, nothing explicitly disabled editing this file

Re: RA to a topology with 2xCP clusters in the same VPN domain

MartinTzvetanov — Wed, 06 Apr 2022 09:12:08 GMT

Following this SK https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk78180&partition=Advanced&product=Endpoint

I got the first symptom.

Following the SK the problem is solved.