topic Re: Endpoint Connect client behaviour changes in SASE and Remote Access

Endpoint Connect client behaviour changes

heavysoul — Wed, 13 Jan 2021 19:00:03 GMT

Hi Guys

I am experiencing strange vpn client (E82.40) behaviour recently, following the addition of a new interface in my topology.

I have 2 x 5600 (R80.20) gateway clusters - primary and backup site

I have single vpn domain across both sites

Endpoint Connect VPN clients (on W10) have been connecting to primary site fine, all good

Following above change, clients:-

1) started connecting to the backup site at random

2) proxy settings on the client machines overwritten

3) certificate warning when connecting to backup site

I have disabled MEP via dbedit, but still connections to backup site continue

I have checked the MEP settings in each of the 4 gateway TTM files - all are configured as follows: -

:automatic_mep_topology (
:gateway (
:map (
:false (false)
:true (true)
:client_decide (client_decide)
)
:default (true)

:mep_mode (
:gateway (
:map (
:dns_based (dns_based)
:first_to_respond (first_to_respond)
:primary_backup (primary_backup)
:load_sharing (load_sharing)
:client_decide (client_decide)
)
:default (client_decide)
)
C)
:ips_of_gws_in_mep (
:gateway (
:default (client_decide)

I have checked the proxy settings for each TTM file and see my primary site gateway is configured: -

:do_proxy_replacement (
:gateway (
:default (false)

However my backup site gateway is configured: -

:do_proxy_replacement (
:gateway (
:default (client_decide)

Q- From the MEP config above am I correct in assuming the client is deciding upon which gateway to connect to?

Q - From the proxy config above am I correct to assume once clients connect to the backup site gateway, proxy settings are being overwritten/changed?

Q - Can someone confirm is there further config I require to create a primary/backup VPN solution where clients will connect only to the primary site as long as it is available, with the backup site available to make connections should primary fail?

Any help greatly appreciated!

Re: Endpoint Connect client behaviour changes

PhoneBoy — Wed, 13 Jan 2021 20:02:27 GMT

Client decide means exactly what it says: the client decides.
Yes, when you connect to the backup gateway with a different configuration, that configuration will apply.
Not sure you can “force” a configuration where the client can connect to the backup only when the primary is not available.

Re: Endpoint Connect client behaviour changes

heavysoul — Thu, 14 Jan 2021 12:32:03 GMT

many thanks - can i also please query the MEP settings in dbedit

i currently have MEP disabled - does this completely turn off MEP?

what is the effect to the vpn clients - should they now only connect to the gateway configured on the client 'site' ?

thanks

Re: Endpoint Connect client behaviour changes

PhoneBoy — Fri, 15 Jan 2021 01:08:00 GMT

Offhand, I don't know how to query that in dbedit, but assume it is (assuming it's a gateway parameter).
I believe it disables MEP, yes, and next time your clients connect, they should only connect to the primary site.
If the secondary site is still configured for Remote Access, they may be able to manually add that as a site and connect.