Paul_Joslin
Explorer

VSX/ VS - Remote VPN clients connecting to 'other' VS in cluster

Tags: remote access vpn, vsx cluster, virtual systems, mep

We have an issue with our Checkpoint remote VPN VSX environment, R77.30.

VPN1-CTR VSX Cluster ‘VPN concentrator’ 

Member =1= VPN1

Member =2= VPN2

VS VPN1-REMOTE-TELEWORKER x.x.x.1

VS VPN1-REMOTE-ADMIN x.x.x.2


Mysteriously, we have Checkpoint VPN Endpoint Security* clients E80.64 (both Windows & Mac) configured by IP address to connect remote VPN to the VS VPN1-REMOTE-TELEWORKER x.x.x.1, but they are intermittently connecting instead to the VS VPN1-REMOTE-ADMIN x.x.x.2. VPN1-REMOTE-ADMIN is configured with a different head-end IP address & sits separately on the other VSX member. This happens only some of the time, but I can’t work out what the trigger for this is. I suspect an underlying problem with the system, but this is not desirable behaviour. I have been able to replicate this with the Endpoint Security Client, but I just haven’t been able to connect the dots…

In the clients this happens with, when looking at the client connection settings it seems to change the VPN server IP address from x.x.x.1 to x.x.x.2. The only way to fix this & get the client reconnecting to VPN1-REMOTE-TELEWORKER is to delete the connection in the client & recreate it. Sometimes it just fixes itself after repeated connection attempts.

I’ve double checked the NAT & routing between our external ASA firewall & the Checkpoint VSX VPN Concentrator, but I can see no NAT translation, or routing issues.  I suspect if there was, I would see this behaviour happening all of the time, & not intermittently as is the case.

To me there might be some internal communication going on between the Endpoint Security client & the TELEWORKER & ADMIN VPN VSs, & therefore VPN setup traffic between client & VPN head-end, & the connection is being redirected sometimes? Unfortunately we don’t have enough users to see this issue going the other way, i.e. configured to connect to VPN1-REMOTE-ADMIN but connecting to VPN1-REMOTE-TELEWORKER instead.

When I enabled logging on my Endpoint Security VPN client I saw something in the helpdesk.log about MEP resolving to x.x.x.2. Something to do with Multiple Entry Point VPNs? The trac.log file spoke of "[CONFIG_MANAGER gw_ipaddr return value x.x.x.2 because it is the Gateway config variable". On the Checkpoint SMS, I’ve looked through the ALL_Remote_Users community but I don’t see anything about MEP. I looked on the VPN VSs VPN1-REMOTE-ADMIN & VPN1-REMOTE-TELEWORKER, but I didn’t see anything about MEP. I looked in Global Properties, & under Remote Access > VPN Advanced I see an option under Office Mode for Load Distribution > “Enable load distribution for Multiple Entry Points configurations (Remote Access Connections)”, but this is un-ticked anyway. I think perhaps this is a configuration option somewhere that needs to be disabled?

The long & the short is, we don’t want this behaviour to occur.  The rulebase on VPN1-REMOTE-TELEWORKER & VPN1-REMOTE-ADMIN is different, & meant for different user-purposes.  I’ve attached network diagrams of our VPN setup & some logs from the Endpoint Security client.

Some help would really be appreciated.  TIA.


* Endpoint Security clients, but no endpoint security enabled
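A small triage helper for the client logs described in the post above, added here as an example and not part of the original thread or of any Check Point tool. It pulls the gateway address out of the two log fragments the post quotes ("MEP resolving to <ip>" and "gw_ipaddr return value <ip>") and flags any address that differs from the one the site was configured with; the sample lines, timestamps and IPs are constructed, and the exact helpdesk.log/trac.log layout is an assumption.

```python
import re

# Constructed sample lines (not the post's attached logs). They mirror the two
# fragments quoted in the post; the "[timestamp]" prefix and the "[IKE]" line
# are assumptions about the surrounding log layout.
SAMPLE_LOG = """\
[2018-05-01 08:00:01] [CONFIG_MANAGER gw_ipaddr return value 203.0.113.1 because it is the Gateway config variable
[2018-05-01 08:00:02] [MEP] MEP resolving to 203.0.113.2
[2018-05-01 08:00:03] [CONFIG_MANAGER gw_ipaddr return value 203.0.113.2 because it is the Gateway config variable
[2018-05-01 08:00:04] [IKE] connecting to 203.0.113.2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    # trac.log: the gateway address the client will actually use
    "config": re.compile(r"gw_ipaddr return value " + IPV4),
    # helpdesk.log: the address MEP site resolution picked
    "mep": re.compile(r"MEP resolving to " + IPV4),
}


def gateway_events(log_text):
    """Return (kind, ip) for every line that names a gateway address, in log order."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append((kind, match.group(1)))
    return events


def redirected_gateways(log_text, configured_gw):
    """Return the sorted set of gateway IPs the client resolved that differ from
    the address the site was configured with. A non-empty result means MEP (or
    other site logic) steered the client to a different VS than intended."""
    return sorted({ip for _, ip in gateway_events(log_text) if ip != configured_gw})


if __name__ == "__main__":
    for kind, ip in gateway_events(SAMPLE_LOG):
        print(f"{kind:7s} -> {ip}")
    unexpected = redirected_gateways(SAMPLE_LOG, "203.0.113.1")
    if unexpected:
        print("client steered away from the configured gateway to:", ", ".join(unexpected))
```

Run it against a real trac.log/helpdesk.log by reading the file into `log_text` and passing the site's configured VS address as `configured_gw`.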

4 Replies
Houssameddine_1
Collaborator

Joslin,

You might have a MEP issue. Whenever you configure a remote access VPN community for Checkpoint, the management server is considered a site and all the gateways configured in that community are part of that one site.

To override this behavior you have to follow the steps on the sk (make sure to edit the file on each gateway or VS and list its IP only, and delete and recreate the site again for each gateway. The file is secretive, be careful when you edit it):

Disabling MEP for Endpoint VPN Client 

Thanks

Paul_Joslin
Explorer

Brilliant.  That looks like what I'll need to do.  I'll update this thread again once I've applied the changes (in the middle of a change freeze at the moment).

G_W_Albrecht
Legend

Do you have any news concerning the issue yet?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Maarten_Sjouw
Champion

In the same file you can also set the secondary_connect to false.

This will prevent you from connecting to VPN GW-1 and underwater connecting to the admin env on VPN GW-2, unless you want this behaviour.

Regards, Maarten