Disabling MEP

Hi All,

We have 2 gateways (R80.30 Take 191) in the remote access community using the same encryption domain. Each gateway has a different public FQDN; for the sake of it, remote01.customer.com and remote02.customer.com.

The 2 sites are created on the endpoint clients; our aim is to disable MEP, letting the user decide to which site he/she shall connect. Currently, end users choose to connect to remote01.customer.com but they end up on remote02.customer.com.

For this we disabled MEP in Global Properties (the explicit way), and we edited the trac_client_1.ttm file on the gateways (implicit way) setting:

1- automatic_mep_topology, default (false), it didn't help

2- ips_of_gws_in_mep, default(<ip address of remote01.customer.com>), it didn't help

3- mep_mode, default (dns_based), it didn't help

We went through sk75221 and sk78180 but we didn't succeed in enforcing our requirement.

Not sure how things work under the bonnet; we're trying to avoid modifying the trac.default on the end user laptops.

The interesting point we noticed: if the user deletes the site and re-creates it, things behave as expected, though we're not sure why. We understand this will delete the topology of the site, but does anyone out there know what exactly is happening? Can we replicate it without asking for user intervention? We're talking about hundreds of non-technical end users and we'd prefer not to get them involved in it.

Or is this not possible by design, i.e. the minute you add more than one gateway to the remote access community, there isn't a way around MEP.

Cheers

10 Replies
Re: Disabling MEP

I would suggest to contact TAC - no use dabbling and trying...

Re: Disabling MEP

What are the settings for mep_mode and ips_of_gws_in_mep in your TTM file? That would explain why they are ending up on one specific GW.

Now, if both RA VPN GWs are managed from the same CMA/SMS, there is not much you can do anyway. Each of the GWs reports all other RA VPN GWs belonging to the same community when the clients connect.

You still can control to some extent how and where clients connect, but the options you have are either probing, round-robin, or DNS based resolution.

If you want to have two separate sites, you need two different security domains, each managing a separate VPN GW.

May I ask, why do you need users to choose manually? What is the purpose behind this requirement?

Re: Disabling MEP

Another suggestion: with the "client_decide" option in the TTM file, you should have a second drop-down menu on the client side with the list of GWs per site. That should work. One site, but the ability to choose a particular GW within that site.

Still, the purpose question remains, I am curious.

Re: Disabling MEP

You mean on the mep_mode?

Re: Disabling MEP

Yes

Re: Disabling MEP

Thanks Gwendolyn, we're about to raise a new ticket with TAC in the hope of reaching a resolution.

Hi Val, I was hoping R80.40 would introduce support for more than a single remote community per SMS, but it looks like we have to wait for future versions. The settings are as below:

- mep_mode, default (dns_based)

- ips_of_gws_in_mep, default(<ip address of remote01.customer.com>)

The reason behind it is a pure business requirement: remote02 is a DR DC with a smaller internet feed and a smaller gateway. So the customer wants its workforce to use remote01 and, if they can't connect, choose remote02.

We're not even sure ticking "Enable Backup Gateway" would help in our situation, as the customer has a plan to add a new gateway in their international office to the remote community so users in that country would use their local gateway; but based on what we're experiencing, this has the risk of local users connecting to it.

Not sure whether CP can provide these requirements; we might need to socialise with the customer that we need to look at a separate remote access solution down the track.

Re: Disabling MEP

Why don't you use mep_mode primary_backup? That should cover your case.

Look into sk75221 and the "Editing the TTM File" section in the E80.72 and higher Remote Access Clients for Windows Administration Guide.

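To put the three settings discussed in this thread side by side, here is an added trac_client_1.ttm fragment. It is an illustration written for this page, not a file posted by anyone in the thread and not Check Point's documentation: the nested `:key ( ... )` layout and the comma-separated address list are assumptions about the TTM syntax, the `<IP of ...>` entries are placeholders, and the lines starting with `#` are reader annotations rather than TTM content. The option names and values (mep_mode, ips_of_gws_in_mep, dns_based, primary_backup, client_decide) are the ones named in the posts above; check them against sk75221 and the admin guide before editing a gateway.

```text
# Added example, not from the thread. Assumed TTM layout; placeholders in <...>.

# Setting as reported by the original poster: the client resolves the site FQDN
# and MEP still selects a gateway from the topology it received.
:mep_mode (
    :gateway (
        :default (dns_based)
    )
)
:ips_of_gws_in_mep (
    :gateway (
        :default ()
    )
)

# Suggested for "always use remote01, fall back to remote02":
# the list order is assumed to be the priority order.
:mep_mode (
    :gateway (
        :default (primary_backup)
    )
)
:ips_of_gws_in_mep (
    :gateway (
        :default (<IP of remote01.customer.com>,<IP of remote02.customer.com>)
    )
)

# Suggested for "let the user pick a gateway within the one site":
:mep_mode (
    :gateway (
        :default (client_decide)
    )
)
```

As the thread notes, the client only picks up a changed gateway-side TTM when it refreshes the site topology, which is why deleting and re-creating the site on the endpoint made the behaviour change; a TTM edit on the gateway alone does not reach clients that still hold the old topology.
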
Re: Disabling MEP

Thanks Val,

We thought of it, but there is 2% of users that need to always connect to remote02, again for business requirements.

We were hoping from the TAC case to get where the endpoint client saves the mapping between the FQDN and the IP address so we can delete this info without the need of deleting/creating the site, which, as mentioned, would solve the issue.

All is good, thank you all for your input.

Re: Disabling MEP

Not sure I understand. Do you have an answer to your own question? If yes, please share with others. Thanks

Re: Disabling MEP

Hi Val,

The solution for our initial requirement (send users to remote01) wasn't found, though now, after a lot of hours with TAC, it looks like we have no choice but to delete/create the site.
