This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir123
Explorer
‎2023-11-13 05:26 AM

2 Sites with same VPN domain without MEP

Hello team,

 

We have primary VPN site for our VPN clients but we want some of them to use secondary.

Primary site and secondary site is managed by same SMS, they are connected over MPLS. 

Primary site is cluster with 5600 and secondary is open server, they all run on latest R81.20 with HF26. 

 

 

I tried disabling MEP and Secondary Connect but primary site is showing problems. Ill need to remove/add vpn site everytime to work. First time VPN will connect, and second time will immediately drop.

I have read this and pretty much i have same issue.

https://community.checkpoint.com/t5/Remote-Access-VPN/Two-Gateways-Serving-the-Same-Encryption-Domai...

 

 

"trac_client_1.ttm" file edited on all GWs, example bellow is from Site1 GW. 

)
)
:mep_mode (
:gateway (
:map (
:dns_based (dns_based)
:first_to_respond (first_to_respond)
:primary_backup (primary_backup)
:load_sharing (load_sharing)
:client_decide (client_decide)
)
:default (primary_backup)
)
)

)
)
:ips_of_gws_in_mep (
:gateway (
:default (Site1externalIP1&#Site1externalIP2&#)
)
)

)
)
:automatic_mep_topology (
:gateway (
:map (
:false (false)
:true (true)
:client_decide (false)
)
:default (false)
)
)

)
)
:enable_secondary_connect (
:gateway (
:map (
:false (false)
:true (true)
:client_decide (client_decide)
)
:default (false)
)
)

 

Have anyone manage to overcome this problem?

 

Thx

 

0 Kudos
3 Replies
_Val_
Admin
Admin
‎2023-11-13 06:55 AM

You should not disable MEP, since both GWs have the same VPN domain. Use manual selection of the GW to connect, that's it, or Primary/backup option, if you want it to be automatic.

 

No need to edit ttm files.

0 Kudos
Vladimir123
Explorer
‎2023-11-14 11:54 PM
In response to _Val_

Hey Val,

 

Enabled MEP in global/advanced configuration 

Enabled manual MEP in client_1.ttm file on Site1 cluster GWs and Site2 GW 

- automatic_map_topology set to false 

- ips_of_gws_in_mep set to external IPs of each GWs

- mep_mode set to client_decide 

I got same result. First time would connect to Site1 but rest of connection attempts will fail imidiattely.

 

 

 

 

0 Kudos
_Val_
Admin
Admin
‎2023-11-15 12:02 AM
In response to Vladimir123

I suggest you open a TAC request for that. This normally should work out of the box without issues. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events