Exonix
Advisor

Appliance 1900 doesn't recognise local encryption domain

Hello,

we have a centrally managed Appliance 1900 with RAS VPN configured. The SMB has been added to a cluster consisting of a single node.

I can connect, but in the routing table I see all my networks and interfaces instead of the manually specified encryption domain. Why doesn't the security gateway see the local domain?

 

remote_access1.png

Thank you!

0 Kudos
43 Replies
the_rock
Legend

Did this ever work? Does deleting/re-creating the site do anything?

Andy

0 Kudos
Exonix
Advisor

This is a new setup, but we have another Appliance that is not a member of the cluster and is not centrally managed - it works there.

The recreation of the site didn't help. The strange thing is that the CLI shows "enc-dom auto" 🤷🏼‍

0 Kudos
the_rock
Legend

I don't really work much with SMB appliances, but see in SmartConsole, when you edit the object, is there anything like on regular Gaia appliances under Network -> VPN Domain? If so, you can check to make sure the same group is configured for the remote access VPN domain.

Andy

0 Kudos
Exonix
Advisor

VPN Domain is for SiteToSite VPN. This works. I will open a ticket...

0 Kudos
Exonix
Advisor

I was given this article, but it didn't help and I'm not sure this is my case at all: what is the difference between "all the gateways" and "connected gateway"?

Cause

Endpoint client downloads the encryption domain of all the gateways in the Remote Access community including the gateway's topology.

Currently there is no option to configure the client to download the topology of the connected gateway only.

the_rock
Legend

Does not sound to me like your case either.

Andy

0 Kudos
Exonix
Advisor

I found this in the logs on my PC:

[ 3880 4280][9 Apr 11:25:31][CONFIG_MANAGER] ConfigurationManager::addIPRange(): attribute name IP_RANGE, attribute value - list of wrong addresses

 

[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] is_secondary_connect_enabled_and_supported_on_gw: enter...
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] is_secondary_connect_enabled_and_supported_on_gw return value false, because it is Gateway config variable. Scope: site XXX.XXX.XXX.XXX ,gw NULL ,user USER 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] is_secondary_connect_enabled_and_supported_on_gw: site XXX.XXX.XXX.XXX support 'secondary connect': 0 
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] ConfigurationManager::getIPRangeWithAttrName() inside. Attribute name: IP_RANGE
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] ConfigurationManager::getIPRangeWithAttrName() inside. Attribute name: EXCLUSION_RANGE
[ 3880 4280][9 Apr 11:26:21][CONFIG_MANAGER] ConfigurationManager::getIPRangeWithAttrName() inside. Attribute name: INCLUSION_RANGE
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: enter...
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip0 / yyy.yyy.yyy.0 - ip-range-last-ip0 / yyy.yyy.yyy.255 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip1 / www.www.www.0 - ip-range-last-ip1 / www.www.www.255 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip2 / fff.fff.fff.0 - ip-range-last-ip2 / fff.fff.fff.255 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip3 / ccc.ccc.ccc.0 - ip-range-last-ip3 / ccc.ccc.ccc.255 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip4 / nnn.nnn.nnn.nnn - ip-range-last-ip4 / nnn.nnn.nnn.nnn 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip5 / 192.168.2.0 - ip-range-last-ip5 / 192.168.2.255 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip6 / XXX.XXX.XXX.XXX - ip-range-last-ip6 / XXX.XXX.XXX.XXX 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip7 / ttt.ttt.ttt.ttt - ip-range-last-ip7 / ttt.ttt.ttt.ttt 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: about to set 'allowed-ip-ranges-num' to 8
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setExclusionRangesOnConnData: enter...
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setExclusionRangesOnConnData: about to set 'exclusion-ranges-num' to 0


Any idea where to configure this?

0 Kudos
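As an added example (not from this thread or from Check Point), the Python below parses the client-side TR_CONN_MANAGER lines quoted above, rebuilds the ranges the client actually received as CIDR networks, and compares them with the networks you expect in the Remote Access VPN domain, so you can see at a glance which networks were not pushed and which pushed ranges are not part of the domain at all. The log lines, the 203.0.113.0/24 supplier network and the 198.51.100.1 address are constructed sample values.

```python
import ipaddress
import re
from typing import List, Tuple

# Matches the per-range lines the client writes while building its route list.
RANGE_RE = re.compile(
    r"setIpRangesOnConnData: \(debug added range\) "
    r"ip-range-first-ip\d+ / (\S+) - ip-range-last-ip\d+ / (\S+)"
)
COUNT_RE = re.compile(r"about to set 'allowed-ip-ranges-num' to (\d+)")

# Constructed sample: two ranges pushed to the client. Addresses other than the
# 192.168.2.0/24 office network are RFC 5737 documentation values, not real ones.
SAMPLE_LOG = """\
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip0 / 192.168.2.0 - ip-range-last-ip0 / 192.168.2.255 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: (debug added range) ip-range-first-ip1 / 198.51.100.1 - ip-range-last-ip1 / 198.51.100.1 
[ 3880 4280][9 Apr 11:26:21][TR_CONN_MANAGER] TrConnManager::setIpRangesOnConnData: about to set 'allowed-ip-ranges-num' to 2
"""

# Constructed expected Remote Access VPN domain: the office LAN plus a supplier
# network that users reach through a site-to-site tunnel.
EXPECTED_DOMAIN = [
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def parse_allowed_ranges(log: str) -> List[ipaddress.IPv4Network]:
    """Collect the pushed ranges as CIDR networks and cross-check the announced count."""
    nets: List[ipaddress.IPv4Network] = []
    seen = 0
    for first, last in RANGE_RE.findall(log):
        seen += 1
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    m = COUNT_RE.search(log)
    if m and int(m.group(1)) != seen:
        raise ValueError(f"client announced {m.group(1)} ranges but logged {seen}")
    return nets


def compare_with_domain(pushed, expected) -> Tuple[list, list]:
    """Return (expected networks no pushed range covers,
    pushed ranges that lie outside every expected network)."""
    missing = [e for e in expected if not any(e.subnet_of(p) for p in pushed)]
    extra = [p for p in pushed if not any(p.subnet_of(e) for e in expected)]
    return missing, extra


if __name__ == "__main__":
    missing, extra = compare_with_domain(parse_allowed_ranges(SAMPLE_LOG), EXPECTED_DOMAIN)
    print("in VPN domain but not pushed to client:", [str(n) for n in missing])
    print("pushed to client but not in VPN domain:", [str(n) for n in extra])
```

Run it against a real client log with the masked addresses restored and the EXPECTED_DOMAIN list replaced by the members of your RAS VPN domain group; a non-empty "not pushed" list is the symptom described in this thread.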
PhoneBoy
Admin

When you "add a site" you are not only adding the encryption domain of the gateway you are connecting to (i.e. to add the site), you are adding the Remote Access encryption domain of every other gateway that is under the same management domain.
Which means the routes that will be set on your Remote Access client will cover more than just the 1900.

As noted above, this is expected behavior.

0 Kudos
Exonix
Advisor

But I don't have any other gateways that are under the same management domain. If I add a second node to the cluster - will it solve the problem?

I have exactly the opposite: the added routes are from the 1900 - they belong to all enabled interfaces on the 1900. How can I add more networks to the client?

For now, it looks like the clustered RAS doesn't work out of the box (

0 Kudos
PhoneBoy
Admin

It is highly unusual to run a cluster with a single node. 
However, I don't believe it will help to add the node to the clusters?
The version of firmware involved on the 1900 as well as the version/JHF on your management will be helpful for context.

For the "more networks" you want to add to the encryption domain, do you have routes for these networks configured on the 1900 already?

0 Kudos
Exonix
Advisor

"More networks" - they belong to encryption domains of some S2S VPN. So, our users connect to our office and then go to resources located on a supplier site. Typical configuration. 

You say it is unusual. OK, imagine we have a classic two-node cluster. Then one node crashes - is it still a two-node cluster? Right now I can't add the second node, because it serves as the main router. But tomorrow evening I will try it.

Version will come a bit later, but it is the last one.

0 Kudos
PhoneBoy
Admin

Not sure how adding the cluster member will make this work.

Are those S2S VPNs already set up and working correctly on the device?

0 Kudos
Exonix
Advisor

Yes, the S2S work correctly 

0 Kudos
the_rock
Legend

I'm with PhoneBoy on this one... the VPN domain would not have anything to do with whether something is a cluster, single device or standalone.

Andy

0 Kudos
Exonix
Advisor

The fact is that RAS works on a standalone FW - a client gets all routes from the encryption domain.

Once the FW is added into the cluster - it stops working: no routes from the VPN domain are added.

Anyway, I need to make this work...

0 Kudos
the_rock
Legend

Ok, let's take a step back here. So just for the context, can you please make sure that the VPN domain used for the single fw is exactly the SAME as when it's a cluster? Also, if it is the same, can you have someone delete/re-create the site and test?

Andy

0 Kudos
Exonix
Advisor

Yes, the VPN domain for RAS is the same. I didn't change it, but just added the fw to the cluster.

Yes, I have already recreated the connection (this is the site, right?) on the VPN client - didn't help.

0 Kudos
the_rock
Legend

I don't see any screenshots in your response, so I can't tell exactly what you meant by the site. If you are allowed to do remote, happy to check it with you. I'm good till 9 am EST (GMT-5).

Let me know.

Andy

0 Kudos
Exonix
Advisor

Thank you Andy, unfortunately, remote assistance is not allowed...

This is VPN Domain for the RAS 👇

ras_encr_dom_issue2.png

And this is the Site/Connection 👇

ras_encr_dom_issue3.png

0 Kudos
the_rock
Legend

That's totally fair, my intention is always to try my best to help, but of course everyone has to follow their company's rules, that's 100% expected.

Anywho, that looks right to me, but another question... what does the rule to access these resources look like in the policy? Can you show that?

Also, from my experience, when this happens, it's usually because the VPN domain is wrong or something in the needed rule is "missing".

Andy

 

 

0 Kudos
Exonix
Advisor

The rules are quite simple (we have many clients who have such a configuration).

- the "office mode Network" is member of "local_networks"

Let me try to install policies explicitly for the cluster instead of "Policy Targets".

ras_encr_dom_issue4.png

0 Kudos
the_rock
Legend

Also, can you show what below looks like? Just blur out any sensitive data.

Andy

 

 

0 Kudos
Exonix
Advisor

ras_encr_dom_issue5.png

0 Kudos
the_rock
Legend

That looks right...ok, just to clarify, you say this ONLY happens in cluster environment, NOT otherwise?

Andy

0 Kudos
Exonix
Advisor

Yes, for some reason it doesn't work when we use a cluster environment. When we use a standalone FW - everything works 👍 I hope this is related to the number of nodes in the cluster and adding a second node tonight will solve the problem 🙏 I have no other ideas...

0 Kudos
the_rock
Legend

I'm with you there, I got nothing else either, sorry 😞

Did you end up opening TAC case for this?

Andy

0 Kudos
Exonix
Advisor

Yes, TAC also does their best.

0 Kudos
the_rock
Legend

Just for the context, can you please list everything tried so far?

Andy

0 Kudos
Exonix
Advisor

0 Kudos
