Contributor

Disabling MEP

Hi All,

We have 2 gateways (R80.30 Take 191) in the remote access community, using the same encryption domain. Each gateway has a different public FQDN; for the sake of argument, remote01.customer.com and remote02.customer.com.

The 2 sites are created on the endpoint clients, and our aim is to disable MEP, letting the user decide which site he/she connects to. Currently, end users choose to connect to remote01.customer.com but they end up on remote02.customer.com.

For this we disabled MEP in Global Properties (the explicit way), and we edited the trac_client_1.ttm file on the gateways (the implicit way), setting:

1- automatic_mep_topology, default (false): it didn't help

2- ips_of_gws_in_mep, default (<ip address of remote01.customer.com>): it didn't help

3- mep_mode, default (dns_based): it didn't help

We went through sk75221 and sk78180 but we didn't succeed in enforcing our requirement.

Not being sure how things work under the bonnet, we're trying to avoid modifying the trac.default on the end users' laptops.

The interesting point we noticed: if the user deletes the site and re-creates it, things behave as expected, though we're not sure why. We understand this deletes the topology of the site, but does anyone out there know what exactly is happening? Can we replicate it without asking for user intervention? We're talking about hundreds of non-technical end users, and we'd prefer not to get them involved.

Or is this not possible by design, i.e. the minute you add more than one gateway to the remote access community, there isn't a way around MEP?

Cheers

14 Replies
Champion

I would suggest contacting TAC - no use dabbling and trying...

Admin

What are the settings for mep_mode and ips_of_gws_in_mep in your TTM file? That would explain why they are ending up on one specific GW.

Now, if both RA VPN GWs are managed from the same CMA/SMS, there is not much you can do anyway. Each of the GWs reports all other RA VPN GWs belonging to the same community when the clients connect.

You still can control to some extent how and where clients connect, but the options you have are either probing, round-robin, or DNS based resolution.

If you want to have two separate sites, you need two different security domains, each managing a separate VPN GW.

May I ask, why do you need users to choose manually? What is the purpose behind this requirement?

Admin

Another suggestion. With the "client_decide" option in the TTM file, you should have a second drop-down menu on the client side with the list of GWs per site. That should work. One site, but the ability to choose a particular GW within that site.

Still, the purpose question remains, I am curious.

Contributor

You mean on the mep_mode?

Admin

Yes.

Contributor

Thanks Gwendolyn, we're about to raise a new ticket with TAC in the hope of reaching a resolution.

Hi Val, I was hoping R80.40 would introduce support for more than a single remote access community per SMS, but it looks like we have to wait for future versions. The settings are as below:

- mep_mode, default (dns_based)

- ips_of_gws_in_mep, default (<ip address of remote01.customer.com>)

The reason behind it is a pure business requirement: remote02 is a DR DC with a smaller internet feed and a smaller gateway, so the customer wants its workforce to use remote01 and, if they can't connect, to choose remote02.

We're not even sure ticking "Enable Backup Gateway" would help in our situation, as the customer has a plan to add a new gateway in their international office to the remote access community so users in that country would use their local gateway; but based on what we're experiencing, this has the risk of local users connecting to it.

We're not sure whether CP is able to provide these requirements; we might need to socialise with the customer that we need to look at a separate remote access solution down the track.

Admin

Why don't you use mep_mode primary_backup? That should cover your case.

Look into sk75221 and the "Editing the TTM File" section in the E80.72 and higher Remote Access Clients for Windows Administration Guide.

Contributor

Thanks Val,

We thought of it, but there's 2% of users that need to always connect to remote02, again for business requirements.

We were hoping the TAC case would tell us where the endpoint client saves the mapping between the FQDN and the IP address, so we can delete this info without the need to delete/create the site, which as mentioned would solve the issue.

All is good, thank you all for your input.

Admin

Not sure I understand. Do you have an answer to your own question? If yes, please share it with others. Thanks.

Contributor

Hi Val,

The solution for our initial requirement (send users to remote01) wasn't found, though now, after a lot of hours with TAC, it looks like we have no choice but to delete/create the site.

Participant

We have the same issue with Mobile Access Endpoint VPN and configured ISP Redundancy (Primary\Backup mode).

I have tried to apply:

sk78180 (For R77.30 , R80.40)

sk32229 (For R77.30 , R80.40)

sk92383 (for R80.40)

SR in TAC

Still no results - Endpoint VPN does not try to connect to the second IP of the SG.

SKs which say that VPN Link Selection is unsupported for Endpoint VPN:

sk113617

sk114623

Contributor

My issue is a bit different; I trust you need to use link selection with ISP redundancy.

As Dameon mentioned in an old post:

"You can use Link Selection for Remote Access Clients without ISP Redundancy.

If you have a need for both features, this is not currently supported as mentioned in the SKs."

Participant

Without ISP Redundancy, manual MEP does not work either. I tried to configure it in my test environment with R80.40 and Endpoint VPN E83.10. For manual MEP, it doesn't matter if ISP Redundancy is enabled or not. When manual MEP is enabled for Endpoint VPN, there should be a simple choice between two IP addresses to connect to, but this does not happen.

Participant

If the problem is still relevant, I found a solution for sk78180. One more step is required for the solution to work properly: you have to change mep_mode. I checked it with Primary_Backup mode and Endpoint VPN (E83.10) switched between GWs perfectly. I mean when the main IP is unreachable, the client reconnects to the backup IP after several seconds.
I tested this on R77.30 and on R80.40. And yes, this works with ISP Redundancy (Primary\Backup mode) too.

I see you are trying to use the FQDN, but might it be acceptable to try using IP addresses?

The main changes in the trac_client_1.ttm file:

1. Disable automatic_mep:

:automatic_mep_topology (
        :gateway (
                :map (
                        :false (false)
                        :true (true)
                        :client_decide (false)
                )
                :default (false)
        )
)

2. Set site topology:

:ips_of_gws_in_mep (
        :gateway (
                :default (192.168.1.199&#192.168.2.199&#)
        )
)

3. Set MEP mode:

:mep_mode (
        :gateway (
                :map (
                        :dns_based (dns_based)
                        :first_to_respond (first_to_respond)
                        :primary_backup (primary_backup)
                        :load_sharing (load_sharing)
                        :client_decide (client_decide)
                )
                :default (primary_backup)
        )
)
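As an added example (not from this thread or from Check Point), a small Python checker for the three TTM settings above: it parses the ':key ( ... )' structure, splits the '&#'-separated gateway list, and flags a file that still has automatic_mep_topology enabled, has too few addresses for primary_backup, or carries a non-IP entry such as an FQDN. The sample TTM content is constructed, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample in the TTM ':key ( ... )' format, following the three steps above.
TTM_SAMPLE = """
:automatic_mep_topology ( :gateway ( :map ( :false (false) :true (true) ) :default (false) ) )
:ips_of_gws_in_mep ( :gateway ( :default (192.168.1.199&#192.168.2.199&#) ) )
:mep_mode ( :gateway ( :default (primary_backup) ) )
"""

TOKEN = re.compile(r":(\w+)\s*\(|(\))|([^\s()]+)")  # key-open, close, bare leaf value


def parse_ttm(text):
    """Parse nested ':key ( ... )' blocks into dicts; a block holding one bare token is a leaf."""
    stack = [("", {})]  # sentinel entry holds the root dict
    for key, close, value in TOKEN.findall(text):
        if key:  # open a nested block under the current one
            stack[-1][1][key] = node = {}
            stack.append((key, node))
        elif value:  # a bare token inside a block: the block is a scalar leaf
            stack[-2][1][stack[-1][0]] = value
        elif close:
            stack.pop()
    return stack[0][1]


def gateway_default(cfg, key):
    # The ':default' value under ':gateway' for a top-level key, or '' if absent or not a leaf
    val = cfg.get(key, {}).get("gateway", {}).get("default")
    return val if isinstance(val, str) else ""


def mep_gateways(cfg):
    # Split the '&#'-separated list (the format shown above) and validate each entry as an IP
    raw = gateway_default(cfg, "ips_of_gws_in_mep")
    return [str(ipaddress.ip_address(p)) for p in raw.split("&#") if p]


def check_mep(cfg):
    """Findings for a manual primary/backup MEP setup; an empty list means it is consistent."""
    findings = []
    if gateway_default(cfg, "automatic_mep_topology") != "false":
        findings.append("automatic_mep_topology default must be false so the manual list is used")
    mode = gateway_default(cfg, "mep_mode")
    try:
        gws = mep_gateways(cfg)
    except ValueError as exc:
        findings.append(f"ips_of_gws_in_mep has an invalid address: {exc}")
        gws = []
    if mode == "primary_backup" and len(gws) < 2:
        findings.append("primary_backup needs a primary and a backup address in ips_of_gws_in_mep")
    return findings
```

Run it against the real trac_client_1.ttm on a gateway before pushing it to clients; an FQDN in ips_of_gws_in_mep is reported rather than silently accepted.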