championc1
Explorer

Do I need to reconfigure our RAVPN

Hi all,

We have a single DNS name pointing at the public IP of our primary R81.20 cluster. If this primary cluster's public IP is unavailable, the VPN client redirects itself to a secondary DR cluster.

But if I understand it correctly, it seems like the secondary address is cached in the client, meaning that when the primary IP is reachable again, the client continues to connect to the secondary cluster gateway until the VPN profile on the user's laptop is deleted and re-created.

Ideally, I would like to have a setup where the endpoint becomes somewhat invisible to the user: if the user connected to the secondary due to the unavailability of the primary, it would revert back if the primary became available again, or if the secondary became unavailable.

Could I implement an active-active setup, where it became pot luck as to which gateway the user connected to? Would "First to Respond" MEP mode be the way to go?

Thanks in advance

Accepted Solution
_Val_
Admin

In the "first to respond" case the client always tries to connect to the last known GW, as it will be probed first. You need to configure the primary / backup option in MEP settings.

See more details in the Multiple Entry Point (MEP) > Manual MEP admin guide section for RAS VPN.

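The difference between the two MEP modes described in the accepted answer, as an added illustration that is not part of the original thread and not Check Point's client code: a small model in which "first to respond" probes the client's last known gateway first (so after a failover it keeps landing on the DR cluster), while "primary / backup" always tries the primary first and therefore fails back as soon as the primary answers. The gateway names, the `reachable` set standing in for a probe, and the `last_known` cache are assumptions made for the model.

```python
"""Model of two Remote Access VPN gateway-selection policies.

Added illustration for this thread; a simplified model, not Check Point's
client implementation. Assumptions: a probe is modelled as membership in a
`reachable` set, and the client remembers its last successful gateway in
`last_known`.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class Client:
    primary: str
    backup: str
    last_known: Optional[str] = None  # gateway cached from the previous connection

    def select(self, mode: str, reachable: Set[str]) -> Optional[str]:
        """Return the gateway the client connects to under the given mode."""
        if mode == "first_to_respond":
            # The last known gateway is probed first; the first one that
            # answers wins, so a cached DR gateway keeps winning.
            order = [self.last_known] if self.last_known else []
            order += [g for g in (self.primary, self.backup) if g not in order]
        elif mode == "primary_backup":
            # Fixed preference: primary whenever it answers, else backup.
            order = [self.primary, self.backup]
        else:
            raise ValueError(f"unknown MEP mode: {mode}")

        for gw in order:
            if gw in reachable:
                self.last_known = gw
                return gw
        return None  # nothing reachable; no cache update


def simulate(mode: str, events: Iterable[Set[str]]) -> List[Optional[str]]:
    """Run one client through a sequence of reachability states."""
    client = Client(primary="primary.example", backup="dr.example")
    return [client.select(mode, reachable) for reachable in events]


if __name__ == "__main__":
    # Constructed scenario: both up, primary outage, both up again.
    scenario = [
        {"primary.example", "dr.example"},
        {"dr.example"},
        {"primary.example", "dr.example"},
    ]
    print("first_to_respond:", simulate("first_to_respond", scenario))
    print("primary_backup:  ", simulate("primary_backup", scenario))
```

In the third step the first-to-respond client is still on `dr.example` even though the primary is back, which is the symptom the question describes; the primary/backup client has returned to `primary.example`.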

8 Replies
the_rock
Legend

Sounds like that's more site-to-site VPN MEP; if this is for remote access VPN clients, you need to follow the link below.

Best,

Andy

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuid...

championc1
Explorer

Yes, I found that previously, and that was why I referenced the question of "First to Respond".

I'm looking for guidance on the best way to have RA configured so that the client profiles will never have to be deleted and re-created, and so that either site can be connected to automatically, without the need for a user to choose between the primary or secondary site.

the_rock
Legend

It also depends on whether it's the implicit method or not, meaning whether both gateways have overlapping encryption domains. I will tell you, for a couple of customers I did this for, we used implicit primary-backup, and it worked like a charm. The reason was also that they did NOT want their users to see a list of gateways they could connect to, which definitely made sense to me. So, if one was ever to fail, people would be able to connect to the other one.

Best,

Andy

championc1
Explorer

Does it sound correct that the client caches the secondary IP address in the event of a primary unavailability, that when the primary returns connections continue to the secondary, and that the only way you can reconnect back to the primary is by recreating the profile pointing at the primary IP address?

This appears to be the way that ours is functioning. If this is so, what can I do to make it so that it all always works?

the_rock
Legend

Correct. Put it this way... I know this may sound like a stupid comparison, but it's sort of like how you need a browser on Windows to open web pages; this is the same philosophy (if you will): the client will "fetch" the information from the gateway side, so whatever is configured there, the client would have that cached.

Best,

Andy

championc1
Explorer

So is there any way to set it up where it won't cache (and we need two DNS entries, one for each gateway), or where it will go seamlessly between either at any point?

the_rock
Legend

You may want to confirm with TAC, but I believe those things can be manipulated in the trac ttm file.

Andy
