This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
heavysoul
Participant
‎2021-01-13 11:00 AM

Endpoint Connect client behaviour changes

Hi Guys

 

I am experiencing strange vpn client (E82.40) behaviour recently, following the addition of a new interface in my topology.

I have 2 x 5600 (R80.20) gateway clusters - primary and backup site

I have single vpn domain across both sites

Endpoint Connect VPN clients (on W10)  have been connecting to primary site fine, all good

Following above change, clients:-

1) started connecting to the backup site at random

2) proxy settings on the client machines overwritten

3) certificate warning when connecting to backup site 

 

I have disabled MEP via dbedit, but still connections to backup site continue

I have checked the MEP settings in each of the 4 gateway TTM files - all are configured as follows: -

A)

:automatic_mep_topology (
   :gateway (
      :map (
         :false (false)
         :true (true)
         :client_decide (client_decide)
)
      :default (true)

B)

:mep_mode (
   :gateway (
      :map (
         :dns_based (dns_based)
         :first_to_respond (first_to_respond)
         :primary_backup (primary_backup)
         :load_sharing (load_sharing)
         :client_decide (client_decide)
)
      :default (client_decide)
)
C)
:ips_of_gws_in_mep (
   :gateway (
      :default (client_decide)

 

I have checked the proxy settings for each TTM file and see my primary site gateway is configured: -

:do_proxy_replacement (
   :gateway (
     :default (false)

However my backup site gateway is configured: -

:do_proxy_replacement (
   :gateway (
      :default (client_decide)

 

Q- From the MEP config above am I correct in assuming the client is deciding upon which gateway to connect to?

Q - From the proxy config above am I correct to assume once clients connect to the backup site gateway, proxy settings are being overwritten/changed?

Q - Can someone confirm is there further config I require to create a primary/backup VPN solution where clients will connect only to the primary site as long as it is available, with the backup site available to make connections should primary fail?

 

Any help greatly appreciated!

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-01-13 12:02 PM

Client decide means exactly what it says: the client decides.
Yes, when you connect to the backup gateway with a different configuration, that configuration will apply.
Not sure you can “force” a configuration where the client can connect to the backup only when the primary is not available.

0 Kudos
heavysoul
Participant
‎2021-01-14 04:32 AM
In response to PhoneBoy

many thanks - can i also please query the MEP settings in dbedit

i currently have MEP disabled  - does this completely turn off MEP?

what is the effect to the vpn clients - should they now only connect to the gateway configured on the client 'site' ?

heavysoul_0-1610627362568.png

thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-14 05:08 PM
In response to heavysoul

Offhand, I don't know how to query that in dbedit, but assume it is (assuming it's a gateway parameter).
I believe it disables MEP, yes, and next time your clients connect, they should only connect to the primary site. 
If the secondary site is still configured for Remote Access, they may be able to manually add that as a site and connect.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events