heavysoul
Participant

Endpoint Connect client behaviour changes

Hi Guys

 

I am experiencing strange VPN client (E82.40) behaviour recently, following the addition of a new interface in my topology.

I have 2 x 5600 (R80.20) gateway clusters - primary and backup site

I have a single VPN domain across both sites

Endpoint Connect VPN clients (on W10) have been connecting to primary site fine, all good

Following above change, clients:-

1) started connecting to the backup site at random

2) proxy settings on the client machines overwritten

3) certificate warning when connecting to backup site 

 

I have disabled MEP via dbedit, but still connections to backup site continue

I have checked the MEP settings in each of the 4 gateway TTM files - all are configured as follows: -

A)

:automatic_mep_topology (
   :gateway (
      :map (
         :false (false)
         :true (true)
         :client_decide (client_decide)
      )
      :default (true)

B)

:mep_mode (
   :gateway (
      :map (
         :dns_based (dns_based)
         :first_to_respond (first_to_respond)
         :primary_backup (primary_backup)
         :load_sharing (load_sharing)
         :client_decide (client_decide)
      )
      :default (client_decide)
   )

C)

:ips_of_gws_in_mep (
   :gateway (
      :default (client_decide)

 

I have checked the proxy settings for each TTM file and see my primary site gateway is configured: -

:do_proxy_replacement (
   :gateway (
      :default (false)

However my backup site gateway is configured: -

:do_proxy_replacement (
   :gateway (
      :default (client_decide)

 

Q- From the MEP config above am I correct in assuming the client is deciding upon which gateway to connect to?

Q - From the proxy config above am I correct to assume once clients connect to the backup site gateway, proxy settings are being overwritten/changed?

Q - Can someone confirm is there further config I require to create a primary/backup VPN solution where clients will connect only to the primary site as long as it is available, with the backup site available to make connections should primary fail?

 

Any help greatly appreciated!

0 Kudos
3 Replies
PhoneBoy
Admin

Client decide means exactly what it says: the client decides.
Yes, when you connect to the backup gateway with a different configuration, that configuration will apply.
Not sure you can “force” a configuration where the client can connect to the backup only when the primary is not available.

0 Kudos
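Added example, not part of the thread and not Check Point tooling: a small Python check that reads the `:default` of each parameter from TTM-style excerpts like those quoted above and reports parameters that differ between gateways or are left at `client_decide`. The gateway labels, function names and the balanced sample text are assumptions built from the values in the post; only the syntax visible in those excerpts is handled.

```python
import re

TOKEN = re.compile(r"\(|\)|[^\s()]+")

def ttm_defaults(text):
    """Map each ':param ( :gateway ( ... :default (value) ) )' entry to its default."""
    stack, pending, out = [], None, {}
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append(pending)          # name that opened this group
        elif tok == ")":
            if stack:                      # tolerate stray closers in pasted excerpts
                stack.pop()
        elif not tok.startswith(":"):      # bare value, e.g. the "false" in (false)
            if len(stack) == 3 and stack[1:] == ["gateway", "default"]:
                out[stack[0]] = tok
        pending = tok[1:] if tok.startswith(":") else None
    return out

def audit(ttm_by_gateway):
    """Return {param: {gateway: default}} for params that differ or are client_decide."""
    parsed = {gw: ttm_defaults(t) for gw, t in ttm_by_gateway.items()}
    params = sorted(set().union(*parsed.values()))
    findings = {}
    for p in params:
        values = {gw: d.get(p, "<absent>") for gw, d in parsed.items()}
        distinct = set(values.values())
        if len(distinct) > 1 or distinct == {"client_decide"}:
            findings[p] = values
    return findings

# Constructed excerpts: values are the ones quoted in the post, parentheses balanced by hand.
COMMON = """
:automatic_mep_topology ( :gateway ( :map ( :false (false) :true (true)
    :client_decide (client_decide) ) :default (true) ) )
:mep_mode ( :gateway ( :default (client_decide) ) )
"""
PRIMARY = COMMON + ":do_proxy_replacement ( :gateway ( :default (false) ) )"
BACKUP = COMMON + ":do_proxy_replacement ( :gateway ( :default (client_decide) ) )"

if __name__ == "__main__":
    for param, values in audit({"primary": PRIMARY, "backup": BACKUP}).items():
        print(param, values)
```

Running the same comparison across all four gateways' files before and after a topology change shows whether a client landing on a different gateway would receive different settings.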
heavysoul
Participant

Many thanks - can I also please query the MEP settings in dbedit?

I currently have MEP disabled - does this completely turn off MEP?

What is the effect on the VPN clients - should they now only connect to the gateway configured on the client 'site'?

heavysoul_0-1610627362568.png

Thanks

0 Kudos
PhoneBoy
Admin

Offhand, I don't know how to query that in dbedit, but assume it is (assuming it's a gateway parameter).
I believe it disables MEP, yes, and next time your clients connect, they should only connect to the primary site. 
If the secondary site is still configured for Remote Access, they may be able to manually add that as a site and connect.

0 Kudos
