bulat
Participant

Routing table when connected to SNX in Network Mode Only

We are trying to switch to Unified Access Policy.
When connecting to SNX in Network Mode Only, third-party users lose their local network.
A lot of routes are prescribed on the PC. 
There are no routing problems when working with Legacy Policy, but when switching to UAP, there is a route to two subnets with the gateway specified from the IP Pool of Issued Addresses.
Can you tell me why these routes are created? Maybe we missed something when configuring Unified Access Policy?


0 Kudos
7 Replies
PhoneBoy
Admin

Are the networks in question included in the encryption domain?

0 Kudos
bulat
Participant

No. Clients are connected via Mobile Access to SNX.
And once connected, they lose their local network.

0 Kudos
PhoneBoy
Admin

Are you saying no because:

  • The networks aren't in the encryption domain (you've checked and confirmed this)
  • You believe the encryption domain doesn't apply because you're using MAB and SNX

Whether it's one of the regular Remote Access clients or SNX in Network Mode, the routes received by the client will match what is configured in the Remote Access Encryption Domain.
This may not be the case in legacy mode, but in Unified Access Policy mode, this is definitely the case.


0 Kudos
bulat
Participant

That is, in order to ensure that users do not lose their local network, the network must be added to the remote access encryption domain in the gateway settings?

0 Kudos
PhoneBoy
Admin

The routes injected to the remote access clients should match the Remote Access Encryption Domain settings.
It therefore must be removed, not added.

0 Kudos
bulat
Participant

In the encryption domain we have the internal subnets 192.168.0.0 and 172.16.0.0.
If we select "All IP Addresses behind Cluster Members based on Topology information" these subnets will also be in the encryption domain.
Do you mean use the encryption domain without any subnets?
Or should we add the subnets to the exception in "Set Specific VPN Domain for Gateway Communities", just like in sk167000?

0 Kudos
PhoneBoy
Admin

You need to modify the encryption domain so the subnets you don't want to inject to your remote clients are not included in the definition.
The approach mentioned in sk167000 should work for this case, though you don't necessarily need to use "any" here.

0 Kudos
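The advice in this thread is that the routes a client receives in Unified Access Policy mode mirror the Remote Access Encryption Domain, so any local subnet overlapping that domain is pulled into the tunnel. Before editing the VPN domain on the gateway, it can help to preview which client-side routes a given domain would shadow and what the domain looks like once a subnet is carved out. The script below does that with Python's standard `ipaddress` module. It is an added example written for this page, not Check Point code and not anything posted in the thread; the /16 and /12 masks on 192.168.0.0 and 172.16.0.0 and the client's local routes are constructed sample values, since the thread gives only the network addresses.

```python
"""Preview which local client routes an encryption domain would shadow,
and what the domain looks like after excluding a subnet.

Added example; not Check Point code. Sample networks are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed samples: masks for the thread's 192.168.0.0 / 172.16.0.0 are assumptions.
SAMPLE_ENCRYPTION_DOMAIN = ["192.168.0.0/16", "172.16.0.0/12"]
# Constructed client-side routes: a home LAN, a partner-site subnet, a corporate block.
SAMPLE_LOCAL_ROUTES = ["192.168.1.0/24", "172.16.5.0/24", "10.0.0.0/8"]


def _parse(nets: Iterable[str]):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def _sort_key(net):
    return (net.version, int(net.network_address), net.prefixlen)


def shadowed_local_routes(encryption_domain: Iterable[str],
                          local_routes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local_route, domain_network) pairs where an injected route for the
    encryption domain overlaps a route the client already has locally.
    Any pair listed here means the client would lose that local network."""
    domain = _parse(encryption_domain)
    hits = []
    for local in _parse(local_routes):
        for dom in domain:
            if local.version == dom.version and local.overlaps(dom):
                hits.append((str(local), str(dom)))
    return hits


def trim_domain(encryption_domain: Iterable[str],
                exclusions: Iterable[str]) -> List[str]:
    """Carve the excluded subnets out of the encryption domain and return the
    resulting list of CIDR blocks, sorted. This mirrors what you would end up
    with after removing those subnets from the gateway's VPN domain definition;
    the actual change still has to be made on the gateway."""
    remaining = _parse(encryption_domain)
    for excl in _parse(exclusions):
        next_round = []
        for dom in remaining:
            if dom.version != excl.version or not dom.overlaps(excl):
                next_round.append(dom)          # untouched by this exclusion
            elif dom.subnet_of(excl):
                continue                        # whole block is excluded
            else:
                # Overlapping CIDR blocks are always nested, so excl is inside dom.
                next_round.extend(dom.address_exclude(excl))
        remaining = next_round
    return [str(n) for n in sorted(remaining, key=_sort_key)]


if __name__ == "__main__":
    for local, dom in shadowed_local_routes(SAMPLE_ENCRYPTION_DOMAIN, SAMPLE_LOCAL_ROUTES):
        print(f"local route {local} would be shadowed by injected route {dom}")
    print("domain after excluding 192.168.1.0/24:")
    for net in trim_domain(SAMPLE_ENCRYPTION_DOMAIN, ["192.168.1.0/24"]):
        print("  ", net)
```

Run it with a copy of your real encryption domain and the output of `route print` (or `ip route`) from an affected client to see exactly which local networks will be lost, then apply the exclusion on the gateway along the lines of sk167000 and rerun to confirm the overlap list is empty.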