Rafee
Participant

VPN Design Recommendation - Two Datacenters

Hi All,

We have two datacenters, with a Check Point VPN cluster (Active/Standby) at each site. Users have two IPs configured in their client, and it is their choice which DC they connect to. However, we sometimes face a load issue, as most of the users connect to a single DC.

We have tried to create a single GSLB DNS name and pointed it to the IPs of both sites; however, the VPN client caches the IP when it connects for the first time and always connects to the same DC/IP afterwards.

Question: How do we make this solution work so that clients do not cache the IP and perform a DNS resolution every time they connect?

0 Kudos
9 Replies
Chris_Atkinson
Employee

With reference to sk75221 are you using MEP currently and which mode?

CCSM R77/R80/ELITE
0 Kudos
Rafee
Participant

It is the default, please see below:

:mep_mode (
        :gateway (
                :map (
                        :dns_based (dns_based)
                        :first_to_respond (first_to_respond)
                        :primary_backup (primary_backup)
                        :load_sharing (load_sharing)
                        :client_decide (client_decide)
                )
                :default (dns_based)
        )
)

0 Kudos
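The snippet above is written in the nested `:key (value)` notation Check Point clients use for their settings files. To read the MEP mode out of such a file in an auditable way (for example, to confirm across a fleet of laptops which mode the client will actually fall back to), here is a small parser for that notation. It is an added example, not Check Point's own code or anything from this thread; it assumes the file nests exactly as the snippet shows, uses only the keys that appear in the thread, and the `SAMPLE` text is constructed from the snippet with its two missing closing parentheses restored.

```python
"""Parse the ':key (value)' configuration notation used by Check Point
clients (the format of the mep_mode snippet in this thread) and read
the MEP settings out of it.  Added example; not Check Point's code."""
import re

# Constructed sample: the snippet from the thread with its two missing
# closing parentheses restored.  Assumption: the real file nests exactly
# like this; only the keys shown in the thread are used here.
SAMPLE = """
:mep_mode (
  :gateway (
    :map (
      :dns_based (dns_based)
      :first_to_respond (first_to_respond)
      :primary_backup (primary_backup)
      :load_sharing (load_sharing)
      :client_decide (client_decide)
    )
    :default (dns_based)
  )
)
"""

# Tokens: ':name', '(', ')' and bare scalar words (names, IPs, numbers).
_TOKEN = re.compile(r":[A-Za-z0-9_.\-]+|\(|\)|[^\s():]+")


def tokenize(text):
    return _TOKEN.findall(text)


def parse(text):
    """Return the config as nested dicts; scalar leaves become strings.
    Raises ValueError on an unbalanced or malformed fragment."""
    tokens = tokenize(text)
    pos = 0

    def section():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos].startswith(":"):
            key = tokens[pos][1:]
            pos += 1
            if pos >= len(tokens) or tokens[pos] != "(":
                raise ValueError(f"expected '(' after :{key}")
            pos += 1
            if pos < len(tokens) and tokens[pos].startswith(":"):
                value = section()          # nested block
            elif pos < len(tokens) and tokens[pos] not in ("(", ")"):
                value = tokens[pos]        # scalar leaf
                pos += 1
            else:
                value = None               # empty block "()"
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"missing ')' closing :{key}")
            pos += 1
            node[key] = value              # a later duplicate key overrides an earlier one
        return node

    tree = section()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r} at top level")
    return tree


def is_well_formed(text):
    """True if every block is closed; the snippet as posted in the thread is not."""
    try:
        parse(text)
        return True
    except ValueError:
        return False


def mep_default(text):
    """The MEP mode the client falls back to when nothing else selects one."""
    return parse(text)["mep_mode"]["gateway"]["default"]


def mep_modes_available(text):
    """Modes the client knows how to select, sorted."""
    return sorted(parse(text)["mep_mode"]["gateway"]["map"])


if __name__ == "__main__":
    print("default MEP mode:", mep_default(SAMPLE))
    print("available modes :", mep_modes_available(SAMPLE))
    # Drop the last two ')' to reproduce the unclosed snippet as it was pasted.
    print("unclosed snippet well-formed?", is_well_formed(SAMPLE.rsplit(")", 2)[0]))
```

The parser is strict on purpose: an unbalanced block raises instead of returning a partial tree, so a truncated or hand-edited file is caught before anyone reads a wrong mode out of it.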
Chris_Atkinson
Employee

Also which client version is used?

Circa E81.10 we improved the first_to_respond logic to improve distribution.

CCSM R77/R80/ELITE
0 Kudos
Rafee
Participant

Version VPN E84.60 Build 986102607

0 Kudos
RS_Daniel
Advisor

Hello,

You have to follow sk103440 to perform DNS resolution every time they connect.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Regards

Rafee
Participant

Thank you very much; I will keep you posted.

One last question: how do we add a new site on remote users' laptops? It is very difficult to ask them to add it manually, and most of them do not have admin rights on the system.

0 Kudos
Rafee
Participant

Found the steps (attachment) for adding a site for remote users.

0 Kudos
Rafee
Participant

I have made the suggested changes and it is performing the DNS resolution. However, every time I disconnect and reconnect the VPN client it throws the error "Login Option not configured". Attached snippet.

0 Kudos
Duane_Toler
Advisor

Login Options are configured per gateway.

Edit the gateway properties, expand VPN Clients on the left, and select Authentication.

You have two choices: allow all clients to connect with the one default option, or use multiple login options with customized settings (local firewall users, AD login, MFA, combinations...). These must be identical on all gateways to prevent that error. The Multiple Login Options method is much nicer and preferable, but the user will have to select the correct one at the time of site creation (unless you are able to push out a new trac.config to your clients). You can have different groups of users using different Login Option methods, if you wish.


0 Kudos