VSX/ VS - Remote VPN clients connecting to 'other' VS in cluster

Discussion created by Paul Joslin on Jun 25, 2018
Latest reply on Nov 27, 2018 by Maarten Sjouw

remote access vpn

vsx cluster

virtual systems




We have an issue with our Checkpoint remote VPN VSX environment, R77.30.


VPN1-CTR VSX Cluster ‘VPN concentrator’ 

Member =1= VPN1

Member =2= VPN2




Mysteriously, we have Checkpoint VPN Endpoint Security* clients E80.64 (both Windows & Mac) configured by IP address to connect remote VPN to the VS VPN1-REMOTE-TELEWORKER x.x.x.1 but are intermittently connecting instead to the VS VPN1-REMOTE-ADMIN x.x.x.2. VPN1-REMOTE-ADMIN is configured with a different head-end IP address & sits separately on the other VSX member. This happens only some of the time, but I can’t work out what is the trigger for this. I suspect an underlying problem with the system, but this is not desirable behaviour. I have been able to replicate this with the Endpoint Security Client, but I just haven’t been able to connect the dots…


In the clients this happens with, when looking at the client connection settings it seems to change the VPN server IP address from x.x.x.1 to x.x.x.2.  The only way to fix this & get the client reconnecting to VPN1-REMOTE-TELEWORKER, is to delete the connection in the client & recreate it.  Sometimes it just fixes itself after repeated connection attempts.


I’ve double checked the NAT & routing between our external ASA firewall & the Checkpoint VSX VPN Concentrator, but I can see no NAT translation, or routing issues.  I suspect if there was, I would see this behaviour happening all of the time, & not intermittently as is the case.


To me there might be some internal communication going on between the Endpoint Security client & TELEWORKER & ADMIN VPN VS’s & therefore VPN setup traffic between Client & VPN head-end & the connection is being redirected sometimes?  Unfortunately we don’t have enough users to see this issue going the other way i.e. configured to connect to VPN1-REMOTE-ADMIN, but connecting to VPN1-REMOTE-TELEWORKER instead.  


When I enabled logging on my Endpoint Security VPN client I saw something in the helpdesk.log about MEP resolving to x.x.x.2. Something to do with Multiple Entry Point VPNs? The trac.log file spoke of [CONFIG_MANAGER gw_ipaddr return value x.x.x.2 because it is the Gateway config variable. On the Checkpoint SMS, I’ve looked through the ALL_Remote_Users community but I don’t see anything about MEP. I looked on the VPN VS’s VPN1-REMOTE-ADMIN & VPN1-REMOTE-TELEWORKER, but I didn’t see anything about MEP. I looked in Global Properties, & under Remote Access > VPN Advanced I see an option under Office Mode for Load Distribution > “Enable load distribution for Multiple Entry Points configurations (Remote Access Connections)”, but this is un-ticked anyway. I think perhaps this is a configuration option somewhere that needs to be disabled?


The long & the short is, we don’t want this behaviour to occur.  The rulebase on VPN1-REMOTE-TELEWORKER & VPN1-REMOTE-ADMIN is different, & meant for different user-purposes.  I’ve attached network diagrams of our VPN setup & some logs from the Endpoint Security client.

Some help would really be appreciated.  TIA.


* Endpoint Security Clients, but no endpoint security enabled