MartinTzvetanov
Collaborator
RA to a topology with 2xCP clusters in the same VPN domain

Hello,

I have the following situation. The customer has 2 data centers with a pair of gateways in each, forming 2 clusters (R80.30 JHF 237, one is kernel 2.16, the other 3.10), managed by the same CP management (also R80.30, but not sure of the HF). Both clusters face the Internet via different ISPs, have different VPN pools and receive the same security policy.


The customer's requirement is for their workers to use cluster1 as their RA cluster and cluster2 to be used as the Mobile Access portal for their end clients' access. Of course, when one of the clusters fails, all will use the healthy one, and the infrastructure in both DCs must be accessible.

Right now we are testing the following: the VPN client connects to cluster2, and in Smart Monitor we see it connected to cluster2's IP with an IP received from cluster2's pool, but under Gateway it shows cluster1. Using `vpn tu` in the CLI we see the customer's IP (from cluster2's pool) on both clusters. When we send test traffic we see it entering at cluster1 (regardless of the client being connected to cluster2), reaching the destination device, but trying to exit via cluster2, and of course it is dropped because of the asymmetric route.

In the infrastructure there is no dynamic routing. Right now static routes are configured for cluster1's and cluster2's pools, pointing to the respective device.

Can't find any documentation explaining why the VPN connects to cluster2 but the traffic arrives at cluster1. MEP and Secondary Connect are not configured.

Is this expected behavior? Should we split the common policy in two, one for each cluster? We are aware that if we change the static route in the internal infrastructure to point to only one of the clusters everything will work, but that is not the goal here.

Thanks in advance.

the_rock
Legend

Is it possible the backup gateway option is enabled in Global Properties under VPN Advanced?

Ruan_Kotze
Advisor

Hey Martin,

The behavior sounds like Secondary Connect. Just want to clarify: you said MEP and SC are not configured. Do you mean you left everything on defaults, or did you specifically disable them? There are a couple of steps to take if you want it disabled (edit `$FWDIR/conf/trac_client_1.ttm` and set the `:default` value of `enable_secondary_connect` to `false`).

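The file Ruan points at is the first thing to check before concluding that Secondary Connect is off. The following is an added shell example, not from this thread or from Check Point: it reads the `:default` value under `enable_secondary_connect` from a ttm-style file. The fragment embedded below is constructed here, its set-style layout is an assumption about the real file, and the function names (`sc_default_value`, `sc_disabled`) are my own.

```shell
#!/bin/sh
# Added example, not Check Point code: report the :default value of
# enable_secondary_connect in a trac_client_1.ttm-style file. The fragment
# below is constructed and its layout is an assumption about the real file;
# on a gateway you would pass $FWDIR/conf/trac_client_1.ttm instead.
SAMPLE_TTM=':enable_secondary_connect (
    :gateway (
        :map (
            :true (true)
            :false (false)
            :client_decide (client_decide)
        )
        :default (true)
    )
)
:other_setting (
    :gateway (
        :default (false)
    )
)'

# Print the :default value found inside the :enable_secondary_connect block
# only, tracking parentheses so a :default in a neighbouring block is ignored.
# Usage: sc_default_value FILE
sc_default_value() {
    awk '
        /^:enable_secondary_connect[[:space:]]*\(/ { inblk = 1; depth = 0 }
        inblk {
            line = $0
            depth += gsub(/\(/, "(", line)
            depth -= gsub(/\)/, ")", line)
            if ($1 == ":default") { v = $2; gsub(/[()]/, "", v); print v; exit }
            if (depth <= 0) inblk = 0
        }
    ' "$1"
}

# Exit status 0 when Secondary Connect is disabled at the :default level.
sc_disabled() {
    [ "$(sc_default_value "$1")" = "false" ]
}

# Write the constructed fragment to a temp file and report what it says.
TTM=$(mktemp)
printf '%s\n' "$SAMPLE_TTM" > "$TTM"
printf 'enable_secondary_connect :default = %s\n' "$(sc_default_value "$TTM")"
sc_disabled "$TTM" && echo "Secondary Connect disabled" || echo "Secondary Connect enabled"
rm -f "$TTM"
```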
MartinTzvetanov
Collaborator

Everything is at defaults; nothing was explicitly disabled by editing this file.

MartinTzvetanov
Collaborator

Following this SK https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I got the first symptom.

Following the SK, the problem is solved.
