Outgoing VPN Link Selection on a gateway with multiple external interfaces
Symptoms
  • In a scenario where the Security Gateway has two or more external interfaces that remote peers (Site to Site or Client to Site) can reach, traffic captures on the Security Gateway show that when a peer initiates a tunnel, the tunnel is negotiated (IKE) on the interface the peer connected to, but once the tunnel is established the Security Gateway sends the encapsulated traffic (ESP) via the external interface that corresponds to the most specific route to the peer's IP.
  • For example, a Remote Access client can connect to the Security Gateway and negotiate a tunnel via one interface, but if the Security Gateway has no specific route to the client's IP, it sends the ESP traffic via the default route, which may be on another interface. The client then disconnects within 20 seconds: it cannot decrypt the packets because it does not recognize their source IP, so it sees the site as not responding.
Cause

There is a "reply from the same interface" setting on the Security Gateway object in SmartDashboard > Link Selection > Outgoing Route Selection > Setup > Link Selection - Responding Traffic window.

However, this setting applies only to IKE and RDP sessions.

All other traffic, including IPsec-encrypted (ESP) traffic, is forwarded according to the operating system routing table.
Refer to the section titled "When Responding to a Remotely Initiated Tunnel" in the "Link Selection" chapter of the VPN Administration guides (VPN R77 Versions Administration Guide).
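The following is an added example, not part of the SecureKnowledge article or Check Point's own tooling: it reproduces the longest-prefix-match lookup the operating system applies to ESP packets and flags peers whose ESP reply would leave on a different interface (and therefore with a different source IP) than the one that handled IKE. The interface addresses and routing table are constructed sample values.

```python
"""Check whether a peer's ESP replies leave on the same interface that
handled its IKE negotiation, given the OS routing table the gateway uses."""
import ipaddress

# Constructed sample: a gateway with two external interfaces.
INTERFACES = {
    "eth0": ipaddress.ip_address("198.51.100.10"),  # ISP A, carries the default route
    "eth1": ipaddress.ip_address("203.0.113.10"),   # ISP B
}
# Constructed sample routing table: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("203.0.113.0/24", "eth1"),
    ("192.0.2.0/24", "eth1"),  # specific route to a site-to-site peer
]


def egress_interface(peer_ip, routes=ROUTES):
    """Longest-prefix match, which is what the OS routing table does for ESP."""
    peer = ipaddress.ip_address(peer_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if peer in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_peer(peer_ip, ike_iface, routes=ROUTES, interfaces=INTERFACES):
    """Compare the IKE interface with the interface ESP would actually use.

    'mismatch' is True when the ESP source IP will differ from the address
    the peer negotiated IKE with, which is the symptom described above."""
    esp_iface = egress_interface(peer_ip, routes)
    return {
        "peer": peer_ip,
        "ike_interface": ike_iface,
        "esp_interface": esp_iface,
        "esp_source_ip": str(interfaces[esp_iface]) if esp_iface else None,
        "mismatch": esp_iface != ike_iface,
    }


if __name__ == "__main__":
    # Remote Access client that reached the gateway on eth1 but has no specific route:
    # ESP follows the default route out of eth0 and the client drops the tunnel.
    print(check_peer("100.64.5.20", "eth1"))
    # Site-to-site peer with a specific route via eth1: IKE and ESP agree.
    print(check_peer("192.0.2.1", "eth1"))
```

On a Linux-based gateway the same lookup is what `ip route get <peer-ip>` reports, so comparing that output with the interface seen in the IKE capture gives the same answer without a script.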
