I configured Safe@office 500 7.5.55 with load balancing. WAN and WAN2 connect to separate ADSL modem. Both ADSL modems are running NAT and have safe@office as DMZ.

I have 2 problems with this config.

1. SecuRemote cannot connect to Safe@office via WAN2 connection. It does not even want to create a site. I tried 'set device behindnat' command with public ip address of adsl router that is connected to WAN2 and didn't work. WAN works fine. I need to get WAN2 connection for VPN as well as WAN for redundancy.

2. HTTPS management protocol is set to ANY but it only works on the first IP address I try after enabling load balancing. If I diable and enable load balancing then try https connection, it works on either ip address I try first then the other ip address won't work. I guess it has something to do with stickiness. If that's the case, how do I diable stickness, and how long do I have to wait until stickness disappear after disconnecting the connection?

Thanks in advance.

Just found that stickiness is set to 1 hour by default. Going through NGX CLI guide showed me how to change the time value.
"set loadbalancing stickiness xxxx" where xxxx are time in seconds.
However this did not fix the problem.

This message has been edited. Last edited by: isaac,

Problem solved. The description below is for those who may have same/similar problems.

1. WAN-2 will only accept vpn when WAN fails. - This is actually exactly opposite of what sofaware helpdesk told me when I first approached them. They suggested replacing ADSL modem connected to WAN-2! Later response from sofaware was what I just mentioned at the beginning.

2. In load-balancing mode, https connection to the safe@office from outside will work on the first WAN port used after load-balancing is activated. If you wish to change the port to the other, load-balancing must be disabled and then enabled. Again the first response from sofaware was something else. (they told me it should work on either connection without having to disable and re-enable LB). Later response was "that's how it's supposed to be".

Isaac thanks for sharing. I've never had much luck with load balancing. it *does* work well when doing http downloads. To be fair, to do VPN or other protocols you either want an Mcast cluster or a VRRP cluster. Even on the Nokia based IP200 and higher boxes the Checkpoint software doesn't do either VRRP or Clustering well, but they do work when handing it off to the IPSO (the Nokia OS) which can handle it quite nicely.

I configured Safe@office 500 7.5.55 for my office with load balancing. I have WAN connected to ADSL router whit PPoA and 1 public IP, WAN2 connected via ethernet to hyperlan wireless connection with 1 public IP.

From lan to internet all seems to go well.

If I try to ping my firewall from my home I can do it only on WAN IP but not on WAN2. I log all ICMP packets and I see that packets pass on WAN and also on WAN2.

Some ideas???

Thanks

Hello Pixra,

activate the packets sniffing onthe safe@ to check that ICMP reply used the same link than the request.

You can also snif on your home PC to check if you receive an answer that is rejected.