VPN access issue via a dual ISP connected FW

Question

Hi All,Hoping someone can point me in the right direction as I cannot seem to get the following setup working:Equipment: 60DSoftware: 5.6.0Internet: Dual WAN Connectivity to 2 x different ISP's Network SetupThe FW itself currently has two Trusted networks connected locally:[ul]192.168.1.0/24 ---Home Network  (Net A)10.0.0.0/24 --- Security Lab containing a few servers  (Net B)[/ul]I also have a small network range defined for Remote Access Users (10.10.254.0/28) who I would like to remotely access the Security Lab (Net B) via an IPSEC VPN.[ul]ISP A is connected to WAN1 --- Used as the main internet connection for (Net A)ISP B is connected to  WAN2 -- Used as the back up connection for (Net A).[/ul]Both ISP's provide a default route though I have modified the Interface Admin Distance as follows:[ul]ISP A (Distance 1)ISP B (Distance 5)[/ul]I 'do not' want to run these links in a load balancing setup. Problem StatementI would like the remote access users to VPN in to the FW via the secondary ISP connection (ISP B) so they can access the security lab (Net B) over an ISP link which is not really utilized. I have set a specific Policy Route for the security lab (Net B) to utilize and use the secondary ISP connection as follows:Protocol: AnySource Addr: Net BDestination Addr: AnyAction: Forward TrafficOutgoing Interface: WAN2 (ISP B)Gateway Addr: (Next Hop) I can see in the routing table (via the routing monitor)  that a default route is installed for 'ISP A' on the basis I previously configured a better distance so Net A would use this path. All outbound traffic from Net A does appear to correctly ollow the default route via ISP A.All outbound traffic from Net B appears to use the policy route via ISP B (However this route is not shown in the routing monitor) The issue I have is that no users can currently establish an IPSEC VPN via ISP B to the FW.  Running  'diagnose debug application ike -1' appears to show that new IKE sessions arrive via ISP B though all sessions try to return via ISP A. My understanding here is that this is probably the correct behavior as the FW only has a single default route installed back via ISP A. I have previously set both admin distances to the same value and can see both default routes in the routing table, however this caused devices within Net A to use both ISP A & ISP B. I tried to add a separate static route back to the Remote Access User Range directly via NET B though this made no difference. Forum QuestionIs there a way to force all VPN users trying to connect via ISP B to return via the same interface instead of routing via ISP A (which prevents any IPSEC session establishment) ? Apologies if this is long winded though wanted to provide as much info as possible as I am probably overlooking something here. Any help or pointers greatly appreciated ! Cheers Matt

Toshi_Esumi · Accepted Answer

I meant to set static default routes toward both with different priority. I don't think you can change priority on DHCP/PPPoE injected routes.

Toshi_Esumi · Answer

Try the same cost (leave it default) on both and set a lower priority (higher number like 10) on the B side only, which should provide your desirable behaviour.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded