Why don't static routes work for remote access VPNs?

Outbound sessions originate from within the network. When an outbound session reaches the Ecessa appliance, it is either intelligently load-balanced over one of the WAN interfaces or, if it matches the rules of a static route, sent out the specific WAN interface that route names. Inbound sessions, however, originate outside the network and are routed in. When an inbound request arrives on a WAN interface, the appliance binds that session to the interface it arrived on, and all return traffic for the session is sent back out that same interface regardless of static routing rules.

For example, a user connects to a remote access VPN over WAN1. A session is created between the user and the IP address of WAN1. Even if a routing rule exists to send all traffic over WAN2, traffic for that remote access VPN continues to be sent over WAN1, because the user's machine expects its responses to come from WAN1's address and not WAN2's.

Most clients establish a remote access VPN by connecting to a host name rather than an IP address. To ensure these inbound sessions arrive over the preferred WAN interface, the DNS record for that host name must resolve to the IP address of the preferred WAN interface.

In conclusion, static routes are only applied to outbound sessions. Remote access VPNs are, by nature, inbound sessions and therefore are not affected by static routes. DNS can be configured to resolve a hostname to a particular IP address or a preferred order of IP addresses to direct users to connect over certain WAN lines.
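The following is an added illustration, not Ecessa's code, of the behaviour described above: a toy dual-WAN edge with a session table. Outbound flows consult the static-route table, inbound flows are pinned to the interface they arrived on, and the interface an inbound VPN session lands on is decided by which WAN address the client resolved the host name to. All interface names, addresses (RFC 5737 documentation ranges), host names and record contents are constructed for the example.

```python
"""Toy model of outbound vs. inbound session handling on a dual-WAN edge.

Added example, not Ecessa code. Assumes two WAN interfaces, a static-route
table keyed on destination prefix, and a session table that records the
interface each session is bound to.
"""
import ipaddress
from dataclasses import dataclass, field

WAN1 = "WAN1"
WAN2 = "WAN2"

# Constructed sample addressing: the public IP of each WAN interface.
WAN_ADDRESSES = {WAN1: "198.51.100.10", WAN2: "203.0.113.20"}

# Constructed static-route table: "send all outbound traffic over WAN2".
STATIC_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), WAN2)]


@dataclass(frozen=True)
class FlowKey:
    """Identifies one session by the remote peer and the local port."""
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass
class Edge:
    default_wan: str = WAN1                 # where load balancing would land, for simplicity
    sessions: dict = field(default_factory=dict)   # FlowKey -> bound interface

    def static_route_for(self, dst):
        """Longest-prefix match over STATIC_ROUTES; None when nothing matches."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, iface in STATIC_ROUTES:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def outbound(self, key):
        """Session originates inside: a matching static route wins, else load-balance."""
        iface = self.static_route_for(key.remote_ip) or self.default_wan
        self.sessions[key] = iface
        return iface

    def inbound(self, key, arrived_on):
        """Session originates outside: bind it to the ingress interface."""
        self.sessions[key] = arrived_on
        return arrived_on

    def reply(self, key):
        """Return traffic follows the session binding, never the static routes."""
        return self.sessions[key]


def interface_for_address(addr):
    """Map the WAN IP a client connected to back to its interface."""
    for iface, ip in WAN_ADDRESSES.items():
        if ip == addr:
            return iface
    raise ValueError(f"{addr} is not a WAN address")


def resolve(hostname, records):
    """Return the A records for hostname in preferred order (clients try the first)."""
    return records[hostname]


def simulate_vpn_login(edge, records, hostname="vpn.example.test",
                       client_ip="192.0.2.50"):
    """A remote user resolves the VPN host name, connects, and we report the
    interface the edge uses for replies to that session."""
    target = resolve(hostname, records)[0]
    ingress = interface_for_address(target)
    key = FlowKey(remote_ip=client_ip, remote_port=50000, local_port=443)
    edge.inbound(key, ingress)
    return edge.reply(key)


if __name__ == "__main__":
    edge = Edge()
    # Outbound to an outside host: the 0.0.0.0/0 static route sends it via WAN2.
    print("outbound:", edge.outbound(FlowKey("192.0.2.50", 443, 40000)))
    # Inbound VPN whose host name resolves to WAN1: replies leave WAN1 regardless.
    records = {"vpn.example.test": [WAN_ADDRESSES[WAN1], WAN_ADDRESSES[WAN2]]}
    print("vpn replies via:", simulate_vpn_login(edge, records))
    # Pointing the DNS record at WAN2 is what moves the VPN, not a static route.
    records = {"vpn.example.test": [WAN_ADDRESSES[WAN2]]}
    print("vpn replies via:", simulate_vpn_login(Edge(), records))
```

The key point the model makes concrete is that `STATIC_ROUTES` is consulted only in `outbound()`; `reply()` for an inbound session reads the binding created in `inbound()`, so the only lever that changes which WAN a remote access VPN uses is the address the host name resolves to.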
