2 Replies Latest reply on Apr 16, 2020 10:04 AM by Steve Gibbs

    Coronavirus - DMZ Relay - VPN - Strange behaviour in relay selection mechanism

    Alexis Vilvert

      Hi everyone,

      In our environment, we actually have more than 300 VPN connections. These 300 computers should bind to their usual relay thanks to the list mechanism used in our rollouts and because of the VPN.

      My problem: these computers bind to our DMZ relay.

      Log analysis, client side: the subnet list query provides no result -> use backup relay (DMZ relay):

      2020/03/25 14:03:09 Relay I [123145453363200] Entering subnet list mechanism
      2020/03/25 14:03:09 AgentActionDB I [123145453899776] Action IdentityGetGUID returned 0
      2020/03/25 14:03:09 AgentActionDB I [123145453363200] Invoke local action AgentGetTcpIp
      2020/03/25 14:03:09 AgentActionDB I [123145453363200] Action AgentGetTcpIp returned 0
      2020/03/25 14:03:09 AgentActionDB I [123145453363200] Invoke local action AgentGetTcpIp
      2020/03/25 14:03:09 AgentActionDB I [123145453363200] Action AgentGetTcpIp returned 0
      2020/03/25 14:03:09 AgentActionDB I [123145453363200] Invoke action RelayQuerySubnetList on remote host '161.3.155.40:1610' for user 'BMC Client Management Agent', (tunnel '')
      2020/03/25 14:03:09 Relay W [123145453363200] Subnet List query returned no result (161.3.155.40:1610)

      Log analysis, master side:

      I can see the connection to the relay list hosted on one of our servers, coming from an IP address in our VPN range (161.3.12.152):

      2020/03/25 14:03:08 Server I [140453773477632] Processing connection TCP (local: 161.3.155.40:1610, peer: 161.3.12.152:58368)
      2020/03/25 14:03:08 Server I [140453773477632] Connection is secured
      2020/03/25 14:03:09 Server I [140453773477632] Precision Access Control is requested
      2020/03/25 14:03:09 AgentActionDB I [140453773477632] Invoke local action HostAccessCheckAddress
      2020/03/25 14:03:09 HostAccess I [140453773477632] Table contains only one entry with * and 1
      2020/03/25 14:03:09 AgentActionDB I [140453773477632] Action HostAccessCheckAddress returned 0
      2020/03/25 14:03:09 Server D [140453773477632] started on socket ENCRYPTED TCP (local: 161.3.155.40:1610, peer: 161.3.12.152:58368)
      2020/03/25 14:03:09 HttpProtocolHandler D [140453773477632] Communicating with a peer Agent
      2020/03/25 14:03:09 AgentActionDB I [140453773477632] Invoke local action RelayQuerySubnetList
      2020/03/25 14:03:09 Relay I [140453773477632] Number of IP addresses: 1

      But the IP address used for comparison with the list is the private IP address of the client (192.168.1.23) instead of the address used by the VPN connection (161.3.12.152):

      2020/03/25 14:03:09 Relay I [140453773477632] Processing IP address: 192.168.1.23 with Network Mask: 192.168.1.0
      2020/03/25 14:03:09 Relay I [140453773477632] Query relay candidates for IP Address: 192.168.1.23 and Network Mask: 192.168.1.0
      2020/03/25 14:03:09 Relay I [140453773477632] Subnet XML file found. Running in legacy mode...
      2020/03/25 14:03:09 Relay I [140453773477632] No candidate found...

      Thus, by design, the selected relay will be the backup relay -> our client finally used our DMZ relay.

      There's something I don't understand in the mechanism. I thought the VPN address would be used instead of the private address.


      gérald
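      The symptom in the post is visible in the master-side log alone: the connection came from one address (the VPN address) but the subnet-list query was evaluated against another (the client's private LAN address). The following script is an added example, not BMC Client Management's own code; it correlates the quoted log lines by server thread id and reports the mismatch. The log lines embedded in it are the ones from the post, and the VPN pool 161.3.0.0/16 is an assumption used only to flag which side of the mismatch is the VPN side.

```python
"""Spot the relay-selection symptom from the post in BMC Client Management
master-side logs: the peer connected from one address but the subnet-list
query was evaluated against another. Added example, not BMC's own code.
The log lines are those quoted in the post; VPN_POOL is an assumption."""
import ipaddress
import re
from typing import Dict, Iterable, List

VPN_POOL = ipaddress.ip_network("161.3.0.0/16")  # assumed VPN address pool

# "Processing connection TCP (local: a:p, peer: b:q)" -> peer address
PEER_RE = re.compile(
    r"^\S+ \S+ Server I \[(?P<tid>\d+)\] Processing connection TCP "
    r"\(local: [\d.]+:\d+, peer: (?P<peer>[\d.]+):\d+\)$"
)
# "Processing IP address: x with Network Mask: y" -> address the list was queried with
EVAL_RE = re.compile(
    r"^\S+ \S+ Relay I \[(?P<tid>\d+)\] Processing IP address: (?P<ip>[\d.]+) "
    r"with Network Mask: (?P<mask>[\d.]+)$"
)
NOCAND_RE = re.compile(r"^\S+ \S+ Relay I \[(?P<tid>\d+)\] No candidate found")

# Master-side lines quoted in the post (thread 140453773477632).
SAMPLE_LOG = """
2020/03/25 14:03:08 Server I [140453773477632] Processing connection TCP (local: 161.3.155.40:1610, peer: 161.3.12.152:58368)
2020/03/25 14:03:09 AgentActionDB I [140453773477632] Invoke local action RelayQuerySubnetList
2020/03/25 14:03:09 Relay I [140453773477632] Number of IP addresses: 1
2020/03/25 14:03:09 Relay I [140453773477632] Processing IP address: 192.168.1.23 with Network Mask: 192.168.1.0
2020/03/25 14:03:09 Relay I [140453773477632] Query relay candidates for IP Address: 192.168.1.23 and Network Mask: 192.168.1.0
2020/03/25 14:03:09 Relay I [140453773477632] Subnet XML file found. Running in legacy mode...
2020/03/25 14:03:09 Relay I [140453773477632] No candidate found...
"""


def analyse(lines: Iterable[str]) -> List[Dict]:
    """Correlate by server thread id; one finding per thread that both
    accepted a connection and ran a subnet-list query."""
    threads: Dict[str, Dict] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := PEER_RE.match(line):
            threads.setdefault(m["tid"], {})["peer"] = m["peer"]
        elif m := EVAL_RE.match(line):
            threads.setdefault(m["tid"], {})["evaluated"] = m["ip"]
        elif m := NOCAND_RE.match(line):
            threads.setdefault(m["tid"], {})["no_candidate"] = True

    findings = []
    for tid, info in threads.items():
        if "peer" not in info or "evaluated" not in info:
            continue
        peer = ipaddress.ip_address(info["peer"])
        evaluated = ipaddress.ip_address(info["evaluated"])
        findings.append({
            "thread": tid,
            "peer": str(peer),
            "evaluated": str(evaluated),
            "mismatch": peer != evaluated,          # the symptom from the post
            "peer_in_vpn_pool": peer in VPN_POOL,   # VPN side of the mismatch
            "evaluated_is_private": evaluated.is_private,  # LAN side
            "no_candidate": info.get("no_candidate", False),  # fell to backup
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

      Run against a full master log, a finding with mismatch set and no_candidate set is exactly the case described above: the list server compares the agent-reported address, not the address it saw the connection arrive from, so the VPN range entries in the relay list never match.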

        • 1. Re: Coronavirus - DMZ Relay - VPN - Strange behaviour in relay selection mechanism
          Philipp Ernicke

          Hello Alexis,

          The IP address is used as the parent device perceives the device. Your client registers with the "wrong" IP, so your relay list does not work.
          You could use a detour. You could query the IP address of the VPN network adapter, group the devices into different device groups depending on the subnet, and assign an operating rule to each device group that changes the agent communication as you would like it to be. Every device should have some backup relay in agent communication that every device can reach, like your DMZ relay. In case something goes wrong, you can still get the devices this way.

          Otherwise you could check the priorities of the network adapters in Windows; maybe that's enough.

          Good luck,

          Philipp

          • 2. Re: Coronavirus - DMZ Relay - VPN - Strange behaviour in relay selection mechanism
            Steve Gibbs

            Sorry for jumping in on this but I have a question Alexis Vilvert,

            Why would you want a client coming in over VPN to bind to the normal site relay unless you have a fairly flat network? Typically they would connect to the CLOSEST relay to the VPN's termination site. So if you have two VPN termination locations, one in USA and one in Europe, you would set up a Relay List using the assigned IP range from each VPN's allocated IP addresses.

            USA=10.9.0.0/16 (if USA VPN uses its own class B)
            Europe=10.19.0.0/16 (if Europe uses its own class B)

            If split tunneling is allowed then the client may not jump off the DMZ relay as soon as the VPN is established. It must wait for reselection to occur.

            You will also need to establish a proper check in your Relay.ini file. The default configuration does not check to see if a "better" relay is available. If connected to a relay then it is happy staying connected. There is a value for Reselection which is set to "0". This should be set to some value to force the agent to retry the parent selection to see if a closer relay is now available.
            Caution: do not set reselection too frequently, especially if DHCP is not used. Too many devices asking the Relay List Server for requests.


            Typically:

            DHCP (BEST because client does not need to leave subnet to get assigned relay)

            Relay List (For static IPs or networks where DHCP scopes are not easily configured and VPN)

            Static (Failover Relay or use Backup, single entry)

            Backup (Use for Failover Relay and DMZ Relay, multiple entries)

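            The relay-list-by-VPN-range design and the reselection behaviour in the reply above can be modelled in a few lines. The script below is an added example, not BMC Client Management's own code: the two /16 entries are the ones from the reply, the relay host names, the DMZ backup name, the address timeline and the reading of the Relay.ini Reselection value as "seconds between re-evaluations, 0 = never" are all assumptions. It shows a longest-prefix match over the list with fall-through to the backup relay, and replays a split-tunnel client that first checks in from its LAN address and later shows the VPN address.

```python
"""Relay-list selection by VPN address range plus a reselection replay,
modelling Steve Gibbs's reply. Added example, not BMC's own code; entries,
host names and the Reselection interpretation are assumptions."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed relay list: one entry per VPN termination site, keyed on the
# address pool that site hands out to VPN clients (the reply's two /16s).
RELAY_LIST: List[Tuple[str, str]] = [
    ("10.9.0.0/16", "relay-usa.example"),   # hypothetical USA relay
    ("10.19.0.0/16", "relay-eu.example"),   # hypothetical Europe relay
]
BACKUP_RELAY = "dmz-relay.example"          # hypothetical DMZ / failover relay


def select_relay(client_ip: str,
                 relay_list: List[Tuple[str, str]] = RELAY_LIST,
                 backup: str = BACKUP_RELAY) -> Tuple[str, str]:
    """Return (relay, mechanism). Longest matching prefix wins; an address
    that matches no entry falls through to the backup relay, which is what
    happened to 192.168.1.23 in the original post."""
    ip = ipaddress.ip_address(client_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, relay in relay_list:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, relay)
    if best is None:
        return backup, "backup"
    return best[1], "relay-list"


def should_reselect(reselection_seconds: int, seconds_since_last: int) -> bool:
    """Assumed semantics of Relay.ini Reselection: 0 (the default, per the
    reply) means the agent never re-runs parent selection once bound."""
    if reselection_seconds <= 0:
        return False
    return seconds_since_last >= reselection_seconds


def walk(timeline: List[Tuple[int, str]], reselection_seconds: int) -> List[Tuple[int, str, str]]:
    """Replay (seconds, address) observations for one client and return the
    relay it is bound to at each point. Selection runs at first check-in and
    thereafter only when the reselection interval has elapsed."""
    bound: Optional[str] = None
    last_eval = 0
    history = []
    for t, ip in timeline:
        if bound is None or should_reselect(reselection_seconds, t - last_eval):
            bound, _ = select_relay(ip)
            last_eval = t
        history.append((t, ip, bound))
    return history


# Constructed split-tunnel scenario: LAN address at first check-in, VPN
# address from the USA pool once the tunnel is up.
SCENARIO = [(0, "192.168.1.23"), (60, "10.9.4.20"), (600, "10.9.4.20")]

if __name__ == "__main__":
    print("Reselection=0  :", walk(SCENARIO, 0))
    print("Reselection=300:", walk(SCENARIO, 300))
```

            With Reselection left at 0 the client stays on the DMZ relay for the whole timeline even though its VPN address would match the USA entry; with a 300 second interval it moves to the site relay at the first evaluation after the tunnel is up. The interval is a trade-off against load on the Relay List Server, as the reply warns.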