Configuring Implicit First to Respond

When more than one Security Gateway leads to the same (overlapping) VPN domain, they are in a MEP configuration. The first Security Gateway to respond is selected. To configure First to Respond, define the part of the network that is shared by all the gateways as one group and assign that group as the VPN domain.

Before you start, make sure that Load Distribution is not selected in SmartConsole > Global Properties > Remote Access > VPN Advanced.

To configure First to Respond MEP:

  1. Find out which gateways are in the VPN domain. In the VPN CLI, run:

    vpn overlap_encdom

  2. Create a host group and assign all of these gateways to it.

  3. In the Properties window of each Security Gateway network object > Topology page > VPN Domain section, select Manually defined and then select the host group of MEP gateways.

  4. Click OK.

  5. Install the policy.

When you work with First to Respond, you can give preference to the Security Gateway that you selected to connect to. To do this, configure a grace period. The Remote Access Client waits the length of the grace period for a response from the selected Security Gateway. If the selected Security Gateway does not respond in the configured time, the first Security Gateway that responded gets the connection.

Configure the same grace period on each Security Gateway.

To give preference to the selected Security Gateway:

  1. Edit the $FWDIR/conf/trac_client_1.ttm file on each Security Gateway.

  2. Find the mep_prefer_chosen_gw_grace_period parameter.

  3. Set the required grace period in milliseconds.

  4. Save the file.

  5. Install the policy.
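A consistency check for the requirement above that every Security Gateway carries the same grace period, given here as an added example and not Check Point code. It assumes each gateway's trac_client_1.ttm has been copied to a local file and that the parameter is stored as a `:name ( :gateway ( :default (value) ) )` block. That layout, the function names and the sample files are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not Check Point code. The .ttm block layout used here is assumed.
PARAM=mep_prefer_chosen_gw_grace_period

# Print the :default value of $PARAM from one .ttm file (nothing if absent).
grace_period() {
    awk -v p=":$PARAM" '
        $1 == p { inblk = 1; depth = 0 }
        inblk {
            if ($1 == ":default") {
                v = $0; sub(/^[^(]*\(/, "", v); sub(/\).*$/, "", v)
                gsub(/[ \t]/, "", v); print v; exit
            }
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")
            if (depth <= 0) exit      # block closed without a :default
        }
    ' "$1"
}

# Return 0 only if every file given (one copy per gateway) sets the same
# whole number of milliseconds; print what each file contains.
check_grace_periods() {
    first="" rc=0
    for f in "$@"; do
        v=$(grace_period "$f")
        printf '%s: %s\n' "$f" "${v:-<not set>}"
        # Missing or non-numeric values count as a mismatch.
        case "$v" in ''|*[!0-9]*) rc=1; continue ;; esac
        [ -n "$first" ] || first=$v
        [ "$v" = "$first" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: write a minimal .ttm fragment with the given value.
write_sample() {
    printf ':%s (\n    :gateway (\n        :default (%s)\n    )\n)\n' "$PARAM" "$2" > "$1"
}

d=$(mktemp -d)
write_sample "$d/gw1.ttm" 2000
write_sample "$d/gw2.ttm" 2000
write_sample "$d/gw3.ttm" 500
if check_grace_periods "$d/gw1.ttm" "$d/gw2.ttm" "$d/gw3.ttm"; then
    echo "grace period is consistent"
else
    echo "grace period differs between gateways or is missing"
fi
rm -rf "$d"
```

Run it against the collected copies before installing the policy; a non-zero result from check_grace_periods means at least one gateway has a different or missing value.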