Automatic Relay Selection not Working

BigFix version 10.0.1.41

As a stopgap for low bandwidth, our network group has started putting VPN circuits in some of our branches, which are on a separate subnet from the local branch. Workstations on these circuits end up being at least 10 hops away even though they are in the same building as the local relay.

In order to get the VPN clients to affiliate with the local relay, I have increased the setting _BESClient_RelaySelect_MaximumTTLToPing to 40 from the default 20. It seems to work. Clients that were not affiliating are now affiliating with their local relay. However, pulling content is not very efficient since it is going over 10 hops.

I am wondering if this is the best approach? It would be nice if there were a way to give the VPN circuit the same subnet as the branch, but the network group says that is not possible. I don’t want to create relays on these subnets. It will be way too much trouble.

It depends a lot on the network architecture. If the relay is 10 hops away, that implies the client is tunneling through the VPN, crossing the VPN link to some upstream VPN endpoint, then traversing back to the local site from the VPN endpoint - crossing your WAN twice to reach the relay down the hall. Replies back from the Relay would likewise cross that link twice to get back to the client.

Have your network team look into “split tunneling” on the VPN - only upstream traffic to the central site needs to be inside the VPN tunnel, and the connection to your local relay should be outside the VPN.

Otherwise, might as well get rid of the local relays and put all your relays in the central site. That could actually be faster and use less bandwidth.