Group default IP address networks for Access Server


This document explains how the group default IP address network functionality works in Access Server and tips for setting it up with your network.

How the group default IP address network works on Access Server

A user assigned to a group will be assigned an IP address from the group default IP address network. If a subnet is defined on the group that will be used instead. If neither are defined it will result in an error message.

Note: The first and last IP address of a subnet are reserved for use by the Access Server itself.

For example: Suppose you have the subnet,; then you might have four connected clients and Access Server assigns these IP addresses:


Group Default IP Address Network on Standalone Access Servers

The process for a user looks like this:

  1. Create the user in the Admin Web UI.
  2. Assign the user to a group that doesn't have its own group subnet defined.
  3. When the user connects, Access Server assigns an IP address from the group default IP address network subnet.

Suppose you then define access for that user to other subnets using routing or NAT. Then Access Server grants access without issue. Because there is only one Access Server using this subnet, one route can ensure routing functions properly.

One server = one group address pool.

Group Default IP Address Network on a Cluster of Access Servers

Access Server 2.12 and newer handles the group default IP address network differently in a cluster setup. On older Access Server versions, the group default IP address network was assigned to all nodes. That means if you assigned the subnet,, all nodes used it: Alpha, Beta, and Gamma. The same subnet cannot be routed to all three nodes which makes routing impossible.

The new behavior with Access Server 2.12 and newer allows the administrator to assign unique group default address subnets to each node. That way, routing can now be set up to direct packets to the correct subnets.

This table helps provide an example:

NodeUserGroupSubnetIP address
Alpha nodeUser AGroup 1192.168.1.0/24192.168.1.2
Beta nodeUser BGroup 1192.168.2.0/24192.168.2.2
Gamma nodeUser CGroup 1192.168.3.0/24192.168.3.2

Now, each cluster has its own VPN network and VPN clients. A subnet is no longer assigned to all clusters. This allows routing on cluster configurations where only NAT worked previously because it uses unique node subnets.

Clustering group address pool setting comparison by version

Access Server 2.11 and older

The group address poll setting is cluster-wide and inherited by each node.

Access Server 2.12 and newer

The group address pool setting starts with the inherited pool (one subnet for all nodes), but you can override that on the node level. Each node can have a unique pool.