9.602: WAF does not detect that Real Webserver is offline

Good morning,

I've seen that this issue was asked a couple of years ago with older UTM software, but I now have the same issue with 9.602.

Lab Environment:

- UTM 9.602
- 3x Exchange 2019 DAG
- OWA published with WAF and all 3 Exchange Servers as Real Webservers

Everything is working as long as all 3 Exchange Servers are available.
When I shut down the Exchange Server that is 1st in the list of Real Webservers, it takes a couple of minutes (!) until it is tagged with a yellow exclamation mark in WebAdmin, and during that time OWA is not accessible from external through the WAF.

I would like to use an "Availability Group Object" as the Real Webserver target, but that is not possible there.
If I configure an "Availability Group Object", I can see that the UTM "checks" the webserver on the Exchange in the configured interval.
I cannot see the same behaviour for a "Real Webserver" ... it seems that this is not checked proactively but only when data is requested by a client, and then it takes a lot of timeout time.

Is there a way to improve the "detect dead node" behaviour of WAF Real Webservers, or is there a trick to use an Availability Group Object as the Real Webserver target?

Thanks!

Best regards

Thomas

  • You can load balance the real webservers or use them as active/passive, etc., under site path routing.

    We do this for our RDS gateway servers in active/passive, i.e. SITE A: if the SITE A RDS GW isn't available, try the SITE B RDS GW, and vice versa.

    One issue you may come across is external HTTPS failover. If the internal real webserver goes down, the WAF will still respond and you won't get failover.

    The only way we could overcome this was to use a 3rd-party DNS failover that checked for a specific URL on the real webserver.

  • In reply to Louis-M:

    Thanks for the reply,

    but I am not sure if I understand what you mean.
    That active/passive under site path routing ... can you explain that in a bit more detail, please?

    Thanks

    Thomas

  • In reply to Buxus:

    It's not strictly active/passive, but under site path routing, under real webservers, select all the webservers you want to connect to.

    This will load balance the connection.

    If you want to do them in order, i.e. real webserver 1, then real webserver 2, etc., tick "enable hot-standby mode" and adjust the order of the servers by using the arrows.

  • In reply to Louis-M:

    Thanks ...

    but that still does not solve my problem.
    Even if I do so, if the first server is down, it takes minutes before the UTM recognizes it and uses the second (the hot-standby one).

    And that is definitely not what we can tolerate ...

    Any idea how to "force" the UTM to check if the server is alive more often?!?

  • In reply to Buxus:

    Sorry, can't help any further on that. There may be a setting in the CLI that alters the timeouts for this?? Anyone?

  • In reply to Buxus:

    Hello Thomas,

    If this is a paid license, I would open a case with Sophos Support. Please come back and tell us what you learn.

    Cheers - Bob