Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 40 subscribers
  • Views 1338 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Fail over to remote site WAN connection

BRCIT BRC

Dear  Experts

I need some direction on below WAN fail over scenario

 

We have 2 sites links VIA Ubiquity Air Fibre (PTP) the main site is consist with 2xXG330 (SFOS 17.5.8 MR-8) with HA ,and the second site has Mikrotick CCR  all the routing occurred at SOPHOS end, the Mikrotik mange local VLANS/Subnets/DHCP on the 2nd site .

Currently there is no WAN connection at the 2nd Site all the WAN request comeback to SOPHOS via PTP link (and yes we do have asymmetric routing)

 

On the Main site we have 1Gbps as our Main WAN link on SOPHOS interface and have 20mbps EFM as the backup WAN. The PTP Bridge is connected to the SOPHOS LAN interface same as other devices on the main site (IP alias)

Recently we did installed a another WAN connection (400mbps) at the 2nd Site as a backup, the connection is configured at Mikrotik Router interface and we can ping the IP and the Gateway from the Main site.

We would like to use this 2nd WAN connection as our fail-over connection for both the sites now, We would like to route all the traffic via SOPHOS hence what is the best way to route traffic from SOPHOS to 2nd wan connection on remote site on Mikrotik interface . Hope this make sense .

Have attached a network diagram that simulate the site

 

Thanks in Advanced

Andy

 

 

 

 



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    With your existing setup it would be bit difficult to fulfill your requirement for "2nd WAN connection as our fail-over connection for both the sites".

    As AIRFIBRE is P2P ( which is terminated on switch) so if both the WAN of XG  will be down then XG has nothing to do fail over under DGD condition.

    If you may terminate "AIRFIBRE" as in 3rd WAN with gateway type backup on XG ( with fail over rule/ condition set if all active ISP went down then switch this as in active) then it will became active when your Sophos XG end both the ISP goes down and XG will forward traffic to AIRFIBRE for further routing decision. 

    This will help to achieve redundancy at XG end via "Secondary WAN" of another location in case both the WAN of XG has been down.

    However at MICROTIK end I am not aware how it will do fail over between 2 WAN link.( AIRFIBRE and "Secondary WAN" ).

    If you can do any settings on MICROTIK as well for the fail over between 2 ISP then that will help you to achieve redundancy at MICROTIK end as well. ( Like "Secondary WAN" goes down then traffic at MICROTIK  shoud shift to AIRFIBRE  by MICROTIK  router).

    Note: As this required changes in setup and removal of advance bypass ( if it is added in XG CLI due to asymmetric routing present with current setup) it would be suggested to perform this with your convenient time and preferable down time and by taking the required configuration backup of all devices which are part of topology.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Vishal_R

    Hi Vishal

    Thank you for your response , currently the  WAN connection on Mikrotik not in use (no routing ) all the WAN requests ffrom Site 2 go VIA SOPHOS , which I would like to maintain going forward . The current Backup WAN (20mbps) will become redundant and the New WAN connection will be the new fail over.

     

    I do have another scenario which I would like you to check , We could create VLAN for 2nd WAN connection and send across the bridged (PTP) then we can untagged that VLAN traffic and feed directly in to the SOPHOS interface ?  yes in this scenario i have by pass the Mikrotik router .

     

Reply
  • 0 in reply to Vishal_R

    Hi Vishal

    Thank you for your response , currently the  WAN connection on Mikrotik not in use (no routing ) all the WAN requests ffrom Site 2 go VIA SOPHOS , which I would like to maintain going forward . The current Backup WAN (20mbps) will become redundant and the New WAN connection will be the new fail over.

     

    I do have another scenario which I would like you to check , We could create VLAN for 2nd WAN connection and send across the bridged (PTP) then we can untagged that VLAN traffic and feed directly in to the SOPHOS interface ?  yes in this scenario i have by pass the Mikrotik router .

     

Children
No Data
Unfiltered HTML