
Internal gateway failover

Hi, I have an internal gateway IP which is an SSL VPN site-to-site. I have already set it up to route some domains/URLs to that internal gateway and it is working fine. I would like to know how to set up failover to WAN if the internal gateway IP fails to respond to ping.

I have set up the internal IP gateway in "Routing - Gateways", and from my testing the health check does not serve the failover purpose.

 

Gateway

    Name: VPN
    Gateway IP: 192.168.20.253
    ..
    ..
    Health check enabled
    Interval: 60
    Timeout: 2
    Retries: 10
    Monitoring condition: PING 192.168.20.253

The firewall rule is already set up with Primary gateway: VPN and Backup gateway: WAN.



  • Hi  

    As per the information provided, you have entered a Monitoring Condition IP that is the same as the Gateway IP. You have to configure a different IP which can satisfy the condition to trigger the failover mechanism.

    Is the "VPN" gateway configured as a WAN interface on the XG firewall?

    Please refer to the article- https://community.sophos.com/kb/en-us/132792

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • As per the information provided, you have entered a Monitoring Condition IP that is the same as the Gateway IP. You have to configure a different IP which can satisfy the condition to trigger the failover mechanism.

    -> I don't really understand how it works with a different IP.

    Is the "VPN" gateway configured as a WAN interface on the XG firewall?

    -> No, it is not a WAN interface.

    I have the interfaces below:

    WAN: DHCP from ISP

    LAN: 192.168.20.1/24

    192.168.20.253 is my pfSense gateway, which has an SSL VPN site-to-site connection to my other site. In Sophos XG, I have set up a firewall rule for routing specific FQDNs to 192.168.20.253 (primary) and WAN (backup). This is working fine for the FQDN routing, but I found failover is not working. I would like to set it up so that if 192.168.20.253 cannot be pinged within xx tries, then failover is triggered to WAN. I understand there is a WAN Link Failover feature, but in my case my gateway is on the LAN interface.
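To make the support reply and the topology described above concrete, here is an added model (not from the thread, and not Sophos code) of the health-check logic: a gateway is marked down after `Retries` consecutive probe failures, and the monitored address decides what the probe can actually observe. The remote-site host 10.50.0.1 is a constructed placeholder for a host reachable only through the tunnel; the single-reply recovery rule is a simplifying assumption.

```python
from dataclasses import dataclass


@dataclass
class HealthCheck:
    """Minimal model of a gateway health check: the gateway is marked down
    once `retries` consecutive probes get no reply, and a single reply
    marks it up again (simplified assumption, not a statement about SFOS)."""
    retries: int
    failures: int = 0
    up: bool = True

    def observe(self, replied: bool) -> bool:
        if replied:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False
        return self.up


def probe(monitor_ip: str, gateway_ip: str, tunnel_up: bool) -> bool:
    """Constructed reachability model of the thread's topology: the pfSense
    box at gateway_ip sits on the LAN and always answers ping; any other
    address is assumed to be reachable only through the SSL VPN tunnel it
    terminates, so it answers only while the tunnel is up."""
    if monitor_ip == gateway_ip:
        return True
    return tunnel_up


def active_gateway(monitor_ip, gateway_ip, tunnel_history,
                   retries=10, primary="VPN", backup="WAN"):
    """Feed one probe per entry of tunnel_history (True = tunnel up) and
    return the gateway the firewall rule would use after each probe."""
    hc = HealthCheck(retries)
    return [primary if hc.observe(probe(monitor_ip, gateway_ip, t)) else backup
            for t in tunnel_history]


if __name__ == "__main__":
    GATEWAY = "192.168.20.253"          # the pfSense gateway from the thread
    REMOTE_HOST = "10.50.0.1"           # placeholder: a host at the remote site
    outage = [False] * 12               # constructed: tunnel down for 12 probes
    # Monitoring the gateway itself: pfSense keeps answering, so nothing fails over.
    print(active_gateway(GATEWAY, GATEWAY, outage))
    # Monitoring a host behind the tunnel: WAN takes over after Retries=10 misses.
    print(active_gateway(REMOTE_HOST, GATEWAY, outage))
```

Interval and Timeout only pace the individual probes and are left out of the model.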
