Failover for route-based VPN with BGP

Question

Hello all -- 
 This is likely an easy question that I'm overthinking. We have two sites, each with dual ISP links and Sophos XG v18. Currently, there are four site-to-site tunnels between them, with a failover group on the branch/initiator side (A1-B1, A1-B2, A2-B1, A2-B2). I'm wondering if the same idea translates to a route-based VPN using BGP, but with the benefit of not needing a failover group. 
 All four route-based tunnels can be activated and connected without worry of routing mess, right? If one link goes down, how long should we expect before traffic re-routes thru an alive-tunnel? 
 Thanks

that guy · Accepted Answer

We also used the route-based "HA VPN" option to connect to a google cloud platform project (in addition to our site-to-site VPNs between home and branch sites). While the weighting I mentioned above works fine for XG-to-XG VPN, we were seeing the ECMP issue you mentioned with our connections to GCP. After weeks of testing with google cloud support, we figured out that Sophos uses a Cisco subsystem (maybe not the right word) for the BGP feature, which uses a proprietary weighting system that non-Cisco systems don't respect. We ended up needing to implement MED values on the GCP-side, with matching route-map metrics on the sophos-side (via command-line). 
 All that said, our current config uses weighting for XG-to-XG VPNs, MED values for GCP VPN, and route-maps to prevent inadvertent subnet routing thru other sites. It's not an easy config, by any means, so I would strongly recommend to get higher-tier AWS and Sophos support involved.

LuCar Toni · Answer

There is a new recommended Read about this topic: https://community.sophos.com/xg-firewall/f/recommended-reads/124625/sophos-xg-firewall-how-to-configure-bgp-over-rbvpn 
 Does this help?

strategytrainer · Answer

I was able to get the weighting set up on the tunnels but it does seem that the ECMP issue is still happening. Thanks for the additional info. I'll need to follow up with AWS support to see if they are compatible with the Cisco weight system for BGP or if we need to do something similar by adding MED values on the AWS side. 
 I am now more familiar with how Sophos implements BGP and currently have a prefix-list to only accept the subnet route in AWS. Would we still need to set up route-maps on the sophos side for the MED values?

strategytrainer · Answer

For the two tunnels for our primary ISP, we are seeing MED values of 100 and 200. The MED values of the two tunnels for the backup ISP are also showing 100 and 200. I just created two separate route-maps: one that sets metric to 300 and one that sets metric to 400. I applied the metric 300 one to the first backup ISP neighbor for outgoing advertisements and did the same with the metric 400 one on the other backup ISP neighbor. 
 Now when I ping a server that is in AWS I am getting consistent pings so this appears to fix the issue. Thanks again!

Failover for route-based VPN with BGP

Top Replies