This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Enable SD-WAN Zero-impact failover

Hey guys, hope all is going well.

I'd like some guidance on how to enable SD-WAN Zero-impact failover. My setup is pretty basic, with an XGS 2100 and two WAN connections. I have them configured in a fail-over approach (not load balancing), using an SD-WAN profile and route.

Here's the profile:

And the route:

The route precedence is set to "Static route, SD-WAN route, VPN route", with "Policy route doesn’t apply to system-generated and reply traffic".

I don't know if I need to enable or configure something else, but every time there's a route change (primary gateway no longer meets the SLA), there's a drop in WAN connectivity of a few seconds (around 10 or so). When the firewall routes back to the primary gateway, there's another drop.

Did I miss something? Are my settings optimal?

Thanks, everybody.

This thread was automatically locked due to age.

Top Replies

Suporte Braveo over 1 year ago in reply to Vivek Jagad +2 verified

Found why! The WAN gateway set as the primary is behind a NAT, so when I enabled reply traffic routing the firewall started to route through it, but since I don't have port forwarding configured, it failed…

Parents

0 Vivek Jagad over 1 year ago

Hello Suporte Braveo ,

Thank you for reaching out to the community, You can configure SD-WAN routes with SD-WAN profiles to reroute connections dynamically when a gateway becomes unavailable or doesn't meet the SLAs any longer. You can use SD-WAN routes to route system-generated traffic and reply packets. Ref: SD-WAN routing behavior.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Suporte Braveo over 1 year ago in reply to Vivek Jagad

Thank you. I enabled both options to see how it goes. On a side note, after enabling reply packets routing, SSL VPN no longer connects. Do I need to create a specific route for it? Sorry for the dumb questions, but I'm new to Sophos firewalls.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to Suporte Braveo

SSL VPN no longer connects meaning not able to establish the tunnel for all the users ?
REF - SSL VPN troubleshooting OR Troubleshoot SSL VPN remote access connectivity and data transfer issues.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Suporte Braveo over 1 year ago in reply to Vivek Jagad

Found why! The WAN gateway set as the primary is behind a NAT, so when I enabled reply traffic routing the firewall started to route through it, but since I don't have port forwarding configured, it failed to.

Everything's working now, and I'll see how the firewall deals with failover from now on.

Thanks!
Cancel
Vote Up +2 Vote Down

Cancel

Reply

+1 Suporte Braveo over 1 year ago in reply to Vivek Jagad

Found why! The WAN gateway set as the primary is behind a NAT, so when I enabled reply traffic routing the firewall started to route through it, but since I don't have port forwarding configured, it failed to.

Everything's working now, and I'll see how the firewall deals with failover from now on.

Thanks!
Cancel
Vote Up +2 Vote Down

Cancel

Children

0 Vivek Jagad over 1 year ago in reply to Suporte Braveo

Thank you Suporte Braveo for the update, we are glad the reported situation is resolved now !

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel