Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAN Link Failover not working

Hello,

We just added a secondary ISP and I set it up as a new WAN interface. A laptop plugged into it gets an IP address and can get out to the internet, so I know it is working.

I configured WAN failover (active-backup) and initially didn't modify the rules to include another IP address like 8.8.8.8. So it would fail over if it couldn't contact the gateway IP of the main ISP.

When performing a test by removing the cable from the primary WAN port, it did not seem to fail over properly.

Internet connectivity was not restored through the backup gateway. I was unable to ping google.com and eventually got a message saying it couldn't perform a DNS lookup which I thought was odd.

Now that I added the 8.8.8.8 to the rule, will this work? Or are there other things needed? I don't understand how it accounts for NAT, or the VPN gateway, or anything during a failover. Are there routing or firewall rule changes too?



This thread was automatically locked due to age.
Parents
  • What you are referring to ( Active - Backup Gateway ) is called WLM (WAN Link Management) by Sophos.

    Regarding routing decision, WLM has lowest priority. static/dynamic routing or SDwan routing all have higher priorities.

    For example:

    1- If you have only set a static default route 0.0.0.0/0 to specific gateway (let's say gateway A), even with gateway A failure, FW won't use the second gateway because static route has higher priority.

    2- If you have a SDWAN route with only GW A as gateway and with "Route only through specified gateways" enabled, firewall won't use the second gateway.

    These are just couple of examples and there could be some issues with NAT also. I recommend contacting sophos support or contacting me over private chat to do a live diagnostic check.

Reply
  • What you are referring to ( Active - Backup Gateway ) is called WLM (WAN Link Management) by Sophos.

    Regarding routing decision, WLM has lowest priority. static/dynamic routing or SDwan routing all have higher priorities.

    For example:

    1- If you have only set a static default route 0.0.0.0/0 to specific gateway (let's say gateway A), even with gateway A failure, FW won't use the second gateway because static route has higher priority.

    2- If you have a SDWAN route with only GW A as gateway and with "Route only through specified gateways" enabled, firewall won't use the second gateway.

    These are just couple of examples and there could be some issues with NAT also. I recommend contacting sophos support or contacting me over private chat to do a live diagnostic check.

Children
  • Thank you - I actually had a couple of migrated SD-WAN route that didn't have the backup gateway specified. No 0.0.0.0/0 statics in the configuration. I'm going to review the documentation and see if I missed anything, and then get back to you. Thank you!