
OSPF Routing how to prioritize interface vs tunnel

1. We have two XGS connected via a private ISP fiber, and the interfaces are LAN / GIG.

2. For resiliency we have an IPsec tunnel interface between the same, using disparate ISPs at each location, VPN/GIG.

We have been using OSPF for all of our routing between multiple offices with Sophos XGS/FW, and it has worked well!

When I enable dynamic routing for the VPN, OSPF uses the #2 tunnel interface as the route in the routing table. #1 above should be faster and more dependable as it is an Enterprise connection with the same ISP. I want OSPF to use #1, the LAN interface, as primary instead of the #2 tunnel.

I.e.: where can I say the weight of #1 LAN is 1 and the weight of the #2 tunnel interface is 50, or secondary, similar to how we prioritize gateways?

I realize it could be done with SD routes / policy, but since OSPF is working well I would like to stay with it.

Thanks in advance



[edited by: Erick Jan at 12:59 AM (GMT -7) on 23 May 2024]
  • This can be achieved by setting the “cost” associated with the interfaces. If a route is learned via two interfaces, the path with the lower cost is preferred.

    Cost of an interface can be set as follows:

    Under OSPF configuration, in the “Override Interface” section, for the relevant interface, disable “Autocost” and configure the cost values such that the overall cumulative cost of the preferred route is lower.

    Thanks,
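As an added illustration of the cost rule above (this is not code from the thread or from Sophos), a minimal OSPF SPF calculation over the two-site topology: costs apply to the outgoing interface of the router running SPF, so each router picks its path independently, and costs add up per hop. The interface names (Port-LAN, xfrm1, Port-WAN), the third site and the "autocost left on" value of 10 are constructed assumptions.

```python
import heapq

# Constructed two-site topology with the thread's costs (LAN 1, XFRM 5 at
# both sites) plus a third site behind site2 to show cumulative cost.
# Edges are directed: cost belongs to the OUTGOING interface of each router.
def build_graph(s1_lan=1, s1_xfrm=5, s2_lan=1, s2_xfrm=5, s2_to_s3=10):
    """Adjacency: node -> [(neighbour, outgoing interface cost, interface)]."""
    return {
        "site1": [("site2", s1_lan, "Port-LAN"), ("site2", s1_xfrm, "xfrm1")],
        "site2": [("site1", s2_lan, "Port-LAN"), ("site1", s2_xfrm, "xfrm1"),
                  ("site3", s2_to_s3, "Port-WAN")],
        "site3": [("site2", s2_to_s3, "Port-WAN")],
    }

def spf(graph, source):
    """Dijkstra from `source`; returns {dest: (total cost, first-hop interface)}."""
    best = {source: (0, None)}
    heap = [(0, source, None)]
    while heap:
        cost, node, first = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was already found
        for nbr, link_cost, iface in graph.get(node, []):
            total = cost + link_cost
            via = iface if first is None else first  # keep first-hop interface
            if nbr not in best or total < best[nbr][0]:
                best[nbr] = (total, via)
                heapq.heappush(heap, (total, nbr, via))
    return best

def preferred(graph, src, dst):
    """(total cost, outgoing interface) the router at `src` installs for `dst`."""
    return spf(graph, src)[dst]

if __name__ == "__main__":
    g = build_graph()                        # costs 1 / 5 at both sites
    print(preferred(g, "site1", "site2"))    # (1, 'Port-LAN')
    print(preferred(g, "site1", "site3"))    # (11, 'Port-LAN') cumulative
    # Assumed case: Site 1 left on autocost and its LAN port ends up at cost 10,
    # so Site 1 prefers the tunnel while Site 2 still prefers the LAN (asymmetric).
    g2 = build_graph(s1_lan=10)
    print(preferred(g2, "site1", "site2"))   # (5, 'xfrm1')
    print(preferred(g2, "site2", "site1"))   # (1, 'Port-LAN')
```

The asymmetric case is why the cost override has to be checked on the outgoing interface of each firewall separately, not just at one site.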

  • Upon testing, I've discovered that the changes that I made have not resulted in the expected outcome.

    Site 1

    preferred interface cost = 1

    XFRM interface cost = 5 

    Site 2

    preferred interface cost = 1

    XFRM interface cost = 5 

    Our routers still prefer Broadband gig XFRM VPN interface over dedicated fiber GIG.  Not sure how / why it believes that our backup connection is better quality.

    OSPF convergence / route change is taking about 3 min if I turn off one of the active interfaces. I.e.: connectivity goes down while OSPF decides to switch path. I changed the Hello and Dead intervals from 10 / 40 seconds (default) to 2 and 8. No significant change in convergence was observed.

    I'm wondering if we should use SD-WAN and see if it functions better for us. I need to figure out if SD-WAN can be redistributed into OSPF.
