
WAN Link Load Balancing in v20

What is everyone's experience with WAN link load balancing in v20? We're a K12 private school with two identical WAN links from different ISPs, Frontier and Comcast. Our goal is to enable WAN link load balancing in an active-active config, weight 1 and 1.

Sophos support claims that the sessions are load balanced and shouldn't cause an issue with students being constantly moved from one ISP to the other. If they were, then this could cause issues with applications staying logged-in.

Has anyone had any success stories in schools using WAN link load balancing? Did it work differently in v19 than in v20? Is it much improved?



Added V20 TAG
[edited by: Erick Jan at 5:46 AM (GMT -7) on 31 Oct 2024]
  • We are not in a school environment, but we have 3 WAN links connected to our firewall. All 3 links are active with a weight of 1 as they all have the same bandwidth. We never touched the wan-load-balancing setting, meaning this is set to the default value of "Session Persistence - Source IP Only".

    In all the years we have been using the XG firewall, we never had an issue whatsoever with load balancing the WAN links. All cloud applications like Office365 are working with no issue.

  • I have heard stories from other schools who tried it out and they had mixed results. The biggest was when a student is logged-in to an app, the firewall would suddenly push them over to the other WAN link which breaks the session and causes them to re-authenticate. My ultimate worry is online tests. They're a huge thing now and any disruption would be catastrophic.

  • The only thing that would come close to online tests for us would be the exams on netexam.com where we did our Sophos exams. As far as I know from others and experience from myself, there was never an issue there. As long as the wan-load-balancing setting is set to session persistence, the sessions should not break and cause issues. Obviously this can also depend on the apps you use, but I would say any app programmed correctly should not have an issue.

    If you are really worried about specific apps or these online tests, you could also use SD-WAN routing to force these apps via a specific WAN link. SD-WAN routes overwrite the WAN link manager and therefore ignore the load balancing, depending on what you set in the SD-WAN profile.
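
An added illustration, not part of the thread and not Sophos's implementation: a simplified model of why source-IP persistence keeps each client on one WAN link while per-connection balancing does not, and how pinning a destination to a link takes precedence over the balancer. The hashing scheme, function names, client IPs and the host `exam.example` are assumptions made for this example.

```python
import hashlib
from itertools import cycle

# Weights as in the thread: two links, weight 1 each.
LINKS = {"Frontier": 1, "Comcast": 1}

def slots(links, up):
    """Expand weights into a slot list, skipping links that are down."""
    return [name for name, w in links.items() if name in up for _ in range(w)]

def by_source_ip(src_ip, links=LINKS, up=None):
    """Persistence model: the client IP alone decides the egress link."""
    avail = slots(links, up if up is not None else set(links))
    if not avail:
        raise RuntimeError("no WAN link available")
    h = int.from_bytes(hashlib.sha256(src_ip.encode()).digest()[:8], "big")
    return avail[h % len(avail)]

def egress_links(conns, policy, pinned=None):
    """Map each client to the set of links its connections left through.

    conns  : list of (src_ip, dst_host), constructed sample data
    policy : "source_ip" or "per_connection" (plain round robin)
    pinned : optional {dst_host: link}, modelling a route that wins
             over the balancer for selected destinations
    """
    rr = cycle(slots(LINKS, set(LINKS)))
    seen = {}
    for src, dst in conns:
        if pinned and dst in pinned:
            link = pinned[dst]
        elif policy == "source_ip":
            link = by_source_ip(src)
        else:
            link = next(rr)
        seen.setdefault(src, set()).add(link)
    return seen

def flapping_clients(seen):
    """Clients whose traffic appeared from more than one public link."""
    return sorted(c for c, links in seen.items() if len(links) > 1)

# Constructed sample: 3 students, 4 connections each to one exam host.
CONNS = [(f"10.1.0.{i}", "exam.example") for _ in range(4) for i in (11, 12, 13)]
```

In this model a client only changes link under source-IP persistence when its link drops out of the `up` set, which is the failover case rather than normal balancing.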