Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

WAN Link Load Balancing in v20

What is everyone's experience with WAN link load balancing in v20? We're a K12 private school with two identical WAN links from different ISPs, Frontier and Comcast. Our goal is to enable WAN link load balancing in an active-active config, weight 1 and 1.

Sophos support claims that the sessions are load balanced and shouldn't cause an issue with students being constantly moved from one ISP to the other. If they were, then this could cause issues with applications staying logged-in.

Has anyone had any success stories in schools using WAN link load balancing? Did it work differently in v19 than in v20? Is it much improved?



Added V20 TAG
[edited by: Erick Jan at 5:46 AM (GMT -7) on 31 Oct 2024]
Parents Reply Children
  • 01947356. We dont have load balancing configured now. We're waiting until Thanksgiving break to do so. However, I want to make sure we're doing this properly the first time. And you're telling us different info than Sophos Support so I'm a bit confused.

    Thanks again for all of the help.

  • Hello,

    Thank you for sharing the ticket number.

    I could see the same information shared on the ticket as well. This KBA contains the information about how round robin and session persistence load-balance works.

    https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/Gateways/RoutingLoadBalancingWeights/index.html

    However, if you still have any concern. Please feel free to connect us by dialing the support number.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Mayur, maybe I'm not understanding this correctly, and for that I apologize. You seem to be recommending that we enable session persistence. However, our Sophos support engineer is not recommending it. Please see their response below:

    Situation:
    Handling of browser traffic

    Thank you for sharing the Queries, below is the resolution to the query provided:

    When both WAN links are set as active with equal weights (1:1), the Sophos Firewall automatically handles load balancing based on the number of sessions. The firewall uses a round-robin method to distribute sessions between the gateways—assigning the first session to one gateway (e.g., gw0) and the next to the other (e.g., gw1), and so on. This balancing is purely session-based, and the amount of data transmitted in each session does not influence the decision.

    In this scenario, the round-robin mechanism is already in place with equal weights, so you don't need to explicitly run a round-robin command. Additionally, session persistence, which ties traffic from the same source to the same gateway, is typically not recommended if your goal is to balance the traffic evenly. The firewall’s internal algorithm will hash the source and destination IPs to automatically distribute traffic across the links.

    Please let us know if you require any further assistance from our end.

    Please note once you update we will get back to you within 2 business days.

    Thank you for Choosing Sophos
    Regards

    Zeel Trivedi | Technical Support Engineer | Sophos Support

  • Hello Nathan,

    I believe, we all understood it correctly. 

    Sophos (Community/Ticket), providing an information that session persistent will route the traffic of that session completely via the service provider through which session is established. We are not denying to use the session persistence, this is most effective method for the load-balance hence the traffic which is related any banking or exam does not breaks in between (Round robin, it may route via different public IP and session may break). Also the recommendation was suggested as you mentioned online exams.

    As the traffic load-balance takes place based on session, we may notice minor difference in Internet usage of both the service providers. However, it will not have much difference in the usage.

    Now, it is up to the customer which algorithm suits your requirement. You can opt that. 

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Again, thanks for the attention on this issue. To sum it up, if our biggest concern is the potential for sessions to bouncing back and forth between WAN links, then your recommendation is to enable session persistence as this will lead to the best possible user experience? And to do that, we would run the following command? 

    set routing wan-load-balancing session-persistence source-only ip-family ipv4

  • Hello,

    Yes, you have understood it correctly! 

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.