Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

WAN Link Load Balancing in v20

What is everyone's experience with WAN link load balancing in v20? We're a K12 private school with two identical WAN links from different ISPs, Frontier and Comcast. Our goal is to enable WAN link load balancing in an active-active config, weight 1 and 1.

Sophos support claims that the sessions are load balanced and shouldn't cause an issue with students being constantly moved from one ISP to the other. If they were, then this could cause issues with applications staying logged-in.

Has anyone had any success stories in schools using WAN link load balancing? Did it work differently in v19 than in v20? Is it much improved?



Added V20 TAG
[edited by: Erick Jan at 5:46 AM (GMT -7) on 31 Oct 2024]
Parents Reply
  • Hi Mayur, maybe I'm not understanding this correctly, and for that I apologize. You seem to be recommending that we enable session persistence. However, our Sophos support engineer is not recommending it. Please see their response below:

    Situation:
    Handling of browser traffic

    Thank you for sharing the Queries, below is the resolution to the query provided:

    When both WAN links are set as active with equal weights (1:1), the Sophos Firewall automatically handles load balancing based on the number of sessions. The firewall uses a round-robin method to distribute sessions between the gateways—assigning the first session to one gateway (e.g., gw0) and the next to the other (e.g., gw1), and so on. This balancing is purely session-based, and the amount of data transmitted in each session does not influence the decision.

    In this scenario, the round-robin mechanism is already in place with equal weights, so you don't need to explicitly run a round-robin command. Additionally, session persistence, which ties traffic from the same source to the same gateway, is typically not recommended if your goal is to balance the traffic evenly. The firewall’s internal algorithm will hash the source and destination IPs to automatically distribute traffic across the links.

    Please let us know if you require any further assistance from our end.

    Please note once you update we will get back to you within 2 business days.

    Thank you for Choosing Sophos
    Regards

    Zeel Trivedi | Technical Support Engineer | Sophos Support

Children