
Load Balancing not working with Sophos XG 210 - Sticky Nodes

I have Sophos XG 210 appliance. I have one LAN network connected via a Cisco switch.

I have two WAN Connections (WAN1 and WAN2) via two different ISPs.

My problem is that Sophos is not doing any load balancing at the individual connection level. There is stickiness associated with each device on the LAN. A device ends up using the same WAN connection always. This used to work before.

Is there somewhere in the configuration where this is set so that I can disable it? 

I looked at my firewall rules and I do not have anything that indicates this is the case. I have only one rule enabled that says "Primary Gateway" - WAN Link Load Balance.

Is there somewhere that this sticky nature is configured so I can remove it?

Additional notes: There are no Static Routing or Policy Routing Rules.

  • Hi  

    Verify your second ISP is in active state and green in WAN link management?

    Regards, Ronak

  • It is Active and Green. I get a mail when either of them goes down. That is not the case. 

    I can refresh http://ip4.me any number of times to get my WAN link IP address from multiple browsers or via curl and it is always the same IP address. From another computer it is the alternate IP address.

    It is as if the load balancing occurs at the device level and not at a TCP connection level.

     

    Regards

    Sudhir

  • Let me ask a slightly different question.

    Let us say I have two WAN connections, W1 and W2 configured in 1:1 ratio. Both are green and Active.

    I have 4 systems S1, S2, S3 and S4 connected to the LAN.

    Does this mean that Sophos will send all connections from say S1 and S2 on W1

    and all connections from S3 and S4 on W2? What I mean is that two systems get allotted to W1 and two to W2.

    Is the load balancing done at a device level or at the TCP connection level? Per the tech support engineer I talked to today, the load balancing is at the device level.

    Is that right?

    I was expecting load balancing to occur at the TCP connection level. What I mean by that is that if a system S1 on the LAN makes 10 outgoing connections to the internet, 5 of them will go via W1 and 5 will go via W2. This however does not occur.

    The Sophos device XG 210 is on the latest firmware SFOS 17.0.2 MR-2. 

    [Note: edited to fix incorrect terminology] 

    Regards

    Sudhir

  • After reading the documentation,

    Sophos XG used to do "Weighted Round Robin" earlier. Now it seems it has been changed in the latest firmware to "Source IP Based".

    Could someone at Sophos explain the reason for this change? (The documentation here refers to the Weighted Round Robin although that is no longer the case)

    Is there a way I can change this back to old policy?

  • Hi  

     

    What do you mean by AP, an Access Point on your LAN or your ISP WAN modem?

     

    If you are referring to the AP as the ISP WAN modem, then yes, it will load balance per session, which includes TCP, UDP and ICMP. Sophos XG uses the weighted round-robin algorithm for load balancing based on its weightage.

     

    You can refer to the below link on how to configure gateway load balancing.

     

    https://community.sophos.com/kb/en-us/123530

     

    Good Luck!!!

     

    Regards, Ronak.

     

  • Uh oh, so that is where I lost everybody.

     

    Sorry for the confusing terminology I ended up using.

    I really meant to say I have two WAN connections (two ISPs). 

    Weighted round robin is what I expect it to use. All I am saying is - it is no longer weighted round robin in latest firmware. It is source IP based from what I can see.

     

     

     

  • Hi 

     

    There are no such changes in load balancing. You need to counter-question Sophos support by providing the KBA. At times T1 has some technical limitation in understanding the customer's scenario. You can get this escalated and get it re-evaluated. If they still claim they have changed the functionality of the product, please ask for the release note for such a change.

     

    Regards, Ronak.

  • Thank you. I tried my best to explain to Cyberoam/Sophos support. They deny there is any change and say it is as expected, and so refused to escalate it. I will just let this matter rest here until someone else also confirms it.

    Maybe it is just a matter of something off in my configuration. (Case ID: 7784574)

  • So the solution to this was in the console.

    This is what it was:

    console> show routing wan-load-balancing
    IPv4 WAN Link Load Balance method : Session Persistent - Source IP Only
    IPv6 WAN Link Load Balance method : Session Persistent - Source IP Only

    There are multiple options around load balancing:

    console> set routing wan-load-balancing <TAB>
    session-persistant weighted-round-robin
    console> set routing wan-load-balancing session-persistant <TAB>
    connection-based source-and-destination
    destination-only source-only

    Tweaking them fixed it finally.

    Thanks much for all help.

    Regards

    Sudhir
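As an added example (not from the thread or from Sophos), this Python simulation models the two methods named in the console output above for the 1:1, four-host scenario asked about earlier in the thread: weighted round robin splits one host's 10 connections 5/5 across W1 and W2, while "Session Persistent - Source IP Only" pins every host to a single link. The host addresses and the source-IP hash are assumptions; the appliance's real mapping is not documented in the thread.

```python
"""Simulate two SFOS WAN load-balancing methods: weighted round robin versus
session-persistent (source IP only). Added example, not appliance code."""
from collections import Counter
import hashlib
import itertools

# Constructed scenario: two ISP links with 1:1 weights, four LAN hosts.
LINK_WEIGHTS = {"W1": 1, "W2": 1}
HOSTS = {"S1": "192.168.1.11", "S2": "192.168.1.12",
         "S3": "192.168.1.13", "S4": "192.168.1.14"}


def weighted_cycle(weights):
    """Expand weights into the repeating order a weighted round robin walks,
    e.g. {W1: 2, W2: 1} -> [W1, W1, W2]."""
    return [link for link, w in weights.items() for _ in range(w)]


def weighted_round_robin(weights):
    """Per-connection policy: every new flow takes the next link in the
    cycle, regardless of which host opened it."""
    cycle = itertools.cycle(weighted_cycle(weights))
    return lambda src_ip: next(cycle)


def session_persistent_source_only(weights):
    """'Session Persistent - Source IP Only': the link is a deterministic
    function of the source address, so one host always gets the same link.
    The SHA-256 hash is an assumption standing in for the real mapping."""
    cycle = weighted_cycle(weights)

    def pick(src_ip):
        digest = hashlib.sha256(src_ip.encode()).digest()
        return cycle[int.from_bytes(digest[:4], "big") % len(cycle)]
    return pick


def simulate(policy, hosts=HOSTS, flows_per_host=10):
    """Open flows_per_host connections from each host, host by host, and
    return {host: Counter(link -> number of flows)}."""
    return {host: Counter(policy(ip) for _ in range(flows_per_host))
            for host, ip in hosts.items()}


if __name__ == "__main__":
    for name, factory in [("weighted-round-robin", weighted_round_robin),
                          ("session-persistent source-only",
                           session_persistent_source_only)]:
        print(name)
        for host, counts in simulate(factory(LINK_WEIGHTS)).items():
            print(f"  {host}: {dict(counts)}")
```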