
Multipath rules not working as expected

 Hello community, 

 

I have two WANs set up this way:

All users are on one single subnet, including some servers. Now these server hosts are included in a Network group "Servers" that I created.

I have two multipath rules set up this way (both by "Interface Persistence"):

- The first one specifies that the "Servers" group uses the secondary WAN to get out, and I have the "Skip rule on interface error" option checked for WAN failover.

- The second rule is for the rest of the users and specifies that they ONLY use the primary WAN with no failover, so I have the "Skip rule on interface error" option unchecked.

 

Whenever I unplug the secondary WAN, the "Servers" group switches automatically to using the primary WAN as expected, but when I turn off the primary WAN all the users switch to using the secondary WAN even though I unchecked the "Skip rule on interface error" option. I don't know what exactly I am missing here. Any suggestions?

 

Thanks!



  • Please show pictures of the Edits of your Multipath rules and of the 'Allowed Networks' for both the default and the additional Profile.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, sorry for the delayed response. 

    Here are my edits to my multipath rules:

    - 1st Rule: The Servers group goes out using the "SLC" WAN, and I have the "Skip rule..." option checked for failover.

    - 2nd Rule: This one is for the rest of the users, who are bound to the primary WAN "External", with no "Skip rule ..." check for them, which is supposed to mean no failover.

     

    - Default profile:

     

    - Additional profile:

     

     

    I don't understand, though, what filtering options have to do with the fact that failover is still happening for my users even though the "Skip rule.." option is unchecked. I'm thinking maybe some kind of conflict between the "Internal" interface and the "Servers" group, as the latter is technically included in the former.

     

    Best regards,

  • If you had followed the KB article that DKKDG linked to above, you would have had an additional selection in your Profiles:

    When you do that, do things work like you want?

    Cheers - Bob

  • Hi, thank you for your response. 

     

    I will try that again and get back to you as soon as I can.

  • Hello, 

    It still does not work as I want after doing what you proposed. Users are still switching to the secondary WAN whenever the first one is down.

     

    Thank you for your patience,

    Kind regards,

    Zak.

  • If you want to continue to pursue this here, Zak, please show pictures of the Edits of the current Web Filtering Profiles.  Also, show a line or two from the Web Filtering log file where traffic from non-servers was handled after "External (WAN)" was disabled.

    Cheers - Bob

  • Hello, thank you for the response. 

     

    I just noticed that whenever web filtering is disabled and "External (WAN)" goes down, users do not switch to the secondary WAN. They do as soon as I enable web filtering again. Does this mean that the issue resides in my web filtering profiles/policies?

     

    I will be posting details of my profiles and log file as soon as possible.

  • Web filtering log: 

    Before:
    * 2019:01:05-11:11:07 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" sys="SecureWeb" sub="http"
    name="http access" action="pass" method="CONNECT" srcip="192.168.2.14" dstip="157.55.134.136" user=""
    group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)"
    filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="23341" request="0x1a722c00"
    url="https://login.live.com/" referer="" error="" authtime="0" dnstime="680001" cattime="96342" avscantime="0" fullreqtime="62738146" device="0"
    auth="0" ua="" exceptions="" category="178" reputation="trusted" categoryname="Internet Services" application="office" app-id="1156"


    After disabling "External (WAN)" and switching to the secondary WAN:
    * 2019:01:05-11:12:13 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" sys="SecureWeb" sub="http" 
    name="http access" action="pass" method="CONNECT" srcip="192.168.1.168" dstip="184.106.2.168" user=""
    group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (VIP_Profile)"
    filteraction="REF_HttCffVipfiltera (VIP_FilterAction)" size="17091" request="0x1a92d600"
    url="https://community.sophos.com/" referer="" error="" authtime="0" dnstime="2" cattime="130" avscantime="0" fullreqtime="120459509" device="0"
    auth="0" ua="" exceptions="application" category="165" reputation="neutral" categoryname="Technical/Business Forums"


    Here are my profile edits:






  • Yes, the problem is in your VIP_Profile, Zak.  The 'Interface for outgoing traffic' should be "SLC (Address)" instead of the same as your Default Profile.  I don't believe that you want "Wireless Network (Network)" in 'Allowed Networks'.  In fact, do you want anything other than "Servers" in there?

    Note that we don't know what the srcip values are in your log lines - servers, non-servers, wireless, ...?  If you don't see the expected behavior after making the changes to the Profile, please identify those IPs.

    Cheers - Bob

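Since the thread ends with Bob tracing the unwanted failover to which Web Filtering Profile handles each client (and that profile's 'Interface for outgoing traffic'), here is an added check, not code from the thread or from Sophos, that parses the two httpproxy log lines Zak posted and flags requests handled by a profile other than the one the client's network membership should select. The membership of the "Servers" network group is an assumption (the thread never states it), as is the expected profile per client kind.

```python
import ipaddress
import re

# Two httpproxy lines quoted from the thread (abbreviated to the relevant fields and
# joined back onto one line each, since the forum post wrapped them).
SAMPLE_LOG = [
    '2019:01:05-11:11:07 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.2.14" '
    'dstip="157.55.134.136" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="https://login.live.com/"',
    '2019:01:05-11:12:13 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.168" '
    'dstip="184.106.2.168" profile="REF_HttProContaInterNetwo (VIP_Profile)" '
    'url="https://community.sophos.com/"',
]

# ASSUMPTION (not given in the thread): the "Servers" network group is 192.168.2.0/24.
SERVERS_GROUP = [ipaddress.ip_network("192.168.2.0/24")]

# ASSUMPTION: which Web Filtering Profile each kind of client is supposed to match;
# the profile's 'Interface for outgoing traffic' is what picks the WAN for proxied traffic.
EXPECTED_PROFILE = {True: "VIP_Profile", False: "Default Web Filter Profile"}

KV_RE = re.compile(r'(\S+?)="([^"]*)"')          # key="value" pairs of the UTM log format
PROFILE_NAME_RE = re.compile(r'\(([^)]*)\)\s*$')  # "REF_xxx (Display Name)" -> Display Name


def parse_httpproxy_line(line):
    """Return the key/value fields of one httpproxy log line plus a 'profile_name' field."""
    fields = dict(KV_RE.findall(line))
    m = PROFILE_NAME_RE.search(fields.get("profile", ""))
    fields["profile_name"] = m.group(1) if m else fields.get("profile", "")
    return fields


def audit_profile_assignment(lines, servers_group=SERVERS_GROUP):
    """One finding per line; ok=False when srcip was handled by an unexpected profile."""
    findings = []
    for line in lines:
        f = parse_httpproxy_line(line)
        ip = ipaddress.ip_address(f["srcip"])
        is_server = any(ip in net for net in servers_group)
        expected = EXPECTED_PROFILE[is_server]
        findings.append({"srcip": f["srcip"], "is_server": is_server,
                         "profile": f["profile_name"], "expected": expected,
                         "ok": f["profile_name"] == expected})
    return findings


if __name__ == "__main__":
    for r in audit_profile_assignment(SAMPLE_LOG):
        print("OK" if r["ok"] else "MISMATCH", r["srcip"], r["profile"], "expected", r["expected"])
```

Under the assumed group membership both posted lines come out as mismatches, which is exactly the kind of evidence (a non-server client matched by VIP_Profile) Bob asked Zak to identify.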