
Multipath rules not working as expected

 Hello community, 

 

I have two WANs setup this way:

All users are on one single subnet, including some servers. These server hosts are included in a Network group "Servers" that I created.

I have two multipath rules set up this way (both by "Interface Persistence"):

- The first one specifies that the "Servers" group uses the secondary WAN to get out, and I have the "Skip rule on interface error" option checked for WAN failover.

- The second rule is for the rest of the users and specifies that they ONLY use the primary WAN with no failover, so I have the "Skip rule on interface error" option unchecked.

 

Whenever I unplug the secondary WAN, the "Servers" group switches automatically to using the primary WAN as expected, but when I turn off the primary WAN all the users switch to using the secondary WAN even though I unchecked the "Skip rule on interface error" option. I don't know what exactly I am missing here. Any suggestions?

 

Thanks!



  • Hello, 

    It still does not work as I want after doing what you proposed. Users are still switching to the secondary WAN whenever the first one is down.

     

    Thank you for your patience,

    Kind regards,

    Zak.

  • If you want to continue to pursue this here, Zak, please show pictures of the Edits of the current Web Filtering Profiles.  Also, show a line or two from the Web Filtering log file where traffic from non-servers was handled after "External (WAN)" was disabled.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, thank you for the response. 

     

    I just noticed that whenever web filtering is disabled and "External (WAN)" goes down, users do not switch to the secondary WAN. They do as soon as I enable web filtering again. Does this mean that the issue resides in my web filtering profiles/policies?

     

    I will be posting details of my profiles and log file as soon as possible.

  • Web filtering log: 

    Before:
    * 2019:01:05-11:11:07 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" sys="SecureWeb" sub="http"
    name="http access" action="pass" method="CONNECT" srcip="192.168.2.14" dstip="157.55.134.136" user=""
    group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)"
    filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="23341" request="0x1a722c00"
    url="https://login.live.com/" referer="" error="" authtime="0" dnstime="680001" cattime="96342" avscantime="0" fullreqtime="62738146" device="0"
    auth="0" ua="" exceptions="" category="178" reputation="trusted" categoryname="Internet Services" application="office" app-id="1156"


    After disabling "External (WAN)" and switching to the secondary WAN:
    * 2019:01:05-11:12:13 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" sys="SecureWeb" sub="http" 
    name="http access" action="pass" method="CONNECT" srcip="192.168.1.168" dstip="184.106.2.168" user=""
    group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (VIP_Profile)"
    filteraction="REF_HttCffVipfiltera (VIP_FilterAction)" size="17091" request="0x1a92d600"
    url="https://community.sophos.com/" referer="" error="" authtime="0" dnstime="2" cattime="130" avscantime="0" fullreqtime="120459509" device="0"
    auth="0" ua="" exceptions="application" category="165" reputation="neutral" categoryname="Technical/Business Forums"


    Here are my profile edits:

  • Yes, the problem is in your VIP_Profile, Zak.  The 'Interface for outgoing traffic' should be "SLC (Address)" instead of the same as your Default Profile.  I don't believe that you want "Wireless Network (Network)" in 'Allowed Networks'.  In fact, do you want anything other than "Servers" in there?

    Note that we don't know what the srcip values are in your log lines - servers, non-servers, wireless, ...?  If you don't see the expected behavior after making the changes to the Profile, please identify those IPs.

    Cheers - Bob

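To do the check Bob asks for (which Web Filtering profile handled traffic from non-server hosts once "External (WAN)" was down), the httpproxy lines can be parsed and compared against the "Servers" group. This is an added example, not code from the thread or from Sophos UTM; the sample lines are reconstructed from the two entries above and the membership of the "Servers" group (here assumed to be just 192.168.2.14) is an assumption.

```python
import re
import ipaddress

# Constructed sample input: the two httpproxy entries quoted in the thread,
# re-joined onto one line each (the forum wrapped them) and trimmed to the
# fields this check needs.
SAMPLE_LOG = [
    '2019:01:05-11:11:07 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" '
    'srcip="192.168.2.14" dstip="157.55.134.136" user="" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="https://login.live.com/"',
    '2019:01:05-11:12:13 utm-bomare-2 httpproxy[24911]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" '
    'srcip="192.168.1.168" dstip="184.106.2.168" user="" '
    'profile="REF_HttProContaInterNetwo (VIP_Profile)" '
    'url="https://community.sophos.com/"',
]

# Assumed membership of the "Servers" network group; the thread never lists it.
SERVERS_GROUP = ["192.168.2.14/32"]

# key="value" pairs; values may contain spaces (e.g. the profile display name),
# so match up to the closing quote rather than up to the next space.
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_httpproxy_line(line):
    """Return the key="value" fields of one UTM httpproxy log line as a dict."""
    return dict(KV_RE.findall(line))


def non_server_hits(lines, servers_group, profile_name):
    """Return (srcip, url) for requests handled by the named profile whose
    source is NOT a member of the servers group. A non-empty result means
    that profile (and its 'Interface for outgoing traffic') is steering
    ordinary users, which is what the multipath rule was meant to prevent."""
    servers = [ipaddress.ip_network(n) for n in servers_group]
    hits = []
    for line in lines:
        fields = parse_httpproxy_line(line)
        if profile_name not in fields.get("profile", "") or "srcip" not in fields:
            continue
        try:
            src = ipaddress.ip_address(fields["srcip"])
        except ValueError:
            continue  # skip malformed srcip rather than abort the whole scan
        if not any(src in net for net in servers):
            hits.append((fields["srcip"], fields.get("url", "")))
    return hits
```

Run against the two quoted lines, the VIP_Profile entry from 192.168.1.168 is reported as a non-server client, while the Default profile entry comes from the assumed server and is not.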