Multipath "Leaking"

I implemented a failover for our Metro Ethernet connection between offices using the following article:

https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/80484/how-to-do-backup-vpn-with-sophos-utm-9-x-more-detailed-than-kb-118975

I would like Internet IPv4 type traffic to also go over the Metro Ethernet connection and out of the other office's ISP connection should one of the office's ISP connections fail. I have the following Multipath Rule in place (it is toggled off right now because of the issues described below):

It appears to work at first glance, but I'm having a bad side effect. When the Metro E connection is up, Internet connections are hit and miss. Pages load every other refresh. I toggle off the Metro E interface and all works beautifully. I have watched the Flow Monitor for the Metro E interface while it was up, and I can see TCP/80 and 443 traffic to websites like Facebook and outlook.com trying to go over the Metro E when it should be trying to go out of the ISP interface first. I've messed around with different weights and persistence timeouts, but nothing has corrected this behavior yet. This is what is currently in both firewalls:

Any suggestions?  Thanks!



This thread was automatically locked due to age.
  • As I said in that thread, I already had a different solution and had the article in German from Michael Klehr, so I haven't gone through DKKDG's approach.  You might PM him and make him aware of your question here.

    Show us a picture of the "Loopback Internet" Host definition with 'Advanced' open.

    Does anything happen differently if you change the 'Persistence Timeout' to something longer than 5 minutes?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA