Dual ISPs configured in load balancing, SSL VPN and user portal goes down.

We have 2 ISPs that are configured with 100% for both in load balancing. The one at the top of the list is primary, right? So it seems that the router reconfigures the load every so often, and when the second ISP is primary the user portal and VPN become unreachable. We have tried multipath rules and a round robin in our DNS server. Both portal and VPN work well with the primary ISP, but as soon as we enable both in load balancing, several hours later they quit. What settings are we missing?

Parents
  •  I am unsure which settings you want pictures of, but I have included a few. The reason I think it is a Sophos setting is because if I use the IP address of the second ISP instead of the domain name I can access both the VPN and the user portal. It seems that somehow they are tied to the primary ISP address.


Children
  • Uplink Balancing only affects outbound requests, Dave, not outbound responses nor inbound requests.

    I'm confused.  Do you have a router in front of the UTM that's doing load balancing?  If it's switching primary between the two ISPs, how does it update DNS?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry I haven't been more clear. We do not have anything in front of our Sophos UTMs. Traffic goes through them first, right after the modems from our providers, and then on to the router. The reason I think something is happening in the Sophos is because the Cox IP becomes unreachable for the VPN, and I can use the Windstream IP to reach the VPN if I put it in manually, and then later it switches and becomes reachable again. Any insights you have will be appreciated.

    Thanks,

    Dave

  • What is the purpose of the round-robin in your DNS server, Dave?

    Cheers - Bob

  • In trying to troubleshoot I thought that the new IP could point to the domain name of the Sophos but it did not help.

  • OK, to explain it a little more clearly, here is our setup. We have 2 ISPs coming into our Sophos UTM firewalls set to uplink balancing.

    We have a GoDaddy domain server with both static IPs of the ISPs pointing to the portal domain name of the Sophos. When uplink balancing is enabled with both ISPs, the VPN will become unreachable. With uplink balancing not enabled and Cox as the connection, everything works as normal. We are using the Sophos SSL VPN for our remote access.

  • What do you have in the 'Interface address' box on the 'Settings' tab, Dave?  Insert a picture of the Edit of any relevant Multipath rule.

    Cheers - Bob

  • In the interface IPv4 address we have the static IP given by the ISP. In the IPv4 netmask we have what was given by the ISP. We have IPv4 Default GW checked and the gateway address in the gateway field. The multipath rules are currently not active because they did not make any difference, but they are attached. I created number 1, which was to bind both the user portal and SSL users to our Cox line. The second was made by our MSP to bind the user portal to Cox. We did not have both active at the same time.

  • As Bob said already ... "Uplink Balancing only affects outbound requests ... not outbound responses nor inbound requests"
    So your multipath configuration is not interesting.
    Please post your interface configuration.
    Which interface do you allow within the Portal & SSL-VPN configuration?

    Steps for troubleshooting are (based on the OSI layer model) ...
    1st: Is the interface reachable ... try to ping/telnet both interfaces from external (enable ping reachability temporarily)
    2nd: try to connect SSL-VPN ... configure only one destination IP (not DNS) within the corresponding OVPN file at the client.


    Dirk

    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • OK, I can reach the VPN through both addresses. The workaround I have currently is to modify the OVPN config file on the clients with both IPs, and whichever one is currently able to be reached will connect, so they both are reachable. I was hoping I would not have to modify every user who downloaded the SSL VPN config.

  • If both IPs work for SSL-VPN, you should check the DNS. I would think the client can't resolve the name to one of these IPs.

    ... or portal.hillcrest.work is an internal name ... not public resolvable?

    What do you use for user-portal?


    Dirk

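The two checks Dirk describes (is each ISP interface reachable from outside, and does the portal name actually resolve to both static addresses) can be scripted so the same test is run from several outside locations during the hours when the portal is reported down. The script below is an added example for this thread, not Sophos code and not the poster's own configuration: the hostname `portal.example.invalid`, the two addresses from the TEST-NET ranges and TCP port 443 for the user portal are constructed placeholders, and the assumption that the user portal and SSL VPN answer on TCP/443 is mine, not stated in the thread.

```python
"""Check that a UTM portal name publishes both ISP addresses and that the
portal TCP port answers on each of them.

Added example for this thread, not Sophos code. Hostname, addresses and
port are constructed placeholders; replace them with the real values.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed values (not the poster's): the portal FQDN and the two ISP static IPs.
PORTAL_HOST = "portal.example.invalid"
EXPECTED_IPS = {"192.0.2.10", "198.51.100.20"}  # ISP A, ISP B (TEST-NET ranges)
PORTAL_PORT = 443  # assumption: user portal / SSL VPN listen on TCP 443


def resolve_ipv4(host: str) -> Set[str]:
    """Return the set of IPv4 A records the local resolver hands back for host."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def compare_records(resolved: Iterable[str], expected: Iterable[str]) -> Dict[str, List[str]]:
    """Classify addresses as published-and-expected, missing, or unexpected."""
    r, e = set(resolved), set(expected)
    return {"ok": sorted(r & e), "missing": sorted(e - r), "unexpected": sorted(r - e)}


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host: str, expected: Iterable[str], port: int,
             reach: Callable[[str, int], bool] = tcp_reachable,
             resolver: Callable[[str], Set[str]] = resolve_ipv4) -> dict:
    """Run the DNS check and the per-address reachability check.

    reach/resolver are injectable so the logic can be exercised offline.
    """
    expected = set(expected)
    records = compare_records(resolver(host), expected)
    reachability = {ip: reach(ip, port) for ip in sorted(expected)}
    verdicts: List[str] = []
    if records["missing"]:
        verdicts.append("DNS: A record(s) not published for: " + ", ".join(records["missing"]))
    down = [ip for ip, ok in reachability.items() if not ok]
    if down:
        verdicts.append(f"TCP/{port} unreachable on: " + ", ".join(down))
    if not verdicts:
        verdicts.append("both addresses resolve and answer; check client-side name caching next")
    return {"records": records, "reachability": reachability, "verdicts": verdicts}


if __name__ == "__main__":
    result = diagnose(PORTAL_HOST, EXPECTED_IPS, PORTAL_PORT)
    for ip, ok in result["reachability"].items():
        print(f"{ip}: {'reachable' if ok else 'UNREACHABLE'}")
    for line in result["verdicts"]:
        print(line)
```

Run it from a host outside both ISPs; if one address is listed as unreachable on TCP while the other answers, the problem is on the UTM or ISP side of that address, whereas a "missing" A record points at the DNS zone rather than the firewall. Note that a TCP check says nothing about an SSL VPN configured over UDP, so the OVPN single-destination test Dirk suggests is still needed for that case.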