I've got a conundrum that, unfortunately, Sophos support has been unhelpful in solving.
We have a large number of Sophos UTMs with RED tunnels set up at sites with dual ISPs. We use multipathing to put the RED tunnels on the better of the two ISPs, and if / when that ISP goes down, the tunnels fail over to the lesser ISP. This works fine.
The only issue with this configuration is that because the Sophos tries to keep active connections on their current interface, when the primary ISP comes back up the tunnels never fail back over. The RED tunnels sit on the 'bad' isp for days or weeks until we manually disable and re-enable them or we reboot the device.
I'm trying to figure out a way to resolve this, either by:
1) Setting up some kind of monitoring that alerts us when tunnels are on the 'wrong' interface, via SNMP or some built in Sophos function if possible.
2) Somehow reset the tunnels daily so that, at most, they'll sit on the wrong ISP for 24 hours.
3) Force the tunnels to re-check the availability of the primary interface.
Has anyone dealt with this? I'm unsure even how to tell which interface the tunnels are bound to at any given point without looking at the other end of the tunnel (in which case I can see the source IP).
Any suggestions are welcome. Thanks!
This thread was automatically locked due to age.