
Uplink balancing with monitoring on uplink interfaces with VLANs

I am trying this setup and ran into trouble with uplink balancing, and I am not sure whether it was a good idea to use a tagged and an untagged interface at the same time.
We need this because SD-WAN routers are also in the same transfer network, connected to the switches. On smaller hardware (SG125) we are running out of interfaces. :-)

We have been running failover tests; the top firewall was Master.
Both eth4 and eth4.20 are active interfaces in the Uplink Balancing section.

Switching off the top switch initiates the HA failover to the second Firewall, perfect.
The status of eth4 changed to error, which is also fine.
But no Internet access was possible, the proxy for example says "no route to host" for any access.

I am not sure how uplink monitoring works, because I see the traffic running on eth4.20 also on eth4 (with tcpdump).
We have tried the native VLAN 10, too. But simply changing eth4 to eth4.10 was not working. I don't know if this is just a Cisco naming convention and does not work on Linux.

Does somebody have an idea how to fix that, before we try using native interfaces only? I know that the HA interface must be native, so maybe there is the same problem here.

Or does somebody know how uplink balancing works technically? Is there a process for that which looks at the traffic, or is it just ping -I?

  • Mistake in the sketch: because of the trunk between the switches, the firewalls only connect to their own switch and do not cross-connect.

  • Hello Frank and welcome to the UTM Community!

    I'm a little confused about how you have things configured.  For maximal redundancy, I would have connected both routers to both switches and both switches to both UTMs.  In any case, the two UTMs, both Master and Slave, should have identical cabling.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob, thanks for your answer.

    Yes, you are right, but this is only possible with routers with more than one port.

    And we have setups with two server rooms / data centers. There is only the switch port trunk between the switches.

    Of course the labeling is the same.

    What is funny: when the interface connected to the switched-off switch goes to status error, Internet access does not seem to be routed to the other interface only. But when I shut down the "error" interface, everything is working as expected.

    Like the firewalls do not register that the first Internet link is down.

    By the way, one setup is a SG125 HA Cluster, the other is a SG230 one. All latest UTM9.
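
Added illustration, not part of this thread and not Sophos UTM's own code: the original post asks whether uplink monitoring is essentially ping -I, and the post above describes an uplink in status error that still seems to be used. The script below shows the generic mechanism such a monitor implements: one ICMP probe per uplink forced out of that interface with ping -I, a consecutive-failure counter that flips the uplink to "error" after a threshold, and a balancer pool that only contains uplinks not in error. The monitoring hosts, interface names and threshold are assumed sample values, and the state machine is a generic one, not a description of how UTM does it internally.

```shell
#!/bin/sh
# Added example of a minimal per-interface uplink monitor.
# Generic illustration only; not Sophos UTM's implementation.

# Constructed sample values: replace with your own monitoring hosts/uplinks.
MON_HOSTS="8.8.8.8 1.1.1.1"
UPLINKS="eth4 eth4.20"
FAIL_THRESHOLD=3   # consecutive failed probe rounds before an uplink is "error"

# probe IFACE HOST: one ICMP probe forced out of IFACE (ping -I). Exit 0 on reply.
probe() {
  ping -I "$1" -c 1 -W 1 "$2" >/dev/null 2>&1
}

# probe_round IFACE: exit 0 if any monitoring host answered via IFACE, else 1.
probe_round() {
  for h in $MON_HOSTS; do
    probe "$1" "$h" && return 0
  done
  return 1
}

# uplink_state FAILS: map a consecutive-failure counter to "up" or "error".
uplink_state() {
  if [ "$1" -ge "$FAIL_THRESHOLD" ]; then echo error; else echo up; fi
}

# active_uplinks "iface:fails iface:fails ...": print the uplinks that are not
# in error, i.e. the only set a balancer may still hand traffic to. An uplink
# whose monitor says "error" must drop out of this set, otherwise the symptom
# described in the thread (dead link still selected) appears.
active_uplinks() {
  out=""
  for entry in $1; do
    iface=${entry%%:*}
    fails=${entry##*:}
    [ "$(uplink_state "$fails")" = up ] && out="$out $iface"
  done
  echo "${out# }"
}

# egress_iface HOST: the interface the kernel would actually use for HOST,
# to compare with what the balancer believes is active.
egress_iface() {
  ip route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\) .*/\1/p'
}

# monitor_once: one monitoring pass over all uplinks (run it from a loop or
# cron); per-interface failure counters are kept in shell variables so that
# a single lost probe does not immediately fail the uplink.
monitor_once() {
  state=""
  for i in $UPLINKS; do
    var="fails_$(echo "$i" | tr . _)"
    eval "n=\${$var:-0}"
    if probe_round "$i"; then n=0; else n=$((n + 1)); fi
    eval "$var=$n"
    state="$state $i:$n"
  done
  echo "active:$(active_uplinks "${state# }")"
}
```

One check worth knowing for the tcpdump observation in the original post: on Linux, a capture on the parent interface (eth4) also shows the 802.1Q-tagged frames that belong to its sub-interface (eth4.20), so seeing eth4.20 traffic on eth4 does not by itself mean the traffic left untagged. `tcpdump -e -i eth4` prints the VLAN tag, and `ip route get <host>` (the egress_iface helper above) shows which interface the kernel actually selects for a destination.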

  • "only possible with routers with more than one port"

    In that case, I would have configured as in your original diagram.

    "What is funny: when the interface connected to the switched-off switch goes to status error, Internet access does not seem to be routed to the other interface only. But when I shut down the "error" interface, everything is working as expected."

    Please insert a picture of the 'Uplink Balancing' settings and one of the Edit of each active Multipath rule

    Cheers - Bob
  • Multipath rules are empty.

    Cheers!

  • Damn, I should deactivate my other account. :-D Sorry for that!

  • Ah, it's the "old" Frank back again! ;-)  One of the administrators can merge your accounts.

    What happens if you disable 'Automatic monitoring' and use one of the Google DNS servers as a monitoring host?

    Cheers - Bob
  • Not yet, that would be the next step.

    Problem is: in the smaller location there is no IT staff. ;-)

    So we have to schedule something.