
Multipath Rules vs Static Routing (Policy Routes) ?

Dear Experts,

We have 3x Internet access lines using Uplink Balancing.

We are using services for online file storage accessed by WebDAV (HTTPS) mostly.

I want to force all the traffic on HTTPS to destination i.e. "PROVIDER.com" to go over our dedicated line (same upload and download), let's call it "line1".

What is the best strategy in performance regarding the Astaro overload? And what is the difference between them?

a) using Interfaces&Routing > Static Routing > Policy Rules (Any>Any>HTTPS>provider.com>interface "line1")

or

b) using Interfaces&Routing > Interfaces > Multipath Rules (Any>HTTPS>provider.com>line1)

Thank you in advance!
Uwe


  • trying to manage a nationwide UTM rollout that happened to coincide right with the disastrous slew of bugs that has been 9.3!

    Wes - Oh, man!  The last nine months have been the worst since V5.0 was rolled out (2003?).  It's no wonder that you've been in a bad mood about these problems.  I'm sorry if I was less than cordial at any time!

    I know you have a lot of these in place, but if these are RED tunnels instead of RED devices, then I would consider replacing the tunnels with IPsec using AES 128 PFS.  Much faster and much less load on the UTM. You would use Availability Groups in the datacenter UTM and an Interface Group in the sites with more than one WAN connection.  I described this in Auto-Failover IPsec VPN Connections.

    You can achieve the same thing with the RED connections using Uplink Balancing in the client sites.  I wouldn't use the weighting tool to achieve this though.  Instead of a thousand words...[;)]



    Cheers - Bob
    PS  I suspect that your prior post describes what happens under the covers with Uplink Balancing when 'Persistence: by Interface' is specified.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, sorry to resurrect an older thread but we are still battling this and have never gotten anywhere with Sophos support who no longer really seem to know their own product - it's always guesswork and "hey let's see what this does!"  :-(

    We ended up moving away from availability groups and using multipath for all our load balancing and failover configuration because AGs had a strange issue where they would not fail over if the interface was in an "error" state but not down.  Very frustrating.

    Equally or perhaps even more frustrating is the fact that multipath rules don't seem to have any proper mechanism for failback!!  So if I have an interface go down (or at least have the UTM think it goes down) even just briefly so that its multipath rules fail over to the other interface, once it's back online there's no mechanism for things to fail back to their intended home.  So we end up in a scenario where we think all of our voip and vpn traffic is going over one interface, but it's actually been running over the backup line for who knows how long.

    How can we periodically force things back in line with the multipath config?  Is there any option to do so other than rebooting the UTM?  If not, is there a straightforward way to schedule a reboot (and one that handles HA pairs so the failed over state doesn't persist)?

    Thanks!

  • You say that they "had a strange issue where they would not fail over if the interface was in an 'error' state but not down."  I've seen that before.  Try putting fixed settings on such an interface at 100Mbps/Full Duplex and having the router connected to it use the same, fixed settings.  Disable/enable the Interface definition to force a new connection with the fixed settings and ask your ISP to do the same with their router.

    The standard fallback time is one hour.  You can set the "Persistence" to another value using the wrench tool at the top of the 'Active Interfaces' box.  The lowest value is one minute.  A connection started on one interface will continue on that interface.  The implication for VoIP is that calls begun on the backup interface won't be dropped and restarted on the primary interface, but new calls will be handled on the primary interface after the Persistence time has passed.

    In March, you commented, "Thanks for the screenshots - so are you saying that creating a multipath rule for RED traffic will affect the RED tunnels being initiated by the UTM itself - and not just any RED devices that happen to be sitting behind it?"  A single rule would route all tunnels, including ones for other devices behind the UTM.  You would want a rule above the general one that uses a Traffic Selector like 'Internal (Network) -> RED Traffic -> Any'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
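    The persistence behaviour Bob describes above (existing connections stay on the uplink they started on; new connections are pinned to the last chosen uplink until the Persistence time passes, then re-evaluate and return to the primary) is easy to get wrong when reasoning about long-lived tunnels. The following is an added simulation, not code from Sophos UTM or from anyone in this thread; it is a simplified model of that description, and the uplink names, the failure timeline and the exact re-evaluation logic are constructed assumptions. It shows why a RED tunnel that re-established on the backup line never "fails back" on its own while a new VoIP call does once the Persistence time has passed, and how shortening Persistence from the one-hour default to one minute changes when new connections return to the primary line.

```python
"""
Simplified model (added example, not UTM code) of 'Persistence: by Interface'
in Uplink Balancing / Multipath Rules, as described in the thread:
  - a connection keeps the uplink it started on for its whole lifetime;
  - new connections are pinned to the last chosen uplink while that uplink is
    up and the persistence time has not elapsed;
  - after the persistence time, new connections re-evaluate and go back to the
    primary uplink if it is up.
Uplink names, timings and the failure sequence are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Uplink:
    name: str
    up: bool = True


@dataclass
class Flow:
    key: str          # constructed label, e.g. "red-tunnel" or "voip-call-1"
    interface: str    # uplink the flow was bound to when it started
    started_at: int   # seconds on the constructed timeline


@dataclass
class MultipathRule:
    """One rule with a preferred uplink and a backup, persistence by interface."""
    primary: Uplink
    backup: Uplink
    persistence_seconds: int = 3600          # one hour, the default Bob quotes
    binding: Optional[Tuple[str, int]] = None  # (uplink name, time bound)
    flows: Dict[str, Flow] = field(default_factory=dict)

    def _uplink(self, name: str) -> Uplink:
        return self.primary if name == self.primary.name else self.backup

    def choose(self, now: int) -> str:
        """Pick the uplink for a NEW connection starting at time `now`."""
        if self.binding is not None:
            name, since = self.binding
            # Persistence still pins new flows to the bound uplink if it is up.
            if self._uplink(name).up and now - since < self.persistence_seconds:
                return name
        # Persistence expired (or bound uplink is down): prefer the primary.
        chosen = self.primary.name if self.primary.up else self.backup.name
        self.binding = (chosen, now)
        return chosen

    def new_flow(self, key: str, now: int) -> Flow:
        flow = Flow(key, self.choose(now), now)
        self.flows[key] = flow
        return flow


def scenario(persistence_seconds: int = 3600) -> Dict[str, str]:
    """Primary flaps briefly; return which uplink each connection ended up on."""
    line1, line2 = Uplink("line1"), Uplink("line2")
    rule = MultipathRule(primary=line1, backup=line2,
                         persistence_seconds=persistence_seconds)

    line1.up = False                                  # t=0: line1 seen as down
    rule.new_flow("red-tunnel", now=10)               # tunnel re-established on line2
    line1.up = True                                   # t=60: line1 is back
    rule.new_flow("voip-call-1", now=100)             # new call while pinned
    rule.new_flow("voip-call-2", now=10 + 3600)       # new call after one hour

    # Existing flows never move: the tunnel stays wherever it started.
    return {key: flow.interface for key, flow in rule.flows.items()}


if __name__ == "__main__":
    for label, seconds in (("default 1h", 3600), ("1 minute", 60)):
        print(label, scenario(seconds))
```

    With the default one-hour Persistence, both the tunnel and the first VoIP call land on line2 and only the call placed after the hour returns to line1; with Persistence set to one minute the first call already goes back to line1, but the long-lived tunnel still stays on line2 until it is restarted, which is the failback gap Wes raises.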
  • Thanks Bob!

    We do already have a multipath rule that sends all traffic destined for our datacenter subnets over a particular ISP...

    Sounds like ultimately our issue is that, while other traffic like Skype for Business does indeed fail over based on persistence, the RED tunnels (which follow the same rule as their server target is a datacenter IP) never switch back to the desired ISP because they aren't starting new sessions per se...

    Any thoughts on how to get RED tunnels to fail back over (other than a reboot)?

    -Wes

  • Wes, didn't I answer this question to your colleague in https://community.sophos.com/products/unified-threat-management/f/62/p/77479/297708#297708?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA