
routing with metric

Hi,
We need to configure 2 gateway routes to the same destination network (10.1.1.0/24) using 2 different gateways and different priority.
We configured the routes with different metric, but when we try to activate them we get the following error:
"The network '10.1.1.0/24' is already in use by the destination network attribute of the static route object 'to test net (2)'."
What are we doing wrong?
Best would be to activate the second route only in case a monitoring process on the first route fails, like the Cisco route track.
thank you.
andy


  • if i use the availability group the route will always try to use the first host and only in case this is not available the second, right?

    Right.

    Just as a curiosity, do you know why it is not possible to activate the route with a different metric? What is the sense of this field if it's not possible to set it?

    I don't think it's allowed to have two routes for the same subnet.  I think Cisco route track does essentially the same thing as what the UTM does under the covers.  You might have a subnet with a special route, but others near it that all should use a different one.  For example:
    Subnet           Gateway      Metric
    10.10.10.0/24    10.11.1.1     5
    10.10.0.0/16     10.11.1.2     50


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Right.


    I don't think it's allowed to have two routes for the same subnet.  I think Cisco route track does essentially the same thing as what the UTM does under the covers.  You might have a subnet with a special route, but others near it that all should use a different one.  For example:
    Subnet           Gateway      Metric
    10.10.10.0/24    10.11.1.1     5
    10.10.0.0/16     10.11.1.2     50


    Cheers - Bob


    I work on different routing devices, and normally the most specific route takes precedence, so when you have to set up two routes for the same subnet you need to use the metric. The online help in effect describes the metric field exactly for that purpose, but in effect it is not possible to set it. [:S]
    Cheers
  • You are right, in routing devices, more specific routes have priority over broader ones regardless of metric. The sole purpose of Metric is to handle route priority so this behavior on the UTM makes absolutely no sense.
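
To make the distinction concrete, here is an added example (my own code, not from this thread and not Sophos' implementation) that simulates a standard forwarding lookup: longest prefix match first, metric only as a tie-breaker between routes of equal prefix length. It also includes a destination-uniqueness check that reproduces the GUI's refusal as inferred from the error message Andy quoted. Bob's table is taken from his post; the gateway addresses for Andy's two 10.1.1.0/24 routes are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    metric: int


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(table, dst: str) -> Optional[Route]:
    """Standard forwarding decision: the longest matching prefix wins; the
    metric is consulted only to break ties between routes of equal prefix
    length (lower metric preferred)."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst_ip in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def gateway_for(table, dst: str) -> Optional[str]:
    r = lookup(table, dst)
    return r.gateway if r else None


def duplicate_destinations(table):
    """Mirror of the check the UTM GUI appears to apply (inferred from the
    error message in the thread, not Sophos' code): every static route must
    have a unique destination network, so a second route for the same prefix
    is rejected before the metric is ever considered."""
    seen, dups = set(), set()
    for r in table:
        if r.prefix in seen:
            dups.add(r.prefix)
        seen.add(r.prefix)
    return dups


# Bob's example table from the post.
BOBS_TABLE = [
    Route(net("10.10.10.0/24"), "10.11.1.1", 5),
    Route(net("10.10.0.0/16"), "10.11.1.2", 50),
]

# Same prefixes with the metrics swapped: the /24 still wins for hosts inside
# it, because metric never competes across different prefix lengths.
BOBS_TABLE_SWAPPED = [Route(r.prefix, r.gateway, m) for r, m in zip(BOBS_TABLE, (50, 5))]

# Andy's intended setup: two routes to 10.1.1.0/24 with different metrics.
# Gateway addresses are constructed placeholders (RFC 5737 documentation range).
ANDYS_TABLE = [
    Route(net("10.1.1.0/24"), "192.0.2.1", 5),    # primary
    Route(net("10.1.1.0/24"), "192.0.2.2", 50),   # backup, only used once the metric-5 route is gone
]

if __name__ == "__main__":
    for dst in ("10.10.10.5", "10.10.20.5"):
        print(dst, "->", gateway_for(BOBS_TABLE, dst),
              "| metrics swapped:", gateway_for(BOBS_TABLE_SWAPPED, dst))
    print("10.1.1.7 ->", gateway_for(ANDYS_TABLE, "10.1.1.7"))
    print("UTM-style duplicate check:", duplicate_destinations(ANDYS_TABLE))
```

The point the simulation makes: on a metric-aware table both of Andy's routes coexist and the lower metric is chosen, with the higher-metric entry taking over only when the primary route is withdrawn. A per-destination uniqueness check rejects the second entry outright, which is exactly what the quoted error message describes.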

  • Just to add some interesting information:

    I've figured out a way around the stupid GUI of Sophos UTM regarding Static Routes. It's completely retarded.

    I was enabling the same configuration on my other end hoping to test the priority and stumbled into this behavior.


    Check this out:

    In this end, I have a Network Group (instead of a normal Network object), which contains the multiple remote networks I want to add a fallback route to. Notice the Network Group is exactly the same on both rules.

    Note the group is EXACTLY THE SAME in both rules, thus they contain the exact same networks.

    Now you just enable both and... voilà! Stupid GUI lets you do it without complaining with that unbelievably idiotic error message.


    Now, back to reality, if you try to do so with a normal Network Object...

    Again, same object, but now they are of 'Network' type (not a group with multiple, identical ones). Then, you get the stupid message that doesn't know what a goddam 'Metric' stands for.

    Then, to work around this, I've created a Network Group object, inserted some stupid single address object (WHICH IS ALREADY INSIDE OF THIS SAME NETWORK RANGE!!!!) and

    Voilà!


    Seriously.... this....


    Now I need only to check if the system will abide by those. Under these circumstances, I'm curious about what it'll do.

  • Note that you can use an Availability Group as the Gateway with a single Static Route.

    Cheers - Bob

  • ,

    I've read that but it just doesn't feel right to use Availability Groups for routing when metrics are a standard that exists solely for that reason. It's like trying to re-invent the wheel.

    The KB 120239 states the following behaviour:

    If that gateway is no longer reachable, but the next one is, the route will automatically switch over to the interface associated with the next gateway. If the first gateway on the list becomes reachable again, the route will switch back to utilize the first interface.

    The amount of time it takes for the UTM to switch the route from one link to the next if the first one fails is controlled by the Interval setting in the Availability Group > Advanced section. If you set the interval to 15, then the UTM will attempt to contact the first host on the list every 15 seconds. If that host does not respond in the time period specified under Timeout, the UTM will then attempt to contact the next host on the list, and so on.

    It says Sophos swaps to the next entry in the Availability Group when it can't reach the previous, higher-priority entry within the timeout period, and so on. If the higher-priority entries are found to come back online, Sophos will move back up the priority line in order to satisfy route preference.

    Even though it can be okay in the majority of fallback scenarios, this is still way below what working with Metrics can do for you in regard to overall routing.

    Does Sophos have any statement about why its product cannot work with routing standards? Better, what is the positioning of Sophos regarding this matter? Do they see it as a 'bug' that needs to be fixed or a 'normal UTM behavior' that they consider righteous above all?
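
To see what the KB text quoted above actually implies for failover and fail-back timing, here is an added simulation (my own code, not Sophos' implementation and not from this thread) of an Availability Group used as a route gateway: hosts are probed in priority order every Interval seconds, a host that does not reply within Timeout is skipped, and the route moves back up the list as soon as a higher-priority host answers again. The probe results in TIMELINE are constructed, not real measurements, and gw1/gw2/gw3 are placeholder names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AvailabilityGroup:
    """Model of the behaviour described in KB 120239 as quoted in the thread."""
    hosts: List[str]                 # gateways in priority order, first = preferred
    interval: int = 15               # seconds between polling cycles
    timeout: int = 5                 # seconds a host may take to reply before it is skipped
    active: Optional[str] = None     # gateway the route currently uses
    log: List[Tuple[int, Optional[str], Optional[str]]] = field(default_factory=list)

    def probe_round(self, now: int, rtt: Dict[str, Optional[float]]) -> Optional[str]:
        """One polling cycle. `rtt` maps host -> reply time in seconds, or None
        when the host never replies. Returns the gateway in use after the
        cycle (None means no host reachable, so the route has no gateway)."""
        chosen = None
        for host in self.hosts:          # always start from the top of the list
            reply = rtt.get(host)
            if reply is not None and reply <= self.timeout:
                chosen = host
                break
        if chosen != self.active:        # record every switch with its timestamp
            self.log.append((now, self.active, chosen))
            self.active = chosen
        return chosen


def simulate(group: AvailabilityGroup, timeline) -> List[Optional[str]]:
    """Run one probe round per entry in `timeline`, `interval` seconds apart."""
    return [group.probe_round(i * group.interval, rtt) for i, rtt in enumerate(timeline)]


# Constructed probe results, one dict per polling interval.
TIMELINE = [
    {"gw1": 0.5, "gw2": 0.6, "gw3": 0.7},    # t=0:  all up, preferred gw1 chosen
    {"gw1": 0.5, "gw2": 0.6, "gw3": 0.7},    # t=15: steady state
    {"gw1": None, "gw2": 0.6, "gw3": 0.7},   # t=30: gw1 silent -> fail over to gw2
    {"gw1": 8.0, "gw2": 0.6, "gw3": 0.7},    # t=45: gw1 replies but slower than timeout -> stay on gw2
    {"gw1": 0.5, "gw2": 0.6, "gw3": 0.7},    # t=60: gw1 healthy again -> fail back
    {"gw1": None, "gw2": None, "gw3": 0.7},  # t=75: two failures -> third host
    {"gw1": None, "gw2": None, "gw3": None}, # t=90: nothing reachable
]


def demo():
    group = AvailabilityGroup(hosts=["gw1", "gw2", "gw3"], interval=15, timeout=5)
    actives = simulate(group, TIMELINE)
    return actives, group.log


if __name__ == "__main__":
    actives, log = demo()
    for i, gw in enumerate(actives):
        print(f"t={i * 15:>3}s  active gateway: {gw}")
    print("switch events (time, from, to):", log)
```

Two things worth checking on a real deployment follow from this model: the detection delay is bounded by the Interval plus one Timeout per host that has to be skipped, and a congested primary that still answers just inside the Timeout is never failed over, so Timeout should be set relative to the real round-trip time of the link rather than left at a generous default.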

  • As I commented in the other thread, Thiago, I think it's worth opening a case with Sophos Support.

    Cheers - Bob
