
Standby uplink interface not remaining up

We have two internet connections- a fiber line and a cable line. Both are connected to the internet.

When both are "active", it breaks everyone's email. For some reason the Apple Mail.app client does not get along with Google when both interfaces are active; it just hangs the mail client.

However, if I put one as active and the other as standby, it actually turns the standby interface off. This is a serious problem for us because we're using that second interface (the fiber line) as our AWS VPN gateway. So when we put that interface as the standby interface, it breaks our VPN.

What is the best way to set this up so we can keep our AWS VPC VPN on the fiber line but still only use that fiber line as a backup for general internet usage?

  • Hi, Robert, and welcome to the UTM Community!

    This is not a common problem, so some experienced UTM Engineer will need to access your box to see what's happening. The solution is probably a simple configuration change, but I can't divine what questions to ask to find that. My guess at this point would be routing problems caused by overlapping subnets or an inadequate Multipath rule.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • There aren't any overlapping subnets, and I'm not sure what sort of multipath rules would be needed. In theory if I'm using an Active/Fallback setup then multipathing shouldn't be occurring at all.
  • Robert, I have one guess, but if this isn't it, I would get Sophos Support involved...

    Make a Multipath rule binding 'Any -> Any -> Any' to the cable connection, and then put the fiber line into 'Active Interfaces'. Any luck with that?

    Cheers - Bob

  • I don't think you're understanding my problem. When I put the link as a "standby" link it turns the link off, which means traffic I'm manually routing through it stops working.

    At this point I went a different route: they're both in active mode, and I've added a series of multipath rules that work as I need them to.
  • Yup, that's the approach I always use.

    Cheers - Bob
  • Just came across this myself, this has to be the most asinine decision I've come across yet for these UTMs. How can I monitor my backup internet connection if the interface is disabled? Why would you want to wait for the interface to come back up and negotiate once the primary uplink is determined to be down? I'm flabbergasted at the stupidity of this design decision.

  • Yup, it is an utterly stupid decision that defeats the entire point of having an Active/Standby system. The engineers who made this call were clearly not thinking.

  • I believe that design was made in the interest of flexibility. You can set up dual WAN in a couple of different ways. Two of the more popular methods we use are active/active interfaces with weights, and active/standby. Active/active can be set up as the above comments describe, where you define multipath rules, but weighting seems to be a little easier. Click the wrench icon in the Active Interfaces box, set the weight of the "primary" to 100 (or anything 1 or higher) and set the "secondary" interface to zero. This will cause the secondary to be used only if the primary is not operational.

    The second popular method is active/standby. In this configuration the standby interfaces are taken down and only brought up if all the active interfaces are down. We've used this if, for example, a customer has redundant connections to the same provider but needs to use their static IP on both interfaces. Of course, you can't have the same IP on two interfaces, which is where "standby" comes in handy, as it will only bring the standby up if the active fails. This allows use of the same IP on redundant connections to the same ISP, if that ISP is capable of such a setup. Or perhaps you have a PPPoE setup on both interfaces that can only have one login at a time to the same ISP; the standby interface would allow that to work properly.
    Second popular method is active/standby. In this configuration the standby interfaces are taken down and only brought up if all the active interfaces are down. We've used this if, for example, a customer has redundant connections to the same provider but needs to use their static IP on both interfaces. Of course you can't have the same IP on two interfaces, which is where "standby" comes in handy as it will only bring the standby up if active fails. This allows use of the same IP on redundant connections to the same ISP, if that ISP is capable of such a setup. Or perhaps you have a PPPoE setup on both interfaces that can only have one login at a time to the same ISP, the standby interface would allow that to work properly.