Internet Failover

I have 2 SSG320's on the latest 9.x code.  I have 2 internet connections, one to FiOS and one to Comcast.  I would like to load balance both connections outbound.

Issue: With both connections up and running I do not have an issue.  The firewall picks a link and then traffic flows correctly. However, when I test the fail-over I do not get the results I want.  I tried these tests with both Automatic monitoring as well as hosts I put in, with the same results.  Below are the tests:

Both links up and host using Comcast for internet:

  • fail the Comcast link and the traffic seamlessly fails over to FiOS (Perfect)
  • turn the Comcast link back on; host stays on FiOS (Perfect)


Both links up and host using FiOS for internet:

  • fail the FiOS link and the traffic drops and does not fail over to Comcast
  • turn the FiOS link back on; host comes back up, but on the Comcast link
  • if, while the FiOS link is still failed, I shut down the FiOS interface, traffic immediately moves to Comcast and traffic flows.


So when I review Interfaces & Routing > Uplink Monitoring during this process I see that the FiOS link shows as down, but traffic does not switch over.  Again, if I shut the interface then traffic immediately goes over the Comcast link.

One other thing to note.  Since I have an active-active pair, I have both internet connections terminated into a switch and then the firewall interfaces plugged into the switch.  So when I fail the internet connection I unplug it from the switch, such that the 320's interfaces don't go down.  The whole reason we monitor upstream hosts... 

Any help would be great.  Thanks


  • Hi, viso, and welcome to the User BB!

    If you unplug the cable, and it still doesn't switch over, it does sound like a configuration error, doesn't it?  Please click on [Go Advanced] and attach pictures of the 'Active interfaces' box on the 'Uplink Balancing' tab and of the active rules on the 'Multipath Rules' tab.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, I will have to get that.. but I can tell you that I don't have any multipath rules...  As of now I have put the connections in active-passive mode..
  • In active-passive, the failover takes more than a minute. I would suggest that you put both into 'Active interfaces' and enable the default gateway on the second interface. If you prefer to use the second interface purely as a backup, just make a single Multipath rule:

    Any -> Any -> Any : bind to first interface and select 'Skip rule on interface error' in 'Advanced'

    Cheers - Bob
    PS If you haven't already seen the Rulz thread, check out The Zeroeth Rule there.

    EDIT 2021-05-07: Added the note to select 'Skip rule on interface error' in 'Advanced'.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA