
UTM2UTM RED redundancy

We use UTM2UTM red tunnels for many years and they are working very well. Recently our datacenters have upgraded to multi-homing and with multiple external transfer nets (one for each provider) we would like to have some fail-overs for the RED tunnels. They connect to the external IP address of the UTM, so in case an ISP link goes down the tunnel is also lost. For hardware REDs you can configure a secondary UTM uplink address, which somehow does not exist for UTM2UTM connections.

I tried an availability group, but that's also not supported as the UTM peer address.

Of course, we could have two tunnels running at all times, one to each ISPs address space and then use OSPF on top of that, but it sounds a bit like overkill.

Any ideas on how that might be possible?

Thank you,

Ronny



  • FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    If you have multiple ISP connections at both UTMs, I would advise you to create an IPsec tunnel using an availability group. 

    Check out the following KBA for more info: Sophos UTM: How to configure IPsec Site-to-Site VPN with multipath uplink

    Thanks,

  • Thank you for your reply and your suggestion, however, this ain’t working for us as we need Layer 2 connectivity, as we are running OSPF across it. RED is the only way to go.

  • Hi!

    You create a 2nd RED connection. Give the newly created interfaces IP addresses from a different range than the 1st tunnel. Then set up dynamic routing via OSPF. I have been working successfully with several customers.

  • Hi Thomas

    Yeah, that's what I thought. In a mesh like ours it's not pretty and will generate considerable overhead; it would have been so much easier to have a second IP as a redundant uplink connection point.

  • Hallo Ronny,

    At first, I thought this might work with Uplink Balancing and Multipath rules with two (four?) RED tunnels - have you tried that?  A1-B1, A2-B1, A1-B2, A2-B2?  Don't know how much overhead it adds with each additional tunnel.

    Thomas Friedrich's suggestion to use OSPF is one I like.  You can get an idea of how to do this in Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE) - I know the fact that it's in German will not be a problem for you. ;)

    It just seems like there is an elegant way to solve this problem if only we can put our finger on it.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    As usual, thank you for your insight. Uplink Balancing will probably not work for us, as the REDs are site2site connections and not used for Internet access. I also tried LAGging them, but that doesn't work for virtual interfaces.

    So OSPF seems to be the only option right now, as Thomas suggested too, and I had this as a fallback on my list. As I stated before, I would very much prefer the UTM to have an "alternate IP/Host" setting for the RED client, but - very unfortunately - I do not see this coming.

    Yours,

    Ronny

    You may try two tunnels and set up a setting with Availability Groups, but I got to know them as unreliable under certain circumstances. OSPF is the way to go; I had to learn it, but now I love it, since routing is much easier with it. ;)

    Kind regards,

    Alex

  • Hi Bob

    Well, not so much good news about that yet.

    Tunnel 1 from FW A to FW B (IP 1) created and up.

    Tunnel 2 from FW A to FW B (IP 2) created and up.

    Tunnel 3 from FW B to FW A created leads to a disconnect of Tunnel 1 and 2, because the connection between both firewalls has already been established. Tunnel 3 will disconnect too, in an endless loop.

    So it looks like you cannot have a RED tunnel from FW A to FW B and FW B to FW A.

    I tried to bind the Host definition of FW A on FW B to each interface and create two tunnels to FW A, works great, but ignores the interface binding. When I bring down IP 2 the second tunnel still connects via IP 1. When I bring down IP 1 both tunnels die.

    ...

  • Hi Ronny,

    Is your intent to have two REDs in site one and two REDs in site two, to initiate the connections from both sites? Two datacenters with servers?

    You have to work with multipath rules on the RED Client Firewall to control the flow of the RED Traffic through the two or more IPs.

    Check the "Skip rule on interface error" in the rules.

    I defined RED Traffic in a Group, containing two members:

    Kind regards,

    Alex

  • Hi Alex

    Very interesting, I will give it a try and get back to you.

    The real intent is to be able to fail-over when one of the ISP links goes down, which for the client is not a problem, but for the server is, as we cannot specify two IP addresses on the client UTM.

    Yours,

    Ronny