
UTM2UTM RED redundancy

We have been using UTM2UTM RED tunnels for many years and they are working very well. Recently our datacenters have upgraded to multi-homing and with multiple external transfer nets (one for each provider) we would like to have some fail-overs for the RED tunnels. They connect to the external IP address of the UTM, so in case an ISP link goes down the tunnel is also lost. For hardware REDs you can configure a secondary UTM uplink address, which somehow does not exist for UTM2UTM connections.

I tried an availability group, but that's also not supported as the UTM peer address.

Of course, we could have two tunnels running at all times, one to each ISP's address space, and then use OSPF on top of that, but it sounds a bit like overkill.

Any ideas on how that might be possible?

Thank you,

Ronny



  • Hallo Ronny,

    At first, I thought this might work with Uplink Balancing and Multipath rules with two (four?) RED tunnels - have you tried that?  A1-B1, A2-B1, A1-B2, A2-B2?  Don't know how much overhead it adds with each additional tunnel.

    Thomas Friedrich's suggestion to use OSPF is one I like.  You can get an idea of how to do this in Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE) - I know the fact that it's in German will not be a problem for you.

    It just seems like there is an elegant way to solve this problem if only we can put our finger on it.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    As usual, thank you for your insight. Uplink Balancing will probably not work for us, as the REDs are site2site connections and not used for Internet access. I also tried LAGging them, but that doesn't work for virtual interfaces.

    So OSPF seems to be the only option right now, as Thomas suggested too, and I had this as a fallback on my list. As I stated before, I would very much prefer the UTM to have an "alternate IP/Host" setting for the RED client, but - very unfortunately - I do not see this coming.

    Yours,

    Ronny
