
UTM2UTM RED redundancy

We use UTM2UTM red tunnels for many years and they are working very well. Recently our datacenters have upgraded to multi-homing and with multiple external transfer nets (one for each provider) we would like to have some fail-overs for the RED tunnels. They connect to the external IP address of the UTM, so in case an ISP link goes down the tunnel is also lost. For hardware REDs you can configure a secondary UTM uplink address, which somehow does not exist for UTM2UTM connections.

I tried an availability group, but that's also not supported as the UTM peer address.

Of course, we could have two tunnels running at all times, one to each ISPs address space and then use OSPF on top of that, but it sounds a bit like overkill.

Any ideas on how that might be possible?

Thank you,

Ronny



  • Hallo Ronny,

    At first, I thought this might work with Uplink Balancing and Multipath rules with two (four?) RED tunnels - have you tried that?  A1-B1, A2-B1, A1-B2, A2-B2?  Don't know how much overhead it adds with each additional tunnel.

    Thomas Friedrich's suggestion to use OSPF is one I like.  You can get an idea of how to do this in Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE) - I know the fact that it's in German will not be a problem for you. ;)

    It just seems like there is an elegant way to solve this problem if only we can put our finger on it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Well, not so much good news about that yet.

    Tunnel 1 from FW A to FW B (IP 1) created and up.

    Tunnel 2 from FW A to FW B (IP 2) created and up.

    Tunnel 3 from FW B to FW A created leads to a disconnect of Tunnel 1 and 2, because the connection between both firewalls has already been established. Tunnel 3 will disconnect too, in an endless loop.

    So it looks like you cannot have a RED tunnel from FW A to FW B and FW B to FW A.

    I tried to bind the Host definition of FW A on FW B to each interface and create two tunnels to FW A, works great, but ignores the interface binding. When I bring down IP 2 the second tunnel still connects via IP 1. When I bring down IP 1 both tunnels die.

    ...

  • Hi Ronny,

    Your intent is to have two REDs in site one and two REDs in site two to initiate the connections from both sites? Two datacenters with servers?

    You have to work with multipath rules on the RED Client Firewall to control the flow of the RED Traffic through the two or more IPs.

    Check the "Skip rule on interface error" in the rules.

    I defined RED Traffic in a Group, containing two members:

    Kind regards,

    Alex

  • Hi Alex

    Very interesting, I will give it a try and get back to you.

    The real intent is to be able to fail-over when one of the ISP links goes down, which for the client is not a problem, but for the server is, as we cannot specify two IP addresses on the client UTM.

    Yours,

    Ronny

    Implement the logical layout among the physical, i.e. if you have one client connection IP and two server connection IPs, create two RED tunnels. If you have two or more client connections there will be four RED tunnels and multipathing rules, if you like to have every case implemented. The multipathing rule is needed on the client side, since this one sends traffic to the server and has to decide over which connection the packets flow.

    Since client connections start when you activate them (without having traffic on the interface), there's no need to implement a RED server in a client site.

  • Hi Alex,

    more updates. I enabled uplink balancing and two multi path rules, as you suggested. One RED client connection to the other side is configured. Both ISP links are up and I have configured both as active in the balancing configuration, making ISP 1 the first in the list and ISP 2 the second. Now when I create the RED, it uses ISP 2, as this has the better BGP routing info at the moment.

    But I cannot get the RED tunnel to bind to a certain interface. So when I create a second tunnel, it will use the same source IP and therefore the same ISP uplink as the other one. If the ISP fails, it falls over both to the other ISP. Something is still missing there. I tried the idea of Bob to use a different target host definition for both tunnels, each bound to an interface, but that doesn't work.

    What am I missing?

    Connecting to two different IP addresses on the target firewall works fine, by using OSPF.

  • Hi Ronny,

    To get it: You have two links at your client side and two links at your server side, which are all active? You are able to connect to all of your IPs? You mentioned BGP -> You get a subnet via BGP distributed over two different providers/lines? To which IPs do you connect?

    How's your configuration of the multipath rules? In my screenshot there were two black fields in each of the rules. The first field defines the target IP (External Interface IP) to which the RED tunnel should connect. The second one is the interface to which the connection should be bound.

  • Hi Alex,

    Sorry for all the confusion. Current setup is as follows:

    FW A: one ISP uplink, RED server (plan to upgrade to second ISP link later this month)

    FW B: two ISP uplinks, BGP full table, RED client

    internal routing is all done via OSPF, BGP is only used externally (we advertise our own PI networks behind the FWs)

    RED client is connecting to the external IP of FW A (which is provided in a transfer network from the ISP)

    FW B also has two transfer networks, one for each ISP

    This is the FW B setup:

  • Ah, now I got it...

    Do you have another external IP on your server UTM, since you cannot differentiate the RED traffic? In my example I have two server IPs via two lines.

  • Which UTM, the client UTM or the server UTM?

    Edit: ahh wait, you asked for server UTM. I could use one of the additional address from the transfer network, didn't think about that. Nice one :) Thanks, I will try it tomorrow and give an update.

  • You're welcome, looking forward to hear good news. ;)

  • Hi Alex

    I would like to give them to you, but the stickiness to the interface cannot be established. I added a secondary external address to FW A and created a second RED tunnel to this new IP, and also changed the first multipath rule to have the destination pointing to that new IP. Still the connection comes into FW A from the IP of the other ISP, so both REDs are established from the same source IP and therefore go across the same interface.

    Maybe the multi path rules are not honored or my RED group is wrong. I specified 3400/TCP, 3400/UDP, 3401/UDP and 3410/UDP in that group, according to the documentation of Sophos.
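A quick way to check the symptom Ronny describes (both RED tunnels leaving the client UTM from the same source IP) is to group the client's active sockets on the RED ports by server IP and flag any source IP that carries tunnels to more than one server address. This is an added example, not code from the thread or from Sophos; the socket lines, addresses and interface names are constructed and hypothetical, and the ports are the ones Ronny listed in his RED service group.

```python
import re
from collections import defaultdict

# Ports from Ronny's RED service group in the thread.
RED_PORTS = {("tcp", 3400), ("udp", 3400), ("udp", 3401), ("udp", 3410)}

# Constructed sample: one active socket per line as
# "<proto> <local ip>:<port> <remote ip>:<port>" (hypothetical addresses).
SAMPLE = """\
tcp 203.0.113.10:51234 198.51.100.1:3400
udp 203.0.113.10:40001 198.51.100.1:3410
tcp 203.0.113.10:51240 198.51.100.2:3400
udp 203.0.113.10:40002 198.51.100.2:3410
tcp 203.0.113.10:51300 192.0.2.9:443
"""

# Hypothetical mapping of client uplink IP -> interface, for the report only.
UPLINKS = {"203.0.113.10": "eth1 (ISP 1)", "192.0.2.10": "eth2 (ISP 2)"}

LINE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def tunnel_sources(text):
    """Return {server_ip: {source_ip, ...}} for sockets on RED ports only."""
    tunnels = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proto, src, _sport, dst, dport = m.groups()
        if (proto, int(dport)) in RED_PORTS:
            tunnels[dst].add(src)
    return dict(tunnels)

def shared_uplinks(tunnels):
    """Source IPs that carry tunnels to more than one server IP.
    Two tunnels meant for different ISP links but sharing a client source IP
    means the per-interface binding is not being honoured: losing that ISP
    takes both tunnels down."""
    by_src = defaultdict(set)
    for dst, srcs in tunnels.items():
        for src in srcs:
            by_src[src].add(dst)
    return {s: sorted(d) for s, d in by_src.items() if len(d) > 1}

if __name__ == "__main__":
    found = tunnel_sources(SAMPLE)
    for dst, srcs in sorted(found.items()):
        for src in sorted(srcs):
            print(f"RED to {dst} from {src} via {UPLINKS.get(src, 'unknown uplink')}")
    for src, dsts in shared_uplinks(found).items():
        print(f"WARNING: {src} carries tunnels to {', '.join(dsts)}; no failover")
```

Feed it the real socket table from the client UTM (reshaped to the three-column form above) and an empty result from shared_uplinks means each tunnel is leaving via its own uplink.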

  • Hm...

    Why have the Destinations in your Multipath Rules Question Marks?

  • It's a SUM host definition, maybe that's why it doesn't have an icon?

  • Hi Ronny,

    What are your tunnels doing?

    Since my test environment had no license, I had to install one with Network Subscription. I saw the same behavior after one connection was down: both tunnels came up, although "Skip rule on Interface error" wasn't ticked.

    Kind regards,

    Alex

  • Hi Alex

    No change, the multipath definition is completely ignored by the UTM. I raised a ticket with Sophos support but I have to admit, I have been nothing but disappointed by them so far. I asked the question of how a multipath definition can be used for outgoing connections over multiple uplinks and their answer was "works as designed, case closed". Sometimes you have to wonder what you pay support for.

    So unless something magical happens I am left with a crippled setup which is "not working as designed".