
UTM to UTM LAN interconnect via RED L2 tunnels: how to deploy WAN Uplink Redundancy?

We implemented a working L2 LAN interconnect with a single UTM9 to UTM9 RED tunnel. The RED server site has 3 WAN uplinks. The RED client site has a single WAN uplink. Is it possible to deploy the WAN Uplink Redundancy? Something like setting up 3 RED tunnels, each using a different WAN uplink on the RED server. If the primary RED tunnel fails, the LAN interconnect automatically falls back to one of the other two tunnels. Or, perhaps even better, to use all 3 tunnels in parallel. Does this sound feasible?



  • Excellent, Ben, I'd forgotten about Michael's blog even though, with his permission, I had put an IPsec version of that piece into the local UTM Wiki about two years ago.

    I believe that his prescription will work, with some adjustments.  Michael's task was to have two redundant tunnels, each on a separate pair of WAN connections.  The Goal here is to have the Client side establish three redundant tunnels, one to each of three WAN connections on the Server.

    Jocky, you won't need the Multipath rules 4 & 5 on the Client side since you have only a single ISP there.  I'm still pessimistic about whether this can work with the LANs bridged over the RED connections.

    It seems like the easier solution would be to have one tunnel with the single-ISP site as the Server and the 3-ISP site as the Client.  Then, just have two Multipath rules in the 3-ISP UTM with one that binds all RED traffic to the primary interface and then a following rule binding all RED traffic to the secondary interface.  If both are down, then traffic will go out the third.  This way, you also get to keep the bridging.  The downside is that an outage would cause a sub-one-minute interruption instead of having instant failover with Michael's approach.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
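The Multipath-rule approach above trades instant failover for a short interruption while the client-side UTM notices the dead uplink and re-establishes the RED tunnel over the next interface. The script below is an added example, not code from the thread or from Sophos: it measures that interruption from a ping log so you can verify the "sub-one-minute" expectation after pulling the primary WAN cable on the 3-ISP UTM. It assumes you ran a continuous `ping -D -i 1` (Linux iputils, which prefixes each reply with a `[unix-timestamp]`) from a host on one bridged LAN to a host on the other and saved the output; the log embedded here is constructed, and the hostnames, addresses and sequence gap are invented for illustration.

```python
"""Estimate the failover gap of a bridged RED interconnect from a ping log.

Added example for the thread above; not part of the original posts.
Assumption: the log comes from `ping -D -i 1 <host-on-far-LAN>` run on a
host behind the single-ISP UTM while the 3-ISP UTM's primary uplink was
pulled. Lost icmp_seq numbers mark the interruption; its length is the
wall-clock gap between the surrounding replies minus one ping interval.
"""
import re

# Constructed sample of `ping -D -i 1 10.0.2.10` output (not real data):
# seq 5..41 never came back while the tunnel re-established over uplink 2.
SAMPLE_PING_LOG = """\
[1700000000.100] 64 bytes from 10.0.2.10: icmp_seq=1 ttl=64 time=4.12 ms
[1700000001.101] 64 bytes from 10.0.2.10: icmp_seq=2 ttl=64 time=4.20 ms
[1700000002.102] 64 bytes from 10.0.2.10: icmp_seq=3 ttl=64 time=4.08 ms
[1700000003.103] 64 bytes from 10.0.2.10: icmp_seq=4 ttl=64 time=4.15 ms
[1700000042.141] 64 bytes from 10.0.2.10: icmp_seq=42 ttl=64 time=9.77 ms
[1700000043.142] 64 bytes from 10.0.2.10: icmp_seq=43 ttl=64 time=9.81 ms
"""

# iputils `ping -D` reply line: "[<unix ts>] ... icmp_seq=<n> ..."
LINE_RE = re.compile(r"^\[(?P<ts>\d+(?:\.\d+)?)\] .*icmp_seq=(?P<seq>\d+)")


def parse_ping_log(text):
    """Return a list of (timestamp, icmp_seq) tuples, one per reply line."""
    replies = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            replies.append((float(m.group("ts")), int(m.group("seq"))))
    return replies


def find_outages(replies, interval=1.0):
    """Find runs of lost sequence numbers between consecutive replies.

    Each outage is reported as the first lost seq, how many were lost, and
    the approximate length in seconds: the gap between the last reply before
    the hole and the first reply after it, minus one ping interval.
    """
    outages = []
    for (t_prev, s_prev), (t_next, s_next) in zip(replies, replies[1:]):
        lost = s_next - s_prev - 1
        if lost > 0:
            outages.append({
                "first_lost_seq": s_prev + 1,
                "lost": lost,
                "seconds": round(t_next - t_prev - interval, 3),
            })
    return outages


def failover_within(replies, limit_seconds=60.0):
    """True when every interruption in the log was shorter than limit_seconds."""
    return all(o["seconds"] < limit_seconds for o in find_outages(replies))


if __name__ == "__main__":
    replies = parse_ping_log(SAMPLE_PING_LOG)
    for o in find_outages(replies):
        print(f"lost {o['lost']} pings from seq {o['first_lost_seq']}, "
              f"about {o['seconds']} s without connectivity")
    print("all outages under one minute:", failover_within(replies))
```

Run it against a real capture instead of the embedded sample to see how long your own UTM takes to fall back to the next Multipath interface; a 1-second ping interval bounds the measurement error to about one second.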
  • Hi Ben & Bob, that very much sounds like the solution for our problem. Actually we just swapped the RED client & server roles between the sites. So now the new site is the RED server and has a single WAN uplink. The old site, which will be phased out in some months, is the RED client and has 3 WAN uplinks. I think the Multipath combined with OSPF routing is what we must go for.


    Cheers,

    JockyW