
Site to Site SSL VPN WAN Failover

Hi guys, I have a site-to-site SSL VPN connection that is working great. I have an SG105 that captures all traffic (LAN or WAN) from its clients and forwards it on to an SG310 at our main office.

When the tunnel fails, I want devices on the SG105 to be allowed to access the internet. For example, let's say the main office burns down. I still want these devices to be able to talk out.

Right now, if I go to SG105 -> Site to Site VPN -> SSL and hit the green toggle on/off switch, the rule shuts off and devices can talk out as desired. But if I do that on the SG310 (the SSL VPN site-to-site server), the SG105 keeps trying to funnel traffic through the (now dead) tunnel rather than letting it talk out.

When the tunnel fails, I want clients to be allowed direct internet access. Seems fairly simple conceptually. Is it possible?



  • The easiest way to do this is with a RED tunnel and Multipath rules.  I don't know of a way to do this with an SSL VPN site-to-site, although an astute Linux scripter could probably craft a cron job that would disable the site-to-site if the central site couldn't be reached and then re-enable it when it could.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
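    The cron-driven approach Bob sketches above, as an added example that is not from the thread or from Sophos: a POSIX sh watchdog that probes the central site's public VPN endpoint each minute, disables the SG105's site-to-site tunnel after a run of failed probes, and re-enables it after a run of good ones. Probing the public endpoint (rather than an address behind the tunnel) is what lets the check work whether the tunnel is up or down. The thresholds give hysteresis so one dropped packet does not flap the tunnel. The `CENTRAL_HOST` value, the state-file path and the two `tunnel_*` hooks are placeholders; the actual UTM mechanism for toggling the SSL site-to-site connection is an assumption the operator has to fill in.

```shell
#!/bin/sh
# Added example (not the thread's or Sophos's own code): tunnel failover watchdog.
# Run from cron on the client-side UTM, e.g.  * * * * * /usr/local/bin/s2s-watchdog.sh run

STATE_FILE="${STATE_FILE:-/var/tmp/s2s-watchdog.state}"   # constructed path
CENTRAL_HOST="${CENTRAL_HOST:-203.0.113.10}"              # placeholder: SG310 public endpoint
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # consecutive failed probes before disabling
OK_THRESHOLD="${OK_THRESHOLD:-2}"       # consecutive good probes before re-enabling

# Reachability probe; overridable so the decision logic can be exercised offline.
probe_central() {
    ping -c 1 -W 2 "$CENTRAL_HOST" >/dev/null 2>&1
}

# Hooks that toggle the tunnel. Assumed placeholders: replace with the UTM's
# own way of switching the SSL site-to-site connection off and on.
tunnel_disable() { echo "would disable site-to-site SSL tunnel"; }
tunnel_enable()  { echo "would enable site-to-site SSL tunnel"; }

# Pure decision step. Input: state (up|down), fail counter, ok counter,
# probe result (ok|fail). Output: "state fails oks action" where action is
# none, disable or enable. Counters only advance toward a transition, so a
# single stray result resets progress in the other direction (hysteresis).
next_state() {
    state=$1; fails=$2; oks=$3; probe=$4
    action=none
    if [ "$probe" = ok ]; then
        fails=0
        if [ "$state" = down ]; then
            oks=$((oks + 1))
            if [ "$oks" -ge "$OK_THRESHOLD" ]; then
                state=up; oks=0; action=enable
            fi
        else
            oks=0
        fi
    else
        oks=0
        if [ "$state" = up ]; then
            fails=$((fails + 1))
            if [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
                state=down; fails=0; action=disable
            fi
        else
            fails=0
        fi
    fi
    echo "$state $fails $oks $action"
}

# One cron invocation: load persisted counters, probe, decide, persist, act.
run_once() {
    if [ -r "$STATE_FILE" ]; then
        read -r state fails oks < "$STATE_FILE"
    else
        state=up; fails=0; oks=0      # assume the tunnel starts enabled
    fi
    if probe_central; then result=ok; else result=fail; fi
    set -- $(next_state "$state" "$fails" "$oks" "$result")
    echo "$1 $2 $3" > "$STATE_FILE"
    case "$4" in
        disable) tunnel_disable ;;
        enable)  tunnel_enable ;;
    esac
}

# Only act when invoked with the "run" argument, so sourcing the file is side-effect free.
case "${1:-}" in
    run) run_once ;;
esac
```

The decision is kept in `next_state` so it can be checked in isolation; the probe and the toggle hooks are the only parts that touch the appliance. Log each `enable`/`disable` action, since an unexpected run of them is a useful signal that the WAN link or the central site is degrading.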
  • Hi Bob, thanks for the response!

    Quick question: would Uplink Balancing work in this situation? Thanks


  • A RED tunnel with Uplink Balancing is indeed the way to go.  Note that your approach with External in Standby might work if this UTM were the Server side of the tunnel.  I would use a Multipath rule with both in Active instead: Bind 'Any -> Any -> Any' to the RED tunnel.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA