Active sessions don't fail back when primary gateway restored

Hi,

I am not sure about your device configuration. I am sharing some basic idea about a configuration of the backup gateway.

And you have to assign the more weight on the primary gateway (My personal experience) and adjust the Gateway Failover Timeout. 

Regards,

Deepak Kumar

This is exactly the configuration we currently have on the backup gateway.

Hi,

If the Link will restore automatically then are getting the "ACTIVE"  status under the Control Center?

Regards,

Deepak Kumar

Yes.

New flows go out via the correct gateway. Flows which failed over from Gateway 1 to Gateway 2 (or started on Gateway 2) do not failback to Gateway 1 when it comes back up. 

Any update on this?  We are having the same issue with our Sophos XG135 on SFOS 17.1.2 MR-2.  We can't get our IP phones to connect to the primary WAN after a failover.  Rebooting the phones does not solve the issue.  Disconnecting WAN2 or a firewall reboot seem to be the only options.

As far as i know, this is works as designed. 

Basically XG is using and holding active sessions via Conntrack to one WAN Interface. If there would be a fallback to the failure WAN interface, it would cause a conntrack / stateful firewall missmatch and most of the services in the internet would go crazy. 

You need to setup a new connection in order to get the Connections up and running. 

There is something called tcp handshake. https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment

So if you perform the Handshake with WAN2 (as failover) and want to switch to WAN1 after failback, it would break the handshake because you are using another IP and not the original source ip of WAN2. So XG is holding the connection on WAN2 and build up all new connections with WAN1. 

As far as i know, this is works as designed. 

Basically XG is using and holding active sessions via Conntrack to one WAN Interface. If there would be a fallback to the failure WAN interface, it would cause a conntrack / stateful firewall missmatch and most of the services in the internet would go crazy. 

You need to setup a new connection in order to get the Connections up and running. 

There is something called tcp handshake. https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment

So if you perform the Handshake with WAN2 (as failover) and want to switch to WAN1 after failback, it would break the handshake because you are using another IP and not the original source ip of WAN2. So XG is holding the connection on WAN2 and build up all new connections with WAN1. 

Many other firewalls allow a forced break of all sessions, or selected sessions, networks, objects, etc when your failback to the primary connection.  We are seeing this issue with IP phones and wireless access points that connect to cloud servers.  Even rebooting the equipment does not start a new session on WAN1.  To make matters worse, there are no way to down the interface in the GUI.  I've got more failover options in a $200 Zywall. 

What you describe is exactly the reason I opened up a ticket with customer support. Long-lived connections will remain on the backup gateway until the connection is broken and a new connection is established. This is especially problematic in cases where the backup connection(s) is/are metered or lower-bandwidth/higher-latency than your primary connection.

I have other WAN gateway products in the network I manage that act like your other devices - after a set period of time, they break the connections by deleting the connection tracking entries to fail the traffic back to the most preferred gateway. 

Hi everyone.

V17.1 MR3 covers a small feature.

Check out your Gateway for the new option in MR3. 

Nice!  How long until they expect this to come out of beta?  And where can I get my hands on the beta?

https://secure2.sophos.com/en-us/mysophos/my-account/network-protection/firmware-updates.aspx 

Hello ManBearPig,

Why this changes are not documented in changelogs / release notes by Sophos?

Regards, Ronak.

I already wrote a notification to the release notes writer.

As well as the new KBA has this information.

https://community.sophos.com/kb/en-us/132792