
XG as RED client: WAN link manager (active/backup)

I have a self built XG at home and I'm using a RED Tunnel to a Sophos UTM (server) at another Site. The XG is "RED legacy client".

My XG has 2 internet connections: primary is a VDSL 100 (Germany), second is backup with LTE.
I've configured the LTE connection as backup only when all active WAN interfaces fail because I have limited data transfer volume on the LTE connection.

Sadly there is a short disconnection (about 10-60 seconds) on the main line after 24 hours (enforced by the provider, called "Zwangstrennung").

Recently I've noticed that my LTE data volume was exhausted although the main line has been available all the time.

After some research I've found out that the RED connection seems to switch to the LTE line when the main line has the "Zwangstrennung" and does not switch back when it is available again.

So how can I force the RED tunnel to the main line as long as it is available?
Otherwise my data volume is exhausted after about 10-15 days and the backup line is useless for the rest of the month.



  • Try to use the Note in this KBA. https://community.sophos.com/kb/en-us/125101

    Observe the connection via tcpdump, if it takes the correct connection.

    Another point is, did you already select the option in Gateway:

  • > Try to use the Note in this KBA. https://community.sophos.com/kb/en-us/125101

    If I understand that note correctly, this is only for the RED server!? My XG is the RED client; the RED server is a Sophos UTM on a small vServer with only 1 WAN interface.

    > Another point is, did you already select the option in Gateway:

    Yes, I've set that already like in your screenshot.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • Any other ideas?

    In my understanding this should be considered a bug, as internal services should follow the WAN link manager settings as any other rules do...

    This can be a real pain if you have 2 WAN lines, one very fast and one very slow, and you cannot force the RED tunnel to only use the slow one if the fast one fails...

  • Can you dump this connection, which is still going over the backup interface while the primary interface is back online?
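    The tcpdump check suggested above and the dump requested here, as an added example script that is not from the thread or from Sophos: it counts RED tunnel datagrams seen on the backup WAN interface so you can tell whether the tunnel failed back once the primary link returned. It assumes tcpdump and timeout are available on the XG shell, that the backup interface name is passed as the first argument, and that the RED data channel uses UDP port 3410 (override with RED_PORT if your setup differs); with no argument it runs on a constructed sample capture.

```shell
#!/bin/sh
# Added example (not from the thread): check whether RED tunnel datagrams still
# leave via the backup WAN interface after the primary link has come back.
# Assumptions: tcpdump and timeout exist on the XG shell, the backup interface
# is $1, and the RED data channel uses UDP port 3410 (RED_PORT, overridable).
RED_PORT="${RED_PORT:-3410}"

# count_red_packets FILE: count lines of 'tcpdump -nn' output that carry the
# RED UDP port as source or destination, e.g.
#   "... 203.0.113.10.40000 > 198.51.100.5.3410: UDP, length 120"
count_red_packets() {
  grep -c -E "\.${RED_PORT}(: UDP| > )" "$1" || true
}

# capture_backup IFACE SECONDS: capture on the backup WAN for a few seconds and
# print how many RED datagrams were seen there. A non-zero count while the
# primary link is up means the tunnel did not fail back to the primary.
capture_backup() {
  iface="$1"; secs="${2:-10}"
  tmp="$(mktemp)"
  timeout "$secs" tcpdump -nn -i "$iface" "udp port ${RED_PORT}" > "$tmp" 2>/dev/null
  n="$(count_red_packets "$tmp")"
  rm -f "$tmp"
  echo "$n"
}

# Constructed sample of tcpdump -nn output (two RED datagrams, one DNS query),
# used when no interface name is given.
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 203.0.113.10.40000 > 198.51.100.5.3410: UDP, length 120
12:00:01.000002 IP 198.51.100.5.3410 > 203.0.113.10.40000: UDP, length 96
12:00:01.000003 IP 203.0.113.10.51000 > 198.51.100.9.53: 12345+ A? example.com. (29)
EOF
}

if [ -n "$1" ]; then
  n="$(capture_backup "$1" "${2:-10}")"
else
  tmp="$(mktemp)"; sample_capture > "$tmp"; n="$(count_red_packets "$tmp")"; rm -f "$tmp"
fi
if [ "$n" -gt 0 ]; then
  echo "RED tunnel still uses the backup interface ($n datagrams seen)"
else
  echo "No RED datagrams on the backup interface"
fi
```

    Run it a minute or two after the primary link is back (for example right after the daily "Zwangstrennung") with the backup interface name as the argument; the same capture on the primary interface should then show the tunnel traffic instead.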

  • Hello Scorpion,

    Unfortunately, it is not a bug (I know, I know, but bear with me!) but a design oversight in the implementation of the RED client system on the XG in regards to multi-WAN integration.

    The feature request is here: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/31790149-red-xg-to-xg-client-side-multiple-wan-link-fail-ov

    I don't like it any more than you do, and strong arguments could be made that the "serve connections back through restored gateway" not happening in regards to the RED tunnel is a bug (and I would happily argue in your corner), but the bigger picture is that the XG RED client system needs to be better aware of multi-WAN configuration.

    In v18 there is a huge push for SD-WAN with SD-RED, so there could/will be a large overhaul to RED and tunnel management; your prayers may be answered sooner as part of that upgrade.

    Public Beta EAP should be out in the next few months.

    Emile

  • Hi Emile,

    I am not quite sure if this feature request is still valid after V17.5 MR...2, I guess?

    We released this failback mechanism in an MR release a couple of months ago.

    So I would say this should be retested.

  • Hi Lucar,

    I've not tested this personally, but from what I understand it is more oriented on traffic flowing through the XG, not traffic initiated from the XG?

    If it is meant to apply to traffic initiated by the XG, including RED, then this could definitely be a bug. Is there a log file where the WAN link manager failover states and operations are dumped into?

    The feature request is still valid because I cannot select which WAN I want to set as the initiator, so I cannot use a secondary line as the VPN concentrator and have the other line for HO traffic.

    Emile
