
XG as RED client: WAN link manager (active/backup)

I have a self built XG at home and I'm using a RED Tunnel to a Sophos UTM (server) at another Site. The XG is "RED legacy client".

My XG has 2 internet connections: primary is a VDSL 100 (Germany), second is backup with LTE.
I've configured the LTE connection as backup only when all active WAN interfaces fail because I have limited data transfer volume on the LTE connection.

Sadly there is a short disconnection (about 10-60 seconds) on the main line after 24 hours (enforced by the provider, called "Zwangstrennung").

Recently I've noticed that my LTE data volume was exhausted although the main line has been available all the time.

After some research I've found out that the RED connection seems to switch to the LTE line when the main line has the "Zwangstrennung" and does not switch back when it is available again.

So how can I force the RED tunnel to the main line as long as it is available?
Otherwise my data volume is exhausted after about 10-15 days and the backup line is useless for the rest of the month.



  • Try to use the Note in this KBA. https://community.sophos.com/kb/en-us/125101

    Observe the connection via tcpdump, if it takes the correct connection.

    Another Point is, did you already select the option in Gateway:

  • Try to use the Note in this KBA. https://community.sophos.com/kb/en-us/125101

    If I understand that note correctly, this is only for the RED server!? My XG is RED client, the RED server is a Sophos UTM on a small vServer with only 1 WAN interface.

    Another Point is, did you already select the option in Gateway:

    Yes, I've set that already like in your screenshot.

  • Any other ideas?

    In my understanding this should be considered a bug, as internal services should follow the WAN link manager settings as any other rules do...

    This can be a real pain if you have 2 WAN lines, one very fast and one very slow, and you cannot force the RED tunnel to only use the slow one if the fast one fails...

  • Can you dump this connection - actually going still over the backup interface, while the Primary Interface is back online?

  • Hello Scorpion,

    Unfortunately, it is not a bug (I know, I know, but bear with me!) but a design oversight in the implementation of the RED client system on the XG in regards to multi-WAN integration.

    The feature request is here: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/31790149-red-xg-to-xg-client-side-multiple-wan-link-fail-ov

    I don't like it anymore than you do and strong arguments could be made that the "serve connections back through restored gateway" not happening in regards to the RED tunnel is a bug (and I would happily argue in your corner) but the bigger picture is that the XG RED client system needs to be better aware of multi WAN configuration.

    In v18 there is a huge push for SD-WAN with SD-RED so there could/will be a large overhaul to RED and tunnel management, your prayers may be answered sooner as part of that upgrade.

    Public Beta EAP should be out in the next few months.

    Emile

  • Hi Emile,

    I am not quite sure if this feature request is still valid after v17.5 MR...2, I guess?

    We released this failback mechanism in an MR release a couple of months ago.

    So I would say this should be retested.

  • Hi Lucar,

    I've not tested this personally, but from what I understand it is more oriented toward traffic flowing through the XG, not traffic initiated from the XG?

    If it is meant to apply to traffic initiated by the XG, including RED, then this could definitely be a bug. Is there a log file where the WAN Link Manager failover states and operations are dumped into?

    The Feature request is still valid because I cannot select which WAN I want to set as the initiator so cannot use a secondary line as the VPN concentrator and have the other line as HO traffic.

    Emile

  • LuCar Toni said:

    So i would say, this should be retested. 

    And so did I.

    I started tcpdump with the filter udp and dst [public ip of my vserver UTM]. Got:

    19:25:09.124348 Port2_ppp, OUT: IP [ip of my XG's VDSL interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108
    19:25:09.284372 Port2_ppp, OUT: IP [ip of my XG's VDSL interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108

    Then I disconnected PPPoE for a few seconds and reconnected. It took about 1 minute until it was back.

    19:25:09.822955 Port2_ppp, OUT: IP [ip of my XG's VDSL interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108
    19:25:09.823038 Port2_ppp, OUT: IP [ip of my XG's VDSL interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108
    19:25:09.823130 Port2_ppp, OUT: IP [ip of my XG's VDSL interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108
    19:25:09.956930 Port2_ppp, OUT: IP [ip of my XG's VDSL interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108
    19:25:58.178652 Port4.101, OUT: IP [ip of my XG's LTE interface].3400 > [public ip of my vserver UTM].3400: UDP, length 1084
    19:25:58.458392 Port4.101, OUT: IP [ip of my XG's LTE interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108

    VDSL interface came back, but connection stays on the LTE line even after 15 minutes:

    19:40:46.121483 Port4.101, OUT: IP [ip of my XG's LTE interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108
    19:40:46.620107 Port4.101, OUT: IP [ip of my XG's LTE interface].3400 > [public ip of my vserver UTM].3400: UDP, length 108
    19:40:46.767592 Port4.101, OUT: IP [ip of my XG's LTE interface].3400 > [public ip of my vserver UTM].3400: UDP, length 876

    So: No, there is no switching back of the RED tunnel after the main interface comes up again...

    So my only option is to reboot my LTE router every time after I have a short VDSL outage!?

    edit: And sure, the Backup gateway is set to "Serve all connections through restored gateway".
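The tcpdump test above is the right way to verify failback, but reading it by eye over a long capture is error-prone. The following is an added example, not code from the original poster or from Sophos: a small parser for XG-style tcpdump summary lines (timestamp, interface, direction) that isolates the outbound RED flow (UDP/3400 to the RED server), collapses it into a per-interface timeline, and reports whether the flow moved from the primary interface to the backup and ever came back. The interface names Port2_ppp and Port4.101 are taken from the post; the IP addresses and the sample capture are constructed placeholders (RFC 5737 documentation ranges), and the DNS line is included only to show that non-RED traffic is filtered out.

```python
import re

RED_PORT = 3400  # UDP port of the RED tunnel as seen in the capture

# Constructed sample, modelled on the tcpdump lines in the post above.
# 203.0.113.10 = VDSL interface, 192.0.2.20 = LTE interface, 198.51.100.5 = RED server (all placeholders).
SAMPLE_CAPTURE = """\
19:25:09.124348 Port2_ppp, OUT: IP 203.0.113.10.3400 > 198.51.100.5.3400: UDP, length 108
19:25:09.284372 Port2_ppp, OUT: IP 203.0.113.10.3400 > 198.51.100.5.3400: UDP, length 108
19:25:10.000001 Port2_ppp, OUT: IP 203.0.113.10.51234 > 198.51.100.5.53: UDP, length 40
19:25:58.178652 Port4.101, OUT: IP 192.0.2.20.3400 > 198.51.100.5.3400: UDP, length 1084
19:25:58.458392 Port4.101, OUT: IP 192.0.2.20.3400 > 198.51.100.5.3400: UDP, length 108
VDSL interface came back, but connection stays on the LTE line even after 15 minutes:
19:40:46.121483 Port4.101, OUT: IP 192.0.2.20.3400 > 198.51.100.5.3400: UDP, length 108
"""

# One XG tcpdump summary line for a UDP/IPv4 packet: "HH:MM:SS.us IFACE, DIR: IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>[^,\s]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Parse tcpdump summary lines into dicts; lines that are not UDP/IP summaries are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        h, mi, s = p["ts"].split(":")
        p["t"] = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
        for k in ("sport", "dport", "len"):
            p[k] = int(p[k])
        packets.append(p)
    return packets


def red_flow(packets, server_ip, port=RED_PORT):
    """Keep only outbound packets of the RED tunnel towards the given RED server."""
    return [p for p in packets if p["dir"] == "OUT" and p["dst"] == server_ip and p["dport"] == port]


def interface_timeline(packets):
    """Collapse consecutive packets on the same interface into ordered segments."""
    segments = []
    for p in packets:
        if segments and segments[-1]["iface"] == p["iface"]:
            segments[-1]["last"] = p["t"]
            segments[-1]["packets"] += 1
        else:
            segments.append({"iface": p["iface"], "first": p["t"], "last": p["t"], "packets": 1})
    return segments


def failback_verdict(segments, primary, backup):
    """
    Classify the RED flow's behaviour across a failover.
    Returns (verdict, seconds_on_backup) with verdict one of
    'stayed_on_primary', 'failed_over_and_back', 'stuck_on_backup'.
    """
    ifaces = [s["iface"] for s in segments]
    if backup not in ifaces:
        return "stayed_on_primary", 0.0
    first_failover = ifaces.index(backup)
    on_backup = sum(s["last"] - s["first"] for s in segments if s["iface"] == backup)
    if primary in ifaces[first_failover + 1:]:
        return "failed_over_and_back", on_backup
    return "stuck_on_backup", on_backup


def analyse(text, server_ip, primary, backup):
    """End-to-end: capture text -> verdict for the RED flow to server_ip."""
    segments = interface_timeline(red_flow(parse_tcpdump(text), server_ip))
    return failback_verdict(segments, primary, backup)


if __name__ == "__main__":
    verdict, secs = analyse(SAMPLE_CAPTURE, "198.51.100.5", "Port2_ppp", "Port4.101")
    print(f"RED flow: {verdict}, {secs:.0f} s observed on backup")
```

On the constructed capture this reports stuck_on_backup with roughly 888 seconds spent on Port4.101, which is the situation described in the post. Note that a capture filtered to the RED flow alone cannot tell you when the primary came back up; correlate the timeline with a PPPoE reconnect time (or a second capture on the primary interface) before calling it a failback failure.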

  • Any news on this?

    Is it considered as a bug or "works as designed"?

  • Any news? Is it "by design" or is it a bug?
