Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 26 subscribers
  • Views 1397 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote monitoring of MPLS fails in both directions

Marshall Ringler1

I used the instructions here (https://community.sophos.com/kb/en-us/123323) to set up an MPLS failover to a VPN between two XGs. The MPLS connection has been working just fine for months, but it had been configured as a LAN connection. I reconfigured it on both ends to be in the WAN zone as the instructions require, and set the IPsec failover command in the console. The result is failed MPLS monitoring, and the connection has "successfully" failed-over to the VPN. I can't seem to figure out how to get the MPLS to connect though.

One difference in my setup compared to the instructions is that I don't have router IPs on each end of the MPLS. We are simply given a straight, end-to-end private connection, and the IP address is determined by the XG on each end. So, I have 10.0.0.1 as the address on the HO, and 10.0.0.2 on the BO. I told the monitor on each XG to PING the corresponding IP address on the other end. I am unable to PING that address from a PC on the LAN as well, so I figure it may be a routing or firewall rule issue. However, when I PING from a PC on the HO end, the FW logs show the ICMP traffic as allowed, with the correct FW ports, but it never shows in the logs on the BO end. I need some guidance to figure out where I went wrong. It seems like it should be pretty simple, but I can't seem to figure I out.



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    The provided setup information should work if it is configured as per the KB article.

    Please let us know which communication mode you want to set up as the primary method to communicate, IPsec or MPLS.

    It would be great if you could share the network diagram as well.


  • 0 in reply to Keyur

    My apologies. I am trying to use MPLS as the primary, with a failover to the VPN. We have better bandwidth over the MPLS, so that is our primary. 

    I used the following commands on the console (all seemed successful) to tell each XG to fail-over to the VPN, and to set the Static route as primary:

    On the HO XG:
    system link_failover add primarylink Port5 backuplink vpn tunnel BO_VPN monitor PING host 10.0.0.2
    system route_precedence set static
     
    On the BO XG:
    system link_failover add primarylink Port3 backuplink vpn tunnel HO_VPN monitor PING host 10.0.0.1
    system route_precedence set static
     
    I hope this diagram makes sense...
     
  • +1 in reply to Marshall Ringler1

    I just figured it out...

    It turns out, there is something else required that the instructions do not mention!

    To allow for the PING health check on the MPLS connection, you must allow for PING over the WAN in Administration - Device Access. Once I checked that box on both ends, the connection came up!

    Thanks for letting me work through this here.

  • 0 in reply to Marshall Ringler1

    Hi  

    Yes, ping should be allowed to satisfy the condition. I am glad that the issue got resolved, please contact us if you require any further assistance. Thank you for your patience 

Reply Children
No Data