SD-WAN Profile failback with VPN Does not work.

Hello Dear Partners!

I configured an SD-WAN scenario with two VPN tunnels and then created an SD-WAN Profile, as in the image below:

I did the following test: I dropped the Main Link VPN_MTZ_1 and Sophos quickly switched the route to the Backup Link VPN_MTZ_2.

But when I restored the Main link, which is certainly the link with lower latency because it is an end-to-end fiber, Sophos simply keeps all the traffic on the Backup route, does not obey the order of the tunnels, and does not perform the failback.

It simply keeps all traffic being routed through the Backup Tunnel instead of re-establishing the route through the Main tunnel, as its performance is proven to be better as shown in the image below:

Unfortunately, I see this as a serious failure of our SD-WAN; failback has to work very well.

Conclusion: for Sophos to return the traffic through the Main tunnel to the router, I have to take down the Backup VPN tunnel, which is a Manual procedure.

  • Dear Fagner,

    This is Moheed from Sophos.

    The reason you are not seeing switch-back to the primary link is that the switch-back is ONLY triggered when the latency difference is more than 10ms. Likewise, for a 'Best' profile with jitter the sensitivity margin is 5ms, and for a 'Best' profile with packet loss the sensitivity margin is zero percent.

    This is by design, and it is there to avoid unnecessary link flap in case links have varying sensitivity.

  • Perfect, Moheed! Now I understand this behavior very well. Really, this is not between the lines of the documentation, but your feedback was enlightening.

    Fagner Nascimento (Sophos Architect)

    Novatera - www.novatera.com.br
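
The switch-back margins from Moheed's reply above, modeled as an added example (not Sophos code and not posted in the thread). It assumes the rule is "leave the current link only when another live link beats it by more than the margin" and that failover takes the first live tunnel in profile order; `select_link`, `replay` and the measurement values are hypothetical and constructed.

```python
from dataclasses import dataclass

# Switch-back margins quoted in the reply above, keyed by the profile's metric.
MARGINS = {"latency_ms": 10.0, "jitter_ms": 5.0, "loss_pct": 0.0}

@dataclass
class Link:
    name: str
    up: bool
    latency_ms: float = 0.0
    jitter_ms: float = 0.0
    loss_pct: float = 0.0

def select_link(links, current, metric="latency_ms"):
    """Pick the link to route on; `links` is in profile (priority) order."""
    live = [l for l in links if l.up]
    if not live:
        return None
    by_name = {l.name: l for l in live}
    if current not in by_name:
        # Failover (assumed): current link is down, take the first live link.
        return live[0].name
    cur_value = getattr(by_name[current], metric)
    # Switch only to a link that beats the current one by MORE than the margin.
    better = [l for l in live if cur_value - getattr(l, metric) > MARGINS[metric]]
    if not better:
        return current
    return min(better, key=lambda l: getattr(l, metric)).name

def replay(samples, start, metric="latency_ms"):
    """Feed successive measurement rounds through select_link."""
    current, path = start, []
    for links in samples:
        current = select_link(links, current, metric)
        path.append(current)
    return path

# Constructed measurements (not taken from the thread's screenshots).
SAMPLES = [
    [Link("VPN_MTZ_1", False), Link("VPN_MTZ_2", True, latency_ms=18)],
    [Link("VPN_MTZ_1", True, latency_ms=12), Link("VPN_MTZ_2", True, latency_ms=18)],
    [Link("VPN_MTZ_1", True, latency_ms=5), Link("VPN_MTZ_2", True, latency_ms=18)],
]

if __name__ == "__main__":
    print(replay(SAMPLES, "VPN_MTZ_1"))
```

In the second round the restored primary is only 6 ms better, which is inside the 10ms margin, so traffic stays on the backup tunnel; that is the behavior the original post observed.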
