Multi-connection, multi-path routing
We currently utilize 2 ISP connections to connect to 4 cloud VPN gateways (2 gateways per ISP). I have the VPN tunnel configured as route instead of policy using a 4 gateway multi-path route.
ISP1 <-> CG1
ISP1 <-> CG2
ISP2 <-> CG3
ISP2 <-> CG4
The problem with this is if one of my ISPs goes down, then the route cannot see those connections as offline, which causes connection failures across the VPN. Since there is only 1 probe option per route, probing is not an option.
If I split the routes out into 4 separate routes, then all traffic goes across the first route in the list instead of load balancing, but I can probe each route and have that route disabled when the connection is down.
Is there a way to multi-path and have a path taken out of service when that connection is down? Or is there a way to load-balance 4 individual routes?
Comments
Hi @BSmithMMO, please can you be a bit more specific: what networks are you routing? Are the cloud VPNs on the same platform? Have you enabled Asynchronous routing support on the WAN Interfaces? What are you trying to achieve, fail-over or load-balancing?
Multipath routing should go down through the list of interfaces in the route and use the top one which is available. Are you saying that even though the VPN is down, it is not bringing the tunnel down?
Even though you could technically use the same metric to load balance, it would likely send the same data down both connections, which would create more overhead. If you want to load balance, why don't you use ranges instead of the full subnet (if the non-SonicWall side supports this)? This way you can route half the subnet down one ISP VPN and the other half down the other ISP VPN, using the same metric on both routes.
Personally, I would put the same outgoing interface in the same multipath routes and, in your scenario, use 2 interfaces rather than 4. This way you can use an explicit probe for each multipath route.
You may also want to look into using overlapping policies for redundancy (if the third-party cloud VPN supports this) and also incorporating the SD-WAN features. SonicWall does have guides for this; it is the Route based VPN - Unnumbered method. You would need to see this other thread:
https://community.sonicwall.com/technology-and-support/discussion/5335/tunnel-interface-with-2-wan-connections-each-side-4-tunnels#latest
There is also a guide for SD-WAN on route-based VPN using Numbered Interfaces; you can use this guide and ignore the Numbered Interface bit (adding a VPN interface in Network/Interfaces):
https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-sd-wan-using-vpn-numbered-tunnel-interfaces/190214085748593/
Thanks Preston.
Please can you be a bit more specific, what networks are you routing? The cloud service hosts our Oracle servers in OCI. I am routing my internal networks to the OCI networks.
Are the cloud VPNs on the same platform? Yes, they are on the OCI platform.
Have you enabled Asynchronous routing support on the WAN Interfaces? No, it's currently disabled.
What are you trying to achieve, fail-over or load-balancing? Seamless redundancy and high availability in the event one of our ISP connections were to go offline.
Multipath routing should go down through the list of interfaces in the route and use the top one which is available. Are you saying that even though the VPN is down, it is not bringing the tunnel down? In my experience with a multi-path route the way I have it configured now, if one of the ISP connections goes offline, then the SonicWall still attempts to send traffic across the paths that are down in the route. The entire route is not down since 2 of the 4 paths are still active. According to SonicWall's documentation, multi-path routes split the traffic evenly across all routes, so if 1 of my ISP connections is down, that would mean 50% of my traffic gets dropped since the route is still up even though 2 paths are down. It seems the multi-path route isn't aware that the 2 paths are down and will continue to send traffic across the paths unless the VPN connection is administratively disabled. Then the paths associated with that VPN connection will be disabled in the route.
What I have noticed in my testing is that if I create 2 2-path routes with metrics of 1, the 2nd route doesn't get used unless the first route is down, because it's a lower order.
What I am trying to achieve is a redundant, load-balanced (across both ISPs) route that is "aware" enough to disable the paths in a route when the underlying connection is down.
Hi @BSmithMMO, it all depends then on the OCI platform and what they support. SonicWall to SonicWall you can use the overlapping tunnel policies for full redundancy (with probes on separate routes). Does the OCI platform allow overlapping policies?
We've decided to replace the firewall during our upcoming hardware refresh so I'll revisit this at another time.
Thank you for your input.