Backup WAN still being used after Primary WAN is already UP


    I have FTTH as my primary internet connection and 4G/LTE as backup. The 4G/LTE is metered so it is imperative that nothing goes through it while the primary is up.

    However, this is what is happening:

    1. Primary is UP - All traffic goes through the primary ISP. No traffic going through backup - OK
    2. Primary goes DOWN - All traffic stops for a few seconds but then resumes, going through the backup - OK
    3. Primary goes UP - All new traffic sessions get routed through the primary BUT previous (still open) sessions continue to go through the backup - Not quite OK

    I don't know how long it takes before the sessions time out, but even several minutes after the primary went back online, some of the traffic is still being routed through the backup.

    I have set up WAN Balancer 100% / 0% for Primary and Backup, respectively. I've also configured WAN Failover as well as the Test methods for both WANs, and they are working. The test pings do consume a little bit of data, but they are virtually negligible.

    Untangle 16.5.2

    Is this a bug or did I miss something?

    Last edited by oj88; 12-30-2022, 05:13 AM.

  • #2
    Originally posted by oj88 View Post
    All new traffic sessions get routed through the primary BUT previous (still open) sessions continue to go through the backup - Not quite OK
    This is expected, unfortunately.

    WAN Balancer weighting is only evaluated on new sessions, so if you were streaming something or running a large file download on the secondary WAN, that session stays where it is. WAN Balancer can't 'transfer' the session over to the preferred/primary WAN; it completes on the WAN it started on.


    Originally posted by oj88 View Post
    …even several minutes after the primary went back online, some of the traffic is still being routed through the backup.

    It's also worth noting that NG Firewall uses 'sticky' sessions, where sessions that successfully connected on a particular WAN tend to 'prefer' that WAN for a short time. For example, if you'd been web browsing on the secondary WAN, even new browser sessions might 'stick' to the secondary WAN for a little while after the primary reconnects. I know jcoffin or sky-knight understand sticky sessions better than I do and they might be able to give you a little more insight into that facet.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him

    • #3
      Thank you. That actually makes sense.

      I might have to change my approach then.... Is there an SSH command I can use to terminate all sessions on the interface the backup WAN is on? I checked, but apparently tcpkill isn't implemented in UT. If there's such a single-line command, I can "Plink" it using a batch file remotely. Beats having to disable/enable the backup WAN interface or power cycle the 4G/LTE CPE.... all to clear the sessions.
      Last edited by oj88; 12-30-2022, 07:26 AM.

      • #4
        You don't want to do that. The behavior of keeping a session to a specific interface was chosen for a reason. Things like games or streams don't respond well to suddenly changing interfaces; it's part of how a server knows who you are, to keep data going consistently.
        Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

        • #5
          You might look at openwrt or micro edge.

          • #6
            Originally posted by jcoehoorn View Post
            You don't want to do that. The behavior of keeping a session to a specific interface was chosen for a reason. Things like games or streams don't respond well to suddenly changing interfaces; it's part of how a server knows who you are, to keep data going consistently.
            They wouldn't care. I'd really rather they re-login than using up more bandwidth than necessary on a metered connection. It doesn't happen often enough to be a nuisance.

            Originally posted by donhwyo View Post
            You might look at openwrt or micro edge.
            Apologies but I genuinely don't know how that would help.

            • #7
              Originally posted by oj88 View Post
              Apologies but I genuinely don't know how that would help.
              I am not sure either, because I don't use it, but they do have a multi-WAN feature. They also have very many developers open to new ideas.

              Good luck

              • #8
                Following this topic. While I've found the WAN failover to 4G LTE works well, in a home environment where multiple users are streaming content before the fiber failover, it immediately fails over to the cellular backup (as designed), but quickly consumes excessive cellular data.

                Would it be possible to add an option that forces WAN Failover to disconnect all current connections to the backup WAN and re-establish them on the primary WAN once service is restored? However inconvenient that may seem, it could be effective in many cases and gives the admin the flexibility. Otherwise, is there perhaps a way to restrict the type of data or sessions that fail over to the more important functions until the primary WAN connection is re-established?
                Last edited by miles267; 04-30-2023, 06:06 AM.

                • #9
                  Originally posted by miles267 View Post
                  Following this topic. While I've found the WAN failover to 4G LTE works well, in a home environment where multiple users are streaming content before the fiber failover, it immediately fails over to the cellular backup (as designed), but quickly consumes excessive cellular data.

                  Would it be possible to add an option that forces WAN Failover to disconnect all current connections to the backup WAN and re-establish them on the primary WAN once service is restored? However inconvenient that may seem, it could be effective in many cases and gives the admin the flexibility. Otherwise, is there perhaps a way to restrict the type of data or sessions that fail over to the more important functions until the primary WAN connection is re-established?
                  Sadly, nothing can be done on UT that can influence the sessions on the backup WAN to fail back to the primary. How I solved this is by putting the 4G/LTE CPE on a smartplug. When the primary comes back up, I run an Alexa Routine to shut down the 4G/LTE CPE for about 60 seconds to force all sessions back through the primary.

                  It is still manual, but I might devise a more automated way to do this without human intervention, maybe.

                  As for traffic selection for the backup WAN, I only allowed a VLAN or two to use the backup WAN (Firewall rules). This cuts off all non-essential VLANs from accessing the internet. In a similar fashion, you can create custom Firewall rules to only allow a subset of devices access to the backup WAN. For instance, you can block smart TVs or STBs from accessing the backup WAN, as a quick and dirty approach.

                  To the Arista folks, is there an SSH command that lets me terminate all sessions going through the appliance?
                  Last edited by oj88; 05-01-2023, 06:23 PM.
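The mechanism described in #2 (a session stays pinned to the WAN it started on, and only new sessions follow the balancer weights) and the manual workaround in #9 (power-cycling the LTE CPE so every backup-WAN session is torn down) can be automated on a generic Linux multi-WAN router with connection tracking. The script below is an added example written for this thread; it is not NG Firewall code, nothing in the thread confirms that the appliance ships conntrack-tools, and NG Firewall keeps its own session table in the UVM, so flushing kernel conntrack alone may not be enough there. The interface name, probe address and backup WAN address are assumptions. It polls the primary, waits for a few consecutive good probes so a flapping link does not trigger repeated flushes, and on the down-to-up transition deletes every conntrack entry whose source was NATed to the backup WAN address. Those flows break and the clients reconnect over the primary, which is exactly the forced re-login that #4 warns about and #6 accepts.

```shell
#!/bin/sh
# wan-failback-flush.sh: added example for a generic Linux multi-WAN router.
# NOT NG Firewall code. Assumes conntrack-tools is installed and that the
# backup WAN SNATs to a single known address. All names below are assumptions.

PRIMARY_IF="${PRIMARY_IF:-eth0}"             # assumed fibre (primary WAN) interface
PRIMARY_PROBE="${PRIMARY_PROBE:-9.9.9.9}"     # assumed probe target reached via that interface
BACKUP_WAN_IP="${BACKUP_WAN_IP:-100.64.0.2}"  # assumed address the LTE CPE hands the router
UP_THRESHOLD="${UP_THRESHOLD:-3}"             # consecutive good probes before "up"
INTERVAL="${INTERVAL:-10}"                    # seconds between probes
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print the flush command instead of running it

# One probe out of the primary interface; exit 0 = reachable. -I pins the
# probe to that interface so it cannot be answered over the backup WAN.
probe_primary() {
    ping -I "$PRIMARY_IF" -c 1 -W 2 "$PRIMARY_PROBE" >/dev/null 2>&1
}

# New link state from the previous state and the count of consecutive good
# probes. Down is declared on the first failed probe (fast failover); up needs
# UP_THRESHOLD good probes in a row (hysteresis against flapping).
next_state() { # $1 = previous state (up|down), $2 = consecutive good probes
    if [ "$2" -ge "$UP_THRESHOLD" ]; then
        echo up
    elif [ "$2" -eq 0 ]; then
        echo down
    else
        echo "$1"
    fi
}

# Name the transition between two states.
transition() { # $1 = previous state, $2 = new state
    case "$1/$2" in
        down/up) echo failback ;;
        up/down) echo failover ;;
        *)       echo steady ;;
    esac
}

# The conntrack-tools invocation that deletes every entry whose original source
# was translated to the given address, i.e. every flow that left via the backup
# WAN. Check the filter first with: conntrack -L --src-nat "$BACKUP_WAN_IP"
flush_cmd() { # $1 = backup WAN address
    printf 'conntrack -D --src-nat %s' "$1"
}

flush_backup_sessions() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $(flush_cmd "$BACKUP_WAN_IP")"
    else
        conntrack -D --src-nat "$BACKUP_WAN_IP"
    fi
}

watch_loop() {
    state=down
    good=0
    while :; do
        if probe_primary; then good=$((good + 1)); else good=0; fi
        new=$(next_state "$state" "$good")
        case "$(transition "$state" "$new")" in
            failback)
                logger -t wan-failback "primary back for $good probes; flushing backup WAN sessions"
                flush_backup_sessions ;;
            failover)
                logger -t wan-failback "primary down; traffic will fail over to the backup WAN" ;;
        esac
        state=$new
        sleep "$INTERVAL"
    done
}

# Usage: DRY_RUN=1 ./wan-failback-flush.sh run   (prints the flush instead of running it)
case "${1:-}" in
    run) watch_loop ;;
esac
```

The flush is deliberately blunt: it also drops long-lived flows you might want to keep on the backup (a VPN tunnel, an SSH session), so on a real box narrow the filter, for example by adding `-p tcp` or a `-s` subnet, before removing the DRY_RUN guard. The probe duplicates what the appliance's own WAN Failover test already does; it is there only so the script stands alone.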
