Backup WAN still being used after Primary WAN is already UP

    I have FTTH as my primary internet connection and 4G/LTE as backup. The 4G/LTE is metered so it is imperative that nothing goes through it while the primary is up.

    However, this is what is happening:

    1. Primary is UP - All traffic goes through the primary ISP. No traffic going through backup - OK
    2. Primary goes DOWN - All traffic stops for a few seconds but then resumes, going through the backup - OK
    3. Primary goes UP - All new traffic sessions get routed through the primary BUT previous (still open) sessions continue to go through the backup - Not quite OK

    I don't know how long before the sessions time out, but even several minutes after the primary went back online, some of the traffic is still being routed through the backup.

    I have set up WAN Balancer 100% / 0% for Primary and Backup, respectively. I've also configured WAN Failover as well as the Test methods for both WANs and they are working. The test Pings do consume a little bit of data but they are virtually negligible.

    Untangle 16.5.2

    Is this a bug or did I miss something?

    Last edited by oj88; 12-30-2022, 06:13 AM.

  • #2
    Originally posted by oj88:
      All new traffic sessions get routed through the primary BUT previous (still open) sessions continue to go through the backup - Not quite OK
    This is expected, unfortunately.

    WAN Balancer weighting is only evaluated on new sessions, so if you were streaming something or running a large file download on the secondary WAN, that session stays where it is. WAN Balancer can't 'transfer' the session over to the preferred/primary WAN; it completes on the WAN it started on.


    Originally posted by oj88:
      …even several minutes after the primary went back online, some of the traffic is still being routed through the backup.

    It's also worth noting that NG Firewall uses 'sticky' sessions, where sessions that successfully connected on a particular WAN tend to 'prefer' that WAN for a short time. For example, if you'd been web browsing on the secondary WAN, even new browser sessions might 'stick' to the secondary WAN for a little while after the primary reconnects. I know jcoffin or sky-knight understand sticky sessions better than I do and they might be able to give you a little more insight into that facet.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?
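    The two mechanisms described in this reply, a routing decision taken once per session and a short per-client "sticky" preference, are easy to misread as a bug, so here is a small model of them. This is an added example written for this thread, not Untangle/NG Firewall code; the class and field names (MultiWan, Session, sticky_seconds, idle_timeout), the 'fiber'/'lte' link names and all timing constants are assumptions made for illustration. It replays steps 1-3 of the original post and also flags the condition the poster cares about: sessions still riding the backup while the primary is up.

    ```python
    """Toy model of multi-WAN session pinning and 'sticky' sessions.
    Added example for this thread, not Untangle/NG Firewall code; all names
    and timing constants are assumptions chosen for illustration."""
    from dataclasses import dataclass


    @dataclass
    class Session:
        client: str
        dst: str
        wan: str          # WAN the session started on; never changes (pinned)
        started: float
        last_seen: float


    class MultiWan:
        def __init__(self, weights, sticky_seconds=60.0, idle_timeout=300.0):
            self.weights = dict(weights)          # e.g. {"fiber": 100, "lte": 0}
            self.up = {w: True for w in self.weights}
            self.sticky_seconds = sticky_seconds  # how long a client prefers its last WAN
            self.idle_timeout = idle_timeout      # idle seconds before a session is forgotten
            self.sessions = {}                    # (client, dst) -> Session
            self.last_policy_wan = {}             # client -> (wan, time of last policy pick)

        def set_link(self, wan, is_up):
            self.up[wan] = is_up

        def _choose_wan(self, client, now):
            """Pick a WAN for a NEW session: sticky preference first, then weights."""
            sticky = self.last_policy_wan.get(client)
            if sticky and self.up[sticky[0]] and now - sticky[1] < self.sticky_seconds:
                return sticky[0]
            live = [w for w in self.weights if self.up[w]]
            if not live:
                return None
            # Simplification: highest-weighted live WAN instead of a weighted random
            # draw. With 100/0 weights the result is the same, and a 0-weight WAN is
            # still used when it is the only live one (failover).
            wan = max(live, key=lambda w: self.weights[w])
            self.last_policy_wan[client] = (wan, now)
            return wan

        def packet(self, client, dst, now):
            """Route one packet of a flow; returns the WAN used, or None if all are down."""
            self.expire(now)
            key = (client, dst)
            s = self.sessions.get(key)
            if s is not None:
                if self.up[s.wan]:
                    # Existing session stays on the WAN it started on, even when that
                    # WAN is no longer the preferred one (step 3 in the original post).
                    s.last_seen = now
                    return s.wan
                del self.sessions[key]  # its WAN is down: the flow starts over below
            wan = self._choose_wan(client, now)
            if wan is None:
                return None
            self.sessions[key] = Session(client, dst, wan, now, now)
            return wan

        def expire(self, now):
            """Drop sessions idle longer than idle_timeout (the 'times out' in the post)."""
            for key, s in list(self.sessions.items()):
                if now - s.last_seen > self.idle_timeout:
                    del self.sessions[key]

        def stray_sessions(self, preferred):
            """Sessions on a non-preferred WAN while the preferred one is up: the
            metered-link condition the original poster wants to catch."""
            if not self.up[preferred]:
                return []
            return sorted(k for k, s in self.sessions.items() if s.wan != preferred)


    def thread_scenario():
        """Replay steps 1-3 of the original post on a constructed timeline (seconds)."""
        r = MultiWan({"fiber": 100, "lte": 0}, sticky_seconds=60, idle_timeout=300)
        trace = []
        # 1. Primary up: a long download starts on fiber.
        trace.append(("t=0 download", r.packet("pc", "cdn", 0)))
        # 2. Fiber down at t=10: the download breaks and resumes on lte; browsing follows.
        r.set_link("fiber", False)
        trace.append(("t=10 download", r.packet("pc", "cdn", 10)))
        trace.append(("t=20 web", r.packet("pc", "web", 20)))
        # 3. Fiber back at t=30. The open download is pinned to lte, a new session
        #    inside the sticky window also lands on lte, a later one goes to fiber.
        r.set_link("fiber", True)
        trace.append(("t=31 download", r.packet("pc", "cdn", 31)))
        trace.append(("t=40 newsite", r.packet("pc", "new", 40)))
        trace.append(("t=100 another", r.packet("pc", "other", 100)))
        stray_before = r.stray_sessions("fiber")
        # Much later the idle lte sessions have timed out and nothing strays any more.
        trace.append(("t=350 another", r.packet("pc", "other", 350)))
        stray_after = r.stray_sessions("fiber")
        return trace, stray_before, stray_after
    ```

    Running thread_scenario() shows the download pinned to lte after fiber returns, a new session at t=40 still landing on lte because of stickiness, and the t=100 session going to fiber; stray_sessions() is the kind of check one would run (against a real session table) to see how much is still leaving over the metered link, rather than killing sessions blindly.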

    • #3
      Thank you. That actually makes sense.

      I might have to change my approach then.... Is there an SSH command I can use to terminate all sessions on the interface the backup WAN is on? I checked but apparently, tcpkill isn't implemented in UT. If there's such a single-line command, I can "Plink" it using a batch file remotely. Beats having to disable/enable the backup WAN interface or power cycle the 4G/LTE CPE.... all to clear the sessions.
      Last edited by oj88; 12-30-2022, 08:26 AM.

      • #4
        You don't want to do that. The behavior of keeping a session to a specific interface was chosen for a reason. Things like games or streams don't respond well to suddenly changing interfaces; it's part of how a server knows who you are, to keep data going consistently.
        Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

        • #5
          You might look at openwrt or micro edge.

          • #6
            Originally posted by jcoehoorn:
              You don't want to do that. The behavior of keeping a session to a specific interface was chosen for a reason. Things like games or streams don't respond well to suddenly changing interfaces; it's part of how a server knows who you are, to keep data going consistently.
            They wouldn't care. I'd really rather they re-login than using up more bandwidth than necessary on a metered connection. It doesn't happen often enough to be a nuisance.

            Originally posted by donhwyo:
              You might look at openwrt or micro edge.
            Apologies but I genuinely don't know how that would help.

            • #7
              Originally posted by oj88:
                Apologies but I genuinely don't know how that would help.
              I am not sure either because I don't use it but they do have a multi wan feature. They also have very many developers open to new ideas.

              Good luck
