Multiple Internet Links - Failover [message #120064]
Tue, 17 March 2015 04:03
menace
Messages: 4 Registered: March 2015
Kerio Control Software Appliance.
Two Internet links in Native mode. Failover enabled, one Primary link and other Secondary link.
Problem: both Internet interfaces are listening for incoming connections from outside (the Internet) at the same time. Why is the backup interface active while the primary link is working fine?
Re: Multiple Internet Links - Failover [message #120065 is a reply to message #120064]
Tue, 17 March 2015 05:15
mlee (Kerio)
Messages: 211 Registered: October 2012 Location: Sydney
That is the reason for having failover links: the moment the primary link is down, the backup will kick in to minimise downtime.
If you prefer, you can always use load balancing mode so both links are being utilised.
M.
PTSD. BP. OCD. ASPD. BPD. Certified.
Re: Multiple Internet Links - Failover [message #120066 is a reply to message #120065]
Tue, 17 March 2015 05:29
menace
Messages: 4 Registered: March 2015
mlee (Kerio) wrote on Mon, 16 March 2015 22:15:
    That is the reason for having failover links: the moment the primary link is down, the backup will kick in to minimise downtime.
So there is no way to keep the Backup Link completely inactive when the Primary Link is working?
Re: Multiple Internet Links - Failover [message #120069 is a reply to message #120068]
Tue, 17 March 2015 08:07
menace
Messages: 4 Registered: March 2015
ksnyder (KERIO) wrote on Mon, 16 March 2015 23:56:
    Use a traffic rule to force traffic on the primary link. Below that rule, add an identical rule to force traffic through the backup link.
For example, rules for VPN clients connecting to the Kerio Control, as you said: one for the primary link and one for the backup link.
While the primary link works, users can easily connect to the server via the backup link's IP according to the second rule.
Re: Multiple Internet Links - Failover [message #120085 is a reply to message #120084]
Tue, 17 March 2015 15:44
menace
Messages: 4 Registered: March 2015
Brian Carmichael (Kerio) wrote on Tue, 17 March 2015 08:40:
    @menace, I agree that in failover mode the firewall should not allow incoming connections to the backup interface. I have filed a bug for this behavior.
Thanks, waiting for the fix.
Re: Multiple Internet Links - Failover [message #120630 is a reply to message #120084]
Sun, 12 April 2015 14:47
UnifiedTechs-Brian
Messages: 159 Registered: March 2011 Location: Vero Beach, FL
Brian Carmichael (Kerio) wrote on Tue, 17 March 2015 10:40:
    @menace, I agree that in failover mode the firewall should not allow incoming connections to the backup interface. I have filed a bug for this behavior.
I disagree 100%. If incoming traffic is coming in on the backup link's IP, Kerio Connect should not refuse it simply because the primary link appears active. You need to figure out why traffic is coming to that link, because something is wrong. Take this example.
User runs a mail server:
MX1 is set as primary link.
MX2 is set as backup link.
Due to a net-split or routing error between ISPs, MX1 is not reachable for some senders, so per SMTP standards the sending mail server uses MX2. You're saying Control should refuse this traffic? Or what if the primary link is overloaded or slow? The above situation is exactly how the SMTP system is designed, and any firewall I have ever worked with will accept this traffic, as it should.
If steady traffic is incoming for no reason, then there is some problem that is pointing normal traffic to the wrong interface. This could be an inability for some traffic to reach that port, or some DNS issue such as reversed MX records. The firewall cannot possibly know the status of the entire Internet and should not be making these decisions based solely on whether a link appears up because it can ping its gateway.
If this is a needed feature it needs to be built in as a special behavior that is turned off by default. I can see some situations where this behavior could be beneficial involving tolled connections (Cellular Modems maybe), but it should not be the default behavior.
- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
[Updated on: Sun, 12 April 2015 14:54]
Re: Multiple Internet Links - Failover [message #120631 is a reply to message #120069]
Sun, 12 April 2015 15:08
UnifiedTechs-Brian
Messages: 159 Registered: March 2011 Location: Vero Beach, FL
menace wrote on Tue, 17 March 2015 03:07:
    ksnyder (KERIO) wrote on Mon, 16 March 2015 23:56:
        Use a traffic rule to force traffic on the primary link. Below that rule, add an identical rule to force traffic through the backup link.
    For example, rules for VPN clients connecting to the Kerio Control, as you said: one for the primary link and one for the backup link.
    While the primary link works, users can easily connect to the server via the backup link's IP according to the second rule.
The problem is that you should not be connecting the client to the VPN directly with IP addresses. This whole situation can be fixed by using DNS and the tools already built into Control:
Use the failover already built into the Control VPN client. "Multiple endpoints can be defined to configure VPN failover in case the Kerio Control VPN server is load balancing with multiple Internet links. To separate entries, use a semicolon (for example, primary.example.com;secondary.example.com)". http://kb.kerio.com/product/kerio-control/vpn/configuring-kerio-control-vpn-client-1303.html
To force users to go back to your primary link when it returns, you need to hit the Advanced button under "Internet Connectivity" and make sure the box "Force reconnect of all VPN tunnels when the primary line is used again" is checked. This will cause the VPN tunnels to drop, and when they reconnect they will go back to the primary link, barring any other issues.
(Alternate method with a 3rd-party service: use a DNS service with failover such as EasyDNS. Users always connect to VPN.domain.com. The DNS host monitors whether the address is up; if it goes down, it fails the record over to the second IP, and when the first IP returns the DNS record goes back to normal.)
- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
[Updated on: Sun, 12 April 2015 15:17]
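Both of Brian's posts rest on the same mechanism: the client holds an ordered list of endpoints (MX hosts by preference value, or the semicolon-separated VPN endpoint list quoted from the KB article) and moves to the next entry when a connection attempt fails. The Python below is an added example, not part of this thread and not Kerio's software. It models that ordered fallback, parses the VPN endpoint field, and shows what happens to SMTP delivery if a firewall refuses connections arriving on the backup link while the primary link is up. The MX records, the host names under the reserved .invalid domain, and the simulated routing partition are constructed for the demonstration; tcp_probe is the real-network variant and is not exercised offline.

```python
"""Ordered-endpoint failover, as relied on by SMTP MX delivery and by the
Kerio Control VPN client's endpoint list.  Added illustration, not Kerio code."""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed MX records for a fictitious domain: (preference, host).
# RFC 5321 has a sender try the lowest preference value first and fall
# through to the next host when the connection attempt fails.
SAMPLE_MX: List[Tuple[int, str]] = [
    (20, "mx2.example.invalid"),   # published on the backup link's address
    (10, "mx1.example.invalid"),   # published on the primary link's address
]

# The endpoint field format quoted from the Kerio KB article.
SAMPLE_VPN_ENDPOINTS = "primary.example.com;secondary.example.com"


def order_mx(records: Iterable[Tuple[int, str]]) -> List[str]:
    """Return MX hosts in the order a conforming sender tries them."""
    return [host for _, host in sorted(records)]


def parse_vpn_endpoints(value: str) -> List[str]:
    """Split the VPN client's endpoint field into an ordered host list,
    tolerating stray whitespace and empty entries."""
    return [e.strip() for e in value.split(";") if e.strip()]


def first_reachable(
    hosts: Iterable[str], probe: Callable[[str], bool]
) -> Tuple[Optional[str], List[Tuple[str, bool]]]:
    """Try hosts in order; return the first that answers plus the attempt log.

    A None first element means every host failed.  For SMTP that is a
    deferral (the message sits in the sender's queue), not a delivery.
    """
    attempts: List[Tuple[str, bool]] = []
    for host in hosts:
        ok = probe(host)
        attempts.append((host, ok))
        if ok:
            return host, attempts
    return None, attempts


def tcp_probe(port: int, timeout: float = 3.0) -> Callable[[str], bool]:
    """Real probe: succeed if a TCP handshake to host:port completes."""
    def probe(host: str) -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False
    return probe


def partition_probe(unreachable: Iterable[str]) -> Callable[[str], bool]:
    """Offline stand-in for tcp_probe modelling a routing problem (constructed):
    every host in `unreachable` fails, everything else answers."""
    blocked = set(unreachable)
    return lambda host: host not in blocked


def drop_on_backup(
    probe: Callable[[str], bool], backup_hosts: Iterable[str]
) -> Callable[[str], bool]:
    """Model the firewall behaviour debated in the thread: connections arriving
    on the backup link are refused while the primary link is considered up."""
    blocked = set(backup_hosts)
    return lambda host: host not in blocked and probe(host)


if __name__ == "__main__":
    hosts = order_mx(SAMPLE_MX)
    print("MX try order:", hosts)
    print("VPN endpoints:", parse_vpn_endpoints(SAMPLE_VPN_ENDPOINTS))

    # Sender cannot reach mx1 (net-split), firewall accepts on both links.
    partial = partition_probe(["mx1.example.invalid"])
    print("partition, both links accept:", first_reachable(hosts, partial))

    # Same partition, but the firewall refuses the backup link: deferral.
    strict = drop_on_backup(partial, ["mx2.example.invalid"])
    print("partition, backup refused:   ", first_reachable(hosts, strict))
```

The last two runs are the crux of the disagreement: with the partition alone the sender lands on mx2 and the mail is delivered; with the backup link refusing connections as well, every attempt fails and the message is deferred even though the site's primary link is, from the firewall's point of view, healthy.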
Re: Multiple Internet Links - Failover [message #129441 is a reply to message #120064]
Sat, 07 May 2016 00:13
Kerio Blue
Messages: 62 Registered: April 2013
It seems as if I am trying to achieve something similar.
I would like to use failover but also host a service behind the firewall. If both internet interfaces are up the server cannot be reached from the internet. If I take the backup link down the server becomes available again.
Is there a way to force all traffic coming from the internet to the primary link?
Re: Multiple Internet Links - Failover [message #129481 is a reply to message #129441]
Mon, 09 May 2016 18:03
Kerio Blue
Messages: 62 Registered: April 2013
The way I see it, WAN link failover and hosting services could only be achieved together by implementing a load balancer. However, my guess is that small businesses especially would be glad to be able to host services without additional complexity and financial expense.
I added a feature request for this.
When using Multiple internet links it would be great to set options for the backup link.
1. Currently the primary as well as the backup link are listening for incoming (i.e. internet) traffic. This poses problems when hosting services behind the Kerio Control firewall.
2. It would be tremendously helpful if an option could be added that would turn off the listening mode for the backup link until the failover sets in. It might also help some people to have an option that would allow the backup link to only listen for its own IP address when in backup mode.