Failover, link monitor, and SD-WAN
This is my first time working with multiple ISPs on a Firebox. I have a client with Spectrum Cable as their primary ISP, AT&T Fiber for secondary, and AT&T LTE wireless backup for tertiary connection. I have their T35 running 12.5.7 U3 doing Multi-WAN failover in the order above, along with Link Monitor and SD-WAN.
Link Monitor is monitoring all the connections just so I can see how loss, latency, and jitter compare (so far, it's AT&T Fiber, AT&T LTE, then Spectrum for quality). I just asked my AT&T provider if it is OK to keep monitoring the LTE or if that will somehow incur extra charges for uptime or data usage. That made me wonder if I am doing this correctly.
Assuming that monitoring the LTE would incur extra charges, I can turn off Link Monitor on the LTE and still have it as an SD-WAN action, BUT I don't know what the outcome of that would be or if it is needed.
For failover to happen, do I need either Link Monitor or SD-WAN active? Without LM or SD-WAN on the LTE connection, if Spectrum and AT&T Fiber go down, I just want it to fail over to the LTE, then fail back to Spectrum and AT&T when they come up again.
Thank you for your help!
Gregg Hill
Comments
We can still fail over, but if we're not pinging that connection we can't guarnatee it's up. I'm not sure what data rates are for your service, but it's unlikely that pings are going to eat up anything substantial over a month.
If you utilize the firebox's built in USB 3G/4G modem support, the firewall can be set up to only bring the 3G/4G modem up when it's needed for failover (to help decrease any costs involved.)
-James Carson
WatchGuard Customer Support
"if we're not pinging that connection we can't guarantee it's up." I think that at the point of it needing to switch with two dead ISP connections already, if it's also down, it might be a moot point. But, yes, it would be nice to monitor it.
I have read quite a bit about the built in USB 3G/4G modem support and most of what I read says it's not very reliable.
Gregg Hill
Hi @Greggmh123
Reliability depends on the USB modem in use. If it's on the supported device list and matches the hardware ID, it'll work.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/modem_interfaces_about.html
We leave the flexibility for you to choose if we check the connection (via ping or TCP connect.) If you don't enable either due to data charges, the firewall will do it's best not knowing the status. It's a trade off.
-James Carson
WatchGuard Customer Support
My main concern is that without LM or SD-WAN on the LTE connection, if Spectrum and AT&T Fiber go down, I just want it to fail over to the LTE, then fail back to Spectrum and AT&T when they come up again.
The Multi-WAN setup article says that LM is required for failover, which makes sense, but is that on ALL interfaces intended for failover?
Gregg Hill
Also choose your LM ping targets carefully.
I only had 8.8.8.8, and there was a problem with Comcast someplace upstream, with intermittent packet loss.= the other day.
This caused eth0 to be marked down, then up, then down...
I had to add a 2nd entry which went a different path, avoiding the problem location which was identified by a tracert tool.
I think WatchGuard recommends using an IP that is only a few hops away. like one's ISP's DNS servers, to avoid that issue. I use 8.8.8.8 or 1.1.1.1 plus the IP of their VoIP provider because that's the most critical one to know about line quality. Yes, we definitely need two!
Gregg Hill
I went ahead and enabled LM on the LTE connection as well so that all three are monitored.
Gregg Hill