Multiple Internet Links - Failover
  •  
menace

Messages: 4
Karma: 0
Kerio Control Software Appliance.
Two Internet links in Native mode. Failover enabled, one Primary link and other Secondary link.
Problem: both Internet interfaces are listening for incoming connections from outside (the Internet) at the same time. Why is the backup interface active while the primary link is working fine?
  •  
mlee (Kerio)

Messages: 246
Karma: 16
That is the reason for having failover links: the moment the primary link is down, the backup will kick in to minimise downtime.

If you prefer, you can always use load balancing mode so both links are being utilised.

M.

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
menace

Messages: 4
Karma: 0
mlee (Kerio) wrote on Mon, 16 March 2015 22:15
That is the reason for having failover links: the moment the primary link is down, the backup will kick in to minimise downtime.

So there is no way to keep the Backup Link completely inactive when the Primary Link is working?
  •  
ksnyder

Messages: 557
Karma: 36
Use a traffic rule to force traffic on the primary link. Below that rule, add an identical rule to force traffic through the backup link.

Ken Snyder
  •  
menace

Messages: 4
Karma: 0
ksnyder (KERIO) wrote on Mon, 16 March 2015 23:56
Use a traffic rule to force traffic on the primary link. Below that rule, add an identical rule to force traffic through the backup link.


For example, rules for VPN clients connecting to Kerio Control, as you said. One for the primary link and one for the backup link.
While the primary link works, users can easily connect to the server via the backup link's IP according to the second rule.
  •  
ksnyder

Messages: 557
Karma: 36
My belief is that what you need to do is use Policy-Based Routing ( http://kb.kerio.com/product/kerio-control/bandwidth-optimization/configuring-policy-routing-1314.html ) principles to force all traffic through your primary Internet interface. The first rule will force all allowed traffic through Primary. The rule below (forcing traffic through Backup) will not be evaluated *UNLESS* the Primary interface is down. Please note that the interface must be down (slow doesn't count as a failure).

Ken Snyder
  •  
Brian Carmichael (Kerio)

Messages: 605
Karma: 61
@menace, I agree that in failover mode the firewall should not allow incoming connections to the backup interface. I have filed a bug for this behavior.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
menace

Messages: 4
Karma: 0
Brian Carmichael (Kerio) wrote on Tue, 17 March 2015 08:40
@menace, I agree that in failover mode the firewall should not allow incoming connections to the backup interface. I have filed a bug for this behavior.

Thx, waiting for fix.
  •  
Brian Carmichael (Kerio)

Messages: 605
Karma: 61
@menace, we'd like to understand this situation a bit more. What type of services are you hosting through the backup link? Why is it a problem if someone accesses the backup link while the primary is still active?
You mentioned a scenario of VPN clients. Normally you should use a dynamic DNS service so that clients will connect to a name that is associated with the active link. Or in the VPN client, you can use failover by inputting multiple names (separated by semicolon) into the connection field. For example primary.example.com;backup.example.com.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
UnifiedTechs-Brian

Messages: 164
Karma: 15
Brian Carmichael (Kerio) wrote on Tue, 17 March 2015 10:40
@menace, I agree that in failover mode the firewall should not allow incoming connections to the backup interface. I have filed a bug for this behavior.


I disagree 100%. If incoming traffic is coming in on the backup link IP, Kerio Connect should not refuse it simply because the primary link appears active. You need to figure out why traffic is coming to that link, because something is wrong. Take this example.

User runs a mail server:
MX1 is set as primary link.
MX2 is set as backup link.

Due to a net-split or routing error between ISPs, MX1 is not reachable for some senders, so per SMTP standards the sending mail server uses MX2. You're saying Control should refuse this traffic? Or what if the primary link is overloaded or slow? The above situation is exactly how the SMTP system is designed, and any firewall I have ever worked with will accept this traffic, as it should.

If steady traffic is incoming for no reason, then there is some problem that is pointing normal traffic to the wrong interface. This could be an inability for some traffic to reach that port, or some DNS issue such as reversed MX records. The firewall cannot possibly know the status of the entire Internet and should not be making these decisions based solely on whether a link appears up because it can ping its gateway.

If this is a needed feature it needs to be built in as a special behavior that is turned off by default. I can see some situations where this behavior could be beneficial involving tolled connections (Cellular Modems maybe), but it should not be the default behavior.

[Updated on: Sun, 12 April 2015 14:54]


- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
  •  
UnifiedTechs-Brian

Messages: 164
Karma: 15
menace wrote on Tue, 17 March 2015 03:07
ksnyder (KERIO) wrote on Mon, 16 March 2015 23:56
Use a traffic rule to force traffic on the primary link. Below that rule, add an identical rule to force traffic through the backup link.


For example, rules for VPN clients connecting to Kerio Control, as you said. One for the primary link and one for the backup link.
While the primary link works, users can easily connect to the server via the backup link's IP according to the second rule.


The problem is you should not be connecting the client to VPN directly with IP addresses. This whole situation can be fixed by using DNS and the tools already built into Control:

Use the failover built into the Control VPN client already. "Multiple endpoints can be defined to configure VPN failover in case the Kerio Control VPN server is load balancing with multiple Internet links. To separate entries, use a semicolon (for example, primary.example.com;secondary.example.com)". http://kb.kerio.com/product/kerio-control/vpn/configuring-kerio-control-vpn-client-1303.html

To force users to go back to your primary link when it returns, you need to hit the Advanced button under "Internet Connectivity" and make sure the box "Force reconnect of all VPN tunnels when the primary line is used again" is checked. This will cause the VPN tunnels to drop, and when they reconnect they will go back to the primary link barring any other issues.

(Alternate method with 3rd party service: Use a DNS service with failover such as EasyDNS. Users always connect to VPN.domain.com. The DNS host monitors if the address is up and if it goes down it fails over the record to the second IP, when the first IP returns the DNS record goes back to normal.)

[Updated on: Sun, 12 April 2015 15:17]


- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
  •  
Brian Carmichael (Kerio)

Messages: 605
Karma: 61
@UnifiedTechs, the scenario you presented (involving incoming SMTP connections) is best achieved via load balancing. In this case Kerio Control would receive incoming connections on either interface. You can use policy routing to favor one of the links for outgoing connections. As it is now (and will likely remain), Kerio Control allows incoming connections to the failover/backup interface in both scenarios. As you mentioned, perhaps the use case is that there is some kind of tolled connection for the backup line, but in this situation I would not recommend hosting services. Perhaps the original author of this topic (Menace) has a more tangible use case for blocking incoming connections to a backup interface?

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
acq@ghi-dc.org

Messages: 59
Karma: 5
It seems as if I am trying to achieve something similar.

I would like to use failover but also host a service behind the firewall. If both internet interfaces are up the server cannot be reached from the internet. If I take the backup link down the server becomes available again.

Is there a way to force all traffic coming from the internet to the primary link?
  •  
acq@ghi-dc.org

Messages: 59
Karma: 5
The way I see it is that WAN link failover and hosting services could only be achieved through implementing a load balancer. However, my guess is that small businesses especially would be glad to be able to host services without additional complexity and financial expense.

I added a feature request for this.

When using Multiple internet links it would be great to set options for the backup link.
1. Currently the primary as well as the backup link are listening for incoming (i.e. internet) traffic. This poses problems when hosting services behind the Kerio Control firewall.
2. It would be tremendously helpful if an option could be added that would turn off the listening mode for the backup link until the failover sets in. It might also help some people to have an option that would allow the backup link to only listen for its own IP address when in backup mode.
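Added illustration, not Kerio's code and not from any poster in this thread: the Python below models the two behaviours the thread turns on. The first is the client-side failover the KB quote describes, an ordered walk over a semicolon-separated endpoint list where the first host that answers wins; the second is the exposure check menace and acq@ghi-dc.org are after, probing which WAN names currently accept a hosted service's port so that an administrator can see whether the backup link is answering while the primary is up. The hostnames, the port number and the probe results are constructed placeholders, and the probe function is injectable so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample in the "primary;backup" format the KB quote in this thread uses.
SAMPLE_ENDPOINTS = "primary.example.com;backup.example.com"
SERVICE_PORT = 4090  # assumption: placeholder port for the hosted service being checked

Probe = Callable[[str, int], bool]


def parse_endpoints(value: str) -> List[str]:
    """Split 'host1;host2;...' into an ordered, de-duplicated host list (primary first)."""
    seen, hosts = set(), []
    for part in value.split(";"):
        host = part.strip()
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: True only if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unroutable, DNS failure or timeout all count as "not reachable"
        return False


def first_reachable(hosts: Iterable[str], port: int, probe: Probe = tcp_reachable) -> Optional[str]:
    """Client-side failover order: try hosts as listed and return the first one that answers."""
    for host in hosts:
        if probe(host, port):
            return host
    return None  # no endpoint answered; the caller must treat this as a failed connection


def exposure_report(hosts: Iterable[str], port: int, probe: Probe = tcp_reachable) -> Dict[str, bool]:
    """Administrator's check: which WAN names accept the service port right now.
    In the failover set-up discussed above, the backup name answering while the
    primary also answers is the condition the thread's posters want to detect."""
    return {host: probe(host, port) for host in hosts}


if __name__ == "__main__":
    hosts = parse_endpoints(SAMPLE_ENDPOINTS)
    print("would connect via:", first_reachable(hosts, SERVICE_PORT))
    print("currently listening:", exposure_report(hosts, SERVICE_PORT))
```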