RED: Restart tunnel instead of unit
When the internet connection drops at the main site (UTM location), the RED restarts to get the tunnel up again. When (for some reason) the internet connection stays down at the main site, all internet activity at the remote location is down due to continuous restarts of the RED. If the RED only tried to pick up the tunnel, the internet at the remote location could still be used.
Just to add: Andrew Kay suggests that the RED is a "fail-closed" device, and it is. But I think when Transparent/Split was added, fail-closed made the mode completely unusable. The whole point of T/S mode is that you're providing a host or network access to a specific resource but leaving the access control policy to the firewall on the network. The only way fail-closed makes any sense is in standard mode, where you do not want any traffic to make it to the internet. I'm glad to see this is under review, even if it's been under review since 9/2013. Hopefully after the next big release of the firmware for the UTM is out, we'll either see this move forward or see it closed. :)
This seems to be a big point of confusion. I was about to deploy a RED in Transparent/Split mode and was concerned that the RED would reboot after the UTM goes offline and effectively block internet access.
Yesterday, I set up a RED in T/S mode in the lab and blocked the RED's ability to communicate with the UTM, which is located at another office. After several attempts to contact the UTM, the RED rebooted and the devices behind the RED lost their internet connection.
I can confirm 100% that after the RED loses connection to the UTM, it will reboot and will not pass any traffic. For uses where the RED is in either T/S or Standard/Split mode, having the RED reboot and block internet access is detrimental to the use cases where I've deployed it.
I agree that, if at all possible, the RED shouldn't just reboot to try to bring up the tunnel again.
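The lab test described above (block the RED's path to the UTM, then watch whether hosts behind the RED still reach the internet) is easy to reproduce with a timestamped probe log. The script below is an added example, not the poster's code and not Sophos' code: it pings the UTM's public address (the tunnel endpoint) and an ordinary internet host from a machine behind the RED, classifies each sample as "tunnel up", "tunnel down but internet up" (fail-open) or "tunnel down and internet down" (fail-closed), and collapses the samples into windows so the reboot outage is visible. The host names are assumed placeholders; the sample run at the bottom is constructed, not a real measurement.

```python
"""Probe logger for the RED fail-closed lab test.

Added example, not Sophos or the forum poster's code. Runs from a host behind
the RED; it never talks to the RED or UTM management interface, it only pings.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import List, Tuple

UTM_ENDPOINT = "utm.example.com"   # assumed placeholder: the UTM's public IP/name
INTERNET_HOST = "1.1.1.1"          # assumed placeholder: any host on the internet

NORMAL = "tunnel up, internet up"
FAIL_OPEN = "tunnel down, internet up (fail open)"
FAIL_CLOSED = "tunnel down, internet down (fail closed)"
ODD = "tunnel up, internet down"


@dataclass
class Sample:
    t: float          # seconds since the start of the run
    utm_up: bool      # UTM endpoint answered a ping
    internet_up: bool # internet host answered a ping


def ping(host: str, timeout_s: int = 1) -> bool:
    """Single ICMP echo via the system ping binary (Linux flag set). True if answered."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def classify(s: Sample) -> str:
    """Map one sample to the four reachability states."""
    if s.utm_up:
        return NORMAL if s.internet_up else ODD
    return FAIL_OPEN if s.internet_up else FAIL_CLOSED


def windows(samples: List[Sample]) -> List[Tuple[str, float, float]]:
    """Collapse consecutive samples with the same state into (state, first_t, last_t)."""
    out: List[Tuple[str, float, float]] = []
    for s in samples:
        state = classify(s)
        if out and out[-1][0] == state:
            out[-1] = (state, out[-1][1], s.t)
        else:
            out.append((state, s.t, s.t))
    return out


def run(interval_s: float = 10.0, duration_s: float = 600.0) -> List[Sample]:
    """Live probe loop: sample both hosts every interval_s for duration_s seconds."""
    start = time.monotonic()
    samples: List[Sample] = []
    while time.monotonic() - start < duration_s:
        t = round(time.monotonic() - start, 1)
        s = Sample(t, ping(UTM_ENDPOINT), ping(INTERNET_HOST))
        samples.append(s)
        print(f"{t:7.1f}s  {classify(s)}")
        time.sleep(interval_s)
    return samples


# Constructed sample run (not a real measurement): the path to the UTM is cut
# at t=20, the RED keeps retrying with local internet still usable until t=60,
# then reboots and passes nothing until the tunnel is back at t=140.
SAMPLE_RUN = [Sample(t, utm_up=(t < 20 or t >= 140), internet_up=(t < 60 or t >= 140))
              for t in range(0, 160, 10)]


if __name__ == "__main__":
    # Replace SAMPLE_RUN with run() to log a live test from behind the RED.
    for state, first, last in windows(SAMPLE_RUN):
        print(f"{first:6.0f}s - {last:6.0f}s  {state}")
```

On a real run, a RED that retries without rebooting shows a single fail-open window for the whole outage; the behaviour reported in this thread shows a short fail-open window followed by a fail-closed window that lasts until the UTM is reachable again.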
Admin Jan Weber (Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) commented
Moving to correct Category.
Nils Brinkmann commented
RED should reconnect without a reboot if the cluster fails over to the passive node.
Andrew Kay commented
I thought that the RED was a "fail closed" device which means that if in split mode the tunnel goes down, the RED will no longer forward *any* traffic. If so, that makes this moot.
Jan Muller commented
Are you using a RED50? We had problems with RED50 restarts and were talking to support. We received hotfixes that greatly reduce restart time; I imagine they will be released some time soon. Also, do you have an AP5 USB Wi-Fi adapter plugged into the RED? This caused problems as well.
Same issue here.
This is a must-have. Rebooting the device is not an option when it is used as the default gateway for the local LAN. All clients lose their connection to the internet until the problem at the UTM location is solved…
I have the same problem. Anyone??