WAN Connectivity Check on Nebula Security Gateways (NSG) / USG FLEX in Nebula (WAN Failover)

Let's imagine the following scenario: 
Your Nebula Security Gateway (NSG) or USG FLEX has two active WAN interfaces, and because of load sharing, traffic may be routed across an interface that has no Internet connection.
For example, an NSG uses its WAN 1 and WAN 2 connections for load sharing.
However, when there is a remote routing failure on WAN 1, the NSG cannot detect it.
WAN Connectivity Check lets the NSG detect the remote routing failure on WAN 1 and creates event logs about it.

How it works:
1. When this feature is enabled, NSG sends ICMP requests to the target domain names or IP addresses.
    The check uses the following parameters:
    (1) Check Interval: 10 seconds
    (2) Check Timeout: 5 seconds
    (3) Check Fail Tolerance: 3 times
    (4) Maximum time to detect failures: 45 seconds
2. NSG disables routing across a WAN interface if the connectivity check fails on that interface.
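
The timing above can be reproduced with a small simulation. This is an added example, not Zyxel code; the scheduling it uses (the next request is sent one interval after the previous check finished, a reply is instantaneous, and only consecutive failures count) is an assumption chosen because it yields the stated 45-second maximum.

```python
CHECK_INTERVAL = 10   # seconds between checks (article value)
CHECK_TIMEOUT = 5     # seconds to wait for an ICMP reply (article value)
FAIL_TOLERANCE = 3    # failed checks before the WAN is treated as down (article value)


def simulate(outages, horizon=600):
    """Run the check loop against constructed outage windows.

    outages: list of (start, end) in seconds during which replies are lost.
    Returns (down_at, log); down_at is None if the tolerance is never reached.
    Assumptions: the next request goes out CHECK_INTERVAL after the previous
    check finished, a reply is instantaneous, and only consecutive failures count.
    """
    t, failures, log = 0, 0, []
    while t <= horizon:
        # A request sent at the instant an outage begins is assumed to still get its reply.
        lost = any(start < t <= end for start, end in outages)
        if lost:
            failures += 1
            t += CHECK_TIMEOUT                      # wait out the full timeout
            log.append((t, f"timeout {failures}/{FAIL_TOLERANCE}"))
            if failures == FAIL_TOLERANCE:
                log.append((t, "routing over this WAN disabled"))
                return t, log
        else:
            failures = 0                            # any reply resets the count
            log.append((t, "reply"))
        t += CHECK_INTERVAL
    return None, log


def detection_latency(outage_start):
    """Seconds between the start of a lasting outage and the failover."""
    down_at, _ = simulate([(outage_start, float("inf"))])
    return down_at - outage_start


if __name__ == "__main__":
    for when, what in simulate([(0, float("inf"))])[1]:
        print(f"t={when:>3}s  {what}")
    latencies = [detection_latency(s) for s in range(10)]
    print("latency range:", min(latencies), "to", max(latencies), "seconds")
    print("30 s outage detected:", simulate([(0, 30)])[0] is not None)
```

Under these assumptions, an outage that clears before the third timeout never reaches the tolerance, so it produces no failover.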

Where to configure on NSG:

You may find it on NSG via:

"Security Gateway > Configure > Traffic Shaping"

As soon as you select the load-balancing type "Failover", the Connectivity Check menu appears.

Where to configure on USG FLEX:

You may find it on USG FLEX via:

"Firewall > Configure > Routing"

And enable connectivity check on the primary interface.
