From: RoverDrover on 21 Apr 2008 01:05

We have a large eye clinic with three branches in three Texas towns. The main branch has DSL (static IP) and T1 (static IP), and a second branch has DSL (static IP) and cable (dynamic IP). They both have 3002 HW clients that tunnel to a 3005 at a remote site.

Both sites have HotBrick dual-WAN gateway routers, that load-share between the two WAN connections when both are up, and failover to one when the other goes down.

We learned by accident that at the site with the DSL and cable, if DSL was disconnected, the VPN tunnel would go down and not come back up. When cable was disconnected and DSL reconnected, the tunnel came back up quickly. So we tried at the main branch -- same thing. The tunnel only worked through DSL and not through the T1. So despite all the expensive connectivity, there is still a single point of failure.

The 3005 is on a T1 or T3, I'm not sure, and has other clients too and they all work fine.

So the question is, does anybody know what might be the cause of this inability to failover? Does the 3002 - 3005 connection bind in some way to a path? Or is the HotBrick more likely the culprit?

Thank you for help,

Bob Wilson

From: Martin Bilgrav on 22 Apr 2008 14:50

"RoverDrover" <bob(a)bobwilson.us> wrote in message news:ead0fe45-ea70-4771-a534-7ff7bac956e3(a)m73g2000hsh.googlegroups.com...
> We have a large eye clinic with three branches in three Texas towns.
> The main branch has DSL (static IP) and T1 (static IP), and a second
> branch has DSL (static IP) and cable (dynamic IP). They both have
> 3002 HW clients that tunnel to a 3005 at a remote site.
>
> Both sites have HotBrick dual-WAN gateway routers, that load-share
> between the two WAN connections when both are up, and failover to one
> when the other goes down.
>
> We learned by accident that at the site with the DSL and cable, if DSL
> was disconnected, the VPN tunnel would go down and not come back up.
> When cable was disconnected and DSL reconnected, the tunnel came back
> up quickly. So we tried at the main branch -- same thing. The
> tunnel only worked through DSL and not through the T1. So despite all
> the expensive connectivity, there is still a single point of failure.
>
> The 3005 is on a T1 or T3, I'm not sure, and has other clients too and
> they all work fine.
>
> So the question is, does anybody know what might be the cause of this
> inability to failover? Does the 3002 - 3005 connection bind in some
> way to a path? Or is the HotBrick more likely the culprit?
>

Hi,

I have no idea what a HotBrick is ... but I'll still try to list common issues with VPN. Although it would greatly assist troubleshooting, if you have any idea what's going on at the VPN headend - the VPN3005. Also what version of code you are running, along with the VPN modes.

Anyway - I will assume that your setup is two routers and/or modems both connected to a router that will do the LB and FO; behind this router there is your VPN3002.

Assuming this, it would be likely that the DSL runs great with VPN but the T1 router doesn't.

This could be true for many reasons; one is VPN pass-through or IPSEC NAT traversal, both are features that the router needs to be configured for. Also you need the UDP encapsulation of the IPSEC on e.g. UDP/4500 or TCP/10000. Then you would be likely to connect and pass traffic onto a VPN tunnel.

What you can do is verify this and provide more info. Also you might test the VPN on the T1 router alone.

HTH
Martin Bilgrav

> Thank you for help,
>
> Bob Wilson

From: RoverDrover on 23 Apr 2008 02:23

Thanks for your thoughtful response Martin. These routers are new to me too, and I have learned once more the hard way to RTFM.

I got into a HotBrick user forum of stock traders and people who cannot have downtime, and got the lowdown: The HotBrick manufacturers say they'll do FO and LB, but you have to get down to the fine print to see that they only do one of those and not both at the same time.

So everything is working just the way it's supposed to, from the Cisco side, and the HotBrick dual-WAN boxes are doing only what the fine print says they have to do.

Be well and thanks again,

Bob