VPN - Contivity 1100 (VPN Router) and Demand (Backup Interface)


v_2morm@hotmail.com

2007-05-03, 1:13 pm

Hi everyone,

We are currently migrating all of our remote store sites to Nortel
Contivity 1100 routers (called 1100 VPN routers now I believe).

At our head office and DRP site we have 1750's, which the 1100's will
be connecting to via branch office tunnels. We also have a 2208
alteon (application switch) at each site which will be doing load
balancing and failover between the head office and DRP site.

All is fine with the current setup; we set up the 1100's to connect to
vpn.domain.com (not real) for the destination of the tunnel and route
all traffic down that tunnel.

The problem we have now is, we have another ethernet interface in the
1100's we want to use as a backup interface in case the tunnel using
the main line dies. We have cellular routers that go over the HSDPA
or EDGE networks we want to utilize on this secondary ethernet
interface, only if the main line is down.

First we tried using Demand with the trigger as ping, but the router
will not allow us to use a DNS name for the destination address... so
we do not want to just point to one address, in case that one address
dies all of our stores would switch over to the backup interface. If
we could somehow ping our destination for our BOVPN it would be great
(because our vpn.domain.com contains the addresses of both our sites).

Interface groups would also be nice, which we have tried as well... in
the interface group we added the two tunnels to both 1750's and set up
the Demand trigger to use this group. Now, when we disconnect the
main line in testing, it switches over to the backup line and
establishes the tunnel. Problem with this is, now that the interface
group is back up, because the tunnels are back online, the router
tries to switch back over to the main line even though it is still
down. Then it notices the interface group has dropped once more
(because the main line is still down) and switches to backup again -
this loop continues until the main line is actually back up.

I guess I am just looking for any recommendations on how we can
possibly configure this to have complete redundancy at our remote
sites.

So, in review... we have a Contivity 1100 at the remote sites with 2
ethernet interfaces, both online. We want the main line (DSL)
connected to a tunnel via a DNS name (vpn.domain.com - which has 2 ips
of each of our 1750s at the head office and DRP site).

Once the tunnel dies, we want to establish another tunnel with the
secondary ethernet interface (cellular) and route all traffic through
it, but only until the main line (DSL) has come back online.... at
that point we would want the tunnel to re-establish using that
interface.

Any recommendations are greatly appreciated.

Thank you.
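
An added model of the flapping loop described in the interface-group paragraph above (not from the thread and not Nortel code; the two trigger functions are hypothetical simplifications of a Demand trigger):

```python
# Added example, not from the thread or from Nortel: a toy model of the
# Demand trigger loop described above. The interface-group trigger watches
# both branch-office tunnels, but those tunnels also run over the backup
# line, so the group reports "up" as soon as the backup tunnel connects
# and the router flips back to the still-dead main line. A trigger that
# watches only the main line's own health never sees the backup tunnel.
from dataclasses import dataclass

@dataclass
class Site:
    main_up: bool            # DSL line reachable?
    backup_up: bool = True   # cellular line reachable?
    active: str = "main"     # line currently carrying the tunnels

    def group_up(self) -> bool:
        """Interface group is up when the tunnels on the active line are up."""
        return self.main_up if self.active == "main" else self.backup_up

def step_group_trigger(site: Site) -> str:
    """One Demand evaluation with the interface group as trigger (what the
    poster tried): group down -> backup, group up -> back to main."""
    site.active = "main" if site.group_up() else "backup"
    return site.active

def step_main_line_trigger(site: Site) -> str:
    """One Demand evaluation that watches the main line itself (hypothetical:
    e.g. a probe that can only leave via the main interface)."""
    site.active = "main" if site.main_up else "backup"
    return site.active

def run(site: Site, step, n: int) -> list:
    """Return the active line after each of n trigger evaluations."""
    return [step(site) for _ in range(n)]

if __name__ == "__main__":
    print(run(Site(main_up=False), step_group_trigger, 6))      # flaps backup/main/...
    print(run(Site(main_up=False), step_main_line_trigger, 6))  # stays on backup
```

The model only shows why the loop occurs; it does not claim which trigger types the 1100 actually offers.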

John

2007-05-04, 1:13 pm

Have you looked into 2 Routers doing VRRP to resolve this issue?


<v_2morm@hotmail.com> wrote in message
news:1178214784.411049.89720@y80g2000hsf.googlegroups.com...
> Hi everyone,
>
> We are currently migrating all of our remote store sites to Nortel
> Contivity 1100 routers (called 1100 VPN routers now I believe).
>
> At our head office and DRP site we have 1750's, which the 1100's will
> be connecting to via branch office tunnels. We also have a 2208
> alteon (application switch) at each site which will be doing load
> balancing and failover between the head office and DRP site.
>
> All is fine with the current setup; we set up the 1100's to connect to
> vpn.domain.com (not real) for the destination of the tunnel and route
> all traffic down that tunnel.
>
> The problem we have now is, we have another ethernet interface in the
> 1100's we want to use as a backup interface in case the tunnel using
> the main line dies. We have cellular routers that go over the HSDPA
> or EDGE networks we want to utilize on this secondary ethernet
> interface, only if the main line is down.
>
> First we tried using Demand with the trigger as ping, but the router
> will not allow us to use a DNS name for the destination address... so
> we do not want to just point to one address, in case that one address
> dies all of our stores would switch over to the backup interface. If
> we could somehow ping our destination for our BOVPN it would be great
> (because our vpn.domain.com contains the addresses of both our sites).
>
> Interface groups would also be nice, which we have tried as well... in
> the interface group we added the two tunnels to both 1750's and set up
> the Demand trigger to use this group. Now, when we disconnect the
> main line in testing, it switches over to the backup line and
> establishes the tunnel. Problem with this is, now that the interface
> group is back up, because the tunnels are back online, the router
> tries to switch back over to the main line even though it is still
> down. Then it notices the interface group has dropped once more
> (because the main line is still down) and switches to backup again -
> this loop continues until the main line is actually back up.
>
> I guess I am just looking for any recommendations on how we can
> possibly configure this to have complete redundancy at our remote
> sites.
>
> So, in review... we have a Contivity 1100 at the remote sites with 2
> ethernet interfaces, both online. We want the main line (DSL)
> connected to a tunnel via a DNS name (vpn.domain.com - which has 2 ips
> of each of our 1750s at the head office and DRP site).
>
> Once the tunnel dies, we want to establish another tunnel with the
> secondary ethernet interface (cellular) and route all traffic through
> it, but only until the main line (DSL) has come back online.... at
> that point we would want the tunnel to re-establish using that
> interface.
>
> Any recommendations are greatly appreciated.
>
> Thank you.
>



v_2morm@hotmail.com

2007-05-07, 7:14 pm

On May 4, 11:36 am, "John" <j...@magma.ca> wrote:
> Have you looked into 2 Routers doing VRRP to resolve this issue?
>
> <v_2m...@hotmail.com> wrote in message
>
> news:1178214784.411049.89720@y80g2000hsf.googlegroups.com...

In what sense?

I thought a bit about using an HSRP address as the destination for
each remote site to ping (as a trigger for the backup interface), but
this will not work as our head office and DRP are using different ISPs
and are on completely different subnets.

Or did you mean using HSRP at each remote site? If so, we would need
2 routers at each site and would nearly double the expense of this
project. (We have over 300 remote sites..)

Let me know if your idea was different than I have taken it, or if
anyone else has ideas, I would love to hear them!

Thanks again

nortel user

2007-05-08, 7:13 am

We have a similar set up (I think)

We have a 1750 at site 1 and a 1750 at our DR site (different
location)
We have a 1100 at each branch. The 1100 has 2 x internet connections
(1 via a dsl card in the 1100 and the 2nd via the ethernet port to a
DSL Modem)

We have set up 2 tunnels to each site (4 tunnels in total)

Tunnel 1 goes to the primary 1750 using the 1100's dsl interface. We
have weighted the route as 10 in the branch office profile
Tunnel 2 also goes to the primary 1750 but using the 1100's ethernet
interface. We have weighted the route as 100 in the branch office
profile
We have repeated the above for the DR site.

When a route becomes unavailable the 1100 automatically re-routes for
us and when the primary routes come back the 1100 automatically re-
routes back via that route.

Could this be a possible solution for your issue?

v_2morm@hotmail.com

2007-05-10, 1:14 pm

On May 8, 2:20 am, nortel user <parmstr...@p-ccomms.com> wrote:
> We have a similar set up (I Think)
>
> We have a 1750 at site 1 and a 1750 at our DR site (different
> location)
> We have a 1100 at each branch. The 1100 has 2 x internet connections
> (1 via a dsl card in the 1100 and the 2nd via the ethernet port to a
> DSL Modem)
>
> We have set up 2 tunnels to each site (4 tunnels in total)
>
> Tunnel 1 goes to the primary 1750 using the 1100's dsl interface. We
> have weighted the route as 10 in the branch office profile
> Tunnel 2 also goes to the primary 1750 but using the 1100's ethernet
> interface. We have weighted the route as 100 in the branch office
> profile
> We have repeated the above for the DR site.
>
> When a route becomes unavailable the 1100 automatically re-routes for
> us and when the primary routes come back the 1100 automatically re-
> routes back via that route.
>
> Could this be a possible solution for your issue?


This sounds like it would suit what we are trying to do exactly. I
have tried the two tunnel setup (two for each interface - 4 in total)
on our test 1100, which would be the easiest way to go I believe. But
I think the problem it gave me was it wouldn't create 2 tunnels from
the 1100 to our head office on different interfaces, it said something
along the lines of "You cannot have 2 tunnels with the same
endpoint". This could have been because of weighting though now that
I think about it.

I will try this route again and see how it goes. If this scenario
works for you though, then it would be perfect for our situation.

Thank you for your response, I will post an update after doing some
more testing today.

v_2morm@hotmail.com

2007-05-10, 1:14 pm

On May 8, 2:20 am, nortel user <parmstr...@p-ccomms.com> wrote:
> We have a similar set up (I Think)
>
> We have a 1750 at site 1 and a 1750 at our DR site (different
> location)
> We have a 1100 at each branch. The 1100 has 2 x internet connections
> (1 via a dsl card in the 1100 and the 2nd via the ethernet port to a
> DSL Modem)
>
> We have set up 2 tunnels to each site (4 tunnels in total)
>
> Tunnel 1 goes to the primary 1750 using the 1100's dsl interface. We
> have weighted the route as 10 in the branch office profile
> Tunnel 2 also goes to the primary 1750 but using the 1100's ethernet
> interface. We have weighted the route as 100 in the branch office
> profile
> We have repeated the above for the DR site.
>
> When a route becomes unavailable the 1100 automatically re-routes for
> us and when the primary routes come back the 1100 automatically re-
> routes back via that route.
>
> Could this be a possible solution for your issue?


It did not work as I wanted... I cannot get the 1100 to create two
tunnels, from different interfaces, to one 1750. I went into
Profiles > Branch Office, then I created an initiator tunnel from the main
ethernet interface to the IP address of our head office 1750. I
checked the status of this tunnel and it is working ok.

Now, when I try to go back into Profiles > Branch office and create a
second initiator tunnel with a higher weight, from the backup (or what
we want to be the backup) ethernet interface to the same 1750 it gives
me this error:

"This connection has not been configured properly. It will be disabled
until the problems have been corrected.
ERROR: Remote IP address is already in use by another connection"

How did you get it to accept the two tunnels both going to the same
endpoint IP (1750)? Is there something I am missing?

nortel user

2007-05-11, 7:13 am

Sorry, my error, I have just double checked and we have 2 x interfaces
on the 1750 as well.

We have tunnel 1 to interface 1 (weight is 10)
We have tunnel 2 to interface 2 (weight is 50)


v_2morm@hotmail.com

2007-05-11, 1:13 pm

On May 11, 2:02 am, nortel user <parmstr...@p-ccomms.com> wrote:
> Sorry, my error, I have just double checked and we have 2 x interfaces
> on the 1750 as well.
>
> We have tunnel 1 to interface 1 (weight is 10)
> We have tunnel 2 to interface 2 (weight is 50)


Ok, I thought there was something obvious I was missing :-)

I will throw a NIC into our test 1750 and do some more testing. I
think this may work for us - I will post another message if it does.

Thank you again.

v_2morm@hotmail.com

2007-05-11, 7:14 pm

On May 11, 8:46 am, v_2m...@hotmail.com wrote:
> On May 11, 2:02 am, nortel user <parmstr...@p-ccomms.com> wrote:
> Ok, I thought there was something obvious I was missing :-)
>
> I will throw a NIC into our test 1750 and do some more testing. I
> think this may work for us - I will post another message if it does.
>
> Thank you again.


This is now somewhat working as we want, however one thing still needs
to be worked out. It seems that if we logged off the main tunnel it
would switch over to the next tunnel (one with the higher weight).
However, if we killed the actual DSL, the other tunnel wouldn't come
up.

We made a static route to the IP of the 1750, (where the secondary
tunnel was trying to connect to) and pointed it at the gateway for the
secondary interface and now it works as we want. So, it seems as if
without that static route all the control info for the tunnel was
still being sent over the main ethernet interface.

We do have the default gateway set to the gateway for that interface,
but there is another default gateway (with a higher weight) set as the
gateway of the secondary interface. This does not seem like it is
working though. We even tried the "Validate public default routes",
which did not work either.

We are trying to overcome this now, but I'm wondering if you know what
you did for this in your situation... We would rather not have to
make the static route on every router, because we may not know it in
all cases and we are going to be setting up over 300 of these.

What we need is a setting that says, send all traffic (even control,
isakmp, keepalives) down the same interface. I.e. for tunnel1 send
all traffic down slot 1 interface 1 and for tunnel2 send all traffic
down slot 2 interface 1.
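
As an added illustration (not from the thread and not Nortel code; addresses, interface names and the link-state assumption are all constructed), a small longest-prefix-match model of why the second, higher-weight default route did not move tunnel2's ISAKMP and keepalive packets onto the cellular interface while the main Ethernet link still reported up, and why the /32 static route to the 1750's second interface did:

```python
# Added example, not from the thread or from Nortel: a longest-prefix-match
# model of the routing behaviour the last post describes. Addresses,
# interface names and the link-state assumption are constructed.
import ipaddress

HO_1750_IF1 = ipaddress.ip_address("198.51.100.10")  # head-office 1750, interface 1
HO_1750_IF2 = ipaddress.ip_address("198.51.100.20")  # head-office 1750, interface 2
DSL_GW, CELL_GW = "203.0.113.1", "192.0.2.1"         # gateways of the two lines

def build_table(with_host_route: bool):
    """Routes as (prefix, gateway, weight, egress interface). Lower weight is
    preferred, mirroring the 10 / 100 weights used in the thread."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), DSL_GW, 10, "slot1/if1"),    # main (DSL)
        (ipaddress.ip_network("0.0.0.0/0"), CELL_GW, 100, "slot2/if1"),  # backup (cellular)
    ]
    if with_host_route:
        # the static route the poster added: pin tunnel2's peer IP to the backup line
        table.append((ipaddress.ip_network(f"{HO_1750_IF2}/32"), CELL_GW, 10, "slot2/if1"))
    return table

def lookup(table, dst, link_up):
    """Longest prefix wins; among equal prefixes the lowest weight wins.
    Only routes whose egress link reports up are usable."""
    usable = [r for r in table if dst in r[0] and link_up[r[3]]]
    if not usable:
        return None
    return max(usable, key=lambda r: (r[0].prefixlen, -r[2]))[3]

def tunnel_egress(with_host_route: bool, main_link_up: bool = True):
    """Which interface carries each tunnel's ISAKMP/keepalive traffic.
    Assumption: when the DSL service dies, the Ethernet link to the DSL
    modem usually stays up, so main_link_up remains True and the
    weight-10 default route keeps attracting everything."""
    link_up = {"slot1/if1": main_link_up, "slot2/if1": True}
    table = build_table(with_host_route)
    return {"tunnel1": lookup(table, HO_1750_IF1, link_up),
            "tunnel2": lookup(table, HO_1750_IF2, link_up)}

if __name__ == "__main__":
    print(tunnel_egress(with_host_route=False))  # tunnel2 wrongly leaves via slot1/if1
    print(tunnel_egress(with_host_route=True))   # tunnel2 pinned to slot2/if1
```

The weight-100 default only takes over once the weight-10 one is withdrawn, which a dead DSL service behind a live Ethernet link never causes; a more specific route is what changes tunnel2's egress.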

Copyright 2003 - 2008 webservertalk.com