[SRP527w] VPN failover and recovery

ggarnierseml
Level 1

Hi,

Our company is using DSL routers to connect remote sites to our headquarters.
We build VPN over ADSL, between a Zyxel USG 200 Firewall/VPN appliance and our remote routers.

We decided to add a 3G backup connection, and we chose to test the SRP527w for that purpose.
Thanks to Andrew Hickman who answered my questions, we successfully built an IPSEC VPN over the 3G connection, and it works really fine.

There is a remaining problem with the failover/recovery of the VPN tunnel:

1)
We start the router
The SRP527w sets ADSL up, and builds the VPN.
ADSL fails (we unplug the cord)
3G starts very fast, and the WAN connection is OK (ping of our VPN appliance through the internet)

But the VPN tunnel never comes back!

If I manually click on "Connect" on the VPN menu, it doesn't connect either!
If I look at the log on my VPN appliance, I don't see any attempt to build the VPN.
If I re-plug the ADSL, the VPN connects again through ADSL!


2)
WITH EXACTLY THE SAME CONFIGURATION, AND THE SAME VPN CONFIGURATION ON BOTH SIDES:
We start the router with the ADSL cord unplugged.
The SRP527w sets 3G up, and builds the VPN!
We re-plug the ADSL, and ADSL connects successfully (ping of our VPN appliance through the internet)

But the VPN tunnel never comes back!

If I manually click on "Connect" on the VPN menu, it doesn't connect either!
If I look at the log on my VPN appliance, I don't see any attempt to build the VPN.
If I unplug the ADSL, the VPN connects again through 3G!

My configuration:

Failover and recovery activated, with timeout set to 60 sec.
ADSL first, then 3G. 1 PVC enabled on ADSL.
1 IPSEC policy and 1 IKE policy, both matching with 1 tunnel on my VPN appliance (configured in "Dynamic Peer" because there is no static IP address on the 3G connection).

Version ID: V01
Hardware version: 4.0.0
Boot version: 1.1.17
Firmware version: 1.01.19

It's like once the VPN is setup on the first WAN interface, it can't be setup on the second if the first fails. Andrew, do you know that issue? Am I doing it wrong somewhere?

Thank you very much for your answer.

Accepted Solutions

Andrew Hickman
Cisco Employee

Hi

Thanks for the feedback - this is a known issue. We'll work on a fix as soon as it is possible.

Regards,

Andy

Ok, thanks again for your fast answer!

Can you tell me if it is a matter of days, weeks, or months?

We need to be sure these routers will meet our required specifications before buying 20 or 30 of them.

Thank you very much for your concern.

Gaultier

Hi Gaultier,

We're looking into this now. We don't have a firm date for the next maintenance release yet, but it won't be for a few months yet.

Andy
