WAN/VPN - Bonding and Failover

ayori (Member, Posts: 48)
Hi All,

We have multiple sites that have a hub and spoke topology (Head office is the hub, remote sites are the spokes). The HO and each remote site have 2 ISPs for Internet browsing and IPSec GRE tunnels back to HO. The remote sites have applications that are accessed in the HO via the IPSec tunnels (for each remote site there are 4 tunnels to HO running OSPF). If one of the ISPs at the remote site is degraded or down, the failover to the next VPN takes a few minutes (as expected) and all sessions have to be re-established (again, as expected). However, the company loses money when this happens. We would like to install devices that are capable of bonding multiple WAN connections as one and provide load balancing and seamless VPN failover.

I've been doing my research on Peplink and Ecessa WAN bonding/load balancing products and wondering if you guys have had any experience on these or any other similar devices.

Thanks!

Comments

  • vinbuck (Member, Posts: 785)
    Depending on the type of network gear you have, you probably already have the capability to do this.

    With Cisco gear you can use interface tracking and possibly an FHRP like HSRP or VRRP to achieve a failover time of 10 seconds or less.
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • Lizano (Member, Posts: 230)
    Yeah, why does it take minutes? I know with an ASA or even with a Fortigate failover happens within like 10 seconds. I have done the setup that you describe with both Fortigates and ASAs and, even though the failover is not seamless, it's common that end users don't even notice it.


    What type of WAN links do you have? I'm not sure how bonding different ISPs into a single device would make the failover seamless; doesn't the public IP of the ISP still have to become unavailable for the failover to happen? Even BGP is cheap or free nowadays, if you are using at least 2 T1s. What kind of internet service do you have at the far sides?
  • ayori (Member, Posts: 48)
    Appreciate the replies guys.

    I should have been more clear. For Internet traffic, yes, the failover is way faster, just like you described. But with VPNs it's a bit slower. At the firewall/router level it may take less than a minute, but for the actual user applications it takes more time. The other problem is that after the traffic from remote to HO starts using the backup VPN tunnel, all the sessions time out and have to be re-initiated (which I would expect). We're looking into products that are somewhat of a "WAN etherchannel" that can provide session persistence over VPN (or proprietary protocols) in the event of a failure.

    We've also talked about dedicated lines like MPLS, but many of the sites are so remote that there are no reliable circuits available around them.

    We're running SSGs with IP tracking, by the way. The problem with tracking is that when the link is just degraded (not hard down), failover won't kick in.
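    The degraded-but-not-down gap described in this post is a property of reachability-only tracking: a probe that asks "did the reply arrive?" stays green while latency and loss climb. The following added example (my own illustration, not the poster's SSG configuration or any vendor's tracking feature) contrasts a hard-down-only tracker with one that also fails over on RTT and loss thresholds, and adds hysteresis so a single bad probe does not flap the tunnel. The probe samples and the threshold values are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample probe results toward the hub over the primary tunnel.
# Each tuple is (rtt_ms, loss_pct) for one probe cycle; rtt_ms None = timed out.
# Cycles 3-6 model a degraded link: replies still arrive, but slowly and lossy.
PRIMARY_SAMPLES: List[Tuple[Optional[int], int]] = [
    (45, 0), (48, 0), (52, 0),
    (310, 12), (295, 15), (330, 20), (320, 18),
    (50, 0), (47, 0), (49, 0), (46, 0), (48, 0),
]


@dataclass
class LinkPolicy:
    """Thresholds for declaring a tunnel unusable (assumed values, tune per site)."""
    rtt_ms_max: int = 200      # above this the applications start timing out
    loss_pct_max: int = 5      # sustained loss above this is treated as failure
    down_after: int = 3        # consecutive bad cycles before failing over
    up_after: int = 3          # consecutive good cycles before failing back


def hard_down_only(samples) -> List[bool]:
    """Reachability tracking as the post describes it: healthy unless probes time out."""
    return [rtt is not None for rtt, _loss in samples]


class LinkTracker:
    """Quality-aware tracker with hysteresis in both directions."""

    def __init__(self, policy: LinkPolicy):
        self.policy = policy
        self.healthy = True
        self.bad_streak = 0
        self.good_streak = 0

    def sample_is_bad(self, rtt_ms: Optional[int], loss_pct: int) -> bool:
        # A timeout is always bad; otherwise compare against the quality thresholds.
        if rtt_ms is None:
            return True
        return rtt_ms > self.policy.rtt_ms_max or loss_pct > self.policy.loss_pct_max

    def observe(self, rtt_ms: Optional[int], loss_pct: int) -> bool:
        """Feed one probe cycle; returns the tunnel's health state after this cycle."""
        if self.sample_is_bad(rtt_ms, loss_pct):
            self.bad_streak += 1
            self.good_streak = 0
        else:
            self.good_streak += 1
            self.bad_streak = 0
        # Only change state after a full streak, so one noisy probe cannot flap routing.
        if self.healthy and self.bad_streak >= self.policy.down_after:
            self.healthy = False
        elif not self.healthy and self.good_streak >= self.policy.up_after:
            self.healthy = True
        return self.healthy


def run_tracker(samples, policy: Optional[LinkPolicy] = None) -> List[bool]:
    """Replay a sample series through the quality-aware tracker."""
    tracker = LinkTracker(policy or LinkPolicy())
    return [tracker.observe(rtt, loss) for rtt, loss in samples]


if __name__ == "__main__":
    for cycle, (naive, aware) in enumerate(
        zip(hard_down_only(PRIMARY_SAMPLES), run_tracker(PRIMARY_SAMPLES))
    ):
        print(f"cycle {cycle:2d}  reachability-only={naive!s:5}  quality-aware={aware}")
```

    Over the constructed series the reachability-only tracker never leaves the healthy state, which is exactly the behaviour complained about above, while the quality-aware tracker fails over at the third consecutive degraded cycle and fails back only after three clean cycles. The hysteresis matters as much as the thresholds: failing over on a single slow probe would re-create the session resets this thread is trying to avoid.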
  • ayori (Member, Posts: 48)
    The topology between the HO and a remote site is this:

  • Lizano (Member, Posts: 230)
    I see. Besides the ones you mentioned, I have heard of Elfiq, F5, and AscendLink.

    I don't have references from any of these though.
  • ayori (Member, Posts: 48)
    Thanks for the suggestions Lizano!
  • chmod (Member, Posts: 360)
    Can you run EIGRP? From my experience, a properly configured VPN failover setup running EIGRP through GRE tunnels under IPSec can transition quickly enough.
    You can tweak it to re-route in case of jitter.

    It just takes time to configure it properly and tweak it/tune it up, but you should be able to do it with all that gear.