Solved

Failover for VPN

Posted on 2004-04-19
Last Modified: 2011-09-20
We are running a Sonicwall PRO 3060 on our network and have 2 DSL lines connected to it for Load Balancing. Currently, I have internet traffic piped out through one of the connections, and all of our VPNs using the other connection so as to prevent our internet traffic from interfering with our VPN traffic. Now I would like to make it so that if the DSL connection that is running the VPNs goes down, they will all switch to the other DSL line's address. I am told I can do this by putting in a DNS name rather than an IP address in the remote VPN router's IPSec Gateway field for that particular Security Association. That part I understand. What I want to know is how then do I automatically manipulate that DNS record to change back and forth between the 2 addresses as connections go down and come back up. Is there a way to do it with a Windows 2000 DNS server, or something that will run on Windows? Something that will monitor an IP address, and if it goes down (misses x number of heartbeats or whatever), changes the DNS entry to another address. As soon as that IP comes back up and stays up for x number of heartbeats, it will switch it back again. Any ideas?
0
Question by:fbob
3 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 10868823
There are a lot of complexities with link load balancing that the small office should definitely shy away from.
I suggest you approach your DSL provider and ask for 2x DSL lines (both taking different hardware routes back to the core) which will allow you to retain a single set of IP addresses.
Or switch to leased lines and get some sort of SLA?
DNS is not the way forward - it's not dynamic enough and won't give you the instant failover you require.
Alternatively, there are hardware solutions available that could help out.  This entails plugging both ADSL links into a hardware device, and that device would make decisions as to which link was up or not, and advertise a single default gateway to your Sonicwall.

Maybe something like the Cyclone would help - http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ShopGroupID=&CategoryID=48&ProductID=400

Or the Linksys ones - http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ShopGroupID=&CategoryID=48&ProductID=915

UK list around £300, so probably $4-500 in dollar terms.

They will save you lots of grief in the long run!
0
 

Author Comment

by:fbob
ID: 10880396
I will have to investigate these Cyclone units. They look very promising. One thing I have always wanted to figure out was to have a VPN split across 2 IP addresses. If I could do that, then there truly would be a seamless failover (it would basically just start going slower if one connection fell off). From the sounds of it, these Cyclones may be able to do that.

A major concern for me involved load balancing internet requests.  Certain secure sites seem not to tolerate this kind of behavior, I assume because the IP address is changing during the secure session.  I ended up having to turn off the percentage-based load balancing because of this.  Something will definitely need to be done to prevent that kind of occurrence or I will have to abandon the idea altogether.
0
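Added example, not part of any post in this thread: a sketch of the heartbeat logic the question describes (fail over after x missed heartbeats, fail back after x good ones), with a helper showing why a DNS-based switch is not instant, as the accepted answer says. The addresses are documentation-range placeholders, the thresholds, probe interval and TTL are assumed values, and the code only decides which address the record should hold; it performs no probing and no DNS update.

```python
from dataclasses import dataclass

PRIMARY = "198.51.100.10"    # constructed placeholder: DSL line carrying the VPNs
SECONDARY = "203.0.113.20"   # constructed placeholder: the other DSL line

@dataclass
class FailoverMonitor:
    down_after: int   # consecutive missed heartbeats before failing over
    up_after: int     # consecutive good heartbeats before failing back
    active: str = PRIMARY
    _misses: int = 0
    _hits: int = 0

    def observe(self, primary_alive: bool) -> str:
        """Feed one heartbeat result for the primary; return the address to publish."""
        if primary_alive:
            self._hits += 1
            self._misses = 0
            if self.active == SECONDARY and self._hits >= self.up_after:
                self.active = PRIMARY
        else:
            self._misses += 1
            self._hits = 0
            if self.active == PRIMARY and self._misses >= self.down_after:
                self.active = SECONDARY
        return self.active

def replay(probes, down_after=3, up_after=5):
    """Return (probe_index, new_address) for every change the DNS record would need."""
    mon, changes, last = FailoverMonitor(down_after, up_after), [], PRIMARY
    for i, alive in enumerate(probes):
        addr = mon.observe(alive)
        if addr != last:
            changes.append((i, addr))
            last = addr
    return changes

def worst_case_failover_seconds(down_after, probe_interval, dns_ttl):
    """Detection time plus the longest a remote peer may keep the cached old address."""
    return down_after * probe_interval + dns_ttl

# Constructed probe history: a one-probe blip, a real outage,
# a flap during recovery, then a stable link.
PROBES = [True, False, True, False, False, False, False, True, True, False,
          True, True, True, True, True]
```

The consecutive-count thresholds keep a single lost probe or a flapping link from rewriting the record, and the TTL term is the part no monitor can shorten once remote peers have cached the old address.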
