Solved

Failover for VPN

Posted on 2004-04-19
Last Modified: 2011-09-20
We are running a Sonicwall PRO 3060 on our network and have 2 DSL lines connected to it for Load Balancing.  Currently, I have internet traffic piped out through one of the connections, and all of our VPNs using the other connection so as to prevent our internet traffic from interfering with our VPN traffic.  Now I would like to make it so that if the DSL connection that is running the VPNs goes down, they will all switch to the other DSL line's address.  I am told I can do this by putting in a DNS name rather than an IP address in the remote VPN router's IPSec Gateway field for that particular Security Association.  That part I understand.  What I want to know is how then do I automatically manipulate that DNS record to change back and forth between the 2 addresses as connections go down and come back up.  Is there a way to do it with a Windows 2000 DNS server, or something that will run on Windows?  Something that will monitor an IP address, and if it goes down (misses x number of heartbeats or whatever), changes the DNS entry to another address.  As soon as that IP comes back up and stays up for x number of heartbeats, it will switch it back again.  Any ideas?
Question by:fbob
3 Comments
 

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 10868823
There are a lot of complexities with link load balancing that the small office should definitely shy away from.
I suggest you approach your DSL provider and ask for 2x DSL lines (both taking different hardware routes back to the core) which will allow you to retain a single set of IP addresses.
Or switch to leased lines and get some sort of SLA?
DNS is not the way forward - it's not dynamic enough and won't give you the instant failover you require.
Alternatively, there are hardware solutions available that could help out.  This entails plugging both ADSL links into a hardware device, and that device would make decisions as to which link was up or not, and advertise a single default gateway to your Sonicwall.

Maybe something like the Cyclone would help - http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ShopGroupID=&CategoryID=48&ProductID=400

Or the Linksys ones = http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ShopGroupID=&CategoryID=48&ProductID=915

UK list around £300, so probably $4-500 in dollar terms.

They will save you lots of grief in the long run!
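Added example (not part of any post in this thread): a minimal sketch of the heartbeat logic the question describes, with separate thresholds for failing over and failing back so that a flapping line does not rewrite the DNS record on every probe. The addresses, thresholds and probe sequence are constructed; the actual DNS update and the probe itself are left out, and the delay estimate assumes the remote VPN router re-resolves the gateway name only when the record's TTL expires, which is the cost the accepted answer points at.

```python
from dataclasses import dataclass

# Constructed documentation addresses (RFC 5737), not values from the thread.
PRIMARY = "192.0.2.10"       # DSL line that normally carries the VPNs
SECONDARY = "198.51.100.10"  # the other DSL line
# Constructed heartbeat results for the primary line (True = reply received).
SAMPLE_PROBES = [True, True, False, True, False, False, False, False, True,
                 True, False, True, True, True, True, True, True]


@dataclass
class FailoverMonitor:
    fail_threshold: int = 3      # consecutive misses before failing over
    recover_threshold: int = 5   # consecutive replies before failing back
    active: str = PRIMARY
    misses: int = 0
    hits: int = 0

    def observe(self, primary_up: bool) -> str:
        """Feed one heartbeat result; return the address the record should hold."""
        if primary_up:
            self.hits, self.misses = self.hits + 1, 0
        else:
            self.misses, self.hits = self.misses + 1, 0
        if self.active == PRIMARY and self.misses >= self.fail_threshold:
            self.active = SECONDARY
        elif self.active == SECONDARY and self.hits >= self.recover_threshold:
            self.active = PRIMARY
        return self.active


def record_changes(probes, **thresholds):
    """Run a probe sequence; return [(tick, new_address)] for each DNS update needed."""
    mon, changes, current = FailoverMonitor(**thresholds), [], PRIMARY
    for tick, up in enumerate(probes):
        new = mon.observe(up)
        if new != current:
            changes.append((tick, new))
            current = new
    return changes


def worst_case_failover_seconds(fail_threshold, probe_interval, dns_ttl):
    """Upper bound until a peer holding a cached record sees the new address."""
    return fail_threshold * probe_interval + dns_ttl
```

With the default thresholds the sample sequence produces two record changes (the single missed heartbeat at tick 2 is ignored), while thresholds of 1 and 1 produce six, which is the flapping the "stays up for x heartbeats" condition is meant to prevent.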

Author Comment

by:fbob
ID: 10880396
I will have to investigate these Cyclone units.  They look very promising.  One thing I have always wanted to figure out was to have a VPN split across 2 IP addresses.  If I could do that, then there truly would be a seamless failover (it would basically just start going slower if one connection fell off).  From the sounds of it, these Cyclones may be able to do that.

A major concern for me involved load balancing internet requests.  Certain secure sites seem not to tolerate this kind of behavior, I assume because the IP address is changing during the secure session.  I ended up having to turn off the percentage-based load balancing because of this.  Something will definitely need to be done to prevent that kind of occurrence or I will have to abandon the idea altogether.