Solved

Failover for VPN

Posted on 2004-04-19
3
267 Views
Last Modified: 2011-09-20
We are running a Sonicwall PRO 3060 on our network and have 2 DSL lines connected to it for Load Balancing.  Currently, I have internet traffic piped out through one of the connections, and all of our VPN's using the other connection so as to prevent our internet traffic from interfering with out VPN traffic.  Now I would like to make it so that if the DSL connection that is running the VPN's goes down, they will all switch to the other DSL line's address.  I am told I can do this by putting in a DNS name rather than an IP address in the remote VPN router's IPSec Gateway field for that particular Security Association.  That part I understand.  What I want to know is how then do I automatically manipulate that DNS record to change back and forth between the 2 addresses as connections go down and come back up.  Is there a way to do it with a Windows 2000 DNS server, or something that will run on Windows?  Something that will monitor an IP address, and if it goes down (misses x number of heartbeats or whatever), changes the DNS entry to another address.  As soon as that IP comes back up and stays up for x number of hearbeats, it will switch it back again.  Any ideas?
0
Comment
Question by:fbob
3 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 10868823
There are a lot of complexities with link load balancing that the small office should definitely shy away from.
I suggest you approach your DSL provider and ask for 2x DSL lines (both taking different hardware routes back to the core) which will allow you to retain a single set of IP addresses.
Or switch to leased lines and get some sort of SLA ?
DNS is not the way forward - it's not dynamic enough and won't give you the instant failover you require.
Alternatively, there are hardware solutions available that could help out.  This entails plugging both ADSL links into a hardware device, and that device would make decisions as to which link was up or not, and advertise a single default gateway to your Sonicwall.

Maybe something like the Cyclone would help - http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ShopGroupID=&CategoryID=48&ProductID=400

Or the Linksys ones = http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ShopGroupID=&CategoryID=48&ProductID=915

UK list around £300, so probably $4-500 in dollar terms.

They will save you lots of grief in the long run !
0
 

Author Comment

by:fbob
ID: 10880396
I will have to investigate these Cyclone units.  They look very promising.  One thing I have always wanted to figure out was to have a VPN split across 2 IP addresses.  If I could do that, then there trully would be a seamless failover (it would basically just start going slower if one connection fell off).  From the sounds of it, these Cyclones may be able to do that.

A major concern for me involved load balancing internet requests.  Certain secure sites seem not to tolerate this kind of behavior, I assume because the IP address is changing during the secure session.  I ended up having to turn off the percentage-based load balancing because of this.  Something will definitely need to be done to prevent that kind of occurrence or I will have to abandon the idea altogether.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now