Solved

Cisco backup VPN

Posted on 2004-04-22
8
691 Views
Last Modified: 2006-11-17
Here is the basic idea – 3 sites – NY, Fl, NJ  -  NY is the hub and NJ and Fl are spokes.  Normal operation is as follows – NJ and FL are connected to NY via point to point T1’s with Cisco 2600’s at the sites to a Cisco 3600 at the NY site – the 3600 is then connected to a Cisco Gbic Aggregator which does of the vlans for the NY site – the Aggregator then goes to a Watchguard Firebox firewall/VPN server and out to the internet over a 4.5 mbps pipe.  So remote sites are connected to the hub with point to point T1’s and use the hub’s internet connectivity.  This all works fine and is running well.  If none of the point to point T1’s ever go down, the next paragraph will not be an issue.

This is the issue – goal is to have redundancy at both remote locations for both internet access and site to site connectivity to the NY office.  So, both remote sites have additional internet T1’s and an identical Watchguard Firbox/VPN server.  Both of the 2600’s at the remote sites have a primary gateway of last resort as the 3600 back in the NY office.  This works fine.  They also have another gateway of last resort set with a metric of 100 – so it will be “secondary.”  This is the trusted interface on the Watchguard so it will be used as a backup in the event that the point to points go down.  In theory, if I shutdown the serial interface on the point to point connectivity on the 2600 at either of the remote sites the 2600 should then route all packets to the route with a metric of 100 as the main route has become unavailable.  Is this correct?  I am finding the rollover test process to be very rough to say the least.  It is proving to be very sloppy when the point to point T1 drops and it “rolls” to the backup internet connectivity / VPN to the NY office.  I am finding reboots of Windows machines, reassignment of gateways are necessary among other anomalies.

Without getting too detailed and going on too long – is the basic engineering premise behind this backup solution sound?  Does it seem like it should work?  If you were the engineer how would you accomplish this goal of internet and remote site to NY site redundancy ?
0
Comment
Question by:mrsmileyns
  • 5
  • 3
8 Comments
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 250 total points
Comment Utility
If I was to do this, I would:
1. Make the current backup T1s the primary path for internet connectivity from the remote sites. As I understand you, these T1s terminate at the ISP and there is a firewall at all 3 sites. Unless you also have some sort of usage policy enforcement that only exists via your NY office, why push the internet traffic the extra hops? This also frees the primary T1s bandwidth for company traffic.

2. Whenever you are dealing with multiple gateways, a dynamic routing protocol helps a lot. I once set up an organization with 2 sites, so that all of the routers comminicated over VPNs. Inside the VPN, we set up a GRE tunnel and ran EIGRP through that. So it looked like point to point networks. You may not need to do this, but the point is that it worked really well.

3. I don't how your firewall stuff is set up; but the nature of a firewall is that it checks for stateful traffic. If a PC has a TCP session going with something in NY, and then you change the route so that the traffic is going through a firewall, the firewall may drop the traffic because it has no state table entry for it. This would cause havoc for the PCs. The solution is to make ALL the remote site traffic go out through the firewall. The router should be on the outside of the firewall.

Then no matter what your router is doing, the LAN doesn't have to adjust.
0
 
LVL 28

Expert Comment

by:mikebernhardt
Comment Utility
In fact, if you make the firewall changes your static routes would likely work a lot better for your design. But as I said, static routes are static. If you want routes that are (almost) guaranteed to be good you should use something dynamic.
0
 

Author Comment

by:mrsmileyns
Comment Utility
Actually - good point - I will clarify - all of the internet traffic must go out through the NY office unless there is a catastrophe and the backup internet connections at the remote sites are to be used.  We do have browsing policies, strict logging and the like enforced via the NY office due to the nature of our business this is a requirement.  I do have EIGRP set up on all of our Ciscos - the 2600's at the remote offices, and the 3600 and the Aggregator at the home office - I am fairly new to using that routing protocol - it was that way when I started here 2 months ago as was this design half done - I am not sure if it is helping.  I will leave this open for a while longer and see if anyone has any other ideas.  Thanks.
0
 
LVL 28

Expert Comment

by:mikebernhardt
Comment Utility
Even if you had to reboot PCs, etc. the fact that the problem cleared after that indicates to me that routing isn't the issue. A routing problem would be persistent and has nothing to do with your LANs. It sounds like the firewall state issue is causing your problems.

One way to test whether your routing design is working is to do your failover test without the remote-site firewalls in the mix. Then simply set up pings to some addresses both in NY and the Internet. If those go as hoped when you fail over, you know that the firewalls are the problem.

What I'm not clear about is whether the goal is to have internet traffic on the backup T1 travel the VPN and go through NY also? If so, then just remove the remote firewalls. If not, perhaps you can set up the remote-site firewalls so that any VPN traffic to NY is not checked for state. Go with my original suggestion but decentralize the usage policies so that all of the sites are self-sufficient (probably expensive though!) but log back to NY.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:mrsmileyns
Comment Utility
No - goal is to have the backup T1's go out direct to the internet - in the event that we needed to use the backup T1's, they will go out to the internet over those pipes - we will sacrfice the monitoring and logging for that time as...well, hopefully they never get used - the VPN is only for connection to file and application servers back in NYC.

I think there are better ways to do this - unfortunately, equipment was purchased and this was halfway done when I arrived on the scene - so I am trying to get the best solution under the circumstances - in addition it is tough because there is no IT staff at one of the remote sites for testing - whine whine from me  :)
0
 
LVL 28

Expert Comment

by:mikebernhardt
Comment Utility
Do the failover test I suggested and then at least you'll know where to focus your efforts. I see 2 solutions:
1. Try to set up firewalls so that VPN traffic to NY passes through without state checking. Maybe you can set up the VPN between 2 routers that are already inside the firewalls instead of between the firewalls themselves, which would keep the remote firewalls out of the loop. You may still have problems with some internet traffic though.
2. Perhaps the NY firewall can share state info with the remote ones. But usually this is done out-of-band.
0
 

Author Comment

by:mrsmileyns
Comment Utility
I will work on it and post back to this question in the future - but you have given me a lot to chew on - thanks for the help and time
0
 
LVL 28

Expert Comment

by:mikebernhardt
Comment Utility
In early 2000 a friend and I tested 2 2620s with encryption modules running IPSec across a T1 with no problems. It depended on how many packets/sec, not on the actual bandwidth. We were jamming up to 1800 pkts/sec with the encryption module, 1300 without, before CPU utilization got too high.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Show ip route - definition 1 59
SSL RA VPN 7 70
Configure QoS on Archer c9 running WR-DDT 2 39
EIGRP Full Mesh 2 25
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now