Solved

Dual WAN Router

Posted on 2011-03-02
Last Modified: 2012-06-27
Hello,

We are putting in dual connections into a new office.  A fiber and T1 line.  We would like to use the T1 line as a fail over from the fiber connection.   There will be 15 VPN connections to other offices and we need to assure these will also fail over when the WAN connection shifts.

We were looking at a Juniper SSG 140.  Will this router support this configuration correctly?  Any recommendations on other routers with dual WAN functionality?

We are a Juniper office and would like to keep with Juniper unless there is a compelling reason to switch.

Thank you.



 
0
Question by:networkadmin
10 Comments
 
LVL 9

Expert Comment

by:joshbula
ID: 35022392
We have had success with the Ecessa PowerLink Pro series - it supports up to 15 WANs and does a good job with load-balancing and failover.

http://www.ecessa.com

0
 
LVL 9

Expert Comment

by:rawinnlnx9
ID: 35022461
Get a SonicWALL TZ firewall with an optional port that can be configured however you want. It's the cheapest, most effective solution and if your needs change then you can set the optional to some other purpose like VLAN, LAN2, WAN2 or whatever.

http://www.sonicguard.com/NSA-240.asp
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35023409
>We were looking at a Juniper SSG 140.  Will this router support this configuration correctly?  Any recommendations on other routers with dual WAN functionality

not with a click of a button; to properly fail over ISPs, you will need some type of SLA monitoring that can send ICMP to your ISP default gateway (This will detect RIB/Routing failures); dual default routes that one will track the primary sla monitor (Physical and VPN Tunnel). It can get really hairy if you have not completed the config before.

The link should have everything that you need for info
http://kb.juniper.net/kb/documents/public/VPN/Interface_Failoverv14.pdf

Billy
0
 
LVL 33

Expert Comment

by:digitap
ID: 35024365
to expound on Billy's comment from the sonicwall perspective, 15 site to site vpn connections is a lot of IPSEC processing. i'd certainly recommend an NSA series starting at the 2400. this is more to raise the concern of the processing needed to encrypt/decrypt 15 vpn connections worth of traffic than it is to push a sonicwall appliance.

regarding the failover, i know that the sonicwall can handle failover and it uses active probing to confirm a down connection. the sonicwall allows me to put in two destination public IP addresses. so, if i have failover at both ends and i've specified the two public IP addresses, the sonicwall is going to try one and then the other to establish the vpn. if i have only failover at one end, then i have both public IPs specified in the SA. if the failover end...well, fails over, the other end will try the first public IP and if that fails, it will try the other. OR, the failover side will try to raise the VPN and the other end will allow the failed over public IP to connect with the secondary public IP.

make sense?

@Billy :: looking at the PDF you provided, it looks like the juniper has a configuration for this as well.
0

 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35025693
Hi

pfSense is free, and way better than anything you can buy.
I replaced all our Cisco devices with pfSense machines.
The fail-over works really well.

Install it on an old workstation with three network cards.
The web interface is really easy to configure. You can buy the book on amazon for version 1.2.3. There is no book yet for version 2 which was released two days ago.

http://www.pfsense.org

BitFreeze.
0
 

Author Comment

by:networkadmin
ID: 35029487
We have tested NSA 240's in the past for other applications but have not used the WAN fail-over.  Do you think the NSA 240 is a better product than the Juniper SSG 140?  I have had really good luck with Juniper devices in the past.

0
 
LVL 33

Expert Comment

by:digitap
ID: 35029553
i'm using the NSA 240 currently for WAN failover and not having challenges with it. actually, i'm performing load balance with spillover. i'm going to be biased though as i've never used a juniper. i hear a lot of good things about them. the only appliance i'd recommend you stay away from like the plague is watchguard. i've used that hardware and can say without a doubt, that i'd rather chew my arms off than have to work on one of them.
0
 

Author Comment

by:networkadmin
ID: 35053850
Will both the WAN1 and WAN2 VPNs on the NSA 240 be connected at all times, or when WAN1 goes down will the WAN2 VPNs negotiate and start tunneling traffic?

How long will the fail-over take on the NSA 240?

Tempted to try one out as we have heard positive things about them from multiple people.

Any advice would be nice on the NSA 240.

Thank you.



0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 35055994
no, only one will connect at a time. if the interface goes down or loses connectivity, then the sonicwall will failover to the secondary WAN connection. once the failover settles in, then the sonicwall will try to connect on the primary IP configured on the SA. if that fails to establish a connection, it will move to the secondary IP.

failover will depend on how the failover is configured. you can configure a probe to examine if the connection is up. it pings an external source and if the source doesn't respond, it goes into a failover state. i believe your users ARE going to see a drop in connectivity.

when setting up the SA policies on the sonicwall, i'd make sure to enable the keep alive which is on the last tab. when the failover occurs, this enabled feature will force the sonicwall to try and bring up the tunnel. normally, the tunnel will only come up if traffic tries to go across the tunnel or if the other end starts negotiating. this will ensure that the tunnel comes up as quickly as possible.

here is a KB on configuring failover:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7828

if you wanted a look at the firmware before purchasing, here is a link to the 240 online demo:

http://nsa240.demo.sonicwall.com/main.html

be aware that a lot of the features are enabled due to all the licenses being available on a demo unit. this will at least let you poke around in the failover area.

hope that helps!
0
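
The probe-driven failover and ordered peer-IP retry discussed in this thread can be modelled in a vendor-neutral way to estimate how long traffic is dropped. This is an added example, not part of any post above and not SonicWALL or Juniper code; the class and function names, the thresholds, the 5-second probe interval and the sample timeline are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: one probe result per interval for the primary WAN
# (True = reply received), plus a remote peer's two public IPs.
TIMELINE = [True] * 2 + [False] * 6 + [True] * 7
PEER_IPS = ["198.51.100.10", "203.0.113.10"]  # documentation addresses

@dataclass
class WanFailover:
    fail_threshold: int = 3      # assumed: lost probes in a row before failover
    recover_threshold: int = 5   # assumed: replies in a row before failback
    active: str = "primary"
    lost: int = 0
    ok: int = 0
    events: list = field(default_factory=list)

    def on_probe(self, tick, primary_replied):
        """Feed one probe result for the primary WAN; return the active link."""
        if primary_replied:
            self.ok, self.lost = self.ok + 1, 0
        else:
            self.lost, self.ok = self.lost + 1, 0
        if self.active == "primary" and self.lost >= self.fail_threshold:
            self.active = "secondary"
            self.events.append((tick, "failover"))
        elif self.active == "secondary" and self.ok >= self.recover_threshold:
            self.active = "primary"
            self.events.append((tick, "failback"))
        return self.active

def simulate(probe_results, probe_interval_s=5, **thresholds):
    """Return (events, seconds during which traffic used a dead primary)."""
    fo = WanFailover(**thresholds)
    dead_ticks = 0
    for tick, replied in enumerate(probe_results):
        selected = fo.active          # link carrying traffic during this interval
        fo.on_probe(tick, replied)
        if selected == "primary" and not replied:
            dead_ticks += 1
    return fo.events, dead_ticks * probe_interval_s

def establish_tunnel(peer_ips, reachable):
    """Try the peer's public IPs in configured order; None if none answers."""
    return next((ip for ip in peer_ips if ip in reachable), None)

if __name__ == "__main__":
    print(simulate(TIMELINE))
    print(establish_tunnel(PEER_IPS, {"203.0.113.10"}))
```

The detection window is the failure threshold multiplied by the probe interval, so shortening either one reduces the drop users see at the cost of failing over on brief packet loss.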
