Dual WAN Router

Posted on 2011-03-02
Medium Priority
Last Modified: 2012-06-27

We are putting in dual connections into a new office.  A fiber and T1 line.  We would like to use the T1 line as a fail over from the fiber connection.   There will be 15 VPN connections to other offices and we need to assure these will also fail over when the WAN connection shifts.

We were looking at a Juniper SSG 140.  Will this router support this configuration correctly?  Any recommendations on other routers with dual WAN functionality?

We are a Juniper office and would like to keep with Juniper unless there is a compelling reason to switch.

Thank you.

Question by:networkadmin

Expert Comment

ID: 35022392
We have had success with the Ecessa PowerLink Pro series - it supports up to 15 WANs and does a good job with load-balancing and failover.



Expert Comment

ID: 35022461
Get a SonicWALL TZ firewall with an optional port that can be configured however you want. It's the cheapest, most effective solution and if your needs change then you can set the optional to some other purpose like VLAN, LAN2, WAN2 or whatever.

LVL 24

Expert Comment

ID: 35023409
>We were looking at a Juniper SSG 140.  Will this router support this configuration correctly?  Any recommendations on other routers with dual WAN functionality

not with a click of a button; to properly failover ISPs, you will need some type of SLA monitoring that can send ICMP to your ISP default gateway (This will detect RIB/Routing failures); dual default routes that one will track the primary sla monitor (Physical and VPN Tunnel). It can get really hairy if you have not completed the config before.

The link should have everything that you need for info


LVL 33

Expert Comment

ID: 35024365
to expound on Billy's comment from the sonicwall perspective, 15 site to site vpn connections is a lot of IPSEC processing. i'd certainly recommend an NSA series starting at the 2400. this is more to raise the concern of the processing needed to encrypt/decrypt 15 vpn connections worth of traffic than it is to push a sonicwall appliance.

regarding the failover, i know that the sonicwall can handle failover and it uses active probing to confirm a down connection. the sonicwall allows me to put in two destination public IP addresses. so, if i have failover at both ends and i've specified the two public IP addresses, the sonicwall is going to try one and then the other to establish the vpn. if i have only failover at one end, then i have both public IPs specified in the SA. if the failover end...well, fails over, the other end will try the first public IP and if that fails, it will try the other. OR, the failover side will try to raise the VPN and the other end will allow the failed over public IP to connect with the secondary public IP.

make sense?

@Billy :: looking at the PDF you provided, it looks like the juniper has a configuration for this as well.
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35025693

pfSense is free, and way better than anything you can buy.
I replaced all our Cisco devices with pfSense machines.
The fail-over works really well.

Install it on an old workstation with three network cards.
The web interface is really easy to configure. You can buy the book on amazon for version 1.2.3. There is no book yet for version 2 which was released two days ago.



Author Comment

ID: 35029487
We have tested NSA 240's in the past for other applications but have not used the WAN fail-over.  Do you think the NSA 240 is a better product than the Juniper SSG 140?  I have had really good luck with Juniper devices in the past.

LVL 33

Expert Comment

ID: 35029553
i'm using the NSA 240 currently for WAN failover and not having challenges with it. actually, i'm performing load balance with spillover. i'm going to be biased though as i've never used a juniper. i hear a lot of good things about them. the only appliance i'd recommend you stay away from like the plague is watchguard. i've used that hardware and can say without a doubt, that i'd rather chew my arms off than have to work on one of them.

Author Comment

ID: 35053850
Will both the WAN1 and WAN2 VPNs on the NSA 240 be connected at all times, or when WAN1 goes down will the WAN2 VPNs negotiate and start tunneling traffic?

How long will the fail-over take on the NSA 240?

Tempted to try one out as we have heard positive things about them from multiple people.

Any advice would be nice on the NSA 240.

Thank you.

LVL 33

Accepted Solution

digitap earned 2000 total points
ID: 35055994
no, only one will connect at a time. if the interface goes down or loses connectivity, then the sonicwall will failover to the secondary WAN connection. once the failover settles in, then the sonicwall will try to connect on the primary IP configured on the SA. if that fails to establish a connection, it will move to the secondary IP.

failover will depend on how the failover is configured. you can configure a probe to examine if the connection is up. it pings an external source and if the source doesn't respond, it goes into a failover state. i believe your users ARE going to see a drop in connectivity.

when setting up the SA policies on the sonicwall, i'd make sure to enable the keep alive which is on the last tab. when the failover occurs, this enabled feature will force the sonicwall to try and bring up the tunnel. normally, the tunnel will only come up if traffic tries to go across the tunnel or if the other end starts negotiating. this will ensure that the tunnel comes up as quickly as possible.

here is a KB on configuring failover:

if you wanted a look at the firmware before purchasing, here is a link to the 240 online demo:


be aware that a lot of the features are enabled due to all the licenses being available on a demo unit. this will at least let you poke around in the failover area.

hope that helps!
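
The failover sequence described in the accepted answer (probe, failover, peer selection, keep-alive), modeled as an added example that is not part of the original thread and is not SonicWALL or Juniper code. The probe interval, miss threshold, negotiation time and peer addresses are constructed assumptions chosen to show how the settings determine how long users see an outage.

```python
def detect_failover(probes, interval_s, fail_threshold):
    """Return the time (s) at which failover triggers, or None.

    probes: primary-WAN probe results in order, one per interval (constructed).
    Failover needs fail_threshold consecutive misses, so a single lost
    ping does not flip the link.
    """
    misses = 0
    for i, ok in enumerate(probes):
        misses = 0 if ok else misses + 1
        if misses >= fail_threshold:
            return i * interval_s
    return None


def pick_peer(peers, reachable):
    """Try the SA's peer IPs in configured order: primary, then secondary."""
    for ip in peers:
        if ip in reachable:
            return ip
    return None


def tunnel_up_time(failover_t, negotiate_s, keepalive, next_traffic_t):
    """Keep-alive starts renegotiation at failover; without it the tunnel
    waits until traffic next needs it."""
    start = failover_t if keepalive else max(failover_t, next_traffic_t)
    return start + negotiate_s


# Constructed scenario: probe every 5 s, primary WAN dies just after t=5.
PROBES = [True, True, False, False, False, False]
PEERS = ["203.0.113.10", "198.51.100.10"]  # documentation-range addresses

if __name__ == "__main__":
    t = detect_failover(PROBES, interval_s=5, fail_threshold=3)
    print("failover at", t, "s")
    print("peer:", pick_peer(PEERS, reachable={"198.51.100.10"}))
    print("tunnel up, keep-alive on :", tunnel_up_time(t, 4, True, 65), "s")
    print("tunnel up, keep-alive off:", tunnel_up_time(t, 4, False, 65), "s")
```

Detection time scales with interval times threshold, so tightening either shortens the outage at the cost of more false failovers on a lossy primary link.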


Question has a verified solution.
