Solved

Dual WAN Router

Posted on 2011-03-02
Last Modified: 2012-06-27
Hello,

We are putting dual connections into a new office.  A fiber and T1 line.  We would like to use the T1 line as a fail over from the fiber connection.   There will be 15 VPN connections to other offices and we need to assure these will also fail over when the WAN connection shifts.

We were looking at a Juniper SSG 140.  Will this router support this configuration correctly?  Any recommendations on other routers with dual WAN functionality?

We are a Juniper office and would like to keep with Juniper unless there is a compelling reason to switch.

Thank you.



 
0
Question by:networkadmin
10 Comments
 
LVL 9

Expert Comment

by:joshbula
ID: 35022392
We have had success with the Ecessa PowerLink Pro series - it supports up to 15 WANs and does a good job with load-balancing and failover.

http://www.ecessa.com

0
 
LVL 9

Expert Comment

by:rawinnlnx9
ID: 35022461
Get a SonicWALL TZ firewall with an optional port that can be configured however you want. It's the cheapest, most effective solution and if your needs change then you can set the optional to some other purpose like VLAN, LAN2, WAN2 or whatever.

http://www.sonicguard.com/NSA-240.asp
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35023409
>We were looking at a Juniper SSG 140.  Will this router support this configuration correctly?  Any recommendations on other routers with dual WAN functionality

not with a click of a button; to properly failover ISPs, you will need some type of SLA monitoring that can send ICMP to your ISP default gateway (This will detect RIB/Routing failures); dual default routes that one will track the primary sla monitor (Physical and VPN Tunnel). It can get really hairy if you have not completed the config before.

The link should have everything that you need for info
http://kb.juniper.net/kb/documents/public/VPN/Interface_Failoverv14.pdf

Billy
0

 
LVL 33

Expert Comment

by:digitap
ID: 35024365
to expound on Billy's comment from the sonicwall perspective, 15 site to site vpn connections is a lot of IPSEC processing. i'd certainly recommend an NSA series starting at the 2400. this is more to raise the concern of the processing needed to encrypt/decrypt 15 vpn connections worth of traffic than it is to push a sonicwall appliance.

regarding the failover, i know that the sonicwall can handle failover and it uses active probing to confirm a down connection. the sonicwall allows me to put in two destination public IP addresses. so, if i have failover at both ends and i've specified the two public IP addresses, the sonicwall is going to try one and then the other to establish the vpn. if i have only failover at one end, then i have both public IPs specified in the SA. if the failover end...well, fails over, the other end will try the first public IP and if that fails, it will try the other. OR, the failover side will try to raise the VPN and the other end will allow the failed over public IP to connect with the secondary public IP.

make sense?

@Billy :: looking at the PDF you provided, it looks like the juniper has a configuration for this as well.
0
 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35025693
Hi

pfSense is free, and way better than anything you can buy.
I replaced all our Cisco devices with pfSense machines.
The fail-over works really well.

Install it on an old workstation with three network cards.
The web interface is really easy to configure. You can buy the book on amazon for version 1.2.3. There is no book yet for version 2 which was released two days ago.

http://www.pfsense.org

BitFreeze.
0
 

Author Comment

by:networkadmin
ID: 35029487
We have tested NSA 240's in the past for other applications but have not used the WAN fail-over.  Do you think the NSA 240 is a better product than the Juniper SSG 140?  I have had really good luck with Juniper devices in the past.

0
 
LVL 33

Expert Comment

by:digitap
ID: 35029553
i'm using the NSA 240 currently for WAN failover and not having challenges with it. actually, i'm performing load balance with spillover. i'm going to be biased though as i've never used a juniper. i hear a lot of good things about them. the only appliance i'd recommend you stay away from like the plague is watchguard. i've used that hardware and can say without a doubt, that i'd rather chew my arms off than have to work on one of them.
0
 

Author Comment

by:networkadmin
ID: 35053850
Will both the WAN1 and WAN2 VPNs on the NSA 240 be connected at all times, or when WAN1 goes down will the WAN2 VPNs negotiate and start tunneling traffic?

How long will the fail-over take on the NSA 240?

Tempted to try one out as we have heard positive things about them from multiple people.

Any advice would be nice on the NSA 240.

Thank you.



0
 
LVL 33

Accepted Solution

by:digitap
ID: 35055994
no, only one will connect at a time. if the interface goes down or loses connectivity, then the sonicwall will failover to the secondary WAN connection. once the failover settles in, then the sonicwall will try to connect on the primary IP configured on the SA. if that fails to establish a connection, it will move to the secondary IP.

failover will depend on how the failover is configured. you can configure a probe to examine if the connection is up. it pings an external source and if the source doesn't respond, it goes into a failover state. i believe your users ARE going to see a drop in connectivity.

when setting up the SA policies on the sonicwall, i'd make sure to enable the keep alive which is on the last tab. when the failover occurs, this enabled feature will force the sonicwall to try and bring up the tunnel. normally, the tunnel will only come up if traffic tries to go across the tunnel or if the other end starts negotiating. this will ensure that the tunnel comes up as quickly as possible.

here is a KB on configuring failover:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7828

if you wanted a look at the firmware before purchasing, here is a link to the 240 online demo:

http://nsa240.demo.sonicwall.com/main.html

be aware that a lot of the features are enabled due to all the licenses being available on a demo unit. this will at least let you poke around in the failover area.

hope that helps!
0
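The probe-driven failover and the primary-then-secondary peer order described in the accepted answer, modelled as an added example; this is not SonicWALL or Juniper code and not from any poster. The probe interval, the two thresholds and the 203.0.113.10 / 198.51.100.10 peer addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class WanMonitor:
    """Decides which WAN is active from probe results against an external target."""
    fail_threshold: int = 3      # assumed: consecutive lost probes before failover
    recover_threshold: int = 5   # assumed: consecutive good probes before failback
    active: str = "WAN1"
    lost: int = 0
    good: int = 0

    def record_probe(self, primary_ok: bool) -> str:
        if primary_ok:
            self.good, self.lost = self.good + 1, 0
        else:
            self.lost, self.good = self.lost + 1, 0
        if self.active == "WAN1" and self.lost >= self.fail_threshold:
            self.active = "WAN2"   # primary declared down
        elif self.active == "WAN2" and self.good >= self.recover_threshold:
            self.active = "WAN1"   # primary stable again, fail back
        return self.active

def pick_peer(peer_ips, answers):
    """Remote office side: try the configured peer IPs in order, first responder wins."""
    for ip in peer_ips:
        if answers(ip):
            return ip
    return None

def run(probes, interval_s=5, **thresholds):
    """Replay probe results; return (active link per probe, seconds of outage before failover)."""
    mon, timeline, first_loss, detect_s = WanMonitor(**thresholds), [], None, None
    for i, ok in enumerate(probes):
        if mon.active == "WAN1":
            if ok:
                first_loss = None          # a single lost probe is not an outage
            elif first_loss is None:
                first_loss = i
        before, after = mon.active, mon.record_probe(ok)
        if before == "WAN1" and after == "WAN2" and detect_s is None:
            detect_s = (i - first_loss + 1) * interval_s
        timeline.append(after)
    return timeline, detect_s

# Constructed sample: one stray lost probe, then a real outage, then recovery.
PROBES = [True, True, False, True, False, False, False, False] + [True] * 6
PEERS = ["203.0.113.10", "198.51.100.10"]  # assumed fiber and T1 public IPs

if __name__ == "__main__":
    timeline, detect_s = run(PROBES)
    print(timeline, f"failover after {detect_s}s of lost probes")
    print("peer used after failover:", pick_peer(PEERS, lambda ip: ip == PEERS[1]))
```

With these assumed settings the detection delay is the fail threshold multiplied by the probe interval, and tunnel renegotiation time comes on top of that.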
