Use an edge router to automatically failover to another ISP for devices that are not multi-ISP aware

I have (2) ISPs with a /29 network space available in each (5 usable IPs).

Behind these devices, I have (1) Firewall on one ISP and (1) Firewall on the other ISP.  These are performing NAT for (2) different LAN segments.  

I also have a PBX that has a WAN interface on ISP (1) with a LAN interface that is in LAN segment (1).  The WAN interface exists OUTSIDE of the firewall (this device takes care of its own security in its IOS).  This device is only able to have (1) IP address and only has (1) port for WAN communication.  This WAN port is used for multiple things, including:  SIP trunks, remote phones (physical phones as well as soft phones), and remote administration among other things.  

The PBX is not MULTI-ISP aware and is not able to be made aware of multi-ISP.  It does have a routing table that I am able to add static routes to, but there is no way that I can tell that would enable this PBX to be MULTI-ISP aware in the event of an ISP failure.  

Since I have (2) ISP's and quite a lot of network gear, is there ANY WAY that I can get this PBX to have a single default gateway, and get that gateway to make a routing decision of ISP 1 if ISP 1 is up, and use ISP 2 if ISP 1 is down?  

There is a catch: the settings of the PBX cannot be changed in order to use ISP 2; it has to be automatic. I was thinking of trying something like this:

- Take a Cisco 1841 router and give it an IP address on each ISP
- Set the PBX default gateway to the IP address of the Cisco 1841 on ISP 1
- Set the 1841 up with a default route to ISP 1 as long as it can ping [the next hop or the core router @ ISP 1] using the SLA command/icmp reachability/route track
- Set the default route to ISP 2 in the event that ISP 1's SLA tracking fails to ping via ISP 1
- When the 1841 sends traffic out ISP 2, have it NAT the IP address using NAT OVERLOAD and the IP address from ISP 2
- Set a 1-to-1 NAT for the IP address of the Cisco 1841 on ISP 2 pointing to the PBX, so that traffic returning OR traffic coming unsolicited (like SIP trunk traffic) always lands on the PBX, even though the traffic was sent to the public IP of ISP 2

Would this work?  It works with LAN/private IPs in this way; I was wondering if I could arrange a failover this way for a PUBLIC IP address and not a private IP.  I don't think it should matter, unless the SLA tracker comes back up in the middle of a conversation with ISP 2, and then the default route of the Cisco 1841 would change back to ISP 1.

Just so we're clear:  BGP is not an option; one of these circuits is broadband and the ISPs will not peer with tier 2 devices.
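The IP SLA / tracked-route / conditional-NAT building blocks for the steps listed above, written out as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface names, the RFC 5737 documentation addresses, the PBX address 203.0.113.6 and the ISP gateway addresses (.1 on each /29) are assumptions, and how the ISP1 /29 is split between the router's outside interface and the PBX's inside segment is left out.

```text
! 1. Reachability probe out ISP1: ping ISP1's next hop every 10 s, sourced from the
!    ISP1 interface. The next hop is in a connected subnet, so the probe keeps
!    leaving via ISP1 even after the default route has moved to ISP2.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! 2. Track object bound to the probe. The delays dampen flapping: one lost probe
!    does not move routes, and ISP1 must stay reachable for 60 s before traffic
!    moves back (this reduces, but does not remove, the mid-call flip-back issue).
track 1 ip sla 1 reachability
 delay down 10 up 60
!
! 3. Tracked default route via ISP1; the floating static via ISP2 (distance 10)
!    is installed only while the tracked route is withdrawn.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! 4. NAT domains (interface names and addresses are assumptions; ISP1-side
!    addressing is omitted, see the note above the block).
interface FastEthernet0/0
 description ISP1 uplink, gateway 203.0.113.1
 ip nat outside
interface FastEthernet0/1
 description ISP2 uplink, 198.51.100.2/29, gateway .1
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
interface FastEthernet0/0/0
 description inside segment toward the PBX
 ip nat inside
!
! 5. Translate only when the packet actually egresses ISP2; traffic leaving via
!    ISP1 keeps its real ISP1 addresses.
route-map VIA-ISP2 permit 10
 match interface FastEthernet0/1
! Other inside hosts: PAT behind the ISP2 interface address.
ip nat inside source route-map VIA-ISP2 interface FastEthernet0/1 overload
! PBX: 1-to-1 mapping to a spare ISP2 address, conditional on the route map;
! 'reversible' lets sessions initiated from outside (SIP trunk traffic sent to the
! ISP2 address) be translated to the PBX as well. Verify that your IOS release
! accepts this keyword before relying on it.
ip nat inside source static 203.0.113.6 198.51.100.6 route-map VIA-ISP2 reversible
```

Check the state with `show track 1`, `show ip route 0.0.0.0` and `show ip nat translations` while pulling the ISP1 cable; the asymmetric-return problem for sessions that are still alive on ISP2 when ISP1 recovers is not solved by this configuration, only delayed by the `delay up` timer.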

jkeegan123 (Author) Commented:
I ultimately did this with a device called PEPLINK in DROP-IN-MODE.

(2) ISPs
(1) PEPLINK 210 (2 ISPs max)
(1) device that is not multi-ISP aware that is configured with a single WAN IP on ISP-1, with a default gateway of the CPE router from that ISP-1, nothing out of the ordinary.

(2) WAN ports
(1) LAN port

Configure PEPLINK as such:
(WAN 1) - static IP on WAN 1 circuit, with default gateway and correct SNM.
(WAN 2) - static IP on WAN 2 circuit, with default gateway and correct SNM.
(LAN 1) - same IP address as the WAN IP that the device you want to protect has.
Mode:  Configure unit in DROP-IN mode.

What happens is that the device you want to protect ends up being able to use BOTH ISP's without realizing that it is doing so, in a balanced format.  I'm not sure exactly what is being done behind the scenes, but I do know that SSL/encrypted sites keep an affinity so that you do not have to re-auth unexpectedly coming from a new IP, and sites that use multicast like torrents are able to make use of BOTH ISP's at once.  Given a failure of either WAN circuit, the protected device keeps on working without missing a beat, and without reconfiguration.  

The Peplink 210 is about $1399.
pergr Commented:
Yes, it should work.

The remote phones will also need a way to fail over.
Some phones can be configured with a backup sip server - which would be the IP on ISP2.

Make sure your sip trunk provider allows you to connect from any of the two ISPs.
ArneLovius Commented:
I usually use a Cisco ASA to do this; it removes any "double NAT" from the equation.

With a Cisco ASA with Sec Plus licence, you can have two ISP connections and use an IP SLA to have primary and secondary.

The ASA IP SLA can manage outbound routing priorities.

As an example: your VoIP traffic is SIP trunk (so going to known destinations), and if your SIP trunk provider will allow you more than one exit address, you could have all traffic apart from your SIP trunks on your primary line and the SIP trunks on the secondary line. In the event of the primary line failing, all traffic would be on the secondary, and in the event of the secondary failing, your SIP traffic would fail over to the primary.

All traffic has the ASA as its default gateway. The PBX would be re-homed so that its "wan" interface had a private address.

I manage a number of Avaya CM and IP500 systems running with this configuration with the ASA performing SIP inspection to manage the IP address change inside the SIP packets.

jkeegan123 (Author) Commented:
@ArneLovius:  Does that affect your SIP packets in any way?  I have found that during extremely high periods of utilization, the Cisco ASA can cause SIP packets to have jitter / delay more often than when I DIDN'T have the Cisco ASA in as an intermediary device.  Also, running the inspection of SIP packets seems like it could also cause unneeded delay.  I have not made a scientific measure of these situations, this is only conjecture and observation, BUT since my PBX (ALLWORX) allows for itself to be directly on the internet via a WAN port managing its own security, I just do that.  I also use the SecPlus/DualISP feature of the ASA very often, especially when VPNs are involved...but I haven't used it in a situation like this for SIP failover.  That's why I was going with NAT'ing the edge router from one ISP to the other.  Seems complicated, but it was the only way I could think of without putting the WAN interface of the PBX in the private network.

@pergr:  Remote phones are fine, they always register with the PBX and all calls are forced through the PBX, the phones never talk to the SIP carrier directly.
ArneLovius Commented:
I manage a site with 80 phones and an ASA 5510, and another site with 60 channels of SIP trunking with an ASA 5510; neither site has experienced any SIP issues that even slightly look like the ASA, however one site has 100mb, and the other has 500.

What bandwidth do you have? Could your jitter problems have been when you reached high utilisation on your Internet connection?
jkeegan123 (Author) Commented:
@ArneLovius:  Could you share an ASA config in this thread to show how to prioritize the outbound traffic with (2) links?  On SECPLUS licensed Cisco ASA 5505's I am only able to have the 2nd circuit as a cold failover, using the SLA / RTR commands.  

jkeegan123 (Author) Commented:
My solution provided the most automatic way to get this done.
Question has a verified solution.