BWiebe
New Member
July 26, 2018
Question

Tunnel Failover Question


We have a client in a serverless location with a site-to-site tunnel to a 3rd party service provider which provides them access to their internal servers, DNS, etc.  The tunnel is linked directly to WAN1.


Their site has 2 ISP connections and we have internet failover configured using system link-monitor.  In general, with other clients where we control both sides of the connection, we set up failover tunnels linked to WAN2 and the site-to-site tunnels fail over accordingly as well.


This works great, in general; however, their service provider can't (or doesn't know how to) set up failover tunnels, and has configured their existing site-to-site tunnel with an 'alternate IP' for the tunnel (where we have it configured as a secondary tunnel linked to WAN2).


As a result, they need us to have the failover tunnel interface in a 'disabled' state unless it's specifically needed, in which case we enable the failover tunnel interface and disable the primary tunnel interface we have configured.  Once their primary ISP is back online, we need to reverse this.


Is there a better way we can manage this, or a more automated method we may have overlooked?  In general, we detect the ISP failure before the client, but there are times we don't, and we'd like to see about automating this as much as we can.


The client is on the 5.6.* firmware branch (currently 5.6.3, and we plan to take them to 5.6.5).


Thanks!


    Toshi_Esumi
    SuperUser
    July 26, 2018

    We've never used (needed) it, but "set update-cascade-interface enable" might help if you set the "srcintf" to your tunnel interface. The CLI manual says:

    update-cascade-interface {disable | enable}

    Enable to bring down the source interface if the link health monitor fails. Disable to keep the interface up if the link health monitor fails. Default is enable.
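    As an added illustration of the setting quoted above (not configuration from the poster or from Fortinet), a link-monitor entry whose source interface is the tunnel interface; the names "vpn-primary" and the probe address 203.0.113.10 are assumed placeholders for the provider-side host being probed through the tunnel:

    ```fortios
    config system link-monitor
        edit "tunnel-mon"
            # Assumed name of the IPsec tunnel interface on WAN1
            set srcintf "vpn-primary"
            # Assumed address of a provider-side host reachable only via the tunnel
            set server "203.0.113.10"
            set protocol ping
            set interval 5
            # Five consecutive misses before the monitor is declared down,
            # five consecutive replies before it is declared recovered
            set failtime 5
            set recoverytime 5
            # Per the CLI manual: bring the srcintf down when the probe fails
            set update-cascade-interface enable
            set status enable
        next
    end
    ```

    Note that this only takes the monitored interface down on failure; it does not hold a second tunnel interface disabled while the primary is healthy, which is the constraint the original post describes.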

    BWiebe (Author)
    New Member
    July 26, 2018

    I think the only issue with that setting is both interfaces need to be online at all times.  We can allow that with the WAN interfaces, but not the tunnel interfaces.

    Toshi_Esumi
    SuperUser
    July 26, 2018

    I misread your original post. You need to keep the backup side down when the primary is up. So that option wouldn't work. You might need to discuss with the provider to have a routing protocol like BGP between the client and them to have dynamic failover.