3002-3005 tunnel won't failover

We have a large eye clinic with three branches in three Texas towns. The main branch has DSL (static IP) and T1 (static IP), and a second branch has DSL (static IP) and cable (dynamic IP). They both have 3002 HW clients that tunnel to a 3005 at a remote site.

Both sites have HotBrick dual-WAN gateway routers that load-share between the two WAN connections when both are up, and fail over to one when the other goes down.

We learned by accident that at the site with the DSL and cable, if DSL was disconnected, the VPN tunnel would go down and not come back up. When cable was disconnected and DSL reconnected, the tunnel came back up quickly. So we tried at the main branch -- same thing. The tunnel only worked through DSL and not through the T1. So despite all the expensive connectivity, there is still a single point of failure.

The 3005 is on a T1 or T3, I'm not sure, and has other clients too and they all work fine.

So the question is, does anybody know what might be the cause of this inability to failover? Does the 3002 - 3005 connection bind in some way to a path? Or is the HotBrick more likely the culprit?

Thank you for help,

Bob Wilson


Hi,

I have no idea what a HotBrick is ... but I'll still try to list common issues with VPN. Although it would greatly assist troubleshooting if you have any idea what's going on at the VPN headend - the VPN3005. Also what version of code you are running, along with the VPN modes.

Anyway - I will assume that your setup is two routers and/or modems both connected to a router that will do the LB and FO; behind this router there is your VPN3002. Assuming this, it would be likely that the DSL runs great with VPN but the T1 router doesn't. This could be true for many reasons; one is VPN pass-through or IPSEC NAT traversal, both are features that the router needs to be configured for. Also you need the UDP encapsulation of the IPSEC on e.g. UDP/4500 or TCP/10000. Then you would be likely to connect and pass traffic onto a VPN tunnel.

What you can do is verify this and provide more info. Also you might test the VPN on the T1 router alone.

HTH Martin Bilgrav


Thanks for your thoughtful response Martin. These routers are new to me too, and I have learned once more the hard way to RTFM.

I got into a HotBrick user forum of stock traders and people who cannot have downtime, and got the lowdown: The HotBrick manufacturers say they'll do FO and LB, but you have to get down to the fine print to see that they only do one of those and not both at the same time.

So everything is working just the way it's supposed to, from the Cisco side, and the HotBrick dual-WAN boxes are doing only what the fine print says they have to do.

Be well and thanks again,

Bob
