VPN Backup functionality w/rv082, Anyone doing it?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ed001, Sep 6, 2006.


Which OS

  1. Windows

    1 vote(s)
  2. Mac

    0 vote(s)
  3. Linux

    0 vote(s)
  4. BSD

    0 vote(s)
  1. ed001

    ed001 Network Guru Member

    Here's my dilemma. I have a small business I do work for who can't afford the month-by-month cost of a T-1, and neither the cable nor DSL on their own provide reliable enough service for connection to the database. My idea was to use VPN failover utilizing both cable and DSL to reduce downtime. These were the options I came up with.
    3 Cisco 1811's
    3 Linksys RV082's
    3 Hotbrick LB-2's
    3 Xincom 603's

    The Cisco's are pricey and waaaay more than their needs. We tried the Hotbricks and that is a long story, so in the interest of time I will just tell you they never made it out of a test environment. That leaves the Xincoms (limited documentation), which cost nearly as much as the Cisco's, and the much more affordable RV082's.

    The RV082's are a little more in line with the needs of my SMB client and the budget as well. I was wondering if anyone has had success with this setup with 1.3.2. I asked this question a long time ago and got a response that someone was going to try it out. I would appreciate anyone's experience with this function either way. This is a small business (owned by a family member) with very limited funds so I'd rather not blow the wad on the Cisco gear if something else will get the job done. Below is the quote from the 1.3.2 version info.

    1. Support VPN (IPSec tunnel) Backup functionality.
    Mechanism: When the dead-peer-detection (DPD) mechanism detects that the primary VPN is no longer available, the VPN backup mechanism will be activated and try to establish a VPN connection via a user-defined WAN interface. The configuration is in the advanced setting of Gateway-to-Gateway VPN. See the online help for more information.
  2. pablito

    pablito Network Guru Member

    I have limited experience with failover VPN. In my case I had two endpoints available at the far end (vs two WAN ports on the RV end). I added the secondary IP (static IP seems to be the only option for the failover) and kept the same WAN port option. To test I brought down the far end and sure enough the failover VPN was established. I don't know how long it took for the primary to come back up but it eventually did. This setup requires some routing tricks at the other end but a pair of high metric static routes worked fine (once the VPN is up it creates a low metric route and becomes the primary route). What you're doing should be simpler.

    I have another one to test with two WAN ports but that will have to wait until I can be onsite for the test.
  3. jgutz20

    jgutz20 Network Guru Member

    I don't see any reason why the RV082 would not work for you. I'd give those a shot over the more expensive alternatives.
  4. ed001

    ed001 Network Guru Member


    Ok, a little update.
    I went with the RV082's and it is working in the test lab... sort of!

    On all routers I set up a tunnel using Wan1 and defined an alternate IP address and wan2 as the backup. In my tests the tunnel does switch to the backup ip and wan within an average of 50 seconds when wan1 on any router goes down. The problem is that once the Wan1 (primary) is re-established the VPN traffic does not return to the primary. The traffic will however return to Wan1 once any of the wan2 connections go down. This is a little more erratic as far as the amount of time it takes for the tunnel to come back. In 1 case it took 20 seconds and in another it took just over 3 minutes with an average of 1 minute 15 seconds. So it does work to some extent but does cause some dilemmas in my case.
    First, my primary (Wan1) is a much faster connection so if it does fail all traffic is transferred to the slower connection and does not return until the slower connection suffers a hiccup which could take weeks.
    Second, to limit impact on the business critical store fronts I tunnel the mobile users to wan2 to eliminate network load. This is not effective if there is failure on any of the Wan1 connections.
    As a temporary fix, I can check in from time to time and if necessary bring down wan2 after business hours, wait for the traffic to switch and then bring wan2 back up.

    I do have a dialogue with Linksys now and have been told that this is the first they have heard of the problem. I was also told that it has been turned over to the product engineers for a fix. I provided the information that I felt comfortable providing.

    BTW, does anyone else feel as I do? Call me paranoid but I think sending VPN logs, screen shots and/or config files via e-mail is a BAD idea. Anyone sniffing on the net would now have detailed directions for owning your network, and if you redacted the pertinent info it would make the info basically useless to the engineers anyway. It concerns me that they would even ask you for this info. I think they should look into changing that policy. (Doing this would actually violate the network security policy I helped write).

    If anyone is in the same boat or has any questions, feel free to ask.
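
On the concern in the last post about e-mailing VPN logs to support: the sketch below is an added example, not code from the thread or from Linksys. It replaces each IPv4 address with a keyed, consistent token, so a reader can still follow which peer failed over to which without seeing the real addresses. The log lines, the `psk=` field name and the function name are constructed for illustration; the key and the mapping stay on your side.

```python
import hashlib
import hmac
import ipaddress
import re

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Hypothetical key=value secret fields; adapt to the device's real export format.
SECRET_RE = re.compile(r"(?i)\b(psk|preshared[_-]?key|password)\s*[=:]\s*\S+")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "Sep 06 10:01:12 IKE: DPD timeout, peer 198.51.100.10 not responding",
    "Sep 06 10:01:40 IKE: backup tunnel up via WAN2 203.0.113.7 -> 198.51.100.10",
    "Sep 06 10:01:41 VPN: local 192.168.1.0/24 remote 192.168.2.0/24 psk=ExampleOnly123",
]


def pseudonymize(lines, key):
    """Return (sanitized_lines, mapping); one address maps to one token throughout."""
    mapping = {}

    def token_for(match):
        text = match.group(0)
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            return text  # four dotted numbers that are not an address: leave as-is
        if text not in mapping:
            # Keyed hash: tokens cannot be reversed by hashing guessed addresses
            # unless the key is known.
            digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:8]
            scope = "lan" if any(addr in net for net in RFC1918) else "wan"
            mapping[text] = f"ip-{scope}-{digest}"
        return mapping[text]

    sanitized = []
    for line in lines:
        line = SECRET_RE.sub(lambda m: f"{m.group(1)}=<redacted>", line)
        sanitized.append(IPV4_RE.sub(token_for, line))
    return sanitized, mapping


if __name__ == "__main__":
    clean, _ = pseudonymize(SAMPLE_LOG, b"local-secret-kept-off-the-ticket")
    print("\n".join(clean))
```

Timestamps, event order and the LAN/WAN distinction survive, which is usually what a failover diagnosis needs; host names, serial numbers and other identifiers are not covered and need their own patterns.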