VPN Failover Speed
I work in rural Ohio, and we have finally been able to add backup fiber WAN circuits to several of my sites. My main site with our biggest data center has redundant fiber, Charter 500x500 and Horizon 100x100. I run a couple of Windows file servers using DFS as a file repository for folder redirection for my users. As we are able to get redundant and better circuits in our remote sites, we've been adopting the model of moving their on-site data store over to our main data center, thereby saving funds on hypervisors, SANs, etc. However, this brings up the need for the best possible VPN configuration, as their data will now all reside over a tunnel.
Currently, all of my remote sites are using the site-to-site style tunnels. A few of the sites have dynamic WAN addresses, so they are set up with IKEv2 to negotiate the tunnel. During testing, I would disable the X1 interface (our main Charter fiber) and run a full fail-over simulation. Several of the remote sites took longer than expected to connect to the secondary WAN interface (our Horizon fiber) and reestablish the tunnels.
We are passing VoIP, access control management, as well as data over the tunnel, so the delay causes a huge amount of issues.
All that to ask: what direction would everyone head in? Route-based tunnels over a tunnel interface? SD-WAN for sites with multiple WANs?
Ajishlal Community Legend ✭✭✭✭✭
If all your locations have a failover WAN, go ahead with SD-WAN.
If all paths are qualified, it will load balance the traffic, and when a path becomes disqualified due to any drops/glitches, that path gets removed from the pool and it will take the right path.
SonicOS SD-WAN offers these features:
- Application-aware routing
- Dynamic path selection based on latency, jitter, and/or packet loss
- User-defined thresholds for quality assessment
- SD-WAN Interface Groups for WAN and VPN Numbered Tunnel Interface
- Path Performance Probes for metrics
- Connection-based traffic distribution
- Automatic connection failover over VPN
- Provisioning and management (GMS and Capture Security Center)
- Zero-Touch Deployment firewall configuration
- Centralized management and policy configuration
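As an added illustration (not code from this thread or from SonicOS), a small Python simulation of the path-qualification logic described above: each WAN path's probe window yields latency, jitter and packet loss, paths outside the user-defined thresholds are dropped from the pool, and the remaining paths are ordered best first. The interface names, probe samples and threshold values are constructed for the example.

```python
from statistics import mean

# Constructed probe windows: RTT in ms per probe reply, None = lost probe.
# Values are illustrative, not real measurements.
PROBES = {
    "fiber-X1": [12, 13, 12, 14, 12, 13, 12, 12],
    "cell-X2":  [48, 55, 52, None, 61, 58, 57, 55],
    "cable-X3": [None] * 8,          # circuit down: every probe lost
}

# Assumed user-defined quality thresholds for this performance class.
THRESHOLDS = {"latency_ms": 80, "jitter_ms": 20, "loss_pct": 15}


def path_metrics(samples):
    """Return (latency_ms, jitter_ms, loss_pct) for one probe window."""
    replies = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(replies)) / len(samples)
    if not replies:
        # No replies at all: latency/jitter are unmeasurable, treat as infinite.
        return float("inf"), float("inf"), loss_pct
    latency = mean(replies)
    # Jitter as the mean absolute difference between consecutive replies.
    jitter = (mean(abs(a - b) for a, b in zip(replies, replies[1:]))
              if len(replies) > 1 else 0.0)
    return latency, jitter, loss_pct


def qualified(metrics, thresholds):
    """A path stays in the pool only if every metric is within threshold."""
    latency, jitter, loss = metrics
    return (latency <= thresholds["latency_ms"]
            and jitter <= thresholds["jitter_ms"]
            and loss <= thresholds["loss_pct"])


def select_paths(probes, thresholds):
    """Return qualified paths, best first; an empty list means no usable WAN."""
    scored = []
    for name, samples in probes.items():
        m = path_metrics(samples)
        if qualified(m, thresholds):
            # Simple combined score: lower is better.
            scored.append((m[0] + m[1] + m[2], name))
    return [name for _, name in sorted(scored)]


if __name__ == "__main__":
    print(select_paths(PROBES, THRESHOLDS))   # fiber preferred, cell as backup
```

With the fiber window replaced by all lost probes, only the cell path remains in the pool, which mirrors the "total packet loss on the primary" behaviour discussed later in the thread.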
kennymathews2003 Newbie ✭
I was able to get everything working by disabling the IP Helper policies that were auto-added.
Ajishlal Community Legend ✭✭✭✭✭
You might have enabled the IP Helper on the wrong end of the S2S policy. Anyway, glad to hear that your issue is solved.
An IP Helper policy will automatically be created once you enable "Enable Windows Networking (NetBIOS) Broadcast" in the S2S VPN policy.
You can create a mesh VPN topology and design route-based VPN on the mesh network. Especially, you should use "Network Monitor" on the route policy.
Or, as @Ajishlal said, you can create an SD-WAN topology.
Below is the knowledge base for this type of VPN.
My main site has primary and backup fiber WAN circuits. My remote sites that have dual WANs are typically fiber/cell or fiber/cable. The probes for the SD-WAN always pick the fiber naturally, as that circuit should perform better. The only time it would go out the cell/cable connection would be total packet loss on the primary circuit.
Other than my main site, which is fiber/fiber from two different ISPs, the remote sites are either single WAN or lopsided performance, meaning fiber DIA versus cell. I think route-based tunnels are probably the best solution in this case instead of SD-WAN, for uniform management and the fact that my primary and backup circuits have such different performance at the remote sites. Several are small remote offices with just single WANs at the current time...
Did you check the DNS security features on the SonicWall DNS pages? Normally there is no problem with DNS over VPN while NetBIOS is enabled. Try a packet capture and check the DNS packets.
If you want to enable NetBIOS broadcast over VPN, you must enable the NetBIOS protocol on the IP Helper page. Follow the KB below: