Dual WAN problem

Unanswered Question
Sep 23rd, 2009

I have attempted to do a Dual WAN configuration on the UC520, with the primary Internet connection being through a T-1 router with a static IP address, and the backup Internet connection being a Cradlepoint CBA250 Cellular Broadband Adapter. I was attempting to accomplish the following, but I didn't get it working:

  • Use the T-1 connection (this is going through the T-1 router connected to the FastEthernet0/0 interface on the UC520) if it is connected to the Internet
  • Use the backup cellular connection (this is connected via a VLAN interface associated with one of the UC520 switchports) if the T-1 connection fails

I have looked over the Dual WAN resources in Cisco Community Central, but they do not explain the situation that I really want to accomplish. I understand that plugging in both connections will create a conflict because we cannot seamlessly cut over to the actual active connection, plus we might be getting the IP settings from the wrong Internet connection.

I have been able to get the following working:

  • Creating a new VLAN for the backup WAN connection
  • Getting an IP address for the backup WAN connection
  • Getting a switchport assigned to the VLAN used for the backup WAN connection
  • Getting the default route pushed down, but only if the route for the primary WAN connection is removed

I have not been able to get the following accomplished:

  • Fail over from the primary Internet connection to the backup Internet connection
  • Getting out to the backup WAN connection through the VLAN interface
  • Getting the NAT settings correct for the failover scenario

What do I need to configure to get this scenario working? I am able to get the Cradlepoint CBA250 Cellular Broadband Adapter connected to the UC520's FastEthernet0/0 port and access the Internet through the Cradlepoint CBA250 Cellular Broadband Adapter (as long as the necessary configuration changes are made).

I am aware that the SA520 supports dual WAN and SIP ALG. I do understand that the SA520 supports 50 IPsec VPN tunnels. I have read over the SA520 documentation, and I know that it can be installed in front of the UC520. However, the challenge that I have with this setup is that the SA520 does not support some of the VPN features that are in the UC500, such as Easy VPN or the VPN Tunnel Interface. I need to be able to utilize these VPN capabilities which are available in IOS. Should I be migrating over to the SA520, even though it is missing the VPN capabilities of the UC520, or should I keep the UC520 and get the correct configuration for the Dual WAN failover, or should I be deploying an alternative solution with both dual WAN and the needed VPN capabilities?

Reasons that I configure Easy VPN are:

  • I often remotely access computers behind the UC520 unit through an Easy VPN connection
  • I sometimes use Easy VPN to remotely configure Cisco Unity Express or to remotely copy files over to UC520 units
  • Some of our customers use the Cisco IP Communicator softphone over a VPN connection

I could use QuickVPN if the SA520 is being deployed standalone without the UC520 unit or multiple VLANs or multiple subnets, but it creates problems for our customers who are using the Cisco IP Communicator Softphone or when I am doing UC520 maintenance.

I often do site-to-site VPNs for multisite customers. I am able to do the following for site-to-site VPNs on the Cisco UC520:

  • Set up a crypto keyring
  • Set up the crypto isakmp policy (used by all VPNs on the UC520 unit)
  • Set up the crypto isakmp profile
  • Set up the crypto ipsec profile
  • Set up the IPsec tunnel interface
  • Add routes to subnets at other sites through the IPsec tunnel interface

The above approach allows me to set up a fully meshed multisite setup with the subnets connected to each other. The IOS approach allows me to route multiple subnets over the VPN tunnel interface. However, I have read over the SA520 documentation, and as far as I know, the SA520 only supports one remote LAN subnet in a site-to-site VPN.

One possible workaround to the site-to-site VPN problem is to set up GRE tunnels on the UC520 and IPsec tunnels on the SA520, and route site-to-site traffic with the GRE tunnels. Is there a better workaround, or will a firmware upgrade address these issues?

Should I consider deploying a Cisco Integrated Services Router that has dual WAN capabilities instead of the SA520 or using the UC520 without a SA520, SR520, or ISR?

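The site-to-site sequence the post lists for the UC520 (crypto keyring, ISAKMP policy, ISAKMP profile, IPsec profile, tunnel interface, static routes through the tunnel) written out as an IOS CLI configuration. This is an added example, not configuration from the original post or from Cisco. The peer address 203.0.113.20, the remote subnet 10.20.0.0/16, the tunnel link addresses, the interface name FastEthernet0/0 as the WAN-facing source, and every object name are assumed placeholders; the pre-shared key is a placeholder that must be replaced before use.

```ios
! --- Site A (UC520) side of one tunnel in the mesh; Site B mirrors this with addresses swapped ---
!
! 1. Keyring: the pre-shared key is bound to one peer address, not to 0.0.0.0 (any peer)
crypto keyring SITE-B-KEYRING
 pre-shared-key address 203.0.113.20 key REPLACE-WITH-STRONG-PSK
!
! 2. ISAKMP (IKEv1) policy shared by every VPN on the unit
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! 3. ISAKMP profile: only the peer whose identity is 203.0.113.20 may use SITE-B-KEYRING
crypto isakmp profile SITE-B-ISAKMP
 keyring SITE-B-KEYRING
 match identity address 203.0.113.20 255.255.255.255
!
! 4. IPsec transform set and profile tied to the ISAKMP profile above
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile SITE-B-IPSEC
 set transform-set TS-AES256-SHA
 set pfs group2
 set isakmp-profile SITE-B-ISAKMP
!
! 5. Virtual tunnel interface (VTI): all traffic routed into Tunnel1 is encrypted,
!    so no crypto map or crypto ACL is needed on the physical interface
interface Tunnel1
 description Site-to-site VTI to Site B (assumed placeholder)
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE-B-IPSEC
!
! 6. Static routes: any number of remote subnets can point at the same VTI
ip route 10.20.0.0 255.255.0.0 Tunnel1
ip route 10.21.0.0 255.255.0.0 Tunnel1
```

Each additional site in a full mesh gets its own keyring, ISAKMP profile, IPsec profile and Tunnel interface, with `match identity address` restricting each keyring to the single peer it belongs to, so a key compromised at one site cannot be used to impersonate another. Because the VTI is a routed interface, `show crypto session` and `show interface Tunnel1` show the tunnel state, and the static routes (or a routing protocol run over the tunnel) decide which subnets traverse it rather than a crypto ACL.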