Multiple VTI tunnels between sites on HA & multi-WAN routers
-
I am currently working on this in a lab to try to prove if VTI will work for our production environment. We have two locations, both with HA and both with 2 WAN connections. In the lab, I have Site 1 WAN 1 connected to Site 2 WAN 1, and Site 1 WAN 2 connected to Site 2 WAN 2. We want to have routed traffic so that if Site 1 WAN 1 goes down, traffic between sites will switch to use the WAN2 tunnel with nearly no delay. I'm using BGP to dynamically route traffic.
What I've found is that both tunnels work and both will pass traffic after setting up routes, etc. However, only one phase 1 will be connected at a time. If I click on the "Connect" for the 2nd tunnel, then the first tunnel disconnects. I was hoping to have both phase 1s active and let the routing protocol reroute traffic in case of an outage. Instead, there's downtime while phase 1 on the secondary WAN connects and the routing protocols then update.
Is this normal, or am I missing something that will allow both phase 1s to be connected at the same time and minimize downtime when a provider fails?
-
@thale
Something must be awry with the IPsec configuration. Getting two tunnels going should be the easy part: just use unique IPs on the VTI connections and set one with a higher weight in BGP. The problems I've seen have been packet loss unless MSS clamping is on, and a tunnel not re-establishing if the line is down for an extended period of time. What messages are you getting in the IPsec log when the second tunnel comes up?
-
@dotdash thanks for the feedback.
Just to follow up on this in case it helps someone else, I did get this working. I had upgraded my lab routers to 2.6.0 (which it looks like I left out of my original message), and then restored a backup from an earlier version (2.4.5 I think). Either the upgrade or the restore of the previous version's backup seems to have caused this (or the combination). I did a completely fresh install of version 2.6.0 and manually reconfigured it, and I didn't have any more problems.