Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Backup tunnel in IAP VPN..

  • 1.  Backup tunnel in IAP VPN..

    Posted Jul 13, 2015 05:40 AM

    Hi,

     

    I have a DC site, a DR site and branch offices with IAPs. One of my locations is connected to the DC via IAP VPN. Is it possible that when the IAP VPN link between the branch office and the DC goes down, it automatically forms a backup link to the DR site? Can we form two VPN links as active and standby in an IAP VPN scenario? If yes, will this switch be stateful, i.e. without a drop in clients' existing sessions? Please help with config.

     

    Please help.



  • 2.  RE: Backup tunnel in IAP VPN..
    Best Answer

    EMPLOYEE
    Posted Jul 13, 2015 06:13 AM

    Hi,

     

    Yes, you can do it.

     

    Under VPN configuration on the IAP you can configure the primary and secondary VPN. You will need to add the default route to the primary DC and another default route to the DR data center. Be careful with the order: the route to the primary DC must be above the other one.

     

    Hope this helps.

    Regards

    Borja
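
The primary/backup arrangement described in the reply above, as an added Aruba Instant CLI example that is not part of the original post. The controller addresses are constructed placeholders from documentation ranges, the preemption, fast-failover and hold-time lines are optional additions the post does not mention, and lines starting with `#` are annotations, not commands.

```text
# Assumed addresses (constructed): 192.0.2.10 = DC controller, 198.51.100.10 = DR controller
# Primary and backup VPN endpoints
vpn primary 192.0.2.10
vpn backup 198.51.100.10

# Optional: return to the primary once it is reachable again,
# after it has been stable for the hold time (seconds)
vpn preemption
vpn hold-time 600

# Optional: keep the backup tunnel pre-established to shorten switchover
vpn fast-failover

# Default routes: the entry for the primary DC must be listed first
routing-profile
 route 0.0.0.0 0.0.0.0 192.0.2.10
 route 0.0.0.0 0.0.0.0 198.51.100.10
```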



  • 3.  RE: Backup tunnel in IAP VPN..

    Posted Jul 13, 2015 07:14 AM

    Hi Borja,

     

    Thanks for your reply.

     

    Will this be a stateful transition from one link to another? The requirement is that users' ongoing sessions should not be affected!



  • 4.  RE: Backup tunnel in IAP VPN..

    Posted Jul 13, 2015 07:46 AM

    Hi Mohan,

     

    There will be some negligible packet loss during the transition. Hope the user will not experience any significant performance issue.

     



  • 5.  RE: Backup tunnel in IAP VPN..

    Posted Jul 13, 2015 07:48 AM

    Hi Mohan,

     

    There will be some negligible packet loss during the transition. Hope the user will not experience any significant performance issue.



  • 6.  RE: Backup tunnel in IAP VPN..

    EMPLOYEE
    Posted Jul 13, 2015 08:19 AM

    @mohan007 wrote:

    Hi Borja,

     

    Thanks for your reply.

     

    Will this be a stateful transition from one link to another? The requirement is that users' ongoing sessions should not be affected!


    There is potential for significant loss of traffic or loss of sessions, depending on your network design.  For it to even possibly be stateful, the second location would somehow need to be able to place the users on the same Layer 2 VLAN that they were in initially.  If the second location does not have the same Layer 2 VLAN, most likely the user will obtain a different IP address and all sessions would be reset.

     

    The only way to attempt to give users the same IP addresses that they had when failover occurs to two different locations is to run OSPF between two controllers.  Even in that situation, the first controller would have to fail or the network would have to be down for the routes to be propagated to the second controller.  If a single access point lost contact with the controller and failed over, the routes would not be there and the user would not be able to pass traffic.

     

    Please do not plan on stateful failover.  It is quite possible that you are a better candidate for remote AP.