We have central balance 710s and many remote pepwave peers.
At each peer there is an untagged network, frequently 192.168.3.0 or 192.168.1.0 (because we install into existing networks), plus a unique small VLAN subnet for the IP phones. This is a unique subnet for each location so we can do routing instead of NAT for the phones, usually a /28 or /27 depending on the number of phones.
The problem we have is that if someone forgets to set a custom OSPF unit ID and turn on PepVPN route isolation on the “OSPF and RIP v2” page, we get one or two problems:
If you do not set a custom OSPF ID, the unit uses its IP on the untagged subnet, so you get a duplicate such as 192.168.3.1.
The problem is that this is a silent failure. At the remote peer, the dashboard and Status -> SpeedFusion both show ESTABLISHED. At the central unit it gets to “updating routes” and stays there. There is no indication of an OSPF ID conflict.
Also, if the OTHER peer that has the same ID is rebooted or otherwise drops its VPN and tries to bring it back up, the new unit will have completed the connection and now “owns” the ID, so the previous unit now fails to finish connecting.
If you have a duplicate subnet being advertised, you get a similar silent failure: the VPN is fully established, but the route does not work.
In both cases the central unit knows that there is a conflict. It should be able to notify the peer of the conflict so that it can be displayed there, and it can certainly display it at the central unit. It should also be logged in the event log.
I would actually like OSPF conflicts to be an email alertable failure, as it is a serious problem that can disrupt the network.
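Until the units themselves flag these conflicts, the two failure modes described above can be caught before deployment by checking a peer inventory offline. The script below is an added example, not Peplink code and not an API the devices expose: the inventory format, peer names, addresses and the rule that an unset router ID falls back to the untagged LAN IP are assumptions modeled on the post, and the `advertised` list stands in for whatever each unit actually advertises after route isolation is applied.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed inventory (not real sites). router_id is None when no custom OSPF unit ID
# was set; per the post, the unit then falls back to its untagged-LAN interface IP.
PEERS = [
    {"name": "HQ-710", "lan": "10.0.0.1/24", "router_id": "10.255.0.1",
     "advertised": ["10.0.0.0/24"]},
    {"name": "SiteA", "lan": "192.168.3.1/24", "router_id": None,
     "advertised": ["192.168.3.0/24", "10.10.1.0/28"]},
    {"name": "SiteB", "lan": "192.168.3.1/24", "router_id": None,   # same default ID as SiteA
     "advertised": ["192.168.3.0/24", "10.10.2.0/28"]},
    {"name": "SiteC", "lan": "192.168.1.1/24", "router_id": "10.255.0.4",
     "advertised": ["10.10.1.0/27"]},                                # overlaps SiteA's phone subnet
]


def effective_router_id(peer):
    """Router ID the unit will actually use: the custom ID if set, otherwise the LAN IP."""
    if peer["router_id"]:
        return peer["router_id"]
    return str(ipaddress.ip_interface(peer["lan"]).ip)


def find_router_id_conflicts(peers):
    """Map each router ID claimed by more than one peer to the names of those peers."""
    owners = defaultdict(list)
    for peer in peers:
        owners[effective_router_id(peer)].append(peer["name"])
    return {rid: names for rid, names in owners.items() if len(names) > 1}


def find_overlapping_routes(peers):
    """List (peer1, prefix1, peer2, prefix2) for every pair of advertised prefixes from
    different peers that overlap, including exact duplicates."""
    overlaps = []
    for a, b in combinations(peers, 2):
        for pa in a["advertised"]:
            for pb in b["advertised"]:
                na, nb = ipaddress.ip_network(pa), ipaddress.ip_network(pb)
                if na.overlaps(nb):
                    overlaps.append((a["name"], str(na), b["name"], str(nb)))
    return overlaps


def report(peers):
    """Human-readable alert lines; empty list means the inventory is clean."""
    lines = []
    for rid, names in find_router_id_conflicts(peers).items():
        lines.append(f"OSPF router ID {rid} is used by {', '.join(names)}; set a custom unit ID")
    for p1, n1, p2, n2 in find_overlapping_routes(peers):
        lines.append(f"{p1} advertises {n1} which overlaps {n2} from {p2}; enable route isolation or renumber")
    return lines


if __name__ == "__main__":
    for line in report(PEERS) or ["no OSPF ID or route conflicts found"]:
        print(line)
```

Run against the constructed inventory, the check reports the duplicate 192.168.3.1 router ID shared by SiteA and SiteB, the duplicate 192.168.3.0/24 advertisement, and the nested 10.10.1.0/28 and 10.10.1.0/27 phone subnets; giving SiteB a custom router ID clears the first finding, and the report can be piped into whatever alerting the site already uses.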