I recently encountered instability with my FusionHub deployed in vSphere:
the device becomes unreachable via inControl (flips online/offline) and after some time the tunnels cease to work while appearing online.
It happened 2-3 times in the last 2 months and I ended up rebooting (relatively quick) the VM to solve the problem.
I am not sure where this comes from; it seems to occur more since I upgraded the Balance routers to firmware v7.
Is there by any chance a possibility to deploy FusionHub in an HA setup, or do you recommend anything to proactively act on software failure?
Hi Florent,
I have always recommended configuring Fusionhubs for critical systems in active/active pairs. That way the remote device monitors the health of the Fusionhub (via the availability of the tunnel) and automatically routes traffic over the secondary Fusionhub if the primary is unavailable.
An added benefit (depending on your topology) is that you can then have the Fusionhubs in completely different datacenters, hosted by two different providers, so that if it's a provider issue (as it often is) the other Fusionhub is still available.
Can you please explain a little how you perform HA using FusionHub?
On the server side? What’s the default gateway (or routes) defined? No VRRP support if I'm wrong with FH
Remote devices have a primary PepVPN / SpeedFusion tunnel configured to one hosted Fusionhub node and a backup to a secondary Fusionhub. Remote sites are distributed across Fusionhubs. Fusionhubs have a PepVPN between each other. Job done.
Can you please explain how the traffic is routed from the datacenter to FusionHub?
Are there any specifications about fusionhub to support this configuration?
Sure, all traffic at datacenter is routed via the firewall appliances (using Send all traffic via LAN setting on FH).
So for one peer to route to another on the same node:
Since the firewalls are inline with all traffic I get really granular control at the firewall level as to which peer LAN devices can communicate with other peers, at an IP level but also a TCP level.
I can also add more public IPs to the firewall to provide inbound NAT over PepVPN to LAN devices connected using MAX routers on dynamic cellular IPs.
This lets me build complex multi-tenanted multi-Fusionhub deployments across multiple datacentres really easily. And I can add in SSL / OpenVPN / TINC / IPSEC VPNs from the firewalls back to the customer's corporate resources, add existing IPSEC remote sites (using 3rd party routers) or provide any type of client VPN access as an enhancement to PepVPN for remote site access.
Here is an example where we provide remote CCTV connectivity as a service to multiple CCTV companies across Europe. Firewall & routing rules let any remote CCTV system (using a MAX) connect to any of our hybridNET nodes whilst limiting access to the correct service provider / customer.
We effectively become a virtual Network operator for the CCTV service provider companies.
Sorry, but I’m a bit confused. Maybe I have to explain my scenario:
I’m looking to deploy FusionHub in an HA cluster in the same DC (as we can do with Balance) to achieve 100% SpeedFusion uptime for branch offices.
We are now routing the traffic to the branch with static routes to the FusionHub private IP address (172.16.x.x). The same IP is NATed on the internet with a public IP.
If we install a secondary FusionHub, how can we do the HA and how will we route the traffic to the cluster?
Maybe the cluster makes a virtual IP like the VRRP of the Balance?
Hi Stefano.
Fusionhub does not support traditional HA/VRRP. As a virtual machine you would use the hypervisor capabilities to provide high availability and resilience for the VM itself and build out a HA core network infrastructure from your hypervisor to and from the internet to guarantee its availability.
When building public cloud hosted environments I always deploy Fusionhub in an active/active way as detailed above on different hosting platforms (i.e. AWS & Azure). I find it hard to justify the expense of HA appliances in a single location, compared to the versatility and improved Disaster Recovery capabilities of a pair of appliances hosted in two separate locations.
All Peplink devices support connecting to at least two remote peers via PepVPN/SpeedFusion for failover between two hub devices - whether they are deployed in active/active or active/failover.
In your case then, where you have a single DC at a single location, I would suggest you run two separate FH appliances, primary and secondary. All remote devices create two tunnels, one to each FH. The secondary FH appliance will have a higher metric set for the remote peers; the remote peers will also have a higher metric set for the secondary FH profile. Then use OSPF between the Fusionhubs and the DC core router so that the primary is used until it is unavailable, at which point OSPF updates send the traffic via the secondary.
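A simplified model of the primary/secondary design suggested above, added here as an illustration and not part of the original post or any Peplink tooling. It shows per-site path selection in both directions and flags the asymmetric path that results when the higher metric is set on only one end. The hub names, prefixes and metric values are constructed, and it assumes a hub only advertises a site's prefix to the DC core while its tunnel to that site is up.

```python
# Simplified model of the primary/secondary FusionHub design (not an OSPF implementation).
# All names, prefixes and metric values below are constructed for illustration.
PRIMARY, SECONDARY = "fh-primary", "fh-secondary"
HUB_COST = {PRIMARY: 10, SECONDARY: 100}   # cost each hub advertises to the DC core


def core_next_hop(site):
    """DC core router: lowest-cost hub among those whose tunnel to the site is up.

    Assumption: a hub only advertises a site's prefix while its tunnel is up.
    """
    live = [(HUB_COST[hub], hub) for hub, up in site["tunnel_up"].items() if up]
    return min(live)[1] if live else None


def site_uplink(site):
    """Remote peer: lowest-metric VPN profile whose tunnel is up."""
    live = [(site["profile_metric"][hub], hub)
            for hub, up in site["tunnel_up"].items() if up]
    return min(live)[1] if live else None


def audit(sites):
    """Return {prefix: (dc_to_site_hub, site_to_dc_hub, symmetric)}."""
    report = {}
    for site in sites:
        down, up = core_next_hop(site), site_uplink(site)
        report[site["prefix"]] = (down, up, down == up)
    return report


def sample_sites():
    good = {PRIMARY: 10, SECONDARY: 100}
    return [
        # Healthy site: both tunnels up, metrics set on both ends.
        {"prefix": "10.1.0.0/24", "tunnel_up": {PRIMARY: True, SECONDARY: True},
         "profile_metric": good},
        # Primary tunnel lost: both directions should move to the secondary.
        {"prefix": "10.2.0.0/24", "tunnel_up": {PRIMARY: False, SECONDARY: True},
         "profile_metric": good},
        # Misconfigured peer: secondary profile was left with the lower metric.
        {"prefix": "10.3.0.0/24", "tunnel_up": {PRIMARY: True, SECONDARY: True},
         "profile_metric": {PRIMARY: 100, SECONDARY: 10}},
    ]


if __name__ == "__main__":
    for prefix, (down, up, ok) in audit(sample_sites()).items():
        print(f"{prefix}: DC->site via {down}, site->DC via {up}, symmetric={ok}")
```

The third site is the case to watch for: the DC core sends traffic via the primary while the site replies via the secondary.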
I’m trying to implement your suggestion “two separate FH appliances, primary and secondary. All remote devices create two tunnels one to each FH. The Secondary FH appliance will have a higher metric set for the remote peers, the remote peers will also have higher metric set for the secondary FH profile. Then use OSPF between the Fusionhubs and the DC core router so that the primary is used until it is unavailable at which point OSPF updates send the traffic via the secondary.”