Peplink Balance 20 VPN Site-Site failover question


#1

I’ve got an interesting scenario that I’d love an answer to if anyone has an idea…

I’ve got a Cisco ASA at the main site, and a Peplink Balance 20 at a remote site.

The Balance 20 has WAN1 connected to a DSL with a static IP, and a 4G Verizon (also static IP) connected to the Mobile Internet port.

Here’s the weird thing:

If the Mobile Internet is set to Always on, and the WAN1 is set to backup, the VPN tunnel back to HQ fails over flawlessly when either port is unplugged.
If the WAN1 is set to Always on, and the Mobile Internet is set to backup, the VPN tunnel WILL NOT establish over the Mobile Internet port.

I want to be able to use WAN1 as my primary and fail over to the mobile internet if it goes down, but the VPN failover will only work with Mobile as primary. Any ideas?

Thanks!
Ryan


#2

If you are terminating the IPsec VPN with the Balance, what is the WAN connection priority set to in the IPsec VPN profile?


#3

The priority is set to WAN 1, then Mobile Internet.


#4

Does it fail over both ways if both WANs are set to always on?


#5

No. With both set to Always On, only the WAN 1 will establish the VPN tunnel.


#6

OK – how about if you enable NAT-Traversal in the Balance under Network > IPsec VPN?


#7

With NAT-Traversal enabled:

WAN1 and Mobile Internet Always On:
If I unplug the cable from WAN1, it will not fail over. If I leave the cable plugged in, but click the “disconnect” button for WAN1 in the dashboard, it will fail over.

WAN1 set to Always On and Mobile Internet set to Backup:
If I unplug the cable from WAN1, it will not fail over. If I leave the cable plugged in, but click the “disconnect” button for WAN1 in the dashboard, it will fail over.


#8

Please open up a support ticket with us here so we can investigate the issue.


#9

Update

After upgrading from firmware 5.3.12 to 5.4.9, the VPN failover is working properly.


#10

Glad to hear the firmware upgrade was able to resolve your issues.


#11

Me too! I will note that the NAT-Traversal did have to be enabled to make it fail back and forth smoothly.