
RV082 Redundant VPN Tunnels ideas?


FSTShaun (IS-IT--Management), joined Apr 23, 2004, 9 messages, location US
Sorry in advance for the long post.

I recently called Linksys's tech to tech hotline to inquire about the RV082 router. The tech mentioned that it had two Wan ports that could be configured as a smart backup or load balanced.

My idea was to buy two RV082 routers and use the Wan1 on each device in each location to attach it to our T1 lines. I would then use Wan2 and hook it up to our DSL lines at both locations.

Both the DSL and T1 lines at both locations have 6 usable IP addresses.

I want to use Wan1 as primary and Wan2 as smart backup. I would create a VPN from Wan1 on device1 to Wan1 on device2. In the event that Wan1 goes down on device1, Wan2 should come up. I then wanted to create a VPN tunnel on device2 that is constantly trying to connect to Wan2 on device1. When Wan1 on device1 goes down, Wan2 comes up and the tunnel from device2 now connects to Wan2 on device1. However, after buying the product and trying this I found that when trying to create a tunnel with the same remote security group subnet, you get an error message saying that this tunnel conflicts with another tunnel, and it lists the tunnel number. So obviously this idea will not work, even though the product manager at Linksys said in writing that it would work based on the configuration I listed above. I will post the message from Linksys below.

Anyways... now I have two RV082 routers, one in LA and one in San Diego. They currently have a VPN tunnel between them using Wan1 on both devices. Wan2 on both devices is connected to the DSL lines at each location and configured to be used as a smart backup. Besides the redundant VPN tunnels not working, the Smart Backup line does not work unless I actually unplug Wan1. When I do this it will fail over to Wan2, but when I plug Wan1 back in no traffic gets out at all until I remove the cable from Wan2. If I then plug Wan2 back in it continues to use Wan1 and the VPN tunnels come back up. My problem here is that when I remove the cable from the CSU/DSU, which is the device that the T1 line comes into, the link light stays up on the RV082 Wan1 interface. What I'm trying to accomplish here is to simulate a failure in the T1 line outside the office. The RV082 should be able to fail over to Wan2 if no connectivity is detected on Wan1 without physically pulling the cables out. I actually got a few techs at Linksys to confirm this. But at both locations, if I try and just take the T1 line down without pulling the cable out of the RV082 router, the failover never actually moves over to Wan2.

The question here is how does the Linksys RV082 know when connectivity is down on one of the Wan interfaces besides the cable being removed. I got one Linksys guy named Bob who says it tries to contact the DNS server for Wan1, and when it can't connect to it for a certain period of time it assumes the connection is down and brings up Wan2. Well, I have DNS server entries in both the static Wan1 and Wan2 configurations and it never switches over to Wan2 for me.

Sorry this is so long but I have been having many issues with this device and I’m about ready to visit LA and knock on the door at Linksys.

Both routers are using firmware 1.1.1 from March 17th 2004.

Oh, one more thing. Bob at Linksys Tech to Tech told me that because I used WhatsUp Gold, which pings the devices at the other side of the VPN to determine if they are on, it drops my VPN tunnel because the router detects this as a possible attack. I think he is full of crap but I haven't been able to confirm or deny this allegation with any other techs at Linksys.

Last but not least, here is the actual email from the Linksys product manager stating that my configuration would work 100%:

Shaun,

Your theory about the tunnels is 100% correct, and will work setup this way.

I have attached the throughput results we got from testing a RV082 with an IXIA chassis using 3DES here in our Irvine lab.

Let me know if you have any questions.

Chris

Chris Chapman
Product Manager
Linksys
A division of Cisco Systems Inc.

-----Original Message-----
From: Shaun Richardson
Sent: Thursday, April 15, 2004 8:11 AM
Subject: Linksys RV082 Technical Questions


Brian,

Per our conversation yesterday here is the scenario that I would like clarified.

Let's say I purchase two RV082 routers. I place one router in Los Angeles (LA) and the other in San Diego (SD).

At each location I have a T1 and a DSL line. I attach the T1 line to Wan1 on each RV082 at each location. Then I attach the DSL lines to Wan2 at each location.

Now for the fun stuff. I enable the T1 line at both locations to be the primary line and set the DSL line to be the backup line.

I then create a tunnel in SD that accepts connections from Wan1, let's say 65.77.88.91, in LA. I also create a tunnel called LA Backup which accepts connections from Wan2, let's say 65.77.88.92, in LA.

In LA I create two tunnels that connect to SD Wan1: let's say 65.77.88.91 connects to Wan1 in SD at 65.77.88.91. I then create a tunnel called SD Backup that connects to SD from, let's say, 65.77.88.92 or 91 depending on which interface is up.

Both tunnels have the keep alive option enabled. It's my understanding that since only one interface can be on at a time, only one of the tunnels will be connected, because the IP address of the Remote Secure Gateway will be incorrect for one of the tunnels. So the router should continually try and connect the tunnel. When the T1 interface goes down, the DSL line comes up and the other tunnel drops. Now that the DSL line is up, the other tunnel should now connect since the Remote Secure Gateway of the DSL line now matches the criteria for the other tunnel in SD.

This should effectively create a redundant VPN tunnel on either interface, should the T1 line go down. This scenario almost resembles two BEFVP41's connecting to the RV082, but if the backup line is only active when the primary line is down, only one of the routers would be connected at a time.

My last question is what is the throughput for the VPN tunnels for the RV082. Will I be able to sustain 1.5 Mbps?

Thank You in advance.

Shaun
 
Shaun,

I have (4) RV082's spread out across the midwest. I ended up punting one unit and replacing it with a ZyWall 10 because of connection issues. At any rate, I haven't tried the failover so I can't help you with that, but in terms of running "WhatsUp Gold" I currently use IPCheck for the same reason and have never had a problem. I ping through the VPN tunnel and the WAN interface.

Greg
 
Could someone please post all the settings they have for connecting two RV082 routers using the VPN. The tunnel that I have between the LA and San Diego RV082 is constantly dropping and I need to resolve this issue soon as it is affecting our business.

At each location the RV082 is attached to a Wireless T1 line. When I had the BEFVP41 devices in place I never had the tunnels fail except when I rebooted the devices.

If someone could please post their exact VPN tunnel settings or make some suggestions I would appreciate it very much.

Thank you in advance.

Shaun
 
Shaun,

I was never able to get my connections to stay up consistently. I was able to get things almost there with these settings though:

I rolled all units back to firmware release 1.0.7.
I disabled SPI, DOS, and Block WAN Requests.
I manually set MTU to 576.
Local Security Gateway Type: IP Only
Local Security Group Type: Subnet
Remote Security Gateway Type: IP Only
Remote Security Group Type: IP Only
Keying Mode: IKE with Preshared key
Phase1 DH Group: Group1
Phase1: DES, MD5, 28800 seconds
Phase2: DES, MD5, 28800 seconds
Keep Alive: checked

I finally gave up on the RV082 and replaced one end point with a ZyWall 10 II.

Good luck.
 
gacollier,

Thank you very much for your reply. I made all the changes except for rolling back the firmware to 1.0.7. I'm going to stick with 1.1.1 for a while first and see what happens. I sure hope this stabilizes the tunnel. As far as giving up on the RV082, I don't think I can do that anytime soon since my nuts are already in a wringer for suggesting this device and it working worse than our old configuration.

Hopefully Linksys will fix this issue. Friday after putting my post up I called Linksys and they assured me their product manager would call me back ASAP. Never heard from him Friday but I assume he will call Monday.

I really wish I had known all this before I suggested we buy these devices. I talked to three of the usual techs I talk to at Linksys before purchasing this device and they all said that it was a good buy. Now I wish I could wring their necks. Cause that's what's going to happen to me if the VP does not see some benefit to wasting $600 on these devices.

Finally, gacollier, when you say that you replaced the RV082 with the ZyWall, does that mean you're still using the RV082 at your remote locations and they tunnel into your ZyWall 10 II?? If so, what did you pay for this device? I was all ready to go buy a SonicWall Pro 2040 and the SonicWall telsis 370 before Crapsys convinced me to save $1600 and buy the RV082.

Anyways... Thank you very much for your post. Also I hope someone can shed some light on how to configure a fail over VPN solution with the RV082. I was thinking maybe the PPTP on Wan2 might work as a backup that could tunnel into my Win2k Server. Wait... one more question. The syslog feature of this router does not seem to work with Linksys's log viewer program. I went in to the RV082 and pointed it to the IP of the workstation with the log viewer installed and then enabled it and it doesn't seem to send any data to the log viewer. However the BEFVP41 works fine and sends all its data to the log viewer. If you have any suggestions I would greatly appreciate it.

Thank you.

 
gacollier

Your settings don't seem to be working. Now the tunnel says it's up for hours and no traffic passes through. I will see it go down and then come up like 2 hours later. Could you please describe some of the settings that might be relevant to tweak? I'm not sure how setting the seconds up or down will affect the way the tunnel works. I have tried to ask Linksys about this and they just tell me BS like "more is better"; then I say why and they say it just is. Obviously they don't understand the technology they support, so they just give you BS answers without details or descriptions of what it does.

Anyways.. If you know more about these please let me know. Also I noticed when I turn SPI off I'm unable to forward any traffic in to my web server or mail server so I had to turn it back on. Any suggestions??

Thank You very much for your time.
 
Shaun,

First off, I am using the ZyWall 10 II in a "hub and spoke" arrangement (ZyWall 10 at host site and (3) RV082's at remote sites). Everything has been very stable for (4) weeks now.

Secondly, what settings differed from your original settings?
 
Keying Mode Manual IKE with Preshared key
Phase1 DH Group Group1
Phase1 Encryption 3DES
Phase1 Authentication MD5
Phase1 SA Life Time seconds 28800

Perfect Forward Secrecy
Phase2 DH Group Group1
Phase2 Encryption NULL
Phase2 Authentication MD5
Phase2 SA Life Time seconds 900

Aggressive mode (ON)
Keep Alive (ON)
Dead Peer Detection (120 Seconds ON)

As you can see I changed the Phase2 SA to 900 seconds and it seemed to resolve the two hour downtimes. Now my router actually responded 94.6% in the last 4 hours.

I also have SPI turned on and I have firmware version 1.1.1. Still, this uptime is unacceptable and should be 100%. In fact my BEFX41 that connects to my RV082 actually works better than two RV082's hooked up. My original settings were the defaults, and I enabled NetBIOS broadcasts so that we could use RealPopup messenger between LA and San Diego. I'm about to call Linksys yelling come Monday morning because I'm gonna be up shit creek if this doesn't stop soon. I'm really worried cause this could cost us thousands of dollars an hour that this damn VPN is down. If you could describe some of the features and how they might affect the VPN tunnel I would really appreciate it.

Both RV082 routers have the same configuration.

Thank you in advance.
 
Shaun,

What's the MTU set at on your RV082's? Have you tried lowering it to 1300?

Also, by dropping the phase 2 lifetime to 900 and using the keepalive, you're forcing Phase 2 re-negotiations every 15 minutes. I'm pretty sure that the "Keep-Alive" option forces the phase 2 negotiation even if network traffic isn't present, but that's all.

I don't have the "Dead Peer Detection" with release 1.0.11 so I'm not sure what this is doing for you.

I paid $278 (CDW) for my ZyWall 10 II.
 
I am on the phone to Linksys Support as I write, as I TOO have VPN stability problems with the RV-082, although my remote sites (8+) are connecting using the BEFSX41 VPN endpoint routers.

As soon as I described my architecture, the CST mentioned that there ARE KNOWN VPN problems. They are well aware of the situation, so one would HOPE they are getting on it!

I too am getting flack as my company recommended this VPN solution to the end user, and they are getting VERY TIRED of having to slam the RV-082 to restart the tunnels!

IF I get some joy from Linksys, and my tunnels stabilize, I will post the settings here.

(crossing my fingers, but not expecting a resolution)

... sigh

 
OK, here's what the Linksys CST said.

Change the Phase2 SA Life Time BACK to 3600 (default) from 28800 (where I had set it before), and (get this), ENABLE the NetBIOS broadcast button. I asked why, as I don't want NetBIOS enabled, but she said that in her experience it made the tunnels more stable. Hard to beLIEve, but to humour her, and to be able to say "I did what Linksys told me to do" I have made those settings. She also said that she recommended setting the MTU size to 1237 for DSL connections (which happens to be what we are using here).

Also, she HAD NO IDEA when a fix would be posted, and she said Linksys has seen a LOT of problems come in on the RV-082.

Sounds like it was released before it was properly tested, although you'd THINK that in an ALL LINKSYS network, things ought to work.

I am at the point, where I will need to consider pulling the RV-082 and popping in a stable product (ZyWall 10 II?).

g

 
ChinchBug, thanks for your input. gacollier, I have my MTU set to 1300. I'm currently talking to my Wireless T1 provider to find out about some latency issues.

Otherwise, here is the information that I submitted to Linksys this morning. This is their Tech to Tech service, which requires a PIN and a special unpublished number to contact. They promised me I will speak with Chris Chapman, the product manager, today sometime, so I will beat some answers out of him if I have to.


1st.

I have two RV082 routers and a BEFX41. The RV082's are located in SD & LA. The BEFX41 is located in Calexico. The RV082 in SD is the VPN endpoint. I.E. The RV082 in LA and the BEFX41 in Calexico both tunnel into the RV082 in SD.

Since last Thursday when I got the RV082's I have had constant problems with the tunnel between LA & SD, which is two RV082's, going up and down. The tunnel between the SD RV082 and the Calexico BEFX41 has stayed up fairly consistently. However, even when I used the BEFVP41 as the endpoint, the BEFX41 in Calexico still occasionally dropped the tunnel.

The tunnel between SD RV082 and Calexico BEFX41 uses all the default settings.

The tunnel between SD RV082 and LA RV082 uses the following settings on both RV082's.
Keying Mode Manual IKE with Preshared key
Phase1 DH Group Group1
Phase1 Encryption DES
Phase1 Authentication MD5
Phase1 SA Life Time seconds 900

Perfect Forward Secrecy
Phase2 DH Group Group1
Phase2 Encryption NULL
Phase2 Authentication MD5
Phase2 SA Life Time seconds 900
Preshared Key
Aggressive Mode (ON)
Compress (Support IP Payload Compression Protocol(IPComp)) (OFF)
Keep-Alive (on)
AH Hash Algorithm MD5 SHA1 (OFF)
NetBIOS broadcast (OFF)
Dead Peer Detection (DPD) Interval seconds (OFF)
I changed the Phase1 and Phase2 life times because the tunnel would be down for almost an hour before it would come back up by itself. The dead peer detection seems to cause the tunnel to drop often and causes many problems.

2nd.

When the T1 line goes down between here and our T1 provider how does the RV082 know that that line is down? Does it ping the gateway and after a few failed attempts makes the determination that the link is down? The reason I ask is because I simulated this kind of failure and could not get the RV082 to switch over to Wan2 which has a static IP address and is plugged into the DSL line. The only way I could get the RV082 to switch over to Wan2 was to pull the cord out of Wan1. This should not be the only way this device will switch over. ???
3rd.

I have a web server and mail server running behind the RV082 in SD. I currently have the firewall and port forwarding enabled to forward port 25 and 80 for these services. However when I attempt to turn off SPI the forwarding no longer works. As soon as I check the box for SPI and choose save settings the forwarding works again.

I'm currently using firmware version 1.1.1 on both RV082 routers.

Thanks

 
So call me silly, but if you set the MTU to 1237 for DSL connections, don't you end up with frame fragmentation if the 2003 server and XP w/s's default to a 1500 MTU? BTW Chinchbug, ya big galoot, did you reset those endpoints remotely, bud? They were set for 28800 as well...

Don't these things have a Cisco badge on the front of them too? I guess I'd be feeling a little red in the face were I a Cisco employed engineer...
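The settings block Shaun posted above and the MTU/fragmentation question in the last reply both lend themselves to a quick check. The following is an added example, not code from the thread or from Linksys: it parses a constructed copy of the posted RV082 tunnel settings, flags the weak algorithm choices from a defender's point of view, and estimates (approximate ESP tunnel-mode layout per RFC 4303, no NAT-T encapsulation) the largest LAN packet that fits the WAN MTU without fragmenting.

```python
"""Assess the RV082 tunnel settings posted in this thread, plus the MTU question that followed.
Constructed sample and helper code for illustration; not Linksys software."""
import re

# Constructed copy of the SD<->LA tunnel settings as listed in the post above.
SAMPLE_SETTINGS = """\
Phase1 DH Group Group1
Phase1 Encryption DES
Phase1 Authentication MD5
Phase1 SA Life Time seconds 900
Perfect Forward Secrecy
Phase2 DH Group Group1
Phase2 Encryption NULL
Phase2 Authentication MD5
Phase2 SA Life Time seconds 900
Aggressive Mode (ON)
Keep-Alive (on)
Dead Peer Detection (DPD) Interval seconds (OFF)
"""

# Algorithm choices that weaken the tunnel, keyed by the RV082 field name.
WEAK = {
    "Encryption": {"NULL": "NULL cipher, ESP gives integrity only and the payload crosses the WAN in cleartext",
                   "DES": "single DES (56-bit key), prefer 3DES or AES"},
    "Authentication": {"MD5": "HMAC-MD5, prefer SHA1 or stronger"},
    "DH Group": {"GROUP1": "DH group 1 is 768-bit MODP, prefer group 2 (1024-bit) or higher"},
}

def parse_settings(text):
    """Pull the Phase1/Phase2 fields and the ON/OFF toggles out of an RV082-style listing."""
    cfg = {"pfs": "Perfect Forward Secrecy" in text}
    for phase, field, value in re.findall(
            r"(Phase[12]) (DH Group|Encryption|Authentication|SA Life Time seconds) (\S+)", text):
        cfg[f"{phase} {field}"] = value.upper()
    for name, state in re.findall(
            r"(Aggressive Mode|Keep-Alive|Dead Peer Detection).*?\((ON|OFF)\)", text, re.I):
        cfg[name.title()] = state.upper()
    return cfg

def assess(cfg):
    """Return findings for weak algorithms and risky toggles; an empty list means none tripped."""
    findings = []
    for phase in ("Phase1", "Phase2"):
        for field, weak_values in WEAK.items():
            value = cfg.get(f"{phase} {field}")
            if value in weak_values:
                findings.append(f"{phase} {field} {value}: {weak_values[value]}")
    if cfg.get("Aggressive Mode") == "ON":
        findings.append("Aggressive Mode with a preshared key: the responder hash is sent unencrypted, "
                        "so the PSK can be guessed offline; use Main Mode")
    if cfg.get("Dead Peer Detection") != "ON":
        findings.append("DPD off: a dead peer is only noticed when traffic fails or the SA expires")
    return findings

# ESP tunnel-mode sizing, approximate RFC 4303 layout: (IV bytes, cipher block size).
IV_AND_BLOCK = {"NULL": (0, 4), "DES": (8, 8), "3DES": (8, 8), "AES": (16, 16)}

def max_inner_packet(wan_mtu, enc, auth):
    """Largest inner IP packet that fits one ESP datagram within the WAN MTU without fragmenting."""
    iv, block = IV_AND_BLOCK[enc]
    icv = 12 if auth in ("MD5", "SHA1") else 0      # HMAC-MD5-96 / HMAC-SHA1-96 trailer
    avail = wan_mtu - 20 - 8 - iv - icv            # outer IP header, SPI+sequence, IV, ICV
    encrypted = avail - avail % block              # payload + pad + 2-byte trailer is block aligned
    return encrypted - 2
```

With 3DES/MD5 and a 1237-byte WAN MTU, the largest inner packet is 1182 bytes, so 1500-byte LAN hosts do fragment, which is the point raised in the reply above; at 1300 they fit even on a 1500-byte WAN MTU.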
 
Everyone I think I have found the solution.


Last night about 2:30 am the tunnel had dropped again between LA and SD. So I decided to roll the firmware back on the SD RV082 to version 1.0.11.

So here is my configuration that has been working for 24 hours.

SD RV082
firmware 1.0.11
Default settings for VPN tunnel to LA except for Phase one and Two encryption, which I turned up to DES3 instead of standard DES.

I made this change on this tunnel because I found when I set the encryption to DES the tunnel dropped. Instantly as I changed it to DES3 the tunnel has been up for over 16 hours from LA to SD.

Obviously I had to make the same change to the tunnel in the LA router and change the encryption to DES3 also on phase 1 and 2.

The LA RV082 router is still running 1.1.1 firmware and I made no other changes to the tunnel on this device except for disabling the Dead Peer Detection (DPD).

The BEFX41 in Calexico has the same VPN settings and is connecting better than it ever did with the BEFVP41 to my RV082 in SD with firmware version 1.0.11. The tunnel encryption between the BEFX41 and the RV082 in SD is that default DES.

I have contacted both my T1 providers to find out about packet loss and latency and they have resolved the issues on both ends which seems to have helped the speed over the VPN tunnel between LA,SD and Calexico,SD.

I have yet to hear from anyone at Linksys back about any of my emails that I have sent them. The product manager has still yet to call me and they have still been absolutely no F%#%ing help.

I appreciate everyone's feedback very much. I was ready to pull my hair out over all the stress and lack of sleep. However, I'm not comfortable saying that the problem is completely resolved. I will give it a few more days until Friday to see how the stability of the tunnels is. I will post any new information as it becomes available.
 
Thanks everyone for your input here is another status update.


I have been talking with Chris Chapman at Linksys and this is our last conversation via email.


I think because this seems to be unstable that you may want to move to another alternative.

Chris
-----Original Message-----
From: Shaun Richardson [mailto:Shaun@fastrucking.com]
Sent: Tuesday, May 04, 2004 2:59 PM
To: chris.chapman@linksys.com
Subject: Linksys RV082 Routers Fastrucking


Chris,

I haven't heard back from you yet about any of my issues. The tunnels are still dropping with your settings. I tried to set them up manually and it says the tunnel is up but no data will pass through. I.E. I can't ping any device at either end of the tunnel. I'm starting to consider returning these devices. I really don't have the patience or the time to continue troubleshooting something that should work. What do you think??

Thank You,

I have since then pulled the RV082 from our San Diego office and replaced it with a BEFVP41 V1 and the tunnels have been up solid for 3 days straight with just basic configuration. Seems to me that the RV082 needs to have some serious work done to its VPN capabilities so that it works better with other Linksys devices.
 