Author Topic: NVR1750 not routing properly on tunnel failure  (Read 731 times)

mfundaro
NVR1750 not routing properly on tunnel failure
« on: June 02, 2010, 01:21:51 PM »
Hi all,

Here's my scenario: I have several NVR1750 (formerly Contivity) devices set up as a small network of branch offices. I have them set in a "full mesh" configuration, i.e. every box has a BO tunnel to every other box. When all the tunnels are up, it's dandy, but if the tunnel between box A and box B goes down, they can't talk anymore.

I have OSPF routing configured, and I can see the route table on boxes A and B update to indicate A can reach B, and B can reach A, through C. The route cost increases, but that is expected given there is now an additional hop involved for A to reach B.

However, pings between A and B fail and traffic does not pass. I have System -> Forwarding set to proxy ARP everything, and to allow end user-end user, end user-BO, and BO-BO. I do not, however, have the "Apply Packet Filter on Private to Tunnel Traffic" box checked, because I am using the Stateful Firewall. My firewall rules basically allow trusted and tunnel traffic to traverse unimpeded.

My understanding is that if the tunnel between A and B dies, they should be able to reach each other via C. That's pretty much one of the basic principles of this kind of networking.

Have I missed something obscure (or obvious) in setting this up?

Software on the boxes is a mix of 8_05.200 and 8_05.250. I will soon be upgrading all of them to .250.

Any help is appreciated, and thanked in advance!

Mike


Michael McNamara (Administrator)
Re: NVR1750 not routing properly on tunnel failure
« Reply #1 on: June 02, 2010, 06:41:44 PM »
Hi Mike and welcome to the forums!

When you say you have a "full mesh" what exactly do you mean? You literally have a full mesh between EVERY router? How many routers are we talking about? Or do you have IPSec tunnels from each branch office site to 2 1750s located at the main office?

Are you routing all traffic back to the main office? How do you handle Internet bound traffic, do you allow the NVR to route/NAT that traffic out the public interface or do you route all traffic back to the main office and then jump on the Internet at a central location?

I'm curious if your firewall rules are getting in the way; you might want to try disabling the firewall and using the interface filters just to test. I have dozens of branch office sites that connect to 2 NVR 1740s. The fail-over only takes a few seconds for OSPF to re-converge.

If you change the route cost within the OSPF interface or disable various IPsec tunnels can you get traffic to pass over the other IPSec tunnels? I would guess you've got a problem with the IPSec tunnel and/or your firewall rules. Disable your primary IPSec tunnel and make sure you can pass traffic over the remaining IPSec tunnels.

Good Luck!
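The point the reply is probing (an OSPF route via C exists, yet traffic still does not pass) comes down to the control plane and the data plane being checked separately. The following is an added example, not code from the poster or from the NVR product: it models the three-site mesh from the original post, recomputes the shortest path as OSPF would when the A-B tunnel is down, and then walks the resulting path hop by hop against a constructed per-box forwarding policy, so that a missing BO-BO (tunnel-to-tunnel) forwarding permission on the transit box shows up as the drop point. The tunnel costs (10 per hop) and the policy table are assumed values.

```python
import heapq

# Constructed three-site mesh; an OSPF cost of 10 per tunnel is assumed, not taken from the post.
TUNNELS = {("A", "B"): 10, ("A", "C"): 10, ("B", "C"): 10}

# Assumed per-box forwarding policy: whether tunnel-to-tunnel (BO-BO) transit is permitted.
BO_BO_FORWARDING = {"A": True, "B": True, "C": True}


def build_graph(tunnels, down=()):
    """Adjacency map of the mesh with the listed tunnels removed (tunnel failure)."""
    graph = {}
    for (x, y), cost in tunnels.items():
        if (x, y) in down or (y, x) in down:
            continue
        graph.setdefault(x, {})[y] = cost
        graph.setdefault(y, {})[x] = cost
    return graph


def spf(graph, src, dst):
    """Dijkstra shortest path, as OSPF computes it. Returns (cost, path) or (None, [])."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist[node]:
            continue
        for nxt, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    return None, []


def forwarding_check(path, policy):
    """Data-plane check: every transit hop must permit BO-BO forwarding.

    Returns the first transit box that would drop the packet, or None if the
    whole path forwards. A route in the table does not by itself prove this.
    """
    for hop in path[1:-1]:
        if not policy.get(hop, False):
            return hop
    return None
```

With the A-B tunnel down the route cost doubles and the path becomes A, C, B, which matches what the poster saw in the route table; the separate forwarding check is what distinguishes "route exists" from "traffic passes".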