We introduce a new abstract concept: a backup group.
The most general definition is as follows. A backup group contains several WAN interfaces, some of which are designated as "backup". The interfaces designated as "backup" back up the rest of the group members. In practice, this means that the overlay tunnels over them will be up only when the rest of the group members (the non-backup ones) are down. However, as we explain below, the FOS capabilities impose certain limitations on this general definition.
The concept is implemented using the IPsec "monitor" feature available in FOS, also known as "redundant VPN" (see here).
In FOS 7.2, a backup tunnel can monitor only a single "main" tunnel. Therefore, the backup group must currently include only one non-backup interface and one or more backup interfaces. The tunnels over each backup interface will monitor the tunnel over the non-backup interface within the same backup group. Note that in future FOS releases we will be able to lift this limitation.
Let's consider the most common example:
There are two optional parameters added to the device profiles at the per-interface level:
backup_group defines the ID of the backup group
backup (true/false) defines whether an interface is designated as backup or not
In the above example, "wan1" and "wan2" belong to the same backup group, in which "wan2" is designated as backup.
Let's assume that we have a Dual-Hub region, so that this example profile is expected to generate four overlay tunnels: H1_INET, H1_LTE, H2_INET and H2_LTE. The configuration above will result in the following redundant VPN configuration:
H1_LTE tunnel will monitor H1_INET
H2_LTE tunnel will monitor H2_INET
As can be seen, the IPsec "monitor" feature is applied on a per-Hub basis, within the configured backup group.
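The grouping rule and the per-Hub monitor mapping described above can be checked with a short script. This is an added example, not code from the original page or the project: only `backup_group` and `backup` come from the page, while the `name` and `ol_type` keys, the sample profile and the `<hub>_<overlay type>` tunnel naming are assumptions inferred from the tunnel names in the text.

```python
from collections import defaultdict

# Constructed sample profile. Only "backup_group" and "backup" come from the
# page; "name" and "ol_type" are assumed keys used for this illustration.
INTERFACES = [
    {"name": "wan1", "ol_type": "INET", "backup_group": 1},
    {"name": "wan2", "ol_type": "LTE", "backup_group": 1, "backup": True},
]
HUBS = ["H1", "H2"]  # Dual-Hub region


def monitor_map(interfaces, hubs):
    """Return {backup_tunnel: monitored_tunnel}, applied per Hub within each group."""
    groups = defaultdict(list)
    for intf in interfaces:
        if "backup_group" in intf:
            groups[intf["backup_group"]].append(intf)
        elif intf.get("backup"):
            raise ValueError(f"{intf['name']}: 'backup' set without 'backup_group'")

    result = {}
    for gid, members in groups.items():
        mains = [m for m in members if not m.get("backup", False)]
        backups = [m for m in members if m.get("backup", False)]
        # FOS 7.2 limitation: a backup tunnel can monitor only a single main
        # tunnel, so a group needs exactly one non-backup interface.
        if len(mains) != 1:
            raise ValueError(
                f"backup group {gid}: expected exactly one non-backup "
                f"interface, found {len(mains)}"
            )
        if not backups:
            raise ValueError(f"backup group {gid}: no interface designated as backup")
        for hub in hubs:
            main_tunnel = f"{hub}_{mains[0]['ol_type']}"
            for b in backups:
                result[f"{hub}_{b['ol_type']}"] = main_tunnel
    return result


if __name__ == "__main__":
    for backup, main in monitor_map(INTERFACES, HUBS).items():
        print(f"{backup} tunnel will monitor {main}")
```

Running such a check before rendering a profile catches a group with two non-backup interfaces, which the single-tunnel monitor limitation in FOS 7.2 cannot express.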