Thursday, August 19, 2021

OSPF Design Question(s)

Hi,
I am currently trying to set up a remote site that has a 1GB P2P connection along with a 100Mb backup internet connection with a VPN back to the primary site. OSPF is set up on all links as below:-

Primary Site:-

CORE to remote site via P2P - Area 2 Stub no summary
CORE to local Firewall via LAN - AREA 0
Local Firewall to remote site Firewall via IPSEC VPN - Area 2 Stub no summary

Remote Site:-

CORE to primary site via P2P - Area 2 Stub no summary
CORE to local Firewall via LAN - Area 2 Stub no summary
Local Firewall to primary site firewall via IPSEC VPN - Area 2 Stub no summary

This is mostly working as expected. However, we have some clients that also VPN in via the firewall at the primary site. The routes on this firewall are preferring the intra-area route for Area 2 to Area 2, as it should according to the standards for route selection. However, the core at the remote site is using the P2P as its route back, again as it should. The firewall at the remote site is using the remote site's router to get back to the primary site. The issue arises when a client connected via a VPN to the firewall at the primary site tries to access the secondary site: we end up with asymmetric routing, as the firewall at the primary site sends traffic over the VPN and the remote site only knows to respond over the P2P. Ideally it should send this traffic to the CORE at the primary site unless the P2P is down, in which case everything should use the VPN.

I hope this makes sense? I have drawn a diagram but I am not sure how to upload it here; it's a PDF but I can make it a jpg or anything.
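The asymmetry described in the question follows directly from the OSPF route-preference rule in RFC 2328 section 16.4: an intra-area route is always preferred over an inter-area route, and cost only breaks ties within the same route type. The script below is an added example, not part of the original post or of any vendor's OSPF implementation. It models the four routers above (primary core, primary firewall, remote core, remote firewall) with the areas given in the question; the link costs (1 for the P2P and LAN links, 10 for the 100Mb VPN), the router names, and the "vpn_clients" prefix advertised by the primary firewall into Area 0 are assumptions made for the illustration. It shows the primary firewall choosing the VPN for the remote LAN (intra-area, cost 11) over the cheaper inter-area path through the core (cost 2), while the remote core sends the return traffic over the P2P, and it shows both converging on the VPN once the P2P is removed.

```python
"""Toy model of OSPF path selection: intra-area beats inter-area regardless of
cost (RFC 2328 s16.4), then lowest cost wins. Topology from the question above;
costs and names are assumptions for the example, not values from the post."""
import heapq
import itertools
from collections import defaultdict

# Constructed topology: (router_a, router_b, area, cost). Costs are assumed.
LINKS = [
    ("pcore", "rcore", 2, 1),   # 1GB P2P, Area 2 stub
    ("pcore", "pfw",   0, 1),   # primary site LAN, Area 0
    ("pfw",   "rfw",   2, 10),  # IPsec VPN over 100Mb internet, Area 2 stub
    ("rcore", "rfw",   2, 1),   # remote site LAN, Area 2 stub
]

# Prefixes attached to a router and the area they are advertised in.
# "vpn_clients" on pfw is an assumption: the post says clients terminate there.
NETWORKS = {
    "remote_lan":  ("rcore", 2),
    "vpn_clients": ("pfw", 0),
}

# Lower rank is preferred; cost is only compared within the same rank.
INTRA, INTER = 1, 2


def build_graphs(links):
    """area -> router -> {neighbour: cost}."""
    graphs = defaultdict(lambda: defaultdict(dict))
    for a, b, area, cost in links:
        graphs[area][a][b] = cost
        graphs[area][b][a] = cost
    return graphs


def spf(graph, src):
    """Dijkstra within one area: node -> (cost, first hop from src)."""
    dist = {src: (0, None)}
    tie = itertools.count()          # keeps heap entries comparable
    pq = [(0, next(tie), src, None)]
    while pq:
        d, _, n, hop = heapq.heappop(pq)
        if d > dist[n][0]:
            continue
        for nbr, c in graph[n].items():
            nd = d + c
            first_hop = nbr if n == src else hop
            if nbr not in dist or nd < dist[nbr][0]:
                dist[nbr] = (nd, first_hop)
                heapq.heappush(pq, (nd, next(tie), nbr, first_hop))
    return dist


def best_route(router, dest, links=LINKS):
    """Return the route `router` installs for `dest`, plus all candidates."""
    graphs = build_graphs(links)
    attach, dest_area = NETWORKS[dest]
    my_areas = {area for area, g in graphs.items() if router in g}
    candidates = []  # (rank, cost, next_hop, description)

    # Intra-area: we are attached to the destination's area, so the SPF tree
    # of that area reaches the prefix directly.
    if dest_area in my_areas:
        tree = spf(graphs[dest_area], router)
        if attach in tree:
            cost, hop = tree[attach]
            candidates.append((INTRA, cost, hop or "connected", "intra-area"))

    # Inter-area: an ABR in the destination area advertises the prefix with its
    # own intra-area cost; we add our cost to that ABR in an area we share.
    for abr in list(graphs[dest_area]):
        if abr == router:
            continue
        abr_tree = spf(graphs[dest_area], abr)
        if attach not in abr_tree:
            continue
        advertised = abr_tree[attach][0]
        for area in my_areas - {dest_area}:
            if abr in graphs[area]:
                tree = spf(graphs[area], router)
                if abr in tree:
                    cost, hop = tree[abr]
                    candidates.append((INTER, cost + advertised, hop or abr,
                                       f"inter-area via {abr}"))

    if not candidates:
        return None
    rank, cost, hop, kind = min(candidates)
    return {"next_hop": hop, "cost": cost, "type": kind,
            "candidates": sorted(candidates)}


def links_without_p2p(links=LINKS):
    """Simulate the P2P failing so both directions fall back to the VPN."""
    return [l for l in links if {l[0], l[1]} != {"pcore", "rcore"}]


if __name__ == "__main__":
    for who, dest in (("pfw", "remote_lan"), ("rcore", "vpn_clients")):
        print(who, "->", dest, best_route(who, dest))
    print("P2P down:", best_route("rcore", "vpn_clients", links_without_p2p()))
```

Running it shows the primary firewall installing `next_hop: rfw` (intra-area, cost 11) even though `inter-area via pcore` at cost 2 is in its candidate list, and the remote core installing `next_hop: pcore` for the VPN client prefix; with the P2P link removed, the remote core switches to `rfw`. That is exactly the asymmetric pair the question describes, and it makes the design point concrete: as long as the firewall-to-firewall VPN sits in the same area as the remote LAN, no cost tuning on the VPN link will make the primary firewall prefer the core, because the decision is made on route type before cost is ever compared.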


