Link fail over [SOLVED]

Hi All:

I have followed AN14 for dual SIM failover and that is working fine. We have some sites that have Fiber or ADSL so I want to put the WR21 in port isolate mode and have Eth0 connected to the local instrumentation and Eth1 to the fibre/ADSL.
To make this work I did the following:

  1. Assigned a static IP to Eth1 in the range of the GPON ONT/ADSL input interface,
  2. Set a default route to Eth1 to metric 1, I set default routes to PPP1 and PPP3 to metric 10,

This seems to work, however today I spent 6 hours troubleshooting “why” the IPSec tunnels would not come up when we loaded the config into a new router.

With the ADSL NOT CONNECTED, so Eth1 was disconnected, the router would negotiate phase 1 against the Cisco and then stop. When looking at the UI I noticed that it was negotiating the phase 1 session using the static IP from the unused Eth1 interface. So of course the Cisco ignored phase 2 because that had a source IP of the PPP1 interface.

The only way to fix it was to force the unused Eth1 into dhcp mode which caused the static IP to disappear and then the tunnels came up immediately.

Is this a bug or normal behavior?
Did I set something up wrong to make this happen?

I have the ADSL router connected again and have rebooted several times and it all comes up fine. I would like to figure this out before we deploy to the field as I don’t want any anomalies that would require a 3 hour drive in a Land Rover.

Cheers,
john

Hi John and welcome to Digi Forum!

Based on your description, it looks like, if all is configured properly, the tunnel should just use the IP of the active default interface (so the cellular when the ADSL is down).
I would suggest you check the tunnel settings here: https://www.digi.com/resources/documentation/digidocs/90001019/default.htm#tasks/t_configure_ipsec_tunnels.htm%3FTocPath%3DConfiguring%2520Virtual%2520Private%2520Networking%2520(VPN)%2520|Configure%2520Internet%2520Protocol%2520security%2520(IPsec)%2520|_____2 to see if something like a tunnel linked to an interface or an IKE negotiation IP source (in the advanced section) is enabled.

If you need further assistance, I would suggest you write an email to tech.support@digi.com providing a backup file from the unit (Administration > Backup/Restore), being sure to include the debug.txt file in it so we can check the whole config and logs. Also, please provide the IMEI of the router for a warranty check.

Please also see here for details on Digi Support levels: https://www.digi.com/support

Thanks!

Best Regards,
Anny
Digi Technical Support Team

I need to add something here that might be related…
When I put the Digi into port isolate mode, the DHCP client will NOT pick up an address. We have tried this with a Linux based router as DHCP server, a Windows server as a DHCP server and a Cisco as a DHCP server and we’ve tried several brand new WR21s and they will NOT get a DHCP address in port isolate mode.

I don’t know if that’s related to what I saw or not.

Cheers,
john

The DHCP client works only on Eth0.

John