0 votes
215 views 4 comments
by anonymous

Hi,

We are using PPPoE for WAN (Primary) and LTE for the failover.

The issue we are having is that the IPSEC VPN gets stuck on the LTE connection even when the internet connection is resumed back on the primary WAN. Is it possible to have the LTE connection completely disabled/down if the primary connection is switched over to the main WAN?

This issue is causing our VPN to break as the main connection has switched over to the primary WAN (PPPoE) but the VPN is still connected via LTE/Mobile.

1 Answer

0 votes
by anonymous

Hello,

Please, navigate to Network -> Failover and edit both interfaces that you use for failover (wan/mob1s1a1). In the settings for both interfaces, set flush connections on 'connected + disconnected'.

Also, if you have any custom failover rules configured on the same page, make sure that the 'sticky' option is disabled.

In case this does not resolve your issue, please replicate it by forcing failover, waiting a few minutes for the interface to fail over and the VPN to establish, and then download a troubleshoot file. The troubleshoot file can be downloaded from System -> Administration -> Troubleshoot. Attach the file by editing your question. The attached files are only visible to Teltonika moderators.

Kind Regards,

Andzej

by anonymous

Hi Andzej,

That did not work. 

When we force to LTE, the IPSEC VPN is moved over to the LTE, but when we connect back the primary WAN (PPPoE) the VPN disconnects and reconnects back to the LTE. Debug file attached.

by anonymous

Hi,

It appears that in your situation, the wired WAN becomes the main interface, removes Security Associations (SAs) over LTE, and attempts to establish an SA over the WAN. However, during the IPSec initialization, the router sends and receives the first packets via the wired WAN, but the subsequent packets are received by the mobile interface instead of the wired WAN (the peer sends packets to the mobile interface instead of WAN for some reason). As a result, this breaks the SA. Right after that, the other end of the connection tries to establish an SA via the mobile interface of RUT950. I suspect that the device on the other end has the IP address of the RUT mobile interface configured as the peer for the IPsec tunnel. Could you please check the other device and try removing the IP address of the RUT955 mobile interface as its peer? This way, the RUT950 should be able to establish SA over wired WAN.

Let me know how it goes.

Kind Regards,

Andzej

by anonymous

Hi Andzej,

We are checking the configuration on the other end.

Is it possible to have the mobile interface go down when the primary WAN (PPPoE DSL) is in service? One of the issues is that when both the WAN and LTE are active, it's causing issues.

Prior to deploying this device, we had a Meraki device and the way to solve this issue was to shut down the interface completely when it wasn't in use.

by anonymous

Hello,

In this scenario, one possible solution is to create a hotplug script. Since I am not a developer, the script could probably be better.

Create the following hotplug script in /etc/hotplug.d/iface (named 17-wwan0-off):

#!/bin/sh
# Act only when the wired WAN interface comes up.
[ "$ACTION" = "ifup" ] || exit 0
[ "$INTERFACE" = "wan" ] || exit 0

# Hold the mobile interface down so the IPsec tunnel can establish over WAN.
ip link set wwan0 down
logger -t hotplug "Disabling wwan0 for 20 seconds."
sleep 20
ip link set wwan0 up

The folder should look like this:

By implementing this script, whenever the device switches to the wired WAN interface, the mobile interface will be disabled for 20 seconds (you can adjust the time). This duration allows sufficient time for the IPSec tunnel to establish over the wired WAN. So you should also be able to retain the IP address of the RUT device on the remote peer as well (no need to remove it).

Let me know if this resolves your issues.

Kind Regards,

Andzej
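
A way to confirm what this thread is diagnosing, namely which local interface the IPsec SAs to the peer are bound to after failback (added example, not part of the original posts). It assumes the router's `ip` supports `xfrm state` and that the PPPoE device is named `pppoe-wan`; the addresses are constructed samples, and `sa_ifaces` and `sas_on_iface` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report which local interface the IPsec SAs to a peer use.
# Inputs are passed as text so the logic can be checked offline; on the router:
#   sas_on_iface "$PEER" pppoe-wan "$(ip xfrm state)" "$(ip -o -4 addr show)"
# (pppoe-wan is an assumed device name for the PPPoE WAN.)

# Constructed sample: both SAs still use the wwan0 address after failback.
SAMPLE_XFRM='src 10.20.30.40 dst 198.51.100.1
    proto esp spi 0xc0000001 reqid 1 mode tunnel
src 198.51.100.1 dst 10.20.30.40
    proto esp spi 0xc0000002 reqid 1 mode tunnel'
SAMPLE_ADDRS='7: pppoe-wan    inet 203.0.113.10 peer 203.0.113.1/32 scope global pppoe-wan
9: wwan0    inet 10.20.30.40/29 brd 10.20.30.47 scope global wwan0'

# sa_ifaces PEER XFRM_TEXT ADDR_TEXT
# Prints "local_ip iface" for each distinct local endpoint of SAs to PEER.
sa_ifaces() {
    peer=$1; xfrm=$2; addrs=$3
    printf '%s\n' "$xfrm" | awk -v peer="$peer" '
        # SA header lines look like "src A dst B"; the local end is the non-peer side.
        $1 == "src" && $3 == "dst" {
            if ($2 == peer) print $4
            else if ($4 == peer) print $2
        }' | sort -u | while read -r lip; do
        # Map the local address to the interface that owns it.
        ifc=$(printf '%s\n' "$addrs" | awk -v ip="$lip" '
            $3 == "inet" { split($4, a, "/"); if (a[1] == ip) { print $2; exit } }')
        echo "$lip ${ifc:-unknown}"
    done
}

# sas_on_iface PEER IFACE XFRM_TEXT ADDR_TEXT
# Returns 0 if every SA to PEER is on IFACE, 1 if any is elsewhere, 2 if none exist.
sas_on_iface() {
    out=$(sa_ifaces "$1" "$3" "$4")
    [ -n "$out" ] || { echo "no SA to $1"; return 2; }
    bad=$(printf '%s\n' "$out" | awk -v w="$2" '$2 != w')
    [ -z "$bad" ] && return 0
    echo "SA to $1 not on $2: $bad"
    return 1
}
```

Running the check a minute or so after the wired WAN returns shows whether the tunnel has moved back or is still negotiated from the mobile address.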