USG110 - WAN Failover - Policy Routes vs. WAN Trunk settings

USG_User · June 2021

Since a few days we're owning a second internet access line. But since the new fiber line has way more performance, we would like to use our "old" DSL line for failover reasons only and not for load ballancing.

In the meantime we've considered the different methods, like spill over, least load first, etc..

Further we do not like permanent ping connectivity checks. In case one server (which was choosen for connectivity check) is shortly not available, the USG would directly switch over to the "smaller" WAN port, altough WAN1 is still working.

Anyway ..., finally we found two different opportunities which are also described in following youtube tutorials:

WAN Trunk procedure: https://www.youtube.com/watch?v=jogTfujoHkI

Policy Routing: https://www.youtube.com/watch?v=6XhyZ3KWaxc

But for us, the result is the same, isn't it? Could anybody shortly explain the advantages vs. disatvantages between WAN failover realized by WAN Trunk against Policy Routes?

Are both methods able to recognize a dead WAN line without connectivity check?

For example, in last week we got an internet connection loss on the fiber line where the USG WAN port still had a connection to the provider access server but nothing could be transmitted since the backbone failed.

What kind of failure will be recognized by USG without connectivity check?

Zyxel_Stanley · June 2021

Hi @USG_User

If connectivity check function is disabled.

WAN trunk and policy route rule could failover to other interface when selected interface is physical link down.

WAN trunk -> failover to passive interface.

Policy route -> ignore policy route rule from table.

The only different is policy route priority is higher than WAN trunk.

I will recommend to use connectivity check.

It could check your network connection healthy but not only physical link.

You can check google DNS server than should without unavailable issue.

And you can configure check sensitivity in Interface setting or policy route rule.

Zyxel_Stanley · June 2021

Hi @USG_User

WAN trunk failover is only works during when connectivity check fail or interface physical link down.

When system detected all of Active interfaces are linking down, then traffic will pass through to Passive interface automatically.

WAN trunk load balancing will always work on all of “Active” interfaces.

If you selected “spillover” algorithm. The traffic will transmitted to 2nd priority interface when 1st interface loading has full.

If your ISP sometimes unable transmit data to internet successfully. Then your case will much fulfill “Failover”.

And also have to enable connectivity check for check network healthy….since your physical link may still alive.

Zyxel_Stanley · June 2021

Hi @USG_User

Yes, after primary interface connection is back then new session will pass through by primary interface continually.

The old session and traffic will transmitting by passive interface until it is timeout.

Of cause you can enter cli command to flush all of sessions exist on device.

Router# debug conntrack flush

Zyxel_Stanley · June 2021

Hi @USG_User

If connectivity check function is disabled.

WAN trunk and policy route rule could failover to other interface when selected interface is physical link down.

WAN trunk -> failover to passive interface.

Policy route -> ignore policy route rule from table.

The only different is policy route priority is higher than WAN trunk.

I will recommend to use connectivity check.

It could check your network connection healthy but not only physical link.

You can check google DNS server than should without unavailable issue.

And you can configure check sensitivity in Interface setting or policy route rule.

USG_User · June 2021

Thanks a lot Stanley for your explanations. Appreciated.

Which event is being observed when using WAN Trunk Failover with active/passive WAN without Ethernet Connectivity Check? Does the physical link has to be dead firstly, that USG is switching over to WAN2?

Or is "Spillover" also working fine (without connectivity check) when WAN1 interface isn't physical dead but ISP's backbone failed and nothing can be transmitted? (which is normally not a Spillover scenario)

I think, without connectivity check the USG is only able to switch to another WAN, in case it detects a dead interface. But in most cases the interfaces are not completely dead since the next hop/gateway is still running. That's why the connectivity check is important. Is this correct?

Zyxel_Stanley · June 2021

Hi @USG_User

WAN trunk failover is only works during when connectivity check fail or interface physical link down.

When system detected all of Active interfaces are linking down, then traffic will pass through to Passive interface automatically.

WAN trunk load balancing will always work on all of “Active” interfaces.

If you selected “spillover” algorithm. The traffic will transmitted to 2nd priority interface when 1st interface loading has full.

If your ISP sometimes unable transmit data to internet successfully. Then your case will much fulfill “Failover”.

And also have to enable connectivity check for check network healthy….since your physical link may still alive.

USG_User · June 2021

Will the USG continue to check the active WAN1 line after connectivity check on WAN1 failed and USG switched-over to passive WAN2 line? Means, does the USG automatically switch back to WAN1 as soon as it is available again?

Zyxel_Stanley · June 2021

Hi @USG_User

Yes, after primary interface connection is back then new session will pass through by primary interface continually.

The old session and traffic will transmitting by passive interface until it is timeout.

Of cause you can enter cli command to flush all of sessions exist on device.

Router# debug conntrack flush

USG110 - WAN Failover - Policy Routes vs. WAN Trunk settings

Best Answers

All Replies

Categories

Security Highlight

Security Help Center