WAN Failover Data Usage?

itxnc

We're experimenting with Netgear LB1120 LTE modems for WAN failover on our USG and ATP routers. We're doing this instead of USB cellular modems because we can put the LTE modem elsewhere to get better signal (or attach a patch antenna to it). Since most of our clients the network closet, etc is a terrible place for LTE signal.

Anyway - setup is easy enough. Put in the activated LTE SIM, set the modem to bridge mode, and hook the network port to the WAN2 port on the Zyxel. Create the Trunk in Active/Passive mode and you have failover.

Here's the problem - we're seeing approximately 250MB of traffic going over the LTE modem every day (and it is remarkably consistent) - which adds up at $10/GB ($15/GB if you're on Verizon). That's $75/month just in *standby* data with the failover not even being used. The assumption was when WAN1 was online and WAN2 is set to passive - no data would go over it? Is it possible after failback that a long term connection stays up on WAN2 after everything flips back to WAN1? Haven't gotten a chance to WireShark the connection yet to figure out what the traffic is yet.

Has anyone else seen this?

Zyxel_Emily

Hi @itxnc,

Here is the behavior of wan trunk. 

The same session is running on the same interface because of link sticking.

The feature link sticking is enabled by default.

There is no configuration for link sticking on GUI or CLI.

The link sticking function is to stick the session on one of wan interface when destination address is the same until the session expires.

Hence, even if the active interface is back, the old sessions still stick to the passive interface until the old session expires.

This is to avoid the disconnection of some session-aware applications.

New sessions will go through the active interface.

You can also select other load balance algorithm for the passive interface.

Here is the configuration for user configured wan trunk. 

https://businessforum.zyxel.com/discussion/2743/wan-failover

In the configuration of active interface, remember to enable connectivity check with valid IP address.

Set small values to trigger failover more quickly. 

Zyxel_Emily

Hi @itxnc,

The passive interface is activated only when all active interfaces fail.

If only two interfaces are in a trunk and one interface is set as passive, there is no difference between spillover and least load first because only one interface is set as active mode.

The difference between spillover and least load first is obvious when there are at least two active interfaces in the trunk: 2 active interfaces and 1 passive interface.

itxnc

Suspect it was a lingering connection. I had not checked the 'Disconnect Connections Before Falling Back'

I also had used the wrong algorithm. Initially we'd used a cellular modem- which the KB says to use Weighted Round Robin for:

https://support.zyxel.eu/hc/en-us/articles/360001743233-How-to-configure-the-3G-LTE-Interface-on-the-ZyWALL-USG-as-a-WAN-Backup-

But the WAN Failover article says you have to use Spillover:

https://support.zyxel.eu/hc/en-us/articles/360005480394-WAN-Failover-via-trunk-of-a-USG

One weird thing - the video says to set the WAN1 Spillover value to something very high (say 100000kbps), but if you have the Egress value reduced so BWM works, you can't set it any higher than that (in my case 12000kbps). Not sure if it matters or not... 

Then another article says to use Least Load First...
https://support.zyxel.eu/hc/en-us/articles/360004076140-WAN-Failover-with-Mail-Alert-USG-Series-FW-4-10-

Go figure.. For now we're going to see how it works with Spillover and the spillover value at the max egress value (and 0 for WAN2). And disconnect connections on failback enabled.

Zyxel_Emily

Hi @itxnc,

Here is the behavior of wan trunk. 

The same session is running on the same interface because of link sticking.

The feature link sticking is enabled by default.

There is no configuration for link sticking on GUI or CLI.

The link sticking function is to stick the session on one of wan interface when destination address is the same until the session expires.

Hence, even if the active interface is back, the old sessions still stick to the passive interface until the old session expires.

This is to avoid the disconnection of some session-aware applications.

New sessions will go through the active interface.

You can also select other load balance algorithm for the passive interface.

Here is the configuration for user configured wan trunk. 

https://businessforum.zyxel.com/discussion/2743/wan-failover

In the configuration of active interface, remember to enable connectivity check with valid IP address.

Set small values to trigger failover more quickly. 

itxnc

So in an Active/Passive scenario where you kill connections on fail back, is there any difference between Spill-over and least load?

Zyxel_Emily

Hi @itxnc,

The passive interface is activated only when all active interfaces fail.

If only two interfaces are in a trunk and one interface is set as passive, there is no difference between spillover and least load first because only one interface is set as active mode.

The difference between spillover and least load first is obvious when there are at least two active interfaces in the trunk: 2 active interfaces and 1 passive interface.

itxnc

Zyxel_Emily said:

Hi @itxnc,

The passive interface is activated only when all active interfaces fail.

If only two interfaces are in a trunk and one interface is set as passive, there is no difference between spillover and least load first because only one interface is set as active mode.

The difference between spillover and least load first is obvious when there are at least two active interfaces in the trunk: 2 active interfaces and 1 passive interface.

That's what I figured - but just wanted to make sure. Thanks!

blechkiste

itxnc said:

Suspect it was a lingering connection. I had not checked the 'Disconnect Connections Before Falling Back'

I also had used the wrong algorithm. Initially we'd used a cellular modem- which the KB says to use Weighted Round Robin for:

https://support.zyxel.eu/hc/en-us/articles/360001743233-How-to-configure-the-3G-LTE-Interface-on-the-ZyWALL-USG-as-a-WAN-Backup-

But the WAN Failover article says you have to use Spillover:

https://support.zyxel.eu/hc/en-us/articles/360005480394-WAN-Failover-via-trunk-of-a-USG

One weird thing - the video says to set the WAN1 Spillover value to something very high (say 100000kbps), but if you have the Egress value reduced so BWM works, you can't set it any higher than that (in my case 12000kbps). Not sure if it matters or not... 

Then another article says to use Least Load First...
https://support.zyxel.eu/hc/en-us/articles/360004076140-WAN-Failover-with-Mail-Alert-USG-Series-FW-4-10-

Go figure.. For now we're going to see how it works with Spillover and the spillover value at the max egress value (and 0 for WAN2). And disconnect connections on failback enabled.

I've just configured WAN Failover with a Mikrotik LtAP LTE6 AP on a USG 500 Flex, using Least Load First and it is working fine. Fully agree though hat there is a need for Zyxel to make this clearer and provide more details of the different algorithms in context of Failover.
I've also tried with Policy Routes and albeit technically working fine, I could not find a way to disconnect connections on failover WAN when failing back as it is possible for the failover trunk. And this could either become costly or lead to a throttled through-put, depending on your LTE data subscription.