VPN Failover via WAN Virtualization

WAN Virtualization (aka Channel Bonding) enables point-to-point per packet load balancing across multiple Internet connections allowing for true WAN link bandwidth aggregation between sites.

VPN tunnels may be established within the bonded channels and will be aggregated over the multiple links. Failure of any of the WAN lines will not result in the loss of the tunnel since the traffic will continue to flow over all remaining links.

The purpose of this document is to provide an example for setting up WAN Virtualization between two sites. First, we plan the site numbers that will define each site. Chicago will be defined as Site 1 and is on the left side in the following diagram. Minneapolis will be defined as Site 2 and is on the right side of the diagram.



Go to WAN Virtualization under Advanced Setup.

Enter the appropriate Site Number for the local site. Next, under the Site Management section, the remote site(s) are defined with a Site Number and Site Name. The site name is a unique identifier used to distinguish between sites and should be easily recognizable. Naming sites by geographical location is a popular choice.

For our example below, the Chicago site is being configured with the Site Number of 1, the remote site as site number 2, and the remote site name is Minneapolis.

The configuration on the opposite site will mirror the configuration of site 1. For our example, the Minneapolis site will be configured with a Site Number of 2, the remote site number is 1, and the remote site name is Chicago.

After the settings are configured, click on the “Activate” button. To ensure the changes are permanent, the “Save Changes” box needs to be selected when clicking the “Activate” button. If the “Save Change” box is not selected, the Ecessa™ will revert to the previous settings after a reboot.

The Configure button between the Site Name and Delete button should now be active. Click on it to open the configuration pages unique to the site.

The Basic configuration page identifies the WAN addresses and LAN traffic used to communicate between the local and remote sites. Each Site- to-Site channel must be defined by entering theInitiation Point Addresses (local site) and End Point Addresses (remote site) that will be used. The Local and Remote configurations for a pairing should be mirror images.

Click the Add Entry button to create a new entry row for the corresponding section. Enter the appropriate values in the fields and click on the “Activate” button.

To delete an existing entry, click the “Delete” button for the corresponding row.

To modify an existing entry, change the values in the table and click on the “Activate” button. You can modify the settings for more than one entry at a time.

Local Configuration

Enter all local IP addresses to be included in the channel. This must be a minimum of one IP address in the channel. Uplink and Downlink speeds should be the actual line speed. On versions 10.3.5 and later, enable the Dynamic setting if the WAN entry is dynamic (DHCP/PPPoE) or if the WAN is behind a device that has a dynamic public IP.

Remote Configuration

Enter all IP addresses of the remote site to be included in the channel. Uplink and Downlink speeds should be the actual line speed. n versions 10.3.5 and later, enable the Dynamic setting if the WAN entry is dynamic (DHCP/PPPoE) or if the WAN is behind a device that has a dynamic public IP.

Site Encryption (Optional)

Use this section to create an IPSec security association to encrypt the tunnels. All tunnels will be automatically encrypted but tunnel encryption can be modified by going to the WAN Virtualization Advanced tab.

The VPN can also be viewed/modified by going to the VPN section of the user interface (Advanced Setup > VPN in the left-hand menu).

Dynamic Update (Prior to version 10.3.5)

The Dynamic Update box should be selected if the local endpoint IP addresses listed are dynamic (obtained via DHCP). This option allows those endpoints to be updated upon change. Enter the login information for the remote Ecessa™ to dynamically update the local endpoints to the remote site. Use the ‘user’ (not the ‘root’ user) account of that device to login over HTTPS (HTTPS must be enabled on the remote Ecessa™).

Routing traffic over WAN Virtualization tunnels (Versions 9.2 and later)

Starting in version 9.2, the static routes are used to send traffic over the WAN Virtualization tunnels instead of using the LAN Traffic Identification section in the WAN Virtualization basic tab. This is to streamline the routing table and make it easier to manage routing priorities.

To create the static route, set the source and destination networks and then enter the WAN Virtualization remote site name as the "Route" to use.

LAN Traffic Identification (Prior to version 9.2)

Send identified traffic from local LANs over the bonded channel to remote LANs. Any traffic identified by an entry is passed through channel bonding without modification to the destination site. Traffic is aggregated over all available tunnels, and will continue over remaining tunnels if any WAN links fail. This allows for the configuration of a VPN tunnel that is terminated at VPN servers on the LAN side of each Ecessa™.

Local Network/Netmask: The address and netmask of a local host or subnet which is on a LAN network configured on the local Ecessa.

Remote Network/Netmask: The address and netmask of a remote host or subnet which is on a LAN network configured on the remote Ecessa.

After you have identified your LAN tunnels, select the Allow identified LAN traffic through bonded lines box.

For our example, the first entry under Initiation Point Address on Site 1 is That is the first entry of the End Point Address on Site 2. Every entry on one site should be a mirror image on the opposite site.

Additionally, there is a Site-to-Site VPN connection going over channel bonding. No other traffic on either side of the LAN is allowed to use the Site-to-Site Line Bonding because a /32 mask is used. This is considered Ecessa’s best practice for security.




Once the basic configuration is completed for both sites, channel bonding should be enabled. Return to the main WAN Virtualization page and select the Enable WAN Virtualization box. Next, enable the sites under the Site Management section. Click on the “Activate” button and save the changes.


The Line Monitoring tab displays statistics for each of the tunnels.

Line Monitoring

Use this page to monitor various Site-to-Site statistics for a site. All statistics on this page can be refreshed by clicking the Refresh button. Optionally, all statistics can also be auto-refreshed periodically by enabling this feature in the Web Options->Site-to-Site page.

The first section contains the following items:

Enable Line Testing: Enable this checkbox to turn on line RTT and packet loss testing for this site.

Max Rtt: Maximum allowable round trip time. If round trip time of a tunnel is greater than Max Rtt then an alternative tunnel will be used if possible. A value of 0 is disabled.

Max Packet Loss: Maximum percentage of packet loss allowed. If packet loss through a tunnel is greater than Max Packet Loss then an alternative tunnel will be used if possible. A value of 100 is disabled.

The second section contains the following items:

Tunnel #: Index number of this tunnel. A “+” next to the index indicates this is a primary path for all non-statically routed traffic. All other tunnels without this designation are standby.

Weight: This is the relative weight of this tunnel for outbound channel bonding traffic load balancing (based on configured speeds).

IPA: Initiation Point Address as specified in the Local Configuration.

EPA: End Point Address as specified in the Remote Configuration.

Reordered (%): The current percentage of packets received out of order on this tunnel, and subsequently reordered (Reordered Mode Only).

pl (%): Packet loss as a percentage of received packets over this tunnel.

rtt (ms): Round trip time along this path (constantly updated).

Status: The status of the path from IPA to EPA which is either UP or DOWN.

RX/TX: The current byte count of packets received/transmitted on this tunnel.

The next section is Site-to-Site Static Route Statistics (Reordered Mode Only). This section can be expanded/collapsed by clicking the +/- icon next to the title. Each static route configured on the Advanced tab of the WAN Virtualization page is displayed. The TX Bytes column contains the current count of transmitted bytes for each static route.

To save changes to configurable items (Max Rtt, Max Packet Loss, etc) click the “Activate” button.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.