I’ve got a couple of small sites with USGs connected back to a USG Pro4 at HQ with site to site VPNs. I’m having an issue where I get an alert that the 4 has failed over to the secondary internet, and then usually it falls back to primary WAN pretty quick. If I go in and disable the site to site VPN and then enable it, the VPN comes back up.
I have a few questions. Since HQ has dual WAN, has anyone set up dual site to site VPNs and then prioritized a route?
Anything else I should consider?
I’m not opposed to putting in a EdgeRouter since the USG might not be the best fit. I didn’t know that I would have to edit a json file to get the dual WAN working with site to site VPNs on the Pro 4. I have a UNMS controller, so I could still manage firmware updates if I stay with the Ubiquiti stack. I’d rather not go outside that line if I don’t have to.
The other day I saw that Ubiquiti has a power adapter thing that will let you power cycle your ISP modem power. That might actually fix the problem if it can monitor one ISP connection or another. If it’s just looking for when the internet is totally down, that shouldn’t happen since I have a backup internet connection.
This is why we don’t use USG for sites that need VPN, they are just not that solid of a product for that. Our preference for more complex networks is pfsense.
Would you consider PFsense at HQ and USG at the remote sites? Would they play well with each other? I have 30 sites on EdgeRouters or USGs, so I would rather keep the USGs at the remote sites. Also one of the remote sites is 4 hours away, so it would be real nice if I didn’t have to make a trip to swap out a router.
They should work fine together, but it has been a while since I tested them.
I finally got to the bottom of this. Kept the USG. Had to manually enable Dead Peer Detection through a .json file.
(insert disclaimer about .json file here - I know but all the other sites and gear is Unifi, so I’m more willing to do custom .json than manage a whole new vendor)