Tunnel Server Selection
The VPN Gateway receives information on which tunnel-server target IP addresses are available from the AT&T Administration Server. Both a Primary list and a Secondary list can be specified. The method by which the VPN Gateway uses these lists depends on the Service being used.
Managed VPN Services
With Managed VPN Services, the tunnel servers can be a mix of Cisco or AT&T SIG. The VPN Gateway will take both the primary and secondary lists of tunnel-server IP addresses and randomize each list. The secondary list is then appended to the primary list and an attempt will be made to connect to each server from the top of the list down, until a tunnel is successfully established. If no connection has been successful by the time the end of the list is reached, the connection attempt will be considered a failure. For persistent or traffic-initiated tunnels, the connection sequence will repeat at 30 seconds, plus a random interval of up to 60 seconds later, with a newly randomized list.
ANIRA
With ANIRA, the target tunnel server IP addresses are on the AT&T VIG which consists of several blades, each with a separate IP address. A primary and a secondary list of tunnel servers are maintained and processed separately. The goal is to always connect the user to the blade that will provide the best and most efficient service: least latency, least system load. The results from each blade test are sorted based on the results of the test probe are sorted in the following manner:
- For each separate AT&T VIG site, the blades are sorted from most to least favorable.
- The first connection attempt will be made to the overall most favorable blade. If that fails, the most favorable blade at an alternate AT&T VIG site will be attempted.
The most favorable blade from each AT&T VIG site is tried first, followed by the second most favorable at each site, continuing if necessary until a connection is established or all blades have been exhausted.
Transitions Between Primary and Secondary Servers
Configuration values controlling the speed of transition back to a Primary Tunnel Server from a Secondary Tunnel Server are also defined in the VPN Gateway Profile in the AT&T Administration Server. Account administrators define the Backup TEP Max Time as the maximum session time the VPN Gateway can be connected to a secondary tunnel endpoint. Backup TEP Idle Time is also defined by the Account Administrator to define the maximum duration a connection to a secondary tunnel endpoint can be idle. When either time expires, the connection to the Secondary Tunnel Server is dropped and the VPN Gateway will retry all the Primary Tunnel Servers before returning the connection to a Secondary Tunnel Server. These values force the VPN Gateway to re-attempt the Primary Tunnel Server on regular intervals as set by the Account Administrator in the VPN Gateway Device Profile.
When connected to a Secondary Tunnel Server, Secondary Tunnel Endpoint Session Timeout values (if configured) are visible on the VPN Connected page of the VPN Gateway web interface.