Recognition of Primary Network Outage

The VPN Gateway monitors network connectivity in two ways: through VPN tunnel heartbeats or VPN traffic, and by communicating with the primary network ISP Domain Name Servers (DNS). The VPN Gateway uses a DNS request to resolve the name ‘www.att.com’ to determine if network connectivity exists. The list of DNS servers used for testing is a combination of the DNS servers supplied by the broadband ISP, the DNS servers profiled in the AT&T Administration Server Device Profile, and hard-coded default values within the VPN Gateway.

If a VPN tunnel is active, the DNS tests will not be issued as long as regular VPN tunnel heartbeats are successful, or tunnel traffic has been received within a 20-second window.

To increase efficiency and decrease network traffic associated with tunnel heartbeat attempts, the VPN Gateway will not send heartbeat attempts if VPN traffic was received in the heartbeat interval.

When using cellular, additional fields are available in the VPN Gateway Device Profile stored in the AT&T Administration Server to further limit unnecessary traffic and data charges related to VPN heartbeats. VPN Gateway devices using cellular for primary network connectivity can also define the Idle Wait Time (the duration the tunnel can be idle before sending heartbeats), the Retransmit Interval (the delay between heartbeat attempts), and the Maximum Retransmissions (the number of sent heartbeats).

Connection Testing

If an explicit network connectivity check is required, the VPN Gateway has two WAN testing options:

  1. The default option is to issue a DNS lookup of 'www.att.com'.
  2. A second option of issuing a health check to the AT&T authentication server is also available. The advantage of the health check is that DNS requests can be answered from a cache by some cable, DSL or cellular modems, which can then incorrectly return a positive response when the WAN is down.

The WAN test request is sent to each server every two seconds. If a WAN test fails, the VPN Gateway will send a test packet to the next server until the list is exhausted. The VPN Gateway will attempt to reach all servers in the list three times before assuming that the broadband connectivity has been lost. If the VPN tunnel is active over the primary network connection at the time an outage is determined, then the VPN tunnel is terminated.

Additional Information

If a network outage is caused by the interface link being removed, then the VPN Gateway will bypass the WAN testing and immediately act upon the outage. This allows a faster response than waiting for the results of WAN tests that will fail.
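The decision logic described under Connection Testing and in the link-removal note above can be modelled as follows. This is an added example, not AT&T's or the VPN Gateway's own code. It assumes that any single successful test counts as connectivity and that the two-second spacing applies between consecutive requests. The function names, the probe callbacks and the server labels are hypothetical.

```python
import time

PASSES = 3            # full passes over the server list before declaring an outage
INTERVAL_S = 2.0      # spacing between WAN test requests
QUIET_WINDOW_S = 20   # tunnel traffic newer than this suppresses WAN tests

def wan_test_needed(tunnel_active, heartbeat_ok, traffic_age_s):
    """WAN tests are skipped while an active tunnel still shows signs of life."""
    if not tunnel_active:
        return True
    return not (heartbeat_ok or traffic_age_s < QUIET_WINDOW_S)

def primary_is_up(link_up, servers, probe, sleep=time.sleep):
    """Return (up, attempts); probe(server) -> bool is one WAN test."""
    if not link_up:                  # link removed: act at once, skip WAN tests
        return False, 0
    attempts = 0
    for _ in range(PASSES):
        for server in servers:
            if attempts:
                sleep(INTERVAL_S)    # two seconds between test requests
            attempts += 1
            if probe(server):
                return True, attempts
    return False, attempts           # every server failed on all three passes

# Constructed scenario: the WAN is down, but the modem still answers DNS from cache.
def cached_dns_probe(server):
    return server == "modem-cache"   # stale cached answer for www.att.com

def health_check_probe(server):
    return False                     # nothing beyond the modem is reachable

def demo():
    waits = []
    dns = primary_is_up(True, ["isp-dns", "modem-cache"], cached_dns_probe, waits.append)
    health = primary_is_up(True, ["auth-server"], health_check_probe, waits.append)
    return dns, health, waits

if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the DNS option reports the WAN as up on the second attempt because of the cached answer, while the health check option reports the outage after three failed attempts.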

If a primary network outage is recognized on a device that has not been automatically or manually configured for the dial or cellular backup feature, the browser interface for the VPN Gateway will display a message indicating the failure and the need to configure Dial Backup for connectivity.

If the user has an active VPN connection when the outage occurs, and they are using a Remote Access (PAT) Connection, applications may need to be restarted after the backup VPN connection has been established because the secure address assigned to the user will likely change when the tunnel is transitioned.

The VPN Gateway supports a dual IPv4/IPv6 stack. The WAN testing is performed for both IPv4 and IPv6 protocols on the WAN interface. Depending on configuration preferences and availability, IPv4 or IPv6 can be used to establish IPSec tunnels or communicate with other AT&T servers.

NOTE: The determination of when the backup interface should be used can be configured to use the loss of IPv4 or IPv6 connectivity on the WAN interface.