Correcting or disabling branch router internet connectivity testing

I've recently deployed a branch router at a remote site for the first time, and for the most part things are going smoothly. I followed the Branch On Demand Evaluation Guide with only a handful of alterations (WPA2 Personal on the wireless network rather than going to the trouble of setting up RADIUS.) The IPSec tunnel is up, traffic is routing properly through the tunnel, clients are resolving hosts at the central office from the remote branch, etc.

The main trouble I'm having is with internet access at the branch. Periodically the router will flag the internet as down and display the following message to clients:



It appears the internet connection at the remote office is slightly flaky, and blinks out for a moment or two on a semi-regular basis. Unfortunately, after the branch router (correctly) determines the internet is down, it never seems to set it back to "up" again. The message remains until the branch router is rebooted.

While the message is being displayed to clients I can ssh into the branch router over the IPSec tunnel from the central office and successfully ping website domain names from the branch router. Running a traceroute from the branch router to a website reveals the expected route through the branch's modem. All traffic routed over the IPSec tunnel continues to function while "the internet" is "down" according to the branch router.

If I try to ping Google by name from a client machine at the remote branch I get returns from the branch router, but if I set the DNS on the client machine to something like Google's DNS servers I get returns from Google's actual IP addresses. Despite this, actually trying to browse to any website while using Google's DNS servers results in the branch router intercepting the connection and displaying the above message, even after clearing browser and DNS caches.

Ideas? Something I've set incorrectly? Pointers on how to disable the check? Suggestions on the breed of goat to sacrifice?

Greg Moore

Posted 3 years ago


joel cuya

Hi Greg,

May I know if you're still experiencing this issue? We have one site in Germany that has this once in a while. Reboot of the router was a temporary fix.

Thanks...

Will Rhodes

I'd like to know if the internet check can be disabled as well. 

I just had a situation where the internet was suspended for an overdue bill. When service was restored the router did not detect that the internet was up again. It took a reboot to get things working again. 

I feel like the router should be able to detect that service has been restored on its own.

Here are a few details in case it helps:

Service is Verizon FIOS.

When VZ suspends an account they block HTTP/HTTPS traffic and redirect it to an account suspension notice. The VPN tunnel stayed up and the computers could ping through the tunnel and out the corporate internet connection. However when they tried to browse the internet the router redirected them to the "No Internet" page. Technically they should have been able to browse the internet through the VPN tunnel but got the error page instead. 

My biggest complaint with this process is that I had to reboot the router to restore service. It should come back on its own.

Andrew Garcia, Official Rep

By default, the BR will only ping its gateway as proof that the BR can connect to the internet.  In this case, VZ is maintaining some connectivity so it can redirect you as needed.  The BR would not see the difference between the redirected state and normal operation in its default mode.

To change the BR connectivity checking behavior, add an IP Tracking for WAN policy that pings something on the internet, and remove the gateway check.

Will Rhodes

It seems like the BR has another/additional mechanism for verifying connectivity. I never lose the ability to ping the gateway. The BR acts like it can sense something is wrong along port 80/443. Maybe it can't reach hivemanager on that port? Either way, something other than "it can't ping the gateway" or an internet host (as suggested) is happening.

My VPN tunnel is up, I can remote to the machines, but the _router_ is hijacking my web traffic. Our users get the internet from the VPN tunnel (back to main office). It's very frustrating that the router is blocking the traffic when it could technically flow on through the VPN tunnel.

Bill W.

Are you sure that you have your routing policy set for "Tunnel All" and not "Split Tunnel"?  Because it sounds like your routing policy is set to "Split Tunnel".

Will Rhodes

Thanks for the reply. I'll give that a shot.

joel cuya

In our case, we have a WAN tracking attached to eth0 sending ping to two public DNS servers using multi-destination logic "AND". Still, once in a while, it is redirecting browser to "Internet Connectivity is Temporary Available" page.
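
As an added illustration (not part of the thread and not the router's implementation), the Python sketch below models a tracking policy over constructed probe results: a gateway-only check stays "up" through an upstream outage, while tracking internet hosts detects the outage and recovers on its own, and requiring every target to reply makes a single flaky target enough to flag the link down. The function name, thresholds and target names are assumptions, and `fail_when` is a parameter of this model, not the router's multi-destination setting.

```python
def track(rounds, targets, fail_when="all", down_after=2, up_after=2):
    """Model of a tracking policy (assumed logic, not the router's code).

    rounds:    one dict per probe round, target name -> True if it replied
    fail_when: "all" = a round fails only if every target is silent,
               "any" = a round fails if at least one target is silent
    The state flips only after down_after / up_after consecutive rounds.
    """
    if fail_when not in ("all", "any"):
        raise ValueError("fail_when must be 'all' or 'any'")
    state, bad, good, history = "up", 0, 0, []
    for replies in rounds:
        silent = [t for t in targets if not replies[t]]
        failed = len(silent) == len(targets) if fail_when == "all" else bool(silent)
        bad, good = (bad + 1, 0) if failed else (0, good + 1)
        if state == "up" and bad >= down_after:
            state = "down"
        elif state == "down" and good >= up_after:
            state = "up"  # recovery without a reboot
        history.append(state)
    return history


# Constructed probe results (True = reply received); target names are hypothetical.
ROUNDS = [
    {"gateway": True, "dns_a": True,  "dns_b": True},
    {"gateway": True, "dns_a": True,  "dns_b": False},  # one target blips
    {"gateway": True, "dns_a": True,  "dns_b": False},
    {"gateway": True, "dns_a": False, "dns_b": False},  # upstream outage begins
    {"gateway": True, "dns_a": False, "dns_b": False},
    {"gateway": True, "dns_a": True,  "dns_b": True},   # service restored
    {"gateway": True, "dns_a": True,  "dns_b": True},
]

if __name__ == "__main__":
    print("gateway only:", track(ROUNDS, ["gateway"]))
    print("hosts, all  :", track(ROUNDS, ["dns_a", "dns_b"], "all"))
    print("hosts, any  :", track(ROUNDS, ["dns_a", "dns_b"], "any"))
```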

Will Rhodes

I'm still having issues with the "unavailable" page. I would really like a way to turn off that functionality.