Despite the very high availability of the icom Connectivity Suite - VPN, a redundant instance can preserve availability in the event of a rare failure of the primary instance.

The icom Connectivity Suite - VPN is a service of INSYS icom for the simple and secure network connection of locations, plants, control centers and mobile devices via a VPN network.

Note: This Configuration Guide only applies to routers of INSYS icom running under the icom OS operating system. These include the router series MRX, MRO, ECR, SCR as well as MIRO and MIROdul.

Situation

You are using the icom Connectivity Suite - VPN and would like to take further action to avoid unexpected downtime.

Solution

Various technologies ensure that each instance of the icom Connectivity Suite - VPN has a very high level of availability. However, the permanent availability of the icom Connectivity Suite - VPN may be limited by short-term failures of individual elements of the instance. For critical applications, a secondary instance hosted in another data center can be used, to which the router switches in the event of a failure of the primary instance. A fallback function regularly checks the return of the primary instance and switches back to it if it is available again.

Caution: Increasing the availability of the icom Connectivity Suite - VPN through redundant instances is not possible for instances configured to connect to routers in mainland China (China VPN).

The following Configuration Guide shows the requirements for the secondary instance and how to configure a router registered in the icom Connectivity Suite - VPN accordingly.

Important: The primary and secondary icom Connectivity Suite - VPN instances described here remain separate networks. Therefore, all devices necessary for redundant communication via the secondary instance (e.g. used during a failure of the primary instance) must be properly licensed and configured, as described in this Configuration Guide.

It is assumed that you

  • have already registered an account for the icom Connectivity Suite - VPN, as described in this Configuration Guide,

  • have added the router to the icom Connectivity Suite - VPN as described in this Configuration Guide, and

  • have configured the router to connect to the icom Connectivity Suite - VPN as described in this Configuration Guide.

Ordering a secondary instance

  1. Contact the INSYS icom sales department and order another instance of the icom Connectivity Suite - VPN. Mention that you want to use the secondary instance for redundant operation and that it is to be hosted in a different data center than your primary instance.

INSYS icom will ensure that both instances are hosted in different data centers.

Note: This secondary instance is not intended for simultaneous operation with the primary instance, but as a backup in case the primary instance is not available.

Reconfiguring the connection to the icom Connectivity Suite - VPN

Routers configured to connect to the icom Connectivity Suite - VPN before Q2 2023 must be reconfigured to enable secure redundancy operation. If the router was configured for operation with the icom Connectivity Suite - VPN after Q1 2023, this step can be skipped.

  1. Open the portal of the icom Connectivity Suite for your primary instance:

  2. Select the Devices tab.

  3. Go to the row of the router to be configured and click on Download (tray arrow down) in the Manage column.

  4. Click on INSYS Router Configuration and save the configuration file on your computer. [2]

  5. Open the web interface of the router: https://192.168.1.1/ui/index.html [3]

  6. On the Administration → Profiles page, click on the upload icon (file upload) in the ASCII configurations section and upload the previously downloaded ASCII configuration file.

  7. Click on SUBMIT.

  8. On the Administration → Profiles page, click on the cog icon behind the previously uploaded configuration file in the ASCII configurations section.

  9. Then click on the cog icon in the action area that opens and then on APPLY ASCII CONFIGURATION. [4]

  10. Click on ACTIVATE PROFILE (cog icon). [5]

The profile updated with the ASCII configuration file will be activated and the router will now reconnect to this instance of the icom Connectivity Suite - VPN.

Adding the router to the secondary instance of the icom Connectivity Suite - VPN

The router must also be added to the secondary instance of the icom Connectivity Suite, which will then provide a configuration file for the connection.

  1. Open the portal of the icom Connectivity Suite for your secondary instance in another browser: [6].

  2. Add the router as described in this Configuration Guide.

  3. In the row of the newly added router, click on Download (tray arrow down) in the Manage column.

  4. Click on INSYS Router Configuration and save the configuration file to your computer.

Configuring the router for a connection to the secondary instance of the icom Connectivity Suite - VPN

The configuration file of the secondary instance must be uploaded to the router. It configures a second OpenVPN connection to the secondary instance of the icom Connectivity Suite there and also creates the associated routes and filter rules. It also adds an update server for the secondary instance. The OpenVPN connection to the secondary instance will be added to the existing WAN chain and must be manually moved to a second WAN chain that will be used to establish the connection to the secondary instance.

  1. Open the web interface of the router: https://192.168.1.1/ui/index.html

  2. In the Administration → Profiles menu, click on the plus icon in the ASCII configurations section and upload the previously downloaded ASCII configuration file of the secondary instance.

  3. Click on SUBMIT.

  4. On the Administration → Profiles page, click on the cog icon behind the previously uploaded configuration file of the secondary instance in the ASCII configurations section.

  5. Then click on the cog icon in the action area that opens and then on APPLY ASCII CONFIGURATION.

  6. On the Network → WAN / Internet page, click on the pencil icon behind the WAN chain wan1 to edit this WAN chain.

  7. Click on the copy icon (content copy) at the top right to copy this WAN chain.

  8. Click on SUBMIT.

  9. Click on the pencil icon behind the WAN chain wan1 again to edit this WAN chain.

  10. Delete the third interface of the WAN chain, openvpn2, by clicking on the trash icon in the Starting position 3 field.

  11. Click on MORE (chevron down) at the bottom of the Starting position 2 field of the second interface of the WAN chain, openvpn1, and select the WAN chain wan2 under Failure WAN chain. [7]

  12. Click on SUBMIT.

  13. Click on the pencil icon behind the WAN chain wan2 to edit this WAN chain.

  14. Change the Description of the WAN chain: [Startup] WAN2 (suggestion)

  15. Delete the second interface of the WAN chain, openvpn1, by clicking on the trash icon in the Starting position 2 field.

  16. Click on MORE (chevron down) at the bottom of the Starting position 2 field of the current second interface of the WAN chain, openvpn2, and select the WAN chain wan1 under Failure WAN chain.

  17. Check the option Limit lifetime, enter a lifetime for this WAN chain and select wan1 under WAN chain upon expiry. [8]

  18. Click on SUBMIT.

  19. Activate the profile with a click on ACTIVATE PROFILE (cog icon).

The router now has two WAN chains, wan1 and wan2, the first of which starts the OpenVPN connection to the primary instance of the icom Connectivity Suite and the second of which starts the OpenVPN connection to the secondary instance. If the OpenVPN connection to the primary instance of the icom Connectivity Suite is detected as broken, the second WAN chain will be started, which establishes an OpenVPN connection to the secondary instance of the icom Connectivity Suite. In order to avoid continuous operation with the secondary instance, this WAN chain will be disconnected again after a certain time has elapsed and the WAN chain wan1 will be restarted, which starts an OpenVPN connection to the primary instance of the icom Connectivity Suite. If the primary instance is available again, operation will return to normal via the primary instance; if it is not yet available again, there will be another temporary switch to the secondary instance.
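The switching behaviour described above can be traced with a small model. This is an added example, not INSYS icom code; the one-minute ticks, the one-minute cost of a failed connection check and the outage windows are assumptions constructed for illustration.

```python
from collections import Counter

# Instance reached by each WAN chain, as configured in the steps above.
INSTANCE = {"wan1": "primary", "wan2": "secondary"}
OTHER = {"wan1": "wan2", "wan2": "wan1"}


def simulate(total_min, lifetime_min, outages):
    """Model the two WAN chains minute by minute.

    outages maps "primary"/"secondary" to a list of (start, end) minutes,
    end exclusive. Model assumptions (not taken from the guide): one-minute
    ticks, a failed connection check costs one minute offline, and tunnels
    come up instantly.
    Returns a list of (minute, chain, instance or None when offline).
    """
    chain, age, timeline = "wan1", 0, []
    for t in range(total_min):
        inst = INSTANCE[chain]
        up = not any(s <= t < e for s, e in outages.get(inst, []))
        timeline.append((t, chain, inst if up else None))
        age += 1
        if not up:
            # "Failure WAN chain": wan1 -> wan2 and wan2 -> wan1.
            chain, age = OTHER[chain], 0
        elif chain == "wan2" and age >= lifetime_min:
            # "Limit lifetime" with "WAN chain upon expiry" = wan1.
            chain, age = "wan1", 0
    return timeline


def summarize(timeline, primary_back_at):
    """Minutes per state and the delay until traffic is back on primary."""
    minutes = Counter(inst or "offline" for _, _, inst in timeline)
    back = next((t for t, _, inst in timeline
                 if t >= primary_back_at and inst == "primary"), None)
    delay = None if back is None else back - primary_back_at
    return dict(minutes), delay


if __name__ == "__main__":
    # Constructed scenario: primary instance unreachable from minute 5 to 30.
    for lifetime in (10, 3):
        tl = simulate(45, lifetime, {"primary": [(5, 30)]})
        print(lifetime, summarize(tl, primary_back_at=30))
```

In this model, a shorter lifetime returns the router to the primary instance sooner after it recovers, but each expiry during the outage costs another brief interruption of the connection to the secondary instance.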

Note: To ensure the availability of the devices in times of unexpected downtime of the icom Connectivity Suite, it is important that you regularly test the connection of the devices to the secondary instance to ensure that it is available when you need it. Regular testing provides the additional benefit of regular updates, which help to ensure the reliability of the configuration.

Note: Availability can be improved in a similar way through redundancy of the WAN connection, for example by a second cellular connection via another provider or an additional LAN connection, using WAN chains. Refer to this Configuration Guide for this.

Note: However, the setup described in this Configuration Guide does not yet ensure a secure configuration for the icom Connectivity Suite - VPN, since this depends on the router settings that have already been made. If, for example, more than one WAN chain or a VPN tunnel has already been configured, this may cause conflicts with the configuration file. Further manual editing of the configuration is then necessary. Instructions for this are available in the inline and online help of the router. Click the question mark (help) in the header of the classic web interface to show the inline help.

Note: Because two update servers are configured for the regular update of the data required for the OpenVPN connection, errors may be generated for the inaccessible update server of the currently disconnected instance of the icom Connectivity Suite when an attempt is made to access it. These errors cannot be avoided and can be ignored.

Troubleshooting

  • You can verify a successful connection when the state changes to online on the Devices tab of the icom Connectivity Suite. Please note that this may take up to a few minutes.

  • If the router does not come online, check the following:

    • Condition of the cellular connection under Status → Dashboard (for an LTE router)

    • Condition of the OpenVPN connection under Status → Dashboard

    • OpenVPN log in the Status → Logs menu

  • Refer to the icom Connectivity Suite manual for more information.




1. Your partner link may differ from this link.
2. This is a regular ASCII configuration file for updating the profile of the router with the necessary settings.
3. Login depending on configuration
4. Applying an ASCII configuration file means that the open profile is supplemented by or modified by the configurations it contains. The opened profile will not be activated by this.
5. All settings are stored in profiles. Only activating a profile causes the router to adopt and execute the settings.
6. The secondary instance cannot be opened in the same browser window as the primary one and must be opened in another browser or, for example, in private mode of the same browser.
7. If the connection check configured for this interface detects a connection failure, the WAN chain wan2 will be started, which is used to establish the connection to the secondary instance of the icom Connectivity Suite - VPN.
8. The WAN chain for the connection to the secondary instance will be disconnected after the lifetime has expired and the WAN chain wan1 will be started, which is used to establish the connection to the primary instance of the icom Connectivity Suite - VPN.