PBR route-map (down) on FTD 2130

jrsouzajr
Level 1

Hi,
I'm configuring PBR with an SLA monitor, a route track and two new default routes. I have already configured them with FlexConfig and applied them.
The route-map and the SLA monitor and route track features were verified, and the base config was correct.
I had to create two new default routes to forward to both next hops, but the environment already had a default route with metric 1 (VCS-E - Internet), and I want to use that as the primary default route and PBR the other default routes I created, which use route track (Port-channel13).
Therefore, with this configuration it should be possible to see a positive state (up), but the default route in the final configuration is VCS-E and not Port-channel13. How can I resolve this problem?

Below, the outputs:

route-map RM_PBR_xxxx-MOBILE_2, permit, sequence 10
Match clauses:
ip address (access-lists): ACL_PBR_xxxx-MOBILE

Set clauses:
ip next-hop verify-availability 172.17.62.75 1 track 2 [down]
ip next-hop verify-availability 172.17.62.76 2 track 1 [down]
----------------------------------------------------------------

> show access-list ACL_PBR_xxxx-MOBILE
access-list ACL_PBR_xxxx-MOBILE; 1 elements; name hash: 0x9a5b319a
access-list ACL_PBR_xxxx-MOBILE line 1 extended permit object-group ProxySG_ExtendedACL_90194396285 object RedeWiFixxxx any (hitcnt=2) 0x9520cedc
access-list ACL_PBR_xxxx-MOBILE line 1 extended permit ip 172.31.252.0 255.255.254.0 any (hitcnt=2) 0x25cb00ed
---------------------------------------------------------------------------------------------------------

> show running-config route
route Port-channel13 0.0.0.0 0.0.0.0 172.17.62.76 2 track 1
route Port-channel13 0.0.0.0 0.0.0.0 172.17.62.75 2 track 2
route VCS-E_Internet 0.0.0.0 0.0.0.0 179.106.221.225 1
--------------------------------------------------------------------

> show running-config track
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
------------------------------------------------

> show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.17.62.76
Interface: Port-channel13
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.17.62.75
Interface: Port-channel13
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
---------------------------------------------------------
> show running-config interface Port-channel 11.12
!
interface Port-channel11.12
vlan 20
nameif xxxx
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.32.1 255.255.255.224
policy-route route-map RM_PBR_xxxx-MOBILE_2
--------------------------------------------------------------------

> show route 172.17.62.75

Routing entry for 172.17.62.72 255.255.255.248
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Routing Descriptor Blocks:
* directly connected, via Port-channel13
Route metric is 0, traffic share count is 1

> show route 172.17.62.76

Routing entry for 172.17.62.72 255.255.255.248
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via ospf 1
Routing Descriptor Blocks:
* directly connected, via Port-channel13
Route metric is 0, traffic share count is 1
--------------------------------------------------------------------------

> show arp | include 172.17.62.76|172.17.62.75
Port-channel13 172.17.62.75 20cf.ae56.3402 11751
Port-channel13 172.17.62.76 6c03.0966.4b82 11901

regards, 
thanks! 

14 Replies

route Port-channel13 0.0.0.0 0.0.0.0 172.17.62.76 2 track 1
route Port-channel13 0.0.0.0 0.0.0.0 172.17.62.75 2 track 2

Does this mean you have a switch connecting the FTD to two routers, and all three share the same subnet?
If yes, why don't you configure HSRP on the routers and point the FTD to the HSRP VIP?

As for your other config, I will check the track using the same source and update you.

(attachment: Screenshot (164).png)

I ran a lab, and without the static route the track is UP since it is directly connected.
Also, the traffic (the specific traffic matching the ACL) uses PBR, and if both tracks fail then it will use the RIB (VCS-E_Internet).

For other traffic it will use the default route with the lowest AD.
And you can use track1 and track2 to detect the reachability of the two paths (optional, since they are directly connected, as I assume).
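The forwarding rule described in the reply above (matching traffic takes the first tracked next hop that is up; if every tracked next hop is down the packet falls back to the RIB; non-matching traffic only ever sees the lowest-AD default route, and a tracked static route is withdrawn from the RIB while its track is down) can be checked against the outputs pasted in the original post. The Python below is an added example, not code from the thread or from Cisco: it parses the `show route-map` text in the format shown above, loads the ACL and default routes from the thread as constructed data, and lets you ask which next hop a given source would get under the real track states or under a what-if override. Function names such as `parse_route_map`, `forward` and `decide` are this example's own, and the PBR/RIB semantics it models are the ones stated in the reply, not a vendor reference implementation.

```python
import ipaddress
import re

# `show route-map` text as pasted in the thread; the bracketed flag is the track state
SHOW_ROUTE_MAP = """\
route-map RM_PBR_xxxx-MOBILE_2, permit, sequence 10
Match clauses:
ip address (access-lists): ACL_PBR_xxxx-MOBILE

Set clauses:
ip next-hop verify-availability 172.17.62.75 1 track 2 [down]
ip next-hop verify-availability 172.17.62.76 2 track 1 [down]
"""

# Expanded entry of ACL_PBR_xxxx-MOBILE from `show access-list` in the thread (constructed data)
ACLS = {"ACL_PBR_xxxx-MOBILE": [ipaddress.ip_network("172.31.252.0/23")]}

# `show running-config route` from the thread: (interface, next hop, AD, track id or None)
RIB_DEFAULTS = [
    ("Port-channel13", "172.17.62.76", 2, 1),
    ("Port-channel13", "172.17.62.75", 2, 2),
    ("VCS-E_Internet", "179.106.221.225", 1, None),
]

HEADER_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)$")
MATCH_RE = re.compile(r"^ip address \(access-lists\): (\S+)$")
NEXT_HOP_RE = re.compile(
    r"^ip next-hop verify-availability (\S+) (\d+) track (\d+) \[(up|down)\]$")


def parse_route_map(text):
    """Parse `show route-map` output.

    Returns (entries, tracks): entries is a list of
    {'name', 'action', 'seq', 'acl', 'next_hops': [(ip, seq, track_id)]}
    in display order; tracks maps track id -> True if shown [up].
    """
    entries, tracks = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            entries.append({"name": m[1], "action": m[2], "seq": int(m[3]),
                            "acl": None, "next_hops": []})
        elif m := MATCH_RE.match(line):
            entries[-1]["acl"] = m[1]
        elif m := NEXT_HOP_RE.match(line):
            entries[-1]["next_hops"].append((m[1], int(m[2]), int(m[3])))
            tracks[int(m[3])] = (m[4] == "up")
    return entries, tracks


def acl_permits(acl_name, src_ip, acls):
    """True if src_ip is covered by any source prefix of the named ACL."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in acls.get(acl_name, []))


def rib_default(rib, tracks):
    """Pick the installed default route: a tracked static route is only in the
    RIB while its track is up, and among installed defaults the lowest AD wins."""
    installed = [r for r in rib if r[3] is None or tracks.get(r[3], False)]
    iface, nh, _ad, _track = min(installed, key=lambda r: r[2])
    return ("rib:" + iface, nh)


def forward(src_ip, entries, tracks, acls, rib):
    """Next-hop decision for a packet arriving on the interface that carries
    the route-map. Returns (via, next_hop) where via is 'pbr:<route-map>'
    or 'rib:<interface>'."""
    for e in entries:
        if e["action"] != "permit" or not acl_permits(e["acl"], src_ip, acls):
            continue
        # verify-availability: first next hop (by its own sequence) whose track is up
        for nh, _seq, track in sorted(e["next_hops"], key=lambda h: h[1]):
            if tracks.get(track, False):
                return ("pbr:" + e["name"], nh)
        break  # sequence matched but every next hop is down: fall back to the RIB
    return rib_default(rib, tracks)


def decide(src_ip, track_overrides=None):
    """Run the decision against the thread's own outputs, optionally
    overriding track states for a what-if (e.g. {2: True})."""
    entries, tracks = parse_route_map(SHOW_ROUTE_MAP)
    tracks.update(track_overrides or {})
    return forward(src_ip, entries, tracks, ACLS, RIB_DEFAULTS)


if __name__ == "__main__":
    for src, overrides in [("172.31.252.10", None), ("172.31.252.10", {2: True}),
                           ("172.31.252.10", {1: True}), ("192.168.32.5", {1: True, 2: True})]:
        print(src, overrides, "->", decide(src, overrides))
```

With both tracks down, as in the pasted output, a host in 172.31.252.0/23 lands on the VCS-E default route, which is exactly the symptom reported in the original post; flipping either track to up in the override moves that host onto the corresponding Port-channel13 next hop, while a source outside the ACL keeps using the AD 1 default regardless of track state. Bringing the tracks up (the SLA echo reaching 172.17.62.75/.76) is therefore the real problem, not the route-map itself.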

Hi,

OK, but my problem is that if I don't use a default route, all traffic is forwarded to VCS-E_Internet.
In FMC the default route VCS-E is also used for the other routes. I would like to reach next hops 172.17.62.75 and 172.17.62.76 through the route-map via the PBR I created. Anyway, I will have more than one default route:
RIB: VCS-E metric 1
PBR: Port-channel13 metric 2 with route track and SLA monitor assigned.
If I remove the two default routes pointing to interface Port-channel13 (172.17.62.75 / 172.17.62.76), how can I insert the route track? Because the track is inserted in a field during default route configuration.

Anyway, I will remove the two default routes I created, see how it works, and update you.

jrsouzajr
Level 1

Hi @MHM Cisco World

I only removed the two default routes, then deployed. But I still see the route-map state: down.

> show running-config route all
route VCS-E_Internet 0.0.0.0 0.0.0.0 179.106.221.225 1
------------------------------------------------------------------
> show running-config route-map
!
route-map RM_PBR_xxxx-MOBILE_2 permit 10
match ip address ACL_PBR_xxxx-MOBILE
set ip next-hop verify-availability 172.17.62.75 1 track 2
set ip next-hop verify-availability 172.17.62.76 2 track 1

!
route-map PUBLICACION-xxxx1 permit 1
match ip address xxxx1-EXTERNAS

!
route-map PUBLICACION-xxxx2 permit 10
match ip address xxxx2-CONECTADAS
-------------------------------------------------------
> show route-map
route-map RM_PBR_xxxx-MOBILE_2, permit, sequence 10
Match clauses:
ip address (access-lists): ACL_PBR_xxxx-MOBILE

Set clauses:
ip next-hop verify-availability 172.17.62.75 1 track 2 [down]
ip next-hop verify-availability 172.17.62.76 2 track 1 [down]
-------------------------------------------------------------------------

Did you configure
sla monitor schedule start now?

Yes,
both the IP SLA and the route track have been configured. I only removed the two default routes. The IP SLA state did not change.

Below, the sla monitor output:

> show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.17.62.76
Interface: Port-channel13
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
----------------------------------
Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 172.17.62.75
Interface: Port-channel13
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

show running-config sla monitor

Can you share this?

Is 172.17.62.72 the IP of Port-channel 13 that you use as the source of the echo?

No.

For Port-channel 13 I'm using this below:

(attachment: jrsouzajr_0-1671832892922.png)

All config from my view is OK, but the track is still down!!
I checked one point that can cause this issue:
have you configured any icmp deny on the Port-channel interface (icmp toward the interface, not icmp passing through the interface)???

All right, thanks for helping me with this task and for confirming all the config is OK.

So, I haven't configured any icmp deny on the Port-channel interface. I have not configured any icmp deny, but I will check again. This was the only troubleshooting step I hadn't done. In fact, this interface

jrsouzajr
Level 1

Sorry...... to be continued here:

All right, thanks for helping me with this task and for confirming all the config is OK.

So, I haven't configured any icmp deny on the Port-channel interface. I am not configuring any icmp deny, but I will check again. This was the only troubleshooting step I hadn't done.
In fact, I tried a ping to 172.17.62.75/172.17.62.76 with Port-channel 13 as the source, but it doesn't work.
My workday is over and I will be back on Monday at 8:00 AM. I'll update you again, is that OK?

Thank you so far bro, good night and Merry Christmas!

Hi,

After trying unsuccessfully to solve the problem, I will open a ticket with Cisco support (TAC) and wait for an update on this.
