cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1540
Views
0
Helpful
8
Replies

1811 Dual Wan + Failover + Host on backup Static route on not working

dlandriscina
Level 1
Level 1

Hey Guys,

So I set up my dual wan with failover which works perfectly.. basically what I need is for the server which is 10.107.67.10 to be dedicated to ISP1  and all other traffic on the 10.107.67.0 /24 network to use ISP2 as primary and then if it fails to go over to ISP1.  Everything seems to work except for the server which I created a static route for .. it seems to always go through ISP2 eventhough I have a deny in the ACL.  Please help me out here.. It's so simple but I dont know why its being such a headache.  Attached is the config..  Thanks!!

8 Replies 8

cadet alain
VIP Alumni
VIP Alumni

Hi,

on f0 use ip local policy route-map director instead of ip policy route-map director

Regards.

alain.

Don't forget to rate helpful posts.

hi Alain,

Thanks for the response.  unfortunately this did not solve the problem..

2 things to note also - - ip local policy route-map director doesnt attach to the F0 interface it goes on the global config.

When I brought up the ISP2 interface, it disconnected me from my vpn connection.

any other ideas?

margalla
Cisco Employee
Cisco Employee

The policy routing needs to be applied to the ingress interface where the traffic you want to policy route enters the router.

In this case traffic sourced from 10.107.67.10 should be arriving on Vlan1, so:

!
interface FastEthernet0
....

no ip policy route-map director
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
...

  ip policy route-map director

!

Then see what happens.

hi, still not working.. i am convinced that the problem has to lie in the ip route statements.. i think the default route is messing it up somehow because once the backup interface is turned on.. the 10.107.67.10 server does not route through the original ISP1 gateway anymore regardless of this statement

ip route 10.107.67.10 255.255.255.255 <>

dlandriscina wrote:

ip route 10.107.67.10 255.255.255.255 <>

That route is saying the destination 10.107.67.10 is reached via ISP1.

  I don't think that's correct. The server is in Vlan 1 I believe.

  You should remove that command.

Once you've done that bring up both ISP connections, stop all other traffic in your network, and get:

1: show ip route

2: show ip nat stat

3: show route-map director

4: debug ip policy

       ping somewhere from 10.107.67.10

5: undebug all

6: show route-map director

i removed that route..  also attached is the output you requested. The address that i am pinging is one of the dns servers to ISP 1

thanks

The PBR is working:

  Policy routing matches: 3127 packets, 389419 bytes <===

Jan 28 05:32:43.778 PCTime: IP: s=10.107.67.10 (Vlan1), d=65.106.1.196, len 60, FIB policy match
Jan 28 05:32:43.778 PCTime: IP: s=10.107.67.10 (Vlan1), d=65.106.1.196, g=<>, len 60, FIB policy routed <===

  Policy routing matches: 3131 packets, 389715 bytes <===

You have "ip verify unicast reverse-path" on F0.

Since there is no route via F0 the router might be dropping any return traffic arriving on that interface.

Try removing that command.

After that you might need to check on your NAT and firewall to see that they aren't doing something wrong.

margalla - removing that command made it work perfectly...

another question for you - I cant connect via VPN anymore.. i also tried changing the interface on the virtual template to the the main active interface Fastethernet1.. but no go?? any ideas?

Review Cisco Networking for a $25 gift card