1811 Dual Wan + Failover + Host on backup Static route on not working

dlandriscina · ‎01-25-2011

Hey Guys,

So I set up my dual wan with failover which works perfectly.. basically what I need is for the server which is 10.107.67.10 to be dedicated to ISP1 and all other traffic on the 10.107.67.0 /24 network to use ISP2 as primary and then if it fails to go over to ISP1. Everything seems to work except for the server which I created a static route for .. it seems to always go through ISP2 eventhough I have a deny in the ACL. Please help me out here.. It's so simple but I dont know why its being such a headache. Attached is the config.. Thanks!!

cadet alain · ‎01-26-2011

Hi,

on f0 use ip local policy route-map director instead of ip policy route-map director

Regards.

alain.

Don't forget to rate helpful posts.

dlandriscina · ‎01-26-2011

hi Alain,

Thanks for the response. unfortunately this did not solve the problem..

2 things to note also - - ip local policy route-map director doesnt attach to the F0 interface it goes on the global config.

When I brought up the ISP2 interface, it disconnected me from my vpn connection.

any other ideas?

margalla · ‎01-26-2011

The policy routing needs to be applied to the ingress interface where the traffic you want to policy route enters the router.

In this case traffic sourced from 10.107.67.10 should be arriving on Vlan1, so:

!
interface FastEthernet0
....

no ip policy route-map director
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
...

ip policy route-map director

!

Then see what happens.

dlandriscina · ‎01-27-2011

hi, still not working.. i am convinced that the problem has to lie in the ip route statements.. i think the default route is messing it up somehow because once the backup interface is turned on.. the 10.107.67.10 server does not route through the original ISP1 gateway anymore regardless of this statement

ip route 10.107.67.10 255.255.255.255 <>

margalla · ‎01-27-2011

dlandriscina wrote:
ip route 10.107.67.10 255.255.255.255 <>

That route is saying the destination 10.107.67.10 is reached via ISP1.

I don't think that's correct. The server is in Vlan 1 I believe.

You should remove that command.

Once you've done that bring up both ISP connections, stop all other traffic in your network, and get:

1: show ip route

2: show ip nat stat

3: show route-map director

4: debug ip policy

ping somewhere from 10.107.67.10

5: undebug all

6: show route-map director

dlandriscina · ‎01-28-2011

i removed that route.. also attached is the output you requested. The address that i am pinging is one of the dns servers to ISP 1

thanks

margalla · ‎01-28-2011

The PBR is working:

Policy routing matches: 3127 packets, 389419 bytes <===

Jan 28 05:32:43.778 PCTime: IP: s=10.107.67.10 (Vlan1), d=65.106.1.196, len 60, FIB policy match
Jan 28 05:32:43.778 PCTime: IP: s=10.107.67.10 (Vlan1), d=65.106.1.196, g=<>, len 60, FIB policy routed <===

Policy routing matches: 3131 packets, 389715 bytes <===

You have "ip verify unicast reverse-path" on F0.

Since there is no route via F0 the router might be dropping any return traffic arriving on that interface.

Try removing that command.

After that you might need to check on your NAT and firewall to see that they aren't doing something wrong.

dlandriscina · ‎01-30-2011

margalla - removing that command made it work perfectly...

another question for you - I cant connect via VPN anymore.. i also tried changing the interface on the virtual template to the the main active interface Fastethernet1.. but no go?? any ideas?