Cisco 2951 VSEC - Dual WAN redundancy/failover

Chris9811
Level 1

Hello everyone,

 

I try to achieve a WAN redundancy/failover with a Cisco 2951. My problem is that I have two different ISPs.

One is a cable provider and the other one is a DSL provider.

I thought I could do it like it is described here: https://learningnetwork.cisco.com/docs/DOC-28612 .

But in my case that doesn't work. Only one ISP is reachable from outside. What I want is that both ISPs are reachable from outside. I tried a lot of configurations but I can't find one that is working. So I hope someone here can help me out.

Here is my config:

track 1 ip sla 1 reachability
 delay down 10 up 10
track 2 ip sla 2 reachability
 delay down 10 up 10

policy-map wan-queue-policy
 class voip-class
  priority percent 75
 class class-default
  fair-queue
  random-detect

interface GigabitEthernet0/0
 description WAN-Vodafone-Kabel
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security Internet
 duplex auto
 speed auto
 no mop enabled
 service-policy output wan-queue-policy

interface GigabitEthernet0/1
 ip address 192.168.83.254 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 zone-member security Trusted
 duplex auto
 speed auto
 no mop enabled
 service-policy input url-block-policy

interface Ethernet0/0/0
 no ip address
 service-policy output wan-queue-policy
!
interface Ethernet0/0/0.7
 encapsulation dot1Q 7
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1496
 ip nat outside
 ip virtual-reassembly in
 zone-member security Internet
 pppoe enable group global
 pppoe-client dial-pool-number 1

interface Dialer1
 description WAN-Telekom VDSL
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security Internet
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 
 ppp chap password 
 no cdp enable

ip sla 1
 icmp-echo Next-Hop-IP-ISP1 source-interface GigabitEthernet0/0
 threshold 2
 timeout 1000
 frequency 10
ip sla schedule 1 start-time now life forever

ip sla 2
 icmp-echo Next-Hop-IP-ISP2 source-interface Dialer 1
 threshold 2
 timeout 1000
 frequency 10
ip sla schedule 2 start-time now life forever

ip nat inside source route-map CABLE interface GigabitEthernet0/0 overload
ip nat inside source route-map VDSLV interface Dialer1 overload

ip nat inside source static tcp 192.168.83.4 443 WAN-IP-ISP2 443 extendable
ip nat inside source static tcp 192.168.83.4 443 WAN-IP-ISP1 443 extendable

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
?? %Default route without gateway, if not a point-to-point interface, may impact performance ??

ip route 0.0.0.0 0.0.0.0 Dialer 1 track 2

route-map CABLE permit 10
 match ip address 101
 match interface GigabitEthernet0/0

route-map VDSLV permit 10
 match ip address 101
 match interface Dialer 1
9 Replies

VIvanov
Level 1

Are you trying to have both ISPs working at the same time?

Generally this kind of setup only provides redundancy but not a concurrent connection with both ISPs to a webserver, as the setup at the end only allows one static route. If you are looking to have the webserver accessible from both paths you would need a more robust setup.

Also you should set the admin distance on the routes to be higher for the less relevant path and only track the more relevant (bigger bandwidth) route that has a lower admin distance.

Thank you for your reply.

Yes, I am trying to have both ISPs working at the same time. And if one of them is in a "failstate" I want to use the other one.

So can you give me a more robust setup?

I tried the admin distance on the routes and it works perfectly, but only for failover.

Either two servers or two interfaces on the server would be the easiest solution; you could NAT one interface to go out of the DSL and the other out of the cable. Usually when you get into something like this you are looking for BGP dual-homed IP ranges.

How are your users connecting to the webserver, by URL or IP?

Our users connect to our webserver over a webserver URL.

Richard Burts
Hall of Fame

Originally I was not understanding the issue identified as " Only one ISP is reachable from outside."  After a bit of thinking about it I believe that you are talking about access to a web server from outside and saying that the web server is accessible from outside through only a single ISP. Is that correct? If not then please clarify.

 

If that is a correct understanding then I suggest that the issue may be the static nat that you have configured:

  ip nat inside source static tcp 192.168.83.4 443 WAN-IP-ISP2 443 extendable
  ip nat inside source static tcp 192.168.83.4 443 WAN-IP-ISP1 443 extendable

the same inside address and the same port number do not translate to two different outside addresses.

 

There is something in the config that I would comment about.

  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
?? %Default route without gateway, if not a point-to-point interface, may impact performance ??

Yes, a default route (or really any static route) which specifies an outbound interface but does not specify a next hop does have some performance impact. This is due to the fact that everything that uses this route will be treated as a locally connected destination. And that means that the router will need to ARP for every destination. So the impact has these aspects:

1) ARP for every destination means extra traffic going out the interface

2) it also means that the ARP table gets larger so more memory is used

3) it also means that every 4 hours (by default) the entry will be refreshed so more CPU cycles to process lots and lots of refreshes.

Another factor is that for this to work it requires that the connected device (in this case the provider router) must enable proxy ARP. Many organizations are disabling proxy ARP because of the security concerns associated with it. So it is possible that the static route/default route may not work at all.

 

HTH

 

Rick


Hello Richard,

 

thanks for your reply. Yes, that is correct. The problem we have is with an Exchange server and VPN access to our network.

One ISP (the one with more bandwidth) has many problems with stability. The other one runs perfectly but does not have so much bandwidth.

The Exchange server for our users has 192.168.83.4 (DNS mail.XXXXX) as inside IP.

We need to reach it over the following TCP ports from both ISPs: 443, 587, 995, 25.

The VPN endpoint is our router and we come in over IPsec and SSL VPN (WebVPN).

So we need to reach port 500 and port 4500 UDP from both ISPs.

What I want to achieve is that we can contact this server and the "VPN" over both ISPs. So it is not so important if one of the ISPs is in a failstate.

With another router (C896) which has only two Dialer interfaces (ISP1 - Dialer / ISP2 - Dialer) we have what I try to achieve on the C2951 with one Dialer and one GigabitEthernet interface.

Here is the configuration for that one (Cisco C896):

track 1 ip sla 1 reachability
delay down 30 up 30

interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security Internet
encapsulation ppp
no ip route-cache cef
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password 7

interface Dialer2
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security Internet
encapsulation ppp
no ip route-cache cef
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname
ppp chap password 7

ip nat inside source route-map VDSL-nat interface Dialer2 overload
ip nat inside source route-map VDSLV-nat interface Dialer1 overload
ip nat inside source static tcp 172.30.25.112 25 37..3 25 extendable
ip nat inside source static tcp 172.30.25.8 443 37.3 443 extendable
ip nat inside source static tcp 172.30.25.200 5222 37..3 5222 extendable
ip nat inside source static tcp 172.30.25.93 8433 37..3 8433 extendable
ip nat inside source static tcp 172.30.25.93 8488 37..3 8488 extendable
ip nat inside source static tcp 172.30.25.93 50001 37..3 50001 extendable
ip nat inside source static tcp 172.30.25.90 52113 37..3 52113 extendable
ip nat inside source static tcp 172.30.25.112 25 WAN-IP-ISP1 25 extendable
ip nat inside source static tcp 172.30.25.8 443 WAN-IP-ISP1 443 extendable
ip nat inside source static tcp 172.30.25.200 5061 WAN-IP-ISP1 5061 extendable
ip nat inside source static tcp 172.30.25.200 5222 WAN-IP-ISP1 5222 extendable
ip nat inside source static tcp 172.30.25.93 8433 WAN-IP-ISP1 8433 extendable
ip nat inside source static tcp 172.30.25.93 8488 WAN-IP-ISP1 8488 extendable
ip nat inside source static tcp 172.30.25.93 50001 WAN-IP-ISP1 50001 extendable
ip nat inside source static tcp 172.30.25.90 52113 WAN-IP-ISP1 52113 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 5


ip sla 1
icmp-echo 208.67.222.222 source-interface Dialer1
timeout 8000
frequency 25
ip sla schedule 1 life forever start-time now

route-map VDSL-nat permit 10
match ip address 101 102
match interface Dialer2
!
route-map VDSLV-nat permit 10
match ip address 101 102
match interface Dialer1

access-list 101 permit ip 172.30.25.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any

So why does this one work, and why does the same configuration with GigabitEthernet instead of a Dialer not?

 

CISCO896VAG#sh ip route 
   Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2
          i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
          ia - IS-IS inter area, * - candidate default, U - per-user static route
          o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
          a - application route
          + - replicated route, % - next hop override, p - overrides from PfR

   Gateway of last resort is 0.0.0.0 to network 0.0.0.0

   S*    0.0.0.0/0 is directly connected, Dialer1
         10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
   C        10.10.10.0/24 is directly connected, Vlan250
   L        10.10.10.254/32 is directly connected, Vlan250
         37.0.0.0/32 is subnetted, 1 subnets
   C        37..3 is directly connected, Dialer2
         109.0.0.0/32 is subnetted, 1 subnets
   C        109..2 is directly connected, Dialer1
         172.30.0.0/16 is variably subnetted, 3 subnets, 2 masks
   C        172.30.25.0/24 is directly connected, Vlan1
   S        172.30.25.99/32 is directly connected, Virtual-Access8
   L        172.30.25.254/32 is directly connected, Vlan1
         185..0/32 is subnetted, 1 subnets
   C        185..10 is directly connected, Dialer1
   R     192.168.10.0/24 [120/1] via 192.168.20.1, 00:00:18, Tunnel0
         192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
   C        192.168.20.0/24 is directly connected, Loopback0
   L        192.168.20.2/32 is directly connected, Loopback0
CISCO896VAG#ping 8.8.8.8 source dialer 1
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
   Packet sent with a source address of 185..10 
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
   CISCO896VAG#ping 8.8.8.8 so
   CISCO896VAG#ping 8.8.8.8 source di
   CISCO896VAG#ping 8.8.8.8 source dialer 2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
   Packet sent with a source address of 37..3 
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
   CISCO896VAG#


 

It seems to me that your 896 has the same issue about static address translation

 ip nat inside source static tcp 172.30.25.112 25 37..3 25 extendable
ip nat inside source static tcp 172.30.25.112 25 WAN-IP-ISP1 25 extendable

If you say that it does work to access the server over both ISP connections then I am surprised and do not understand how it is doing that.

 

I do notice one significant difference in the configuration of both routers. In your config for 2951 the 2 static default routes have the same administrative distance and so both would be active in the routing table at the same time. But the config of the 896 applies an AD on the second static default route

 ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 5

The result of this is that your routing table has only 1 of the routes active

   Gateway of last resort is 0.0.0.0 to network 0.0.0.0
   S*    0.0.0.0/0 is directly connected, Dialer1

This makes me wonder if both dialers are really active at the same time. It looks to me like it would be one dialer or the other.

 

Your test specifying the source was using ping. I wonder what results you would get if you did a similar test specifying the source for traceroute rather than ping.

 

HTH

 

Rick

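As an added example that is not part of the thread and not any poster's configuration, here is a small Python lint that encodes the three observations Richard makes above: the same inside address and port statically mapped to two outside addresses, a default route via a multiaccess interface with no gateway (ARP for every destination, dependence on the provider's proxy ARP), and two default routes that share an administrative distance and are therefore both installed. It also has a helper that shows which default route survives in the RIB for a given tracked-object state, which is the difference between the 2951 and the 896 routes. The sample configs inside it are constructed from the relevant lines of the two posted configs with placeholder WAN addresses; the parser only understands the command forms shown, expects interface names written without an embedded space (Dialer1, not Dialer 1), and treats Dialer, Serial and Tunnel interfaces or anything with `encapsulation ppp` as point-to-point, which is an assumption.

```python
"""Lint an IOS-style config for the three problems discussed in this thread."""
import re
from collections import defaultdict

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample (not the poster's full config): the relevant lines of the
# 2951 config from the thread, spelling normalised, placeholder WAN IPs kept.
SAMPLE_2951 = """\
interface GigabitEthernet0/0
 ip address dhcp
interface Dialer1
 encapsulation ppp
ip nat inside source static tcp 192.168.83.4 443 WAN-IP-ISP2 443 extendable
ip nat inside source static tcp 192.168.83.4 443 WAN-IP-ISP1 443 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
"""

# Constructed sample modelled on the 896 config: AD 5 on the backup dialer and
# one inside socket statically mapped to both WAN addresses (placeholders).
SAMPLE_896 = """\
ip nat inside source static tcp 172.30.25.8 443 WAN-IP-ISP2 443 extendable
ip nat inside source static tcp 172.30.25.8 443 WAN-IP-ISP1 443 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 5
"""

def parse_route_tail(tokens):
    """Parse '<iface> [next-hop] [AD] [track N]' (what follows 'ip route 0.0.0.0 0.0.0.0')."""
    route = {"interface": None, "next_hop": None, "ad": 1, "track": None}
    i = 0
    if i < len(tokens) and not IP_RE.match(tokens[i]):
        route["interface"] = tokens[i]; i += 1
    if i < len(tokens) and IP_RE.match(tokens[i]):
        route["next_hop"] = tokens[i]; i += 1
    if i < len(tokens) and tokens[i].isdigit():
        route["ad"] = int(tokens[i]); i += 1
    while i < len(tokens):
        if tokens[i].lower() == "track" and i + 1 < len(tokens):
            route["track"] = int(tokens[i + 1]); i += 2
        else:
            i += 1
    return route

def parse_config(text):
    """Collect interface sub-commands, static port-forward NAT entries and default routes."""
    interfaces, static_nat, default_routes, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and current is not None:   # interface sub-command
            interfaces[current].append(line.strip().lower())
            continue
        current = None
        if m := re.match(r"^interface (\S+)$", line):
            current = m.group(1)
            interfaces.setdefault(current, [])
        elif m := re.match(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line):
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            static_nat.append((proto, in_ip, int(in_port), out_ip, int(out_port)))
        elif m := re.match(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)$", line):
            default_routes.append(parse_route_tail(m.group(1).split()))
    return {"interfaces": interfaces, "static_nat": static_nat, "default_routes": default_routes}

def is_point_to_point(name, sub_commands):
    """Assumption: Dialer/Serial/Tunnel names or 'encapsulation ppp' mean point-to-point."""
    return name.lower().startswith(("dialer", "serial", "tunnel")) or "encapsulation ppp" in sub_commands

def lint(text):
    """Return findings as 'CODE: detail' strings, in the order the thread raised them."""
    cfg, findings = parse_config(text), []
    # 1. The same inside address:port statically mapped to more than one outside address.
    by_inside = defaultdict(list)
    for proto, in_ip, in_port, out_ip, _ in cfg["static_nat"]:
        by_inside[(proto, in_ip, in_port)].append(out_ip)
    for (proto, in_ip, in_port), outs in by_inside.items():
        if len(set(outs)) > 1:
            findings.append(f"NAT-DUP: {proto} {in_ip}:{in_port} is mapped to {sorted(set(outs))}")
    # 2. Default route via a multiaccess interface with no gateway: ARP for every
    #    destination, and it only works if the provider router does proxy ARP.
    for r in cfg["default_routes"]:
        sub = cfg["interfaces"].get(r["interface"], [])
        if r["interface"] and r["next_hop"] is None and not is_point_to_point(r["interface"], sub):
            findings.append(f"ROUTE-NO-NEXTHOP: default route via {r['interface']} has no gateway")
    # 3. Default routes that share an AD are all installed in the RIB at the same time.
    by_ad = defaultdict(list)
    for r in cfg["default_routes"]:
        by_ad[r["ad"]].append(r["interface"] or r["next_hop"])
    for ad, exits in by_ad.items():
        if len(exits) > 1:
            findings.append(f"ROUTE-EQUAL-AD: {len(exits)} default routes at AD {ad} ({', '.join(exits)})")
    return findings

def active_default_routes(text, track_up):
    """Exits left in the RIB for a track state {track_id: up?}; untracked routes always qualify."""
    usable = [r for r in parse_config(text)["default_routes"]
              if r["track"] is None or track_up.get(r["track"], True)]
    if not usable:
        return []
    best = min(r["ad"] for r in usable)
    return [r["interface"] or r["next_hop"] for r in usable if r["ad"] == best]
```

Running `lint(SAMPLE_2951)` reports all three findings, while `lint(SAMPLE_896)` reports only the duplicate static NAT, and `active_default_routes` shows the 896 keeping a single default route (Dialer1 while track 1 is up, Dialer2 once it goes down) whereas the 2951 keeps both as long as both tracks are up. It is a pre-change sanity check over a saved `show running-config`, not a replacement for the real test Richard asks for, which is a connection originated from outside through each ISP.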

Ok. So normally it wouldn't work on both routers?

On that router we have the AD on the second static route for failover.

 ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
 ip route 0.0.0.0 0.0.0.0 Dialer2 5

But yesterday I found out that I can ping out from both interfaces and I can reach our Exchange over both.

So how do I have to configure my router to achieve a "Dual WAN"? Is this possible with only one IP subnet?

 

And here is the output from the traceroute:

 

CISCO896VAG#traceroute 8.8.8.8 source dialer 1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  * 
  2  *  *  * 
  3  *  *  * 
  4  *  *  * 
  5  *  *  * 
  6  *  *  * 
  7  *  *  * 
  8  *  *  * 
  9  *  *  * 
 10  *  *  * 
 11  *  *  * 
 12  *  *  * 
 13  *  *  * 
 14  *  *  * 
 15  *  *  * 
 16  *  *  * 
 17  *  *  * 
 18  *  *  * 
 19  *  *  * 
 20  *  *  * 
 21  *  *  * 
 22  *  *  * 
 23  *  *  * 
 24  *  *  * 
 25  *  *  * 
 26  *  *  * 
 27  *  *  * 
 28  *  *  * 
 29  *  *  * 
 30  *  *  * 
CISCO896VAG#traceroute 8.8.8.8 source dialer 2
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  * 
  2  *  *  * 
  3  *  *  * 
  4  *  *  * 
  5  *  *  * 
  6  *  *  * 
  7  *  *  * 
  8  *  *  * 
  9  *  *  * 
 10  *  *  * 
 11  *  *  * 
 12  *  *  * 
 13  *  *  * 
 14  *  *  * 
 15  *  *  * 
 16  *  *  * 
 17  *  *  * 
 18  *  *  * 
 19  *  *  * 
 20  *  *  * 
 21  *  *  * 
 22  *  *  * 
 23  *  *  * 
 24  *  *  * 
 25  *  *  * 
 26  *  *  * 
 27  *  *  * 
 28  *  *  * 
 29  *  *  * 
 30  *  *  * 

But now I am totally confused!?

I am surprised that ping does work but traceroute does not work. At this point I do not have an explanation for that, other than that perhaps your providers have some filtering in place that denies the traceroute traffic (or perhaps denies the traceroute responses coming back). 

 

And it occurs to me that it is less important to test on traffic originated inside and going outside. The real test would be to originate traffic from outside attempting to get inside to the server. Note that vpn would be much easier assuming that the router is acting as the vpn head end since vpn traffic would get to the router on both public addresses and not need any translation.

 

HTH

 

Rick
