12-30-2011 05:44 AM - edited 03-04-2019 02:47 PM
Greetings all,
So here is the challenge I am coming up against. I have a 1941 router with the security licence. I am setting up both a T1 WIC that connects to my enterprise MPLS cloud and one of the two gig interfaces that will connect to my home office through a VPN tunnel to an ASA 5520. I have tried multiple solutions, though my guess is that I am making this WAY more difficult than it needs to be. What I am trying to create is a primary on the serial interface and then a failover through the VPN.
Any thoughts, suggestions are VERY welcome!
So far, I have tried to:
Track the serial interface and then set the default route based on the tracking
Create an IP SLA to echo the gateway of the serial interface to change the routing
Started to create HSRP between the two interfaces though I could not figure out if / how a standby could be put into a sub-interface on the serial
The SLA seems to be working somewhat. The problem is that it is not transparent, and sometimes it even needs me to clear the VPN tunnel to get things flowing smoothly through the serial interface again.
Like I said, I am guessing that I am going about this in a WAY too complicated way.
! Track the line protocol of the LAN/VPN-side interface
track 20 interface GigabitEthernet0/1 line-protocol
!
! Track reachability of the IP SLA probe toward the MPLS next hop
track 123 ip sla 1 reachability
!
! Site-to-site IPsec to the ASA 5520; reverse-route injects routes for the crypto ACL subnets
crypto map LEVY-CRYMAP 10 ipsec-isakmp
set peer 9.8.7.6 default
set transform-set ESP-AES-256-SHA
set pfs group1
match address CRYPTO-ACL
reverse-route
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address 1.2.3.4 255.255.255.248
ip flow ingress
duplex auto
speed auto
crypto map LEVY-CRYMAP
!
! Default routes: AD 15 via the gig side while track 20 is up, AD 153 via the MPLS hop while track 123 is up
ip route 0.0.0.0 0.0.0.0 1.2.3.4.174 15 track 20
ip route 0.0.0.0 0.0.0.0 5.6.7.8 153 track 123
!
! Interesting traffic for the tunnel
ip access-list extended CRYPTO-ACL
permit ip 10.10.91.0 0.0.0.255 any
permit ip 10.14.91.0 0.0.0.255 any
permit ip host 10.30.91.1 any
deny ip any any
!
! ICMP echo probe to the MPLS next hop, feeding track 123
ip sla 1
icmp-echo 5.6.7.8
ip sla schedule 1 life forever start-time now
!
! EEM applet: clear the IPsec session whenever track 123 changes state (up or down)
event manager applet clearcrypto
event track 123 state any
action ds cli command "clear crypto session"
!
Thanks in advance,
David
12-30-2011 10:59 AM
Hi,
Maybe you should remove the track configuration and try to do it with IP SLA only; it should work. I am using a Cisco 2921 in a similar scenario and it's working fine. The only difference I see is that I had configured my HO MPLS routers as IP SLA responders. Maybe you should try that as well.
Regards,
Pawan Sharma
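The following is an added example of the reliable-static-routing pattern being discussed, not configuration from either poster. It assumes the T1 WIC is Serial0/0/0 with the MPLS next hop 5.6.7.8 and the VPN peer 9.8.7.6 from the original post, and uses a hypothetical next hop 1.2.3.1 on GigabitEthernet0/1; adjust all three to the real addressing. The two points it shows are pinning the SLA probe to the serial path (so the probe follows the default route after a failover and the track cannot flap on a result that has nothing to do with the T1), and firing the EEM applet only when the track comes back up, rather than on every state change.

```ios
! Added example (not from the original post or the reply above).
! Assumptions: Serial0/0/0 = T1 to MPLS, next hop 5.6.7.8; Gi0/1 next hop
! 1.2.3.1 is hypothetical; VPN peer 9.8.7.6 as in the original post.
!
! 1. Pin the probe to the serial path. With source-interface plus a host
!    route for the target via the serial, the probe can only ever be
!    answered across the T1; once the T1 is down it fails cleanly instead
!    of following whatever default route is active at the time.
ip sla 1
 icmp-echo 5.6.7.8 source-interface Serial0/0/0
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
ip route 5.6.7.8 255.255.255.255 Serial0/0/0
!
! 2. Dampen the track so one or two lost echoes do not trigger a failover,
!    and require the T1 to be stable for a while before failing back.
track 123 ip sla 1 reachability
 delay down 15 up 30
!
! 3. Primary default via MPLS, tracked. The backup is a floating static via
!    the gig side with a higher AD; it needs no track of its own because it
!    is only installed while the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 5.6.7.8 10 track 123
ip route 0.0.0.0 0.0.0.0 1.2.3.1 200
!
! 4. When the T1 is restored, tear down the IPsec SAs to the peer once so
!    existing flows re-converge onto the serial path. Triggering on
!    "state any" would also clear the tunnel at the moment you begin to
!    depend on it.
event manager applet MPLS-RESTORED
 event track 123 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto session remote 9.8.7.6"
 action 3.0 syslog msg "MPLS T1 restored; cleared IPsec session to 9.8.7.6"
```

If the serial is a sub-interface (for example a Frame Relay DLCI), use that sub-interface as the probe source and as the exit for the host route; the pattern is otherwise unchanged. Verify with `show track 123`, `show ip sla statistics 1` and `show ip route 0.0.0.0` before and after pulling the T1.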