Needing some assistance with an IP SLA setup that I'm having some issues wrapping my head around. I have a router that has two connections to a remote site router. One connection from HQ-Rtr has a serial connection to an MPLS cloud using BGP as it's routing protocol. The other connection is an Ethernet connection to an ASA (which uses an IPSEC tunnel to the remote router). Here is what I'd like to do. I'd like to use the MPLS cloud connection as the primary connection. Once it fails, I would want the Ethernet connection to the ASA to kick in. However, I would like it to fall BACK over to the MPLS cloud connection in the event that the Serial connection comes back online.
With that said, I know I'll have to use IP SLA to make this work but I'm running into an issue getting it to fall BACK to the primary route. I'm not sure why. I'm basically doing the following:
track 1 ip sla 1 reachability
ip sla auto discovery
ip sla 1
icmp-echo a.a.a.a source-interface Serial1/0
ip sla schedule 1 life forever start-time now
ip route 188.8.131.52 255.255.255.0 x.x.x.x track 1 (learned via bgp from cloud, metric 20)
ip route 184.108.40.206 255.255.255.0 y.y.y.y 25
So, to me.....this says as long as I can ping a.a.a.a from source int s1/0, the route for network 220.127.116.11 should go to x.x.x.x. Then once it fails, it falls over to y.y.y.y. It requires the 25 cost so that it doesn't take precedence over the x.x.x.x route. Am I seeing this correctly so far? Then once x.x.x.x comes back online, it SHOULD fall back over to that one being it has the lower cost route of 20. Is this right?
Well regardless it's not working quite as expected so someone had mentioned something about setting another IP SLA up with a 'Boolean and' statement. I'm not 100% sure about this so if anyone can explain this to me and how it would work in the above scenario or why it would be done, then that would help also. Here is what they suggested:
track 2 list boolean and
object 1 not
and to change my routes to look like the following:
------Remove route for x.x.x.x all-together-------
ip route 18.104.22.168 255.255.255.0 y.y.y.y track 2
I'm guessing (and I do mean guessing) this says to monitor track 1 and if track 1 is NOT true (false) then apply the route for y.y.y.y?
Can someone take a look and help me with the concept, I guess maybe I'm in left field here but I'm struggling a bit on making this work.
Thanks in advance,
Solved! Go to Solution.
Okay I think the issue is this.
You are redistributing statics into BGP. So what happens is that when your MPLS link is up you receive the loopback via BGP and it has an AD of 20 so goes into the IP routing table because it has a better AD.
When the MPLS link fails your static route with an AD of 200 is placed into the IP routing table and redistributed into BGP.
When the MPLS link comes back up your router receives the same route from the PE router.
Now your MPLS router has two routes in BGP for the same destination and prefix.
The one from the PE has a weight of 0 but the static that was redistributed locally has a weight of 32768 because that is the weight assigned to locally generated routes.
The higher the weight the better so BGP sticks with the route via the ASA.
The usual solution to this is to modify the routes received from the PE so they have a weight > 32768 and so once the MPLS link comes back up they are preferred and installed in the IP routing table.
You can do that as a test if you want however you are just unfortunate in that you have hit this issue with your test because in production it wouldn't occur.
The reason being you would have a summary route or default static route pointing to your ASA so the more specific routes via MPLS are always used if they are available.
Hope that makes sense.
Why do you need IP SLA ?
IP SLA is usually used when you need to track a static route.
But you are using BGP on the MPLS link.
If you receive a default route from BGP then simply configure a static default route with an AD > 20 pointing to the ASA
If you don't receive a default route from BGP and you don't have local internet connectivity in that site just configure a static default route pointing to the ASA.
Either way if the MPLS link fails then you don't receive BGP routes any more so your default route is used and if the link comes back up you go back to MPLS.
The only downside is that BGP can take up to 3 minutes before it realises a neighbor is down and stops advertising routes but that is dependant on the timers ie. they can be reduced if the SP agrees to it.
But you also mention you are connected to MPLS via serial so if the other end went down your router would know about it immediately and remove the BGP routes.
Hey Jon! Thanks for responding.
So I've tried that and it fails over just fine....very fast actually.....but for some reason I can never get it to fall back. I've waited quite a while to have it fall back over, but its like it won't. I've set my cost on my route to be 200 to make sure that it was >20. Does the backup link HAVE to fail in order for it to fall back? In the production scenario the backup is a cellular link and obviously we want to try and not use that as much as possible and that's why even though the cellular is up, I'd rather fall back to MPLS if its working.
As soon as your router gets the BGP routes again it should prefer those and stop using the ASA.
It may be something to do with your configuration.
The backup link doesn't have to fail.
Is the internal interface of the router for the LAN and the inside interface of your firewall in the same IP subnet and if so what is the default gateway of the clients ?
The internal interface of the ASA is just a point to point (255.255.255.252) to which I have connected to the router I'm trying to perform the routes on. For instance:
This would be the router:
ip address 192.168.10 6 255.255.255.248
ip address 192.168.10.225 255.255.255.252
ASA would have an internal interface of 192.168.10.226. There is no default route assigned on this network. Basically statically mapping each subnet. So right now I'm just routing the loopback IP to test with.
Hopefully that makes sense.
Yes. No clients, just routing to other networks.
So it failed over to the backup link (cellular) and stayed there. I looked at the bgp routes in the router and the bgp route for the remote loopback, which is what I'm pinging, is not there. However, If I remove the static route to the asa with the cost 200, it immediately pops back in the table and shifts back over to the primary route like it should. It's like it's not seeing the BGP route until I remove that static.
Yes the BGP routes are covering all the remote networks and I am pinging one of them.
Okay, if the route received by BGP is the same prefix and mask then the BGP route should replace it.
But it would have to be for the same prefix and more importantly mask.
But that aside you don't need to do this. You simply configure a static default route pointing to the ASA.
Your router will always choose the more specific routes and as long as the MPLS link is up you will have those via BGP.
If the link fails your router will fall back to the default route.
Sorry, I mean just do a shutdown on the loopback interface.
I just tried it and it seems like if I shutdown the loopback interface and then look at the central side router (where I'm doing the failover routing also the other end of the MPLS cloud), the bgp route doesn't show up any longer. Once I enable it again, it shows up Does this sound correct?
If you shut the interface down it should no longer be advertised into BGP.
Apologies but you have totally lost me now :-)
Your MPLS routers should be advertising routes for their respective LAN subnets and any loopbacks for testing.
On the same MPLS router you just need a static default route or a summary address pointing to the ASA.
Is the central site setup the same way.
Do you have any L3 switches anywhere , are you doing any redistribution from or into BGP ?
I'm sorry. I know it's confusing. It's kind of a special case and I'm doing a half test in production. Ultimately here is what I have. I have a router at one of our remote locations and it has a loopback interface on it. This router, we will call Router A. Router A is in production. It has a serial connection to MPLS and then it's local network. His loopback IP address is x.x.1.164.
I'm trying to test with another router sitting here at my desk, we'll call router B. This device is set up the same (regarding IP's) as Router A as Router A will eventually be replaced with Router B. Router B's loopback is also x.x.1.164. This router has a cell card and also a Serial connection (however I can't use the serial because I don't have the circuit hear at my desk).
Then I have the router at the central side which I'm doing my routing from that I've been trying to work out. So what I was doing was 'shutting down' the loopback on Router A (production) and attempting to get the routes to shift over in order to use the cell card (Router B) through the asa connection.
Meanwhile I'm trying to do this while not taking down anything important on the production router, hence the loopback. :)
Maybe this makes more sense. That's why I said, when I shutdown the loopback, I was referring to shutting down the loopback on the production router (Router A). I realize that wouldn't make sense after I sent it. :( Sorry about that.