Re: IP SLA and BGP

fahadkhalid91 · ‎11-22-2023

I'm facing an issue with IP SLA. I have three ISP in my router with the Tracking. All the tracking working fine if link goes down the tracking also down and link shifted to other ISP as per preference. but recently I have configured VPN over bgp and I advertised one static route and other is through redistributed. when I check the tracking after the VPN configuration, if the ISP goes down the tracking is still up until I shut the physical interface. I have my following IP SLA and BGP config. I also have the static route from ISP-B and ISP-D. The VPN is configured with ISP-A and ISP-B. Furthermore, I have configured the same VPN on my backup router. but there I have configured VPN with ISP-C 1st and 2nd with ISP-A and there is no static Route with ISP-B on Router 2. When I check the IP SLA on Backup Router the Tracking was down when the link goes down. The Router is ISR4431

track 20 ip sla 20 reachability
!
track 30 ip sla 30 reachability
!
track 40 ip sla 40 reachability

ip route 0.0.0.0 0.0.0.0 ISP-A 20 name Internet track 20
ip route 0.0.0.0 0.0.0.0 ISP-B 30 name Internet-Sec track 30
ip route 0.0.0.0 0.0.0.0 ISP-C 40 name Internet-Ter track 40
ip route 0.0.0.0 0.0.0.0 ISP-D 50 name Internet

ip sla 20
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1/0
frequency 70
timeout 10000
threshold 2
ip sla schedule 20 life forever start-time now

ip sla 30 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1
frequency 70
timeout 10000
threshold 2
ip sla schedule 30 life forever start-time now

ip sla 40
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/2
frequency 70
timeout 10000
threshold 2
ip sla schedule 40 life forever start-time now

******* BGP **********

router bgp XXXX
bgp log-neighbor-changes
neighbor 172.18.10.2 remote-as XXXX
neighbor 172.18.11.2 remote-as XXXX

address-family ipv4
network X.X.X.X mask 255.255.255.248
redistribute static route-map ABC
neighbor 172.18.10.2 activate
neighbor 172.18.10.2 next-hop-self
neighbor 172.18.10.2 soft-reconfiguration inbound
neighbor 172.18.10.2 route-map PASS in

neighbor 172.18.11.2 activate
neighbor 172.18.11.2 next-hop-self
neighbor 172.18.11.2 soft-reconfiguration inbound
neighbor 172.18.11.2 route-map PASS in
exit-address-family

********** Route-MAP ***********

ip prefix-list AB seq 5 permit X.X.X.X/24
route-map ABC permit 10
match ip address prefix-list AB

Please if anyone has solution please let me know.

MHM Cisco World · ‎11-22-2023

Where you config vpn?

fahadkhalid91 · ‎11-22-2023

Here is my VPN Config

********* CRYPTO PROPOSAL **********

crypto ikev2 proposal ABC
encryption aes-cbc-256
integrity sha256
PRF SHA256
group 20

******** CRYPTO POLICY *********
crypto ikev2 policy 18
match address local ISP-A
match address local ISP-B
proposal ABC

******** CRYPTO KEY ***********

crypto ikev2 keyring KEY-B
peer Site-B
address X.X.X.X
pre-shared-key local XXXXXXXX
pre-shared-key remote XXXXXXXX
!

****** CRYPTO PROFILE *******

crypto ikev2 profile Site-B
match identity remote address X.X.X.X X.X.X.X
authentication remote pre-share
authentication local pre-share
keyring local KEY-B
lifetime 86400

********* CRYPTO TRANSFORM SET *********

no crypto isakmp default policy
crypto ipsec transform-set TRANSFORM-B esp-aes 256 esp-sha256-hmac
mode tunnel

******** CRYPTO IPSEC ********

crypto ipsec profile SiteA-B
set security-association lifetime seconds 28800
set transform-set TRANSFORM-B
set pfs group20
set ikev2-profile Site-B

********* VTI TUNNEL *********
interface Tunnel 006
ip address 172.18.10.1 255.255.255.252
tunnel source GigabitEthernet0/1/0
tunnel mode ipsec ipv4
tunnel destination X.X.X.X
tunnel protection ipsec profile SiteA-B

fahadkhalid91 · ‎11-22-2023

********* VTI TUNNEL *********
interface Tunnel 21
ip address 172.18.11.1 255.255.255.252
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination X.X.X.X
tunnel protection ipsec profile SiteA-B

MHM Cisco World · ‎11-22-2023

Add keepalive to vpn tunnel and check again if it down when ISP is down or not.

fahadkhalid91 · ‎11-22-2023

Is it vpn tunnel keepalive conflict with Ip sla?

fahadkhalid91 · ‎11-22-2023

Is the vpn tunnel keep alive conflict with IP sla?.. I will check that

MHM Cisco World · ‎11-22-2023

Track add remove defualt route

Keepalive up/down the vpn interface

So there is no conflict

fahadkhalid91 · ‎11-22-2023

yes, I have a issue with IP sla when the isp was going down the tracking of that isp was still up until I shut the physical interface. I need a solution for this.

MHM Cisco World · ‎11-22-2023

First remove solved from my reply'

Un solved issue make all reply and they can help you with new idea.

Second I will check this case by lab and see how we can solve it

MHM

fahadkhalid91 · ‎11-22-2023

Ok. I remove that tick that was mistakenly happend.

paul driver · ‎11-22-2023

Hello

@fahadkhalid91 wrote:
when I check the tracking after the VPN configuration, if the ISP goes down the tracking is still up until I shut the physical interface

Your overhaul topology is not clear, however it looks like you have ebgp/ibgp peering ,As for your issue it sounds like the ipsla polled ip address is still being reached via an alternatice path as such the interface isnt being torn down. I see your static defaults require some seed metric applied to them to prioritise which is the most preffered, try the following:

example:
ip route 0.0.0.0 0.0.0.0 ISP-A 20 name Internet track 20 1
ip route 0.0.0.0 0.0.0.0 ISP-B 30 name Internet-Sec track 30 2
ip route 0.0.0.0 0.0.0.0 ISP-C 40 name Internet-Ter track 40 3
ip route 0.0.0.0 0.0.0.0 ISP-D 50 name Internet 4

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

fahadkhalid91 · ‎11-22-2023

I think seed metric is only applicable on redistribution not on static route. Correct me if I'm wrong.

MHM Cisco World · ‎11-25-2023

Sorry for late reply I was busy
anyway
let start
we use 8.8.8.8 as destination for traffic which track effect defualt route,
if ip sla start work it check RIB for path to 8.8.8.8
here this is egg or chicken first
to test we if I am right add
ip route 8.8.8.8 255.255.255.255 x/x permanent
this force router use path via x/x and the status for track effect defautl route via x/x

I think VPN not make issue.
MHM

fahadkhalid91 · ‎11-27-2023

Should I have to add static route 8.8.8.8 for 3 ISP?