Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
965
Views
0
Helpful
15
Replies

IP SLA and BGP

fahadkhalid91
Level 1
Level 1

‎11-22-2023 07:04 AM

I'm facing an issue with IP SLA. I have three ISP in my router with the Tracking. All the tracking working fine if link goes down the tracking also down and link shifted to other ISP as per preference. but recently I have configured VPN over bgp and I advertised one static route and other is through redistributed. when I check the tracking after the VPN configuration, if the ISP goes down the tracking is still up until I shut the physical interface. I have my following IP SLA and BGP config. I also have the static route from ISP-B and ISP-D. The VPN is configured with ISP-A and ISP-B. Furthermore, I have configured the same VPN on my backup router. but there I have configured VPN with ISP-C 1st and 2nd with ISP-A and there is no static Route with ISP-B on Router 2. When I check the IP SLA on Backup Router the Tracking was down when the link goes down. The Router is ISR4431

track 20 ip sla 20 reachability
!
track 30 ip sla 30 reachability
!
track 40 ip sla 40 reachability


ip route 0.0.0.0 0.0.0.0 ISP-A 20 name Internet track 20
ip route 0.0.0.0 0.0.0.0 ISP-B 30 name Internet-Sec track 30
ip route 0.0.0.0 0.0.0.0 ISP-C 40 name Internet-Ter track 40
ip route 0.0.0.0 0.0.0.0 ISP-D 50 name Internet


ip sla 20
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1/0
frequency 70
timeout 10000
threshold 2
ip sla schedule 20 life forever start-time now

ip sla 30 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1
frequency 70
timeout 10000
threshold 2
ip sla schedule 30 life forever start-time now

ip sla 40
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/2
frequency 70
timeout 10000
threshold 2
ip sla schedule 40 life forever start-time now

******* BGP **********


router bgp XXXX
bgp log-neighbor-changes
neighbor 172.18.10.2 remote-as XXXX
neighbor 172.18.11.2 remote-as XXXX


address-family ipv4
network X.X.X.X mask 255.255.255.248
redistribute static route-map ABC
neighbor 172.18.10.2 activate
neighbor 172.18.10.2 next-hop-self
neighbor 172.18.10.2 soft-reconfiguration inbound
neighbor 172.18.10.2 route-map PASS in

 

neighbor 172.18.11.2 activate
neighbor 172.18.11.2 next-hop-self
neighbor 172.18.11.2 soft-reconfiguration inbound
neighbor 172.18.11.2 route-map PASS in
exit-address-family


********** Route-MAP ***********

ip prefix-list AB seq 5 permit X.X.X.X/24
route-map ABC permit 10
match ip address prefix-list AB

Please if anyone has solution please let me know.

Labels:
0 Helpful
15 Replies 15

MHM Cisco World
VIP
VIP

‎11-22-2023 07:15 AM

Where you config vpn?

0 Helpful

fahadkhalid91
Level 1
Level 1
In response to MHM Cisco World

‎11-22-2023 07:21 AM

Here is my VPN Config

 

********* CRYPTO PROPOSAL **********

crypto ikev2 proposal ABC
encryption aes-cbc-256
integrity sha256
PRF SHA256
group 20


******** CRYPTO POLICY *********
crypto ikev2 policy 18
match address local ISP-A
match address local ISP-B
proposal ABC

******** CRYPTO KEY ***********

crypto ikev2 keyring KEY-B
peer Site-B
address X.X.X.X
pre-shared-key local XXXXXXXX
pre-shared-key remote XXXXXXXX
!

****** CRYPTO PROFILE *******

crypto ikev2 profile Site-B
match identity remote address X.X.X.X X.X.X.X
authentication remote pre-share
authentication local pre-share
keyring local KEY-B
lifetime 86400

********* CRYPTO TRANSFORM SET *********

no crypto isakmp default policy
crypto ipsec transform-set TRANSFORM-B esp-aes 256 esp-sha256-hmac
mode tunnel


******** CRYPTO IPSEC ********

crypto ipsec profile SiteA-B
set security-association lifetime seconds 28800
set transform-set TRANSFORM-B
set pfs group20
set ikev2-profile Site-B

 

********* VTI TUNNEL *********
interface Tunnel 006
ip address 172.18.10.1 255.255.255.252
tunnel source GigabitEthernet0/1/0
tunnel mode ipsec ipv4
tunnel destination X.X.X.X
tunnel protection ipsec profile SiteA-B

0 Helpful

fahadkhalid91
Level 1
Level 1
In response to fahadkhalid91

‎11-22-2023 07:23 AM

********* VTI TUNNEL *********
interface Tunnel 21
ip address 172.18.11.1 255.255.255.252
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination X.X.X.X
tunnel protection ipsec profile SiteA-B

0 Helpful

MHM Cisco World
VIP
VIP
In response to fahadkhalid91

‎11-22-2023 07:31 AM

Add keepalive to vpn tunnel and check again if it down when ISP is down or not.

0 Helpful

fahadkhalid91
Level 1
Level 1
In response to MHM Cisco World

‎11-22-2023 08:55 AM

Is it vpn tunnel keepalive conflict with Ip sla?

0 Helpful

fahadkhalid91
Level 1
Level 1
In response to fahadkhalid91

‎11-22-2023 08:56 AM

Is the vpn tunnel keep alive  conflict with IP sla?.. I will check that

0 Helpful

MHM Cisco World
VIP
VIP
In response to fahadkhalid91

‎11-22-2023 09:07 AM

Track add remove defualt route 

Keepalive up/down the vpn interface 

So there is no conflict

0 Helpful

fahadkhalid91
Level 1
Level 1
In response to MHM Cisco World

‎11-22-2023 10:20 AM

yes, I have a issue with IP sla when the isp was going down the tracking of that isp was still up until I shut the physical interface. I need a solution for this.

0 Helpful

MHM Cisco World
VIP
VIP
In response to fahadkhalid91

‎11-22-2023 10:25 AM - edited ‎11-22-2023 10:26 AM

First remove solved from my reply'

Un solved issue make all reply and they can help you with new idea.

Second I will check this case by lab and see how we can solve it

MHM

0 Helpful

fahadkhalid91
Level 1
Level 1
In response to MHM Cisco World

‎11-22-2023 02:37 PM

Ok. I remove that tick that was mistakenly happend.

0 Helpful

paul driver
VIP
VIP

‎11-22-2023 08:02 PM

Hello

@fahadkhalid91 wrote:
when I check the tracking after the VPN configuration, if the ISP goes down the tracking is still up until I shut the physical interface

Your overhaul topology is not clear, however it looks like you have ebgp/ibgp peering ,As for your issue it sounds like the ipsla polled ip address is still being reached via an alternatice path as such the interface isnt being torn down. I see your static defaults require some seed metric applied to them to prioritise which is the most preffered, try the following:

example:
ip route 0.0.0.0 0.0.0.0 ISP-A 20 name Internet track 20 1
ip route 0.0.0.0 0.0.0.0 ISP-B 30 name Internet-Sec track 30 2
ip route 0.0.0.0 0.0.0.0 ISP-C 40 name Internet-Ter track 40 3
ip route 0.0.0.0 0.0.0.0 ISP-D 50 name Internet 4


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

fahadkhalid91
Level 1
Level 1
In response to paul driver

‎11-22-2023 08:38 PM

I think seed metric is only applicable on redistribution not on static route. Correct me if I'm wrong.

0 Helpful

MHM Cisco World
VIP
VIP

‎11-25-2023 02:10 AM

Sorry for late reply I was busy 
anyway 
let start 
we use 8.8.8.8 as destination for traffic which track effect defualt route, 
if ip sla start work it check RIB for path to 8.8.8.8
here this is egg or chicken first 
to test we if I am right add 
ip route 8.8.8.8 255.255.255.255 x/x permanent 
this force router use path via x/x and the status for track effect defautl route via x/x

I think VPN not make issue.
MHM

0 Helpful

fahadkhalid91
Level 1
Level 1
In response to MHM Cisco World

‎11-27-2023 05:47 PM

Should I have to add static route 8.8.8.8 for 3 ISP?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card