08-24-2012 10:39 AM - edited 03-04-2019 05:21 PM
I have been working on IP SLA failover, and as soon as I got the failover ISP to work I have not been able to get the primary to come back online. Any help is much appreciated.
cisco#show run
Building configuration...
Current configuration : 6299 bytes
!
! No configuration change since last restart
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$JU98$x8FeB7L/1.RmuhwTF79U0.
!
no aaa new-model
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2244275386
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2244275386
revocation-check none
rsakeypair TP-self-signed-2244275386
!
!
crypto pki certificate chain TP-self-signed-2244275386
certificate self-signed 01
quit
no ip source-route
!
!
ip dhcp excluded-address 10.1.10.1 10.1.10.14
!
ip dhcp pool ccp-pool1
import all
network 10.1.10.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 10.1.10.2
!
!
ip cef
no ip bootp server
ip domain name arrowdesigns.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX160787GR
!
!
username xxxxxx privilege 15 secret 5 $1$zP.3$5bok6jGATGcH0SiZoSk5z0
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 100 ip sla 100 reachability
delay down 10 up 20
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ETH-WAN$
ip address 2.2.2.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 1.1.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 10.1.10.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map isp1 interface GigabitEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 100
ip route 0.0.0.0 0.0.0.0 2.2.2.1 10
!
ip sla 100
icmp-echo 8.8.8.8 source-interface GigabitEthernet0
timeout 500
threshold 500
frequency 3
ip sla schedule 100 life forever start-time now
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 10 permit 10.1.10.0 0.0.0.255
no cdp run
!
!
!
!
route-map isp2 permit 110
match ip address 10
match interface FastEthernet8
!
route-map isp1 permit 110
match ip address 10
match interface GigabitEthernet0
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
08-24-2012 10:46 AM
I am a newb but... trying to help.
You are monitoring 8.8.8.8. If it is unreachable it fails over?
When it fails over, is it still unreachable?
We had our monitor IP actually outside our network (the ISP's first hop) and made a static route to it so it would only try to use one link. Make sense? Kinda?
08-25-2012 06:57 AM
Failover actually works by sending it to the second route/interface. However, the first default route will not work any longer, even from a fresh boot-up.
08-24-2012 12:05 PM
Hi,
do this:
ip access-list extended PING_GOOGLE
permit icmp any host 8.8.8.8
route-map PING_GOOGLE permit 10
match ip address PING_GOOGLE
set ip next-hop 1.1.1.x
(where 1.1.1.x is the next hop on the primary interface)
exit
ip local policy route-map PING_GOOGLE
By the way, your static routes should be pointing to the next hop, not to the directly connected IP. Is there a typo somewhere?
Regards.
Alain
Don't forget to rate helpful posts.
08-25-2012 06:59 AM
Regarding the next hop, yes. I was not exactly thorough when I cleansed the IP info. I have the next hop set to the gateway of the ISP, not internal. I will try the config. I will be working on this today after 4:00, so if you are connected I would appreciate any input.
08-25-2012 09:33 AM
Hi,
just let us know how it went.
Regards.
Alain
Don't forget to rate helpful posts.
08-25-2012 06:00 PM
I still have no success. I believe the error is somehow in the tracking object, since when I run show ip route track-table it returns that the state is down, but this is not accurate.
10-07-2012 03:51 PM
Hello Matt,
I had the same problem. Also, you have added a default route of all 0s for both of the ISPs; this way your router will always be able to reach 8.8.8.8 either from ISP one or ISP two, therefore the tracking object will never go down to let the second ISP take over.
You will need to add a static route for the Google DNS that points to the first ISP, like the following:
ip route 8.8.8.8 255.255.255.255 1.1.1.2
Hope this will help.
Ahmed Sonba
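Why forcing the probe out the primary next hop (Ahmed's host route, or Alain's local policy route, which has the same effect) is what lets track 100 recover, as an added Python model that is not from this thread: it replays IOS route selection for the 8.8.8.8 probe against the two default routes in the posted config. The ISP1/ISP2 labels, the helper names, and the assumption that a probe leaving via the backup link with the primary's source address gets no usable reply are this example's own.

```python
import ipaddress

# Constructed model of the thread's routing table: a tracked default via
# ISP1 (1.1.1.2, AD 1) and a floating default via ISP2 (2.2.2.1, AD 10).
# The route tuples and helper names here are this example's own.
PROBE_TARGET = "8.8.8.8"  # the ip sla 100 icmp-echo destination

def rib(track_up, host_route_fix):
    """Candidate routes as (prefix, next_hop, admin_distance, installed)."""
    routes = [
        ("0.0.0.0/0", "1.1.1.2", 1, track_up),  # ip route 0/0 1.1.1.2 track 100
        ("0.0.0.0/0", "2.2.2.1", 10, True),     # ip route 0/0 2.2.2.1 10
    ]
    if host_route_fix:  # ip route 8.8.8.8 255.255.255.255 1.1.1.2
        routes.append((PROBE_TARGET + "/32", "1.1.1.2", 1, True))
    return routes

def lookup(routes, dst):
    """IOS-style selection: a route whose track is down is not installed;
    among installed matches, longest prefix wins, then lowest distance."""
    dst = ipaddress.ip_address(dst)
    usable = [(ipaddress.ip_network(p), nh, ad) for p, nh, ad, ok in routes
              if ok and dst in ipaddress.ip_network(p)]
    if not usable:
        return None
    return max(usable, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def probe_next_hops(host_route_fix):
    """Next hop the probe uses with track 100 up, then with it down."""
    return (lookup(rib(True, host_route_fix), PROBE_TARGET),
            lookup(rib(False, host_route_fix), PROBE_TARGET))

def simulate(isp1_states, host_route_fix):
    """Track state after each probe for a sequence of ISP1 up/down states.
    Assumption (not stated in the thread): the probe only confirms ISP1 when
    it actually leaves via 1.1.1.2; sent out 2.2.2.1 with ISP1's source
    address it gets no usable reply. Track delay timers are ignored."""
    track_up, history = True, []
    for isp1_up in isp1_states:
        nh = lookup(rib(track_up, host_route_fix), PROBE_TARGET)
        track_up = nh == "1.1.1.2" and isp1_up
        history.append(track_up)
    return history

if __name__ == "__main__":
    events = [True, False, True, True]  # ISP1 up, fails, recovers, stays up
    print("original config:", simulate(events, False))  # stuck down after failover
    print("with host route:", simulate(events, True))   # recovers with ISP1
```

Once the tracked default is withdrawn, the only remaining match for 8.8.8.8 is the floating default via ISP2, so the probe stops testing ISP1 at all; the /32 host route outranks both defaults by prefix length whatever the track state.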
10-06-2019 10:06 AM
This is a seriously old thread however thank you. It fixed my issue. I knew that it was with the static routes but didn't know how to sort it out. This corrected an ISR 4331 for those who are searching for an answer.