IP SLA Fail Over not failing back

mcmattcole
Level 1

I have been working on IP SLA failover, and as soon as I get the failover ISP to work, I have not been able to get the primary to come back online. Any help is much appreciated.

cisco#show run
Building configuration...

Current configuration : 6299 bytes
!
! No configuration change since last restart
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$JU98$x8FeB7L/1.RmuhwTF79U0.
!
no aaa new-model
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2244275386
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2244275386
 revocation-check none
 rsakeypair TP-self-signed-2244275386
!
!
crypto pki certificate chain TP-self-signed-2244275386
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323434 32373533 3836301E 170D3132 30353138 30323034
  35355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32343432
  37353338 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C625 9AAC3817 6C0BD1B3 AA8E3B88 5F5FFE48 153097E8 2EAE8BF4 8737CF78
  504CF62F 62CC8A7D EEBF7F37 17045F4B 2D87ECD1 F94CED93 002EA112 D381E86C
  B452FF83 223FFB1E 3B663DD1 33E787CD 9324AD50 854353A5 BB949DF3 29C4C0F1
  0864614E 7A5ED128 40D0DCC9 106A360C 34A19FB0 55F9108A A89048C5 4A32D981
  E1DD0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
  551D1104 1A301882 16636973 636F2E61 72726F77 64657369 676E732E 636F6D30
  1F060355 1D230418 30168014 7D988EFE 28B0D950 11276945 949A5684 1BE5B166
  301D0603 551D0E04 1604147D 988EFE28 B0D95011 27694594 9A56841B E5B16630
  0D06092A 864886F7 0D010104 05000381 81004625 5F9C2281 7F602CD0 C95418DC
  A2CF35A4 8920360D 3D6CDCA7 003CD350 2D6AAE5D 27D34919 6FF5FC88 EDD472BC
  63E47C25 818A717C C06BD364 CF0E9498 ECB0476E A68993E9 F726A5D4 2B212645
  99B523A1 EE2C7935 24378CA5 1A45D6CB DDED1680 D4AE5FF3 6C46CE78 AABEE5D7
  FE0629EF 26CF1222 94C59142 7FC05837 3013
        quit
no ip source-route
!
!
ip dhcp excluded-address 10.1.10.1 10.1.10.14
!
ip dhcp pool ccp-pool1
   import all
   network 10.1.10.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 10.1.10.2
!
!
ip cef
no ip bootp server
ip domain name arrowdesigns.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX160787GR
!
!
username xxxxxx privilege 15 secret 5 $1$zP.3$5bok6jGATGcH0SiZoSk5z0
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 100 ip sla 100 reachability
 delay down 10 up 20
!
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
 description $ETH-WAN$
 ip address 2.2.2.2 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 1.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 10.1.10.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map isp1 interface GigabitEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 100
ip route 0.0.0.0 0.0.0.0 2.2.2.1 10
!
ip sla 100
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0
 timeout 500
 threshold 500
 frequency 3
ip sla schedule 100 life forever start-time now
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 10 permit 10.1.10.0 0.0.0.255
no cdp run
!
!
!
!
route-map isp2 permit 110
 match ip address 10
 match interface FastEthernet8
!
route-map isp1 permit 110
 match ip address 10
 match interface GigabitEthernet0
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

8 Replies

Andrew Cormier
Level 1

I am a newb but... trying to help.

You are monitoring 8.8.8.8. If it is unreachable, it fails over?

When it fails over is it still unreachable?

We had our monitor IP actually outside our network (the ISP's first hop) and made a static route to it so it would only try to use one link. Make sense? Kinda?

Failover actually works by sending it to the second route/interface. However, the first default route will not work any longer, even from a fresh boot-up.

cadet alain
VIP Alumni

Hi,

do this:

ip access-list extended PING_GOOGLE
 permit icmp any host 8.8.8.8
route-map PING_GOOGLE
 match ip address PING_GOOGLE
 set ip next-hop 1.1.1.x
exit
ip local policy route-map PING_GOOGLE

where 1.1.1.x is the next hop on the primary interface.

By the way, your static routes should be pointing to the next hop, not to the directly connected IP. Is there a typo somewhere?

Regards.

Alain

Don't forget to rate helpful posts.

Regarding the next hop, yes. I was not exactly thorough when I cleansed the IP info. I have the next hop set to the ISP's gateway, not an internal address. I will try the config. I will be working on this today after 4:00, so if you are connected I would appreciate any input.

Hi,

just let us know how it went.

Regards.

Alain

Don't forget to rate helpful posts.

I still have no success. I believe the error is somehow in the tracking object, since when I run "show ip route track-table" it returns that the state is down, but this is not accurate.

Hello Matt,

I had the same problem. Also, you have added a default route of all 0s for both of the ISPs; this way your router will always be able to reach 8.8.8.8 either from ISP one or ISP two, therefore the tracking object will never go down to let the second ISP take over.

You will need to add a static route for the Google DNS that points to the first ISP.

Like the following:

ip route 8.8.8.8 255.255.255.255 1.1.1.2

Hope this will Help

Ahmed Sonba
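The two replies above converge on the same fix from two directions: the probe to 8.8.8.8 must always leave through ISP1, no matter which default route is currently installed. The reason failback never happens in the posted config is that "source-interface GigabitEthernet0" only chooses the probe's source address; the packet itself follows the routing table. Once the floating default via 2.2.2.1 is active, the probe leaves FastEthernet8 with a 1.1.1.1 source, where ISP2's anti-spoofing filter typically drops it (or the reply comes back asymmetrically through the down link), so track 100 never goes up again and the tracked default route is never reinstalled. Pinning the probe target to ISP1, either with a host route (Ahmed's fix) or with local policy routing (Alain's fix), breaks that loop. The following is an added, consolidated example and not configuration from the thread; the next-hop addresses 1.1.1.2 and 2.2.2.1 are the sanitised values from the original post, and the EEM applets at the end are an addition of mine that assumes the IOS image supports EEM, which the thread does not state.

```ios
! Added example, not the original poster's running config.
!
! 1. Pin the probe target to ISP1 (Ahmed's host route). While GigabitEthernet0
!    is up, this route is preferred over both defaults; if the interface goes
!    down, the route is withdrawn, the probe has no usable path and the track
!    goes down, which is the desired behaviour in both directions.
ip route 8.8.8.8 255.255.255.255 1.1.1.2
!
! Alternative with the same effect (Alain's local PBR). It only steers
! router-originated ICMP to 8.8.8.8, so LAN traffic to 8.8.8.8 is not pinned.
! Enable one or the other, not both.
!ip access-list extended PING_GOOGLE
! permit icmp any host 8.8.8.8
!route-map PING_GOOGLE permit 10
! match ip address PING_GOOGLE
! set ip next-hop 1.1.1.2
!ip local policy route-map PING_GOOGLE
!
! 2. Probe and tracking object, as posted. "delay" damps flapping: 10 s of
!    failed probes before failover, 20 s of good probes before failback.
ip sla 100
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0
 timeout 500
 threshold 500
 frequency 3
ip sla schedule 100 life forever start-time now
!
track 100 ip sla 100 reachability
 delay down 10 up 20
!
! 3. Primary default follows the track; the floating static (AD 10) is
!    installed only while the tracked route is withdrawn.
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 100
ip route 0.0.0.0 0.0.0.0 2.2.2.1 10
!
! 4. Per-egress-interface NAT, as posted.
ip nat inside source route-map isp1 interface GigabitEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet8 overload
!
route-map isp1 permit 110
 match ip address 10
 match interface GigabitEthernet0
route-map isp2 permit 110
 match ip address 10
 match interface FastEthernet8
!
! 5. Not in the thread (assumes EEM is available on this image): NAT
!    translations created before the route change stay bound to the old
!    outside interface, so long-lived flows keep failing until they age out.
!    Flush them whenever the track changes state.
event manager applet ISP1-DOWN
 event track 100 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
event manager applet ISP1-UP
 event track 100 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

To verify, pull ISP1's upstream cable and watch "show track 100", "show ip sla statistics 100" and "show ip route track-table" (the command the original poster was using): the track should go down after the 10 s delay and the default via 2.2.2.1 should appear in "show ip route 0.0.0.0"; reconnect and the tracked route should return about 20 s after the first successful probe. Two caveats worth knowing before choosing between the fixes: the host route pins all traffic to 8.8.8.8 via ISP1, and the posted DHCP pool hands 8.8.8.8 out as the primary DNS server, so during a failover client queries to 8.8.8.8 are blackholed until resolvers fall back to 8.8.4.4. The PBR variant avoids that because only the router's own ICMP is steered, which is why it is often the better choice when the probe target is also a production dependency. Probing a single public address also ties your failover decision to that host's availability, so in practice a target that is only reachable through ISP1, such as its gateway or a second probe combined with a boolean track, is more robust.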

This is a seriously old thread; however, thank you. It fixed my issue. I knew that it was with the static routes but didn't know how to sort it out. This corrected an ISR 4331, for those who are searching for an answer.
