09-29-2014 01:44 AM - edited 03-04-2019 11:51 PM
hi all,
i've been trying to make this work for a few days now but can't seem to get IP SLA to work and route over the backup IPsec VPN tunnel.
not sure if my EEM (not from me) is correct.
ip route 0.0.0.0 0.0.0.0 172.27.5.188 name Default track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 250 name Tunnel805
ip route 53.123.45.14 255.255.255.255 GigabitEthernet0/1 name Tunnel805
ip route 53.123.45.199 255.255.255.255 GigabitEthernet0/1 name Tunnel805
interface Loopback0
ip address 172.29.208.2 255.255.255.255
interface Tunnel805
ip vrf forwarding CUST1
ip address 172.17.208.222 255.255.255.252
tunnel source 172.29.208.2
tunnel destination 53.123.45.19
interface Serial0/0/0 <<< LINK1/MAIN
ip address 172.27.5.189 255.255.255.254
interface GigabitEthernet0/1 <<< LINK2
ip address dhcp <<< PUBLIC IP (SINGLE IP AS PER PLAN; EVEN W/ SHUT/NO SHUT)
duplex full
speed 100
no cdp enable
crypto map CMAP
ip sla 1
icmp-echo 172.27.5.188 source-interface Serial0/0/0
frequency 15
ip sla schedule 1 life forever start-time now
ip access-list extended TUNNEL805
permit ip host 172.29.208.2 host 53.123.45.199
crypto isakmp policy 10
encr 3des
group 2
crypto isakmp key cisco address 53.123.45.14
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 53.123.45.14
set transform-set TSET
match address TUNNEL805
event manager applet LINK1_DOWN
event track 1 state down
action 1.0 syslog msg "Reply timed out; LINK1 is down"
action 2.0 cli command "enable"
action 3.0 cli command "conf t"
action 4.0 cli command "int g0/1"
action 5.0 cli command "no shutdown"
action 6.0 cli command "end"
action 7.0 syslog msg "Interface Gi0/1 Up"
event manager applet LINK1_UP
event track 1 state up
action 1.0 syslog msg "Ping received; LINK1 Link is up"
action 2.0 cli command "enable"
action 3.0 cli command "conf t"
action 4.0 cli command "int g0/1"
action 5.0 cli command "shutdown"
action 6.0 cli command "end"
action 7.0 syslog msg "Interface Gi0/1 Down"
----
*Sep 29 07:41:41 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
*Sep 29 07:41:41.658 UTC: %HA_EM-6-LOG: LINK1_DOWN: Reply timed out; LINK1 Link is down
*Sep 29 07:57:53 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up
*Sep 29 07:57:53.106 UTC: %HA_EM-6-LOG: LINK1_UP: Ping received; LINK1 Link is up
*Sep 29 07:57:54.870 UTC: %HA_EM-6-LOG: LINK1_UP: Interface Gi0/1 Down
#sh track
Track 1
IP SLA 1 reachability
Reachability is Down
39 changes, last change 00:11:00
Delay up 60 secs, down 30 secs
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
EEM applet LINK1_UP
EEM applet LINK1_DOWN
#show ip route track-table
ip route 0.0.0.0 0.0.0.0 172.27.5.188 name Default track 1 state is [down]
#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, GigabitEthernet0/1
<SNIP>
#sh ip ro vrf CUST1
Routing Table: CUST1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.27.5.190 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.27.5.190
<SNIP>
#ping vrf CUST1 172.17.208.221
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.208.221, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
#sh crypto is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
09-29-2014 05:16 AM
John
I notice a couple of things in what you have posted.
- First I notice that while your configuration suggests that your default route should use the Serial interface, for some reason it is not, and your current default is using Gig0/1
S* 0.0.0.0/0 is directly connected, GigabitEthernet0/1
- Then I notice that the static routes that you configured using Gig0/1 just specify the interface and not a next hop. This is a potential problem since it can only work if the next hop supports proxy arp. And if it does work then it makes the router work harder. I recognize that since the interface is set to learn its IP via DHCP that configuring routes is more of a challenge but you might look for some alternatives. For example even if your router interface address may change it is likely that the upstream IP is stable and you might be able to use that in route statements. Also it is likely that the DHCP may advertise a default route that you might use.
- I did not look closely at the EEM but notice that it seems to be dependent on ping through the serial interface. If there is some issue with the serial interface (which would explain my point about which default route is being used) it could also explain issues with EEM.
HTH
Rick
09-29-2014 06:47 AM
hi rick,
should my static default route look like below?
ip route 0.0.0.0 0.0.0.0 dhcp 250 name Tunnel805
EEM and IP SLA look like they're working, as they show TRACKING and HA syslogs (i felt like they're redundant though). i remember my routing table changed and IP SLA kicked in as i was playing around with the static routes. i'm still finding a way to put it back though.
09-29-2014 10:07 AM
John
I believe that this is much better for the backup default route. Can you do something for these static routes?
ip route 53.123.45.14 255.255.255.255 GigabitEthernet0/1 name Tunnel805
ip route 53.123.45.199 255.255.255.255 GigabitEthernet0/1 name Tunnel805
I am still curious about the primary static route and the serial interface. Is that working? do you see it in the output of show ip route? What do you get in show ip interface brief?
HTH
Rick
09-29-2014 04:47 PM
hi rick,
what change do you want me to do with the 2 static routes? i tried putting them as floating static routes with an AD of 250 and also put track 1 at the end, but nothing.
the primary route and serial interface are working fine. and yes, i can see it in the normal routing table. i'll try to lab this later and see how it goes.
09-29-2014 05:28 PM
John
I do not see any benefit in making those static routes floating. The real issue is that you have static routes that specify an Ethernet interface as the outbound interface without specifying any next hop information. As I tried to explain before this depends on the next hop device supporting proxy arp, and even if the next hop device does support proxy arp it makes the router work harder. What I suggest is that you specify a next hop (show arp and look for the IP associated with Gig0/1 that is not your address) rather than just the outbound interface.
HTH
Rick
09-29-2014 09:44 PM
hi rick,
i managed to make the IPsec VPN work by forcing the routes to hop via the dhcp IP.
ip route 53.123.45.14 255.255.255.255 dhcp
ip route 53.123.45.199 255.255.255.255 dhcp
i saw the ISP GW IP via show arp but this might change in the future, so i'm sticking with the dhcp keyword.
#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
53.123.45.14 126.75.357.91 QM_IDLE 1001 ACTIVE
09-30-2014 04:23 AM
John
Thanks for posting back and letting us know that you got it to work and how you worked out the static routes. I agree that if it works with the dhcp parameter then it is better than discovering the provider IP address and using that. I have used the dhcp parameter with default routes before but not with network/subnet routes. So I learned something from this :) And thanks for the rating.
HTH
Rick
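The thread's conclusions (a tracked primary default, a floating default and peer host routes via the DHCP-learned gateway instead of interface-only routes, and a dampened track object) pulled together into one configuration. This is an added example, not the configuration the original poster or Rick wrote. It keeps the addresses, VRF, names and crypto ACL from the thread as posted, and it assumes an IOS 15.x image that accepts `track ... ip sla ... reachability`, `hash sha256`, DH group 14 and `esp-sha256-hmac`; the placeholder `<long-random-psk>` is an assumption to be replaced, since the posted key "cisco" with 3DES and group 2 is lab grade. The EEM applets that shut/no shut Gi0/1 are left exactly as posted above and not repeated here.

```cisco
! Added example, not the thread's posted config. Assumes IOS 15.x with
! AES-256 / SHA-256 / DH group 14 support on the ISAKMP policy and
! transform set, and that Gi0/1 learns its address and gateway via DHCP.
! Peer 53.123.45.14, tunnel source Loopback0 (172.29.208.2), VRF CUST1,
! the IP SLA target 172.27.5.188 and the crypto ACL are the values posted.

! --- Primary path health check, pinned to the serial link so the probe
!     can never succeed over the backup path and cause a flap
ip sla 1
 icmp-echo 172.27.5.188 source-interface Serial0/0/0
 frequency 15
ip sla schedule 1 life forever start-time now

! --- Track object with the dampening the thread's 'show track' reports
!     (down 30 s, up 60 s), stated explicitly instead of left implicit
track 1 ip sla 1 reachability
 delay down 30 up 60

! --- Primary default follows track 1; the floating default uses the
!     DHCP-learned gateway (AD 250) rather than an interface-only route,
!     so no proxy ARP is needed and the ISP gateway may change freely
ip route 0.0.0.0 0.0.0.0 172.27.5.188 name Default track 1
ip route 0.0.0.0 0.0.0.0 dhcp 250 name Tunnel805

! --- Host routes to the IPsec peer / tunnel endpoint via the DHCP
!     gateway, so IKE and ESP always leave Gi0/1 whichever default is up
ip route 53.123.45.14 255.255.255.255 dhcp name Tunnel805
ip route 53.123.45.199 255.255.255.255 dhcp name Tunnel805

! --- GRE tunnel in the customer VRF, sourced from the loopback
interface Loopback0
 ip address 172.29.208.2 255.255.255.255
interface Tunnel805
 ip vrf forwarding CUST1
 ip address 172.17.208.222 255.255.255.252
 tunnel source 172.29.208.2
 tunnel destination 53.123.45.19

! --- IKEv1 policy hardened from the posted 3des / group 2 / key "cisco"
!     (assumption: platform supports these algorithms, as IOS 15.x does)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <long-random-psk> address 53.123.45.14

crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac

! --- Crypto ACL exactly as posted in the thread
ip access-list extended TUNNEL805
 permit ip host 172.29.208.2 host 53.123.45.199

crypto map CMAP 10 ipsec-isakmp
 set peer 53.123.45.14
 set transform-set TSET
 set pfs group14
 match address TUNNEL805

! --- Backup link: DHCP address, crypto map applied; the EEM applets
!     posted above shut/no shut this interface as track 1 changes state
interface GigabitEthernet0/1
 ip address dhcp
 crypto map CMAP
```

Two timing points worth keeping in mind when testing this: the `dhcp` routes only install once Gi0/1 has actually obtained a lease, so after the EEM `no shutdown` there is a lease-acquisition delay before the floating default and the peer host routes appear, and with `frequency 15` plus `delay down 30` the primary default will not be withdrawn until at least 45 seconds after the serial path stops answering. The same three commands the thread used remain the checks to run after a failover: `show track 1` (state and who tracks it), `show ip route track-table` (whether the primary default is installed), and `show crypto isakmp sa` (the SA to 53.123.45.14 reaching QM_IDLE/ACTIVE).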