IP SLA Failover

justinoleary911
Level 1

someone please help

Accepted Solutions

Hello,

 

the track goes on the primary route:

 

ip route 0.0.0.0 0.0.0.0 50.225.187.209 track 1 <-- primary route
ip route 0.0.0.0 0.0.0.0 70.89.25.230 10 <-- secondary route with higher AD


28 Replies

Hello,

 

Do you want the spoke to access the Internet directly from the spoke (and not through the hub)?

someone please help

Hello,

 

First of all, there seems to be a simple typo in your hub configuration. Try changing that and see what happens; Fiber and fiber do not match, so it has to be either Fiber/Fiber or fiber/fiber (capitalized or non-capitalized):

 

ip nat inside source route-map Fiber interface GigabitEthernet0/0/0 overload

 

route-map fiber permit 10
match ip address 103
match interface GigabitEthernet0/0/0

Hello

Just to add also try...
no access-list 103

access-list 103 permit ip 192.168.110.0 0.0.0.255 any


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

hi paul,

 

Are you saying to add this into the hub, and it should fix the issue?

Hello

If applicable, test it and see if it makes a difference. In the current ACL you have a lot going on, and basically all you want to do is specify the subnets required for translation.

 

res
Paul



Hello,

 

I don't want to be annoying, but your NAT statement refers to a non-existing route map, so nothing will work until you change that...

 

ip nat inside source route-map Fiber interface GigabitEthernet0/0/0 overload

 

should be

 

ip nat inside source route-map fiber interface GigabitEthernet0/0/0 overload
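
The route-map name mismatch pointed out in the two replies above (Fiber vs. fiber) can be caught before deployment with a small config lint. This is an added example, not code from the thread; the function name and the sample config are constructed for illustration from the lines quoted above.

```python
import re

# Constructed sample: the hub lines quoted in the thread, with the name mismatch.
HUB_CONFIG = """\
ip nat inside source route-map Fiber interface GigabitEthernet0/0/0 overload
!
route-map fiber permit 10
 match ip address 103
 match interface GigabitEthernet0/0/0
!
access-list 103 permit ip 192.168.110.0 0.0.0.255 any
"""

# A definition starts the line: "route-map NAME permit|deny ...".
DEFINITION = re.compile(r"^route-map\s+(\S+)\s+(?:permit|deny)\b")
# A reference is "route-map NAME" appearing after other keywords on the line.
REFERENCE = re.compile(r"\S\s+route-map\s+(\S+)")


def undefined_route_maps(config):
    """Return (line_no, name, near_match) for each reference with no exact definition."""
    lines = config.splitlines()
    defined = set()
    for line in lines:
        m = DEFINITION.match(line.strip())
        if m:
            defined.add(m.group(1))
    # Route-map names are case-sensitive, so keep a case-folded index for hints only.
    by_folded = {name.lower(): name for name in defined}
    findings = []
    for no, line in enumerate(lines, start=1):
        m = REFERENCE.search(line)
        if m and m.group(1) not in defined:
            # near_match is a defined name that differs only by case, else None.
            findings.append((no, m.group(1), by_folded.get(m.group(1).lower())))
    return findings


if __name__ == "__main__":
    for no, name, near in undefined_route_maps(HUB_CONFIG):
        hint = f" (did you mean '{near}'?)" if near else ""
        print(f"line {no}: route-map '{name}' is referenced but not defined{hint}")
```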

You're not being annoying, thank you for your help. I'll post again after these changes are made. Thanks again.

Well, that worked for the NAT issue and I am able to get to the internet at my hub site. However, I am running into another problem with the tunnels coming up and connecting to the spokes.

I have no tunnel communication, but they all say UP on both sides. This is for my Tunnel 1 config. Tunnel 0 is working when the line is live.


Thanks again for your help.

Hello,

 

I noticed a slight difference in your crypto configurations. Make sure they are exactly the same on both sides (for the sake of clarity, I have also changed the policy number). Since you are using the same profile for different tunnels, add the 'shared' keyword.

 

Here are the revised configs (changes in bold):

 

HUB

crypto isakmp policy 30
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 30
!
crypto ipsec profile PremierIpsec
set security-association lifetime seconds 900
set transform-set strong
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 1200
ip ospf network broadcast
ip ospf priority 2
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile PremierIpsec shared
!
interface Tunnel1
ip address 10.0.1.1 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 1200
ip ospf network broadcast
ip ospf priority 2
ip ospf 1 area 0
ip ospf cost 5000
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile PremierIpsec shared

 

SPOKE

 

crypto isakmp policy 30
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 30
!
crypto ipsec profile VanoreIpsec
set security-association lifetime seconds 900
set transform-set strong
!
interface Tunnel0
ip address 10.0.0.10 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp map multicast dynamic
ip nhrp map multicast 70.89.25.225
ip nhrp map 10.0.0.1 70.89.25.225
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip ospf network broadcast
ip ospf priority 0
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile VanoreIpsec shared
!
interface Tunnel1
ip address 10.0.1.10 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp map multicast dynamic
ip nhrp map multicast 50.225.187.210
ip nhrp map 10.0.1.1 50.225.187.210
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.0.1.1
ip ospf network broadcast
ip ospf cost 5000
ip ospf priority 0
ip ospf 1 area 0
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile VanoreIpsec shared
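
Comparing hub and spoke by eye is error-prone, so the "make sure they are the same on both sides" check from the reply above can be scripted. This is an added example, not code from the thread; the sample configs are constructed, and the list of settings that must agree (ISAKMP encryption, hash, authentication and DH group; GRE tunnel mode and key) is an assumption of this example that only compares same-named sections.

```python
# Constructed sample, trimmed from the revised hub config in the thread.
HUB = """\
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
interface Tunnel1
 tunnel mode gre multipoint
 tunnel key 2
"""
# Constructed spoke with two deliberate differences, to show what gets flagged.
SPOKE = HUB.replace("hash md5", "hash sha").replace("tunnel key 2", "tunnel key 1")

# Assumption for this example: settings both peers must agree on, per section type.
MUST_MATCH = {
    "crypto isakmp policy": ("encr", "hash", "authentication", "group"),
    "interface Tunnel": ("tunnel mode", "tunnel key"),
}


def parse(config):
    """Map each top-level section header to {setting: value} from its indented lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = sections.setdefault(raw.strip(), {})
        elif current is not None:
            line = raw.strip()
            for keys in MUST_MATCH.values():
                for key in keys:
                    if line.startswith(key + " "):
                        current[key] = line[len(key) + 1:]
    return sections


def mismatches(hub, spoke):
    """Return (section, setting, hub_value, spoke_value) for every disagreement."""
    hub_s, spoke_s = parse(hub), parse(spoke)
    out = []
    for header in sorted(set(hub_s) & set(spoke_s)):
        for prefix, keys in MUST_MATCH.items():
            if header.startswith(prefix):
                for key in keys:
                    h, s = hub_s[header].get(key), spoke_s[header].get(key)
                    if h != s:
                        out.append((header, key, h, s))
    return out
```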

someone please help

someone please help

Hello,

 

My bad, I overlooked that your tunnels on the hub have different sources. What happens if you just configure 'shared' on the spoke?

someone please help
