04-01-2011 01:35 AM - edited 03-04-2019 11:56 AM
Good Morning People,
I am writing to get some advice and best practices on putting IP SLA's up. Here is my configuration:
I have one 2911 ISR 2 router with two internet lines- One is a cable line (which is connected via ethernet to the providers onsite 1800 router) and the other is a standard ADSL line.
I have a route-map which looks at the source of the traffic (determines whether its staff traffic or server traffic) and splits them accordingly. The Staff go through the ADSL and the servers go through the Cable.
I am trying to get to a position where if one line fails, all traffic goes through the other and vice versa. I have got the route-maps set up to do this using track objects:
route-map r01 permit 20
match ip address SERVERTRAFFIC
set ip next-hop verify-availability x.x.x.x(Cable Gateway) 10 track 1
set ip next-hop verify-availability x.x.x.x(ADSL Gateway) 20 track 2
!
route-map r01 permit 30
match ip address STAFFTRAFFIC
set ip next-hop verify-availability x.x.x.x(ADSL Gateway) 10 track 2
set ip next-hop verify-availability x.x.x.x(Cable Gateway) 20 track 1
This works as I want it to. The problem I am having is the IP SLA's - I have noticed that the IP SLA gets reported down every so often for roughly 5 seconds at a time then comes back up. This is going to cause a big problem when I start setting up the corporate Site-Site VPNS. Here is my config for the IP SLA
ip sla 1 (This tracks the cable connection)
icmp-echo 4.2.2.1
timeout 2500
threshold 2000
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2 (This tracks the ADSL connection)
icmp-echo 4.2.2.2
timeout 2500
threshold 2000
frequency 10
ip sla schedule 2 life forever start-time now
The way I have currently done it is to ping the DNS servers of a major ISP and force the ping through the appropriate connection by using a static route. So for example, 4.2.2.1 is forced through the Cable connection by a route in my routing table: S 4.2.2.1 [1/0] via x.x.x.x(Cable Gateway)
So, looking at my logs I see the connection dip:
1
4/1/11
9:05:20.000 AM
Apr 1 09:05:20 192.168.50.1 1000: Apr 1 08:05:19.610: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
2
4/1/11
9:05:10.000 AM
Apr 1 09:05:10 192.168.50.1 999: Apr 1 08:05:09.610: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
3
4/1/11
8:28:51.000 AM
Apr 1 08:28:51 192.168.50.1 970: Apr 1 07:28:50.426: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
4
4/1/11
8:28:41.000 AM
Apr 1 08:28:41 192.168.50.1 968: Apr 1 07:28:40.426: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
5
3/31/11
10:41:10.000 PM
Mar 31 22:41:10 192.168.50.1 943: Mar 31 21:41:10.032: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
6
3/31/11
10:41:00.000 PM
Mar 31 22:41:00 192.168.50.1 942: Mar 31 21:41:00.032: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
7
3/31/11
10:12:47.000 PM
Mar 31 22:12:47 192.168.50.1 941: Mar 31 21:12:46.791: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
8
3/31/11
10:12:42.000 PM
Mar 31 22:12:42 192.168.50.1 940: Mar 31 21:12:41.791: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options
As you can see, this is for 10 seconds and 5 seconds at a time.
Is there a better way of doing what I am wanting to do? I wouldn't have thought it was the DNS servers that are dissapearing for a few seconds now and then but is there a more stable remote host to ping? Any help would be magic as I need to get this problem sorted.
I appreciate any input.
Thank you very much
Tim
04-01-2011 06:33 AM
Have you tried a different sla
http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsudpe.html#wp1027258
If you use 53 then an ISP DNS will reply on that they may be policing ICMP packets
04-01-2011 08:08 AM
Makes a lot of sense to do that in regards to the possible policing of ICMP echos.
I'm having a bit of trouble getting the UDP echo to work though. I've created the SLA and it is failing
IPSLA operation id: 3
Type of operation: udp-echo
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 15:06:37.177 GMT Fri Apr 1 2011
Latest operation return code: No connection
Number of successes: 0
Number of failures: 8
Operation time to live: Forever
Using the SLA:
ip sla 3
udp-echo 4.2.2.1 53
threshold 2000
timeout 2500
frequency 10
ip sla schedule 3 life forever start-time now
I've looked on the firewall and on the Self-Out zone I have allowed all ICMP, TCP and UDP traffic with inspect and no other traffic is being blocked. Do you see any problem with this?
04-02-2011 01:53 AM
Hi
having re-read the ip sla for udp that's not going to work. How well do you know your ISP's the reason is if you have a good relationship then they may provide you with an IP in that you can ping without police else I would look at trying tcp sla to the isp's website.
04-04-2011 01:25 AM
Thank you for your suggestions. I think a HTTP IP SLA would suffice, but I am then running into the problems of how to actually force the correct HTTP get request out the correct interface. Remember, I have a cable and ADSL line (both static IP's) - I don't think it's possible to force a http request out of a particular port. I was getting past this problem on the icmp echo with static routes.
I think I am trying to achieve the impossible with this! Yet it sounds like a likely use case.
04-12-2011 02:09 AM
I have sorted the issue after talking to Cisco TAC.
The correct solution to this would be to use the Delay command on the Track unit that the IP SLA is associated to.
You can specify how many seconds to delay before the IP SLA forces the tracking to be up or down.
08-18-2012 02:12 PM
Would you be willing to post your tracking and SLA portion of the final configuration?
08-25-2012 03:08 AM
First of all, take note of your interval for the IP SLA - mine is set to ping every 15 seconds:
ip sla 12
icmp-echo 194.168.4.100
timeout 9000
frequency 15
Then, bind a track object that monitors the IP SLA with a delay up and delay down - ensure the seconds of the delay are multiples of the IP SLA frequency, or else it'll flap like a migrating bird.
The following code doesn't 'Down' the Track Object until the IP SLA has timed out 5 consecutive times and and doesn't 'Up' the Track object unless the ping returns successful atleast twice;
track 12 ip sla 12 reachability
delay down 60 up 15
Hope this helps.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide