IP SLA problems

rasoftware
Level 1

I have this config:

ip sla 1
 icmp-echo 62.6.200.5
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
track 100 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 "our-next-hop" track 100
ip route 0.0.0.0 0.0.0.0 Dialer0 254
ip nat inside source route-map ispA interface FastEthernet0 overload
ip nat inside source route-map ispB interface Dialer0 overload
access-list 40 remark IPs for NAT policy
access-list 40 permit 192.0.0.0 0.255.255.255
access-list 101 permit icmp any host 62.6.200.5 echo
route-map LOCAL_POLICY permit 10
 match ip address 101
 set interface FastEthernet0
!
route-map ispB permit 10
 match ip address 40
 match interface Dialer0
!
route-map ispA permit 10
 match ip address 40
 match interface FastEthernet0
!

The track doesn't seem to work; when I have the default route with metric 1 and no track, it works.

I have this config working where I have two DSL ports but this has 1 DSL and 1 FE.

Will this work?

30 Replies

I have a problem with my IP SLA on a router with two ISPs (ISP A and ISP B). A = broadband, B = T1. I have tested the failover in the past by disabling the primary interface and it worked. Yesterday ISP A went down partially and the failover to T1 didn't happen. Maybe because the tracking was done on the ISP A gateway and that IP was reachable even though ISP A was down.

I have made some modifications to my config to see if I can fix this, but it looks like unless I specify a static default route with no tracking option to my ISP A, the traffic keeps going through T1. In my current config, I have added an "IP local Policy Route-MAP" and I also changed the IP being tracked to my ISP's DNS address.

Someone please review my attached config and advise what is wrong with my config. Thanks,

Shuja

###################################################################

term len 0
TQI-WN-RT2911#sh run
Building configuration...
Current configuration : 7720 bytes
!
! Last configuration change at 20:54:18 UTC Sun Oct 28 2012 by admin
! NVRAM config last updated at 20:54:18 UTC Sun Oct 28 2012 by admin
! NVRAM config last updated at 20:54:18 UTC Sun Oct 28 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TQI-WN-RT2911
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp remember
!
!
ip domain name TQI.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2562258950
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2562258950
 revocation-check none
 rsakeypair TP-self-signed-2562258950
!
!
crypto pki certificate chain TP-self-signed-2562258950
 certificate self-signed 01

  quit
!
!
username admin privilege 15 password 7 141F13050806sdfds25242F
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
 delay down 10 up 20
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ############ address 173.161.255.241 255.255.255.240
!
crypto isakmp client configuration group EASY_VPN
 key $#############
 dns 10.10.0.241 10.0.0.241
 domain ttqi.com
 pool EZVPN-POOL
 acl VPN+ENVYPTED_TRAFFIC
 save-password
 max-users 50
 max-logins 10
 netmask 255.255.255.0
crypto isakmp profile EASY_VPN_IKE_PROFILE1
   match identity group EASY_VPN
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EASY_VPN_IPSec_PROFILE1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile EASY_VPN_IKE_PROFILE1
!
!
crypto map VPN_TUNNEL 10 ipsec-isakmp
 description ***TUNNEL-TO-FAIRFIELD***
 set peer 173.161.255.241
 set transform-set ESP-3DES-SHA
 match address 105
!
!
!
!
!
interface Loopback1
 ip address 10.10.30.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1420
 tunnel source GigabitEthernet0/0
 tunnel destination 173.161.255.241
 tunnel path-mtu-discovery
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Optonline  WAN secondary
 ip address 108.58.179.205 255.255.255.248 secondary
 ip address 108.58.179.202 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN_TUNNEL
!
interface GigabitEthernet0/1
 description T1 WAN Link
 ip address 64.7.17.100 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description LAN
 ip address 10.10.0.1 255.255.255.0 secondary
 ip address 10.10.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
!
!
router eigrp 1
 network 10.10.0.0 0.0.0.255
 network 10.10.30.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
!
router odr
!
router bgp 100
 bgp log-neighbor-changes
!
ip local policy route-map IP-SLA-ROUTE-POLICY
ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.0.220 3389 64.7.17.100 3389 extendable
ip nat inside source static tcp 10.10.0.243 25 108.58.179.202 25 extendable
ip nat inside source static tcp 10.10.0.243 80 108.58.179.202 80 extendable
ip nat inside source static tcp 10.10.0.243 443 108.58.179.202 443 extendable
ip nat inside source static tcp 10.10.0.220 3389 108.58.179.202 3389 extendable
ip nat inside source static tcp 10.10.0.17 12000 108.58.179.202 12000 extendable
ip nat inside source static tcp 10.10.0.16 80 108.58.179.205 80 extendable
ip nat inside source static tcp 10.10.0.16 443 108.58.179.205 443 extendable
ip nat inside source static tcp 10.10.0.16 3389 108.58.179.205 3389 extendable
ip route 0.0.0.0 0.0.0.0 108.58.179.201 track 1
ip route 0.0.0.0 0.0.0.0 64.7.17.97 100
!
ip access-list extended VPN+ENVYPTED_TRAFFIC
 permit ip 10.10.0.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.10.30.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 167.206.112.138 source-interface GigabitEthernet0/0
 threshold 100
 timeout 200
 frequency 3
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 101 permit icmp any host 167.206.112.138 echo
access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
access-list 105 permit gre host 108.58.179.202 host 173.161.255.241
!
!
!
!
route-map T1-ISP permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map OPTIMUM-ISP permit 10
 match ip address 100
 match interface GigabitEthernet0/0
!
route-map IP-SLA-ROUTE-POLICY permit 10
 match ip address 101
 set ip next-hop 108.58.179.201
 set interface Null0
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

TQI-WN-RT2911#

###################################################################
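
An added example, not part of either post and not Cisco tooling: a small Python check for the two conditions raised in this thread, a tracked probe that only tests the route's own next hop and a probe that no applied `ip local policy route-map` matches. The sample config is constructed; the function name `lint_failover` and the 192.0.2.1 placeholder address are assumptions made for illustration.

```python
import re

# Constructed sample modelled on commands quoted above; 192.0.2.1 is a placeholder next hop.
SAMPLE = """\
ip sla 1
 icmp-echo 192.0.2.1
track 100 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 100
ip route 0.0.0.0 0.0.0.0 Dialer0 254
access-list 101 permit icmp any host 192.0.2.1 echo
route-map LOCAL_POLICY permit 10
 match ip address 101
 set interface FastEthernet0
"""

def lint_failover(cfg):
    """Return findings about tracked static routes in an IOS-style config."""
    probes, tracks, routes, acls, rmaps = {}, {}, [], {}, {}
    applied = sla = rmap = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.fullmatch(r"ip sla (\d+)", line):
            sla = m[1]                      # start of a probe definition
        elif m := re.match(r"icmp-echo (\S+)", line):
            probes[sla] = m[1]
        elif m := re.fullmatch(r"track (\d+) (?:rtr|ip sla) (\d+) reachability", line):
            tracks[m[1]] = m[2]
        elif m := re.fullmatch(r"ip route \S+ \S+ (\S+)(?: .*)? track (\d+)", line):
            routes.append((m[1], m[2]))     # (next hop, track id)
        elif m := re.match(r"access-list (\d+) permit icmp \S+ host (\S+)", line):
            acls.setdefault(m[1], set()).add(m[2])   # simplified ACL parsing
        elif m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            rmap = m[1]
        elif m := re.match(r"match ip address (.+)", line):
            rmaps.setdefault(rmap, set()).update(m[1].split())
        elif m := re.fullmatch(r"ip local policy route-map (\S+)", line):
            applied = m[1]
    findings = []
    for next_hop, tid in routes:
        target = probes.get(tracks.get(tid))
        if target is None:
            findings.append(f"track {tid}: no icmp-echo probe bound to it")
            continue
        if target == next_hop:   # an outage beyond the gateway goes unseen
            findings.append(f"track {tid}: probe target {target} is the route's own next hop")
        pinned = applied and any(target in acls.get(a, ()) for a in rmaps.get(applied, ()))
        if not pinned:           # router-originated probes then follow the routing table
            findings.append(f"track {tid}: probe to {target} not matched by an applied local policy route-map")
    return findings

print("\n".join(lint_failover(SAMPLE)))
```

The parser keys on command keywords rather than indentation, so it also accepts configs pasted with the sub-command indentation lost.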
