5019 Views | 0 Helpful | 16 Replies

ISR 4331 - Load Balancing 2 WAN ISPs using IP SLA Tracks not working!

varunoberoi
Level 1

I have a Cisco ISR 4331 and I have set up 2 internet connections with 2 WANs. When both ISPs are working, the connection works just fine; the load is balanced between the two. When one ISP fails, half of the DHCP clients stop working, obviously.

 

My default running configuration is 

 

ip route 0.0.0.0 0.0.0.0 dialer 1
ip route 0.0.0.0 0.0.0.0 dialer 2

 

When one fails, I have to manually do

 

no ip route 0.0.0.0 0.0.0.0 dialer1

 

or dialer 2, depending on which ISP has failed.

 

With this command all clients start working again.

 

I wanted to automate this using IP SLA TRACKS, so I did the following configuration:

 

ip sla 1
icmp-echo 8.8.8.8 source-interface dialer 1
threshold 500
timeout 500
frequency 2
exit

ip sla 2
icmp-echo 8.8.8.8 source-interface dialer 2
threshold 500
timeout 500
frequency 2
exit

track 1 ip sla 1 reachability
exit
track 2 ip sla 2 reachability
exit

ip sla schedule 1 start-time now life forever
ip sla schedule 2 start-time now life forever

 

I was going to use an Event Manager applet and set up the commands that I will need to run for the 4 possibilities, namely ISP1 is down, ISP1 is up, ISP2 is down and ISP2 is up. But before writing those, I wanted to check if the tracks are working fine.

 

They are not. This is what happens:

 

Initial conditions ->

 

Running configuration:

ip route 0.0.0.0 0.0.0.0 dialer 1
ip route 0.0.0.0 0.0.0.0 dialer 2

 

ISP1 is UP

ISP2 is UP

 

Then,

IP SLA 1 state = up

IP SLA 2 state = up

 

Test 1: Force fail ISP 1

Console shows that IP SLA 1 state is now down

 

To enable all clients access to internet, I run the command

no ip route 0.0.0.0 0.0.0.0 dialer 1

 

As soon as I run it, IP SLA 1 state becomes Up! It should not.

 

Since the IP SLA 1 configuration states that the source-interface must be dialer 1 (ISP 1), and dialer 1 is still down, the IP SLA state must not become Up when I run the command "no ip route 0.0.0.0 0.0.0.0 dialer 1". It is using dialer 2 to ping 8.8.8.8 and I don't understand why!

 

Any guidance will be appreciated. Thanks.

1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame


16 Replies

MichaelMcCoy
Level 1

Hello,

 

I am not 100% on this topic and I am sure more seasoned vets will correct me if I'm wrong (please do), but I would give the following a try for your dialer 2 configuration.

 

ip sla 2
icmp-echo 8.8.4.4 source-interface dialer 2
threshold 500
timeout 500
frequency 2
exit

 

Changing to a different IP address, which is still a Google address, may help.

balaji.bandi
Hall of Fame

In addition to that, I use EEM to take that action based on the event generated (if you have NAT in place, then you need to clear the NAT too):

 

event manager applet DIALER1_DOWN
event syslog pattern "Line protocol on interface Dialer1, changed state to down"
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer1"
action 4.0 cli command "end"
!
event manager applet DIALER1_UP
event syslog pattern "Line protocol on interface Dialer1, changed state to up"
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer1"
action 4.0 cli command "end"
!
event manager applet DIALER2_DOWN
event syslog pattern "Line protocol on interface Dialer2, changed state to down"
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer2"
action 4.0 cli command "end"
!
event manager applet DIALER2_UP
event syslog pattern "Line protocol on interface Dialer2, changed state to up"
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer2"
action 4.0 cli command "end"

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks, I did not know this. Will try this method as well.

 

One question, only one of these methods should work right? Don't see the point in setting up both.

This was easiest by far! No need to troubleshoot any further. Thanks!

Hello,

 

that is odd indeed. Can you post your full running configuration? The script below has been suggested and tested before; you might want to compare it to what you have (LAN IP addressing is arbitrary, obviously):

 

interface Dialer1
description Link to ISP1
ip address negotiated
ip nat outside
!
interface Dialer2
description Link to ISP2
ip address negotiated
ip nat outside
!
interface GigabitEthernet0/2
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
timeout 500
threshold 500
frequency 2
!
ip sla 2
icmp-echo 8.8.8.8 source-interface Dialer2
timeout 500
threshold 500
frequency 2
!
ip sla schedule 1 start-time now life forever
ip sla schedule 2 start-time now life forever
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 1 interface Dialer2 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
event manager applet ISP_1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer1"
action 4.0 cli command "exit"
action 5.0 cli command "clear ip nat translation *"
action 6.0 cli command "end"
!
event manager applet ISP_1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer1"
action 4.0 cli command "exit"
action 5.0 cli command "clear ip nat translation *"
action 6.0 cli command "end"
!
event manager applet ISP_2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer2"
action 4.0 cli command "exit"
action 5.0 cli command "clear ip nat translation *"
action 6.0 cli command "end"
!
event manager applet ISP_2_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer2"
action 4.0 cli command "exit"
action 5.0 cli command "clear ip nat translation *"
action 6.0 cli command "end"
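Two mistakes that are easy to make in EEM applets like the ones in this thread are reusing an applet name (IOS treats a second "event manager applet NAME" as an edit of the existing applet, so the later body silently replaces the earlier one) and leaving a cli command string without its closing quote. As an added example (my code, not from the thread or from Cisco), here is a small Python lint that parses applet blocks out of a saved config and flags reused names, unbalanced cli command quotes, and applets that add or remove a route without the "clear ip nat translation *" that the replies above call for. The sample config is constructed for the test and is not the router's own.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample (not the router in the thread): two applets that reuse the
# name DIALER1_UP, one of them with an unterminated quote, and one clean applet
# that also flushes NAT translations.
SAMPLE_EEM = """\
event manager applet DIALER1_UP
 event syslog pattern "Line protocol on interface Dialer1, changed state to up"
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer1"
 action 4.0 cli command "end"
!
event manager applet DIALER1_UP
 event syslog pattern "Line protocol on interface Dialer2, changed state to up"
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer2
 action 4.0 cli command "end"
!
event manager applet ISP_2_DOWN
 event track 2 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer2"
 action 4.0 cli command "exit"
 action 5.0 cli command "clear ip nat translation *"
 action 6.0 cli command "end"
"""

APPLET_RE = re.compile(r"^event manager applet (\S+)$")
ACTION_RE = re.compile(r"^action (\S+) cli command (.*)$")
ROUTE_RE = re.compile(r"^(no )?ip route ")

Finding = Tuple[str, str]  # (applet name, message)


def parse_applets(config_text: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (applet name, body lines) in the order they appear."""
    applets: List[Tuple[str, List[str]]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = APPLET_RE.match(line)
        if m:
            applets.append((m.group(1), []))
        elif applets and line and line != "!":
            applets[-1][1].append(line)
    return applets


def lint_eem(config_text: str) -> List[Finding]:
    """Return (applet, message) findings for the three checks described above."""
    findings: List[Finding] = []
    applets = parse_applets(config_text)

    # 1. A repeated applet name edits the existing applet instead of creating a new one.
    for name, n in Counter(name for name, _ in applets).items():
        if n > 1:
            findings.append((name, f"name reused {n} times; later definition overwrites earlier"))

    for name, body in applets:
        commands = []
        for line in body:
            m = ACTION_RE.match(line)
            if not m:
                continue
            label, arg = m.groups()
            # 2. The cli command argument must be one balanced double-quoted string.
            if len(arg) < 2 or not (arg.startswith('"') and arg.endswith('"')):
                findings.append((name, f"action {label}: unbalanced quotes in {arg}"))
            commands.append(arg.strip('"'))
        # 3. Changing a default route behind NAT without flushing translations leaves
        #    existing flows pinned to the dead path (the advice given in this thread).
        changes_route = any(ROUTE_RE.match(c) for c in commands)
        clears_nat = any(c.startswith("clear ip nat translation") for c in commands)
        if changes_route and not clears_nat:
            findings.append((name, "changes a route but never runs 'clear ip nat translation *'"))
    return findings


if __name__ == "__main__":
    for applet, msg in lint_eem(SAMPLE_EEM):
        print(f"{applet}: {msg}")
```

Run it against the output of "show running-config | section event manager" saved to a file; the sample above yields four findings (the reused name, the missing quote, and two applets that touch a route without clearing NAT) and none for ISP_2_DOWN.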

This is exactly what I have, but with some other routes as well. I have 2 VPN connections with this and supporting deny and allow entries. Maybe something from that is interfering, but I cannot figure out how. I just haven't set up the event manager configuration yet, as unless the tracks work properly there is no point automatically running commands; they just mess things up even more.

 

Complete running configuration:

 

 

OrionHisar#sh run
Building configuration...


Current configuration : 6017 bytes
!
! Last configuration change at 09:13:42 IST Fri Jan 7 2022
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname OrionHisar
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$2OEr$MswPaGxxxxxxxxxxUWnK9/
enable password orioxxxxxxx
!
no aaa new-model
clock timezone IST 5 30
!
ip dhcp excluded-address 10.1.0.3 10.1.0.150
!
ip dhcp pool LAN1
network 10.1.0.0 255.255.240.0
default-router 10.1.0.1
dns-server 10.1.0.2 218.248.114.193 8.8.8.8
!
ip dhcp pool SP0101
host 10.1.0.2 255.255.240.0
client-identifier 01f0.d4e2.e724.0b
default-router 10.1.0.1
dns-server 10.1.0.2 10.1.0.1
lease infinite
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid ISR4331/K9 sn FDO2329xxxx
license accept end user agreement
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username xxxxww21 privilege 15 password 0 Rxxxxww
username cisco privilege 15 password 0 Rxxxxxxxx
!
redundancy
mode none
!
crypto ikev2 proposal azure-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
crypto ikev2 proposal local-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy azure-vpn-policy
match address local 117.xxx.47.19
proposal azure-vpn-proposal
crypto ikev2 policy local-vpn-policy
match address local 117.xxx.47.19
proposal local-vpn-proposal
!
crypto ikev2 keyring azure-vpn-keyring
peer 52.140.xxx.62
address 52.140.xxx.62
pre-shared-key yxxxxxxxxxxxxxxxxxxxxxxxxxxQ
!
!
crypto ikev2 keyring hansi-vpn-keyring
peer 112.xxx.241.9
address 112.xxx.241.9
pre-shared-key ypF3Txxxxxxxxxxxxxxx/xxxxxxxxxxxRSpCCOQ
!
!
!
crypto ikev2 profile azure-vpn-profile
match address local 117.xxx.47.19
match identity remote address 52.xxx.116.62 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local azure-vpn-keyring
lifetime 3600
dpd 10 5 on-demand
!
crypto ikev2 profile hansi-vpn-profile
match address local 117.xxx.47.19
match identity remote address 112.xxx.241.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local hansi-vpn-keyring
lifetime 28800
dpd 10 5 on-demand
!
!
!
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set azure-vpn-TransformSet esp-gcm 256
mode tunnel
crypto ipsec transform-set local-vpn-transformset esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile azure-vpn-IPsecProfile
set transform-set azure-vpn-TransformSet
set ikev2-profile azure-vpn-profile
!
!
!
crypto map hansi-vpn-crypto-map 100 ipsec-isakmp
set peer 112.xxx.241.9
set security-association lifetime seconds 28800
set transform-set local-vpn-transformset
set pfs group14
set ikev2-profile hansi-vpn-profile
match address 102
!
!
!
!
!
!
!
!
interface Tunnel10
ip address 169.254.0.1 255.255.255.255
ip tcp adjust-mss 1350
tunnel source 117.xxx.47.19
tunnel mode ipsec ipv4
tunnel destination 52.xxx.116.62
tunnel protection ipsec profile azure-vpn-IPsecProfile
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/0/2
ip address 10.1.0.1 255.255.240.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.1.100.1 255.255.255.0
negotiation auto
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1442
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname or1662xxxxxx3_nid@ftth.bsnl.in
ppp chap password 0 password
crypto map hansi-vpn-crypto-map
!
interface Dialer2
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1442
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username 9896476462 password 0 76462
!
ip nat inside source static tcp 10.1.0.2 3000 117.xxx.47.19 3000 extendable
ip nat inside source static tcp 10.1.0.2 4000 117.xxx.47.19 4000 extendable
ip nat inside source route-map wan1-nat interface Dialer1 overload
ip nat inside source route-map wan2-nat interface Dialer2 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/2
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.0.0.0 255.255.254.0 Tunnel10
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
threshold 500
timeout 500
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface Dialer2
threshold 500
timeout 500
frequency 10
ip sla schedule 2 life forever start-time now
access-list 100 deny ip 10.1.0.0 0.0.15.255 10.2.0.0 0.0.15.255
access-list 100 permit ip 10.1.0.0 0.0.15.255 any
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
access-list 101 permit esp host 52.140.116.62 host 117.xxx.47.19
access-list 101 permit udp host 52.140.116.62 eq isakmp host 117.xxx2.47.19
access-list 101 permit udp host 52.140.116.62 eq non500-isakmp host 117.xxx.47.19
access-list 102 permit ip 10.1.0.0 0.0.15.255 10.2.0.0 0.0.15.255
!
!
route-map wan2-nat permit 10
match ip address 100
match interface Dialer2
!
route-map wan1-nat permit 10
match ip address 100
match interface Dialer1
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password orioxxxx
login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Hello,

 

the config looks clean. I guess it would work if you shut down Dialer 1 in addition to removing the route. If you put this in the EEM script, the IP SLA won't come up anymore. The entire config would look like this:

 

OrionHisar#sh run
Building configuration...


Current configuration : 6017 bytes
!
! Last configuration change at 09:13:42 IST Fri Jan 7 2022
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname OrionHisar
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$2OEr$MswPaGxxxxxxxxxxUWnK9/
enable password orioxxxxxxx
!
no aaa new-model
clock timezone IST 5 30
!
ip dhcp excluded-address 10.1.0.3 10.1.0.150
!
ip dhcp pool LAN1
network 10.1.0.0 255.255.240.0
default-router 10.1.0.1
dns-server 10.1.0.2 218.248.114.193 8.8.8.8
!
ip dhcp pool SP0101
host 10.1.0.2 255.255.240.0
client-identifier 01f0.d4e2.e724.0b
default-router 10.1.0.1
dns-server 10.1.0.2 10.1.0.1
lease infinite
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4331/K9 sn FDO2329xxxx
license accept end user agreement
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
username xxxxww21 privilege 15 password 0 Rxxxxww
username cisco privilege 15 password 0 Rxxxxxxxx
!
redundancy
mode none
!
crypto ikev2 proposal azure-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
crypto ikev2 proposal local-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy azure-vpn-policy
match address local 117.xxx.47.19
proposal azure-vpn-proposal
crypto ikev2 policy local-vpn-policy
match address local 117.xxx.47.19
proposal local-vpn-proposal
!
crypto ikev2 keyring azure-vpn-keyring
peer 52.140.xxx.62
address 52.140.xxx.62
pre-shared-key yxxxxxxxxxxxxxxxxxxxxxxxxxxQ
!
crypto ikev2 keyring hansi-vpn-keyring
peer 112.xxx.241.9
address 112.xxx.241.9
pre-shared-key ypF3Txxxxxxxxxxxxxxx/xxxxxxxxxxxRSpCCOQ
!
crypto ikev2 profile azure-vpn-profile
match address local 117.xxx.47.19
match identity remote address 52.xxx.116.62 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local azure-vpn-keyring
lifetime 3600
dpd 10 5 on-demand
!
crypto ikev2 profile hansi-vpn-profile
match address local 117.xxx.47.19
match identity remote address 112.xxx.241.9 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local hansi-vpn-keyring
lifetime 28800
dpd 10 5 on-demand
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
crypto ipsec transform-set azure-vpn-TransformSet esp-gcm 256
mode tunnel
crypto ipsec transform-set local-vpn-transformset esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile azure-vpn-IPsecProfile
set transform-set azure-vpn-TransformSet
set ikev2-profile azure-vpn-profile
!
crypto map hansi-vpn-crypto-map 100 ipsec-isakmp
set peer 112.xxx.241.9
set security-association lifetime seconds 28800
set transform-set local-vpn-transformset
set pfs group14
set ikev2-profile hansi-vpn-profile
match address 102
!
interface Tunnel10
ip address 169.254.0.1 255.255.255.255
ip tcp adjust-mss 1350
tunnel source 117.xxx.47.19
tunnel mode ipsec ipv4
tunnel destination 52.xxx.116.62
tunnel protection ipsec profile azure-vpn-IPsecProfile
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/0/2
ip address 10.1.0.1 255.255.240.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.1.100.1 255.255.255.0
negotiation auto
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1442
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname or1662xxxxxx3_nid@ftth.bsnl.in
ppp chap password 0 password
crypto map hansi-vpn-crypto-map
!
interface Dialer2
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1442
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username 9896476462 password 0 76462
!
ip nat inside source static tcp 10.1.0.2 3000 117.xxx.47.19 3000 extendable
ip nat inside source static tcp 10.1.0.2 4000 117.xxx.47.19 4000 extendable
ip nat inside source route-map wan1-nat interface Dialer1 overload
ip nat inside source route-map wan2-nat interface Dialer2 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/2
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.0.0.0 255.255.254.0 Tunnel10
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
threshold 500
timeout 500
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface Dialer2
threshold 500
timeout 500
frequency 10
ip sla schedule 2 life forever start-time now
access-list 100 deny ip 10.1.0.0 0.0.15.255 10.2.0.0 0.0.15.255
access-list 100 permit ip 10.1.0.0 0.0.15.255 any
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
access-list 101 permit esp host 52.140.116.62 host 117.xxx.47.19
access-list 101 permit udp host 52.140.116.62 eq isakmp host 117.xxx2.47.19
access-list 101 permit udp host 52.140.116.62 eq non500-isakmp host 117.xxx.47.19
access-list 102 permit ip 10.1.0.0 0.0.15.255 10.2.0.0 0.0.15.255
!
route-map wan2-nat permit 10
match ip address 100
match interface Dialer2
!
route-map wan1-nat permit 10
match ip address 100
match interface Dialer1
!
event manager applet ISP_1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Dialer1"
action 4.0 cli command "shut"
action 5.0 cli command "exit"
action 6.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer1"
action 7.0 cli command "exit"
action 8.0 cli command "clear ip nat translation *"
action 9.0 cli command "end"
!
event manager applet ISP_1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Dialer1"
action 4.0 cli command "no shut"
action 5.0 cli command "exit"
action 6.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer1"
action 7.0 cli command "exit"
action 8.0 cli command "clear ip nat translation *"
action 9.0 cli command "end"
!
event manager applet ISP_2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Dialer2"
action 4.0 cli command "shut"
action 5.0 cli command "exit"
action 6.0 cli command "no ip route 0.0.0.0 0.0.0.0 Dialer2"
action 7.0 cli command "exit"
action 8.0 cli command "clear ip nat translation *"
action 9.0 cli command "end"
!
event manager applet ISP_2_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Dialer2"
action 4.0 cli command "no shut"
action 5.0 cli command "exit"
action 6.0 cli command "ip route 0.0.0.0 0.0.0.0 Dialer2"
action 7.0 cli command "exit"
action 8.0 cli command "clear ip nat translation *"
action 9.0 cli command "end"
!
control-plane
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password orioxxxx
login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

If I shut down dialer 1, will the ISP_1_UP event ever get fired?

Hello


@varunoberoi wrote:

Since the IP SLA 1 configuration state that the source-interface must be dialer 1 (ISP 1), and dialer 1 is still down, IP SLA state must not become Up when I run the command "no ip route 0.0.0.0 0.0.0.0 dialer 1". It is using dialer 2 to ping 8.8.8.8 and I don't understand why!

 


The router doesn't care how it reaches 8.8.8.8, as long as it's reachable. So if the upstream connection fails from dialer 1, this interface can still be active, and if it is, it would still be able to reach 8.8.8.8 via the router's alternative default path (dialer 2).

 

You shouldn't require EEM scripting to do this; you would just need to tie that reachability test to dialer 1.

example:

ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
timeout 1000
threshold 2000
frequency 15
ip sla schedule 1 start-time now life forever
track 10 ip sla 1 reachability

access-list 100 permit icmp host <source ip> host 8.8.8.8 echo

route-map ipsla permit 10
match ip address 100
set ip next-hop (next hop of dialer 1)
set interface Null0

ip local policy route-map ipsla

ip route 0.0.0.0 0.0.0.0 Dialer1 <nexthop ip> track 10 name primary-link
ip route 0.0.0.0 0.0.0.0 Dialer2 <nexthop ip> 2 name backup-link

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
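The point that the router does not care which way it reaches 8.8.8.8 is easier to see in a small model. As an added example (my code, not Paul's or Cisco's), this Python script models the forwarding decision: two default routes, an echo probe whose source-interface only fixes the source address, and a local-policy route-map that pins the probe to Dialer1 with a Null0 fallback. It reproduces the original symptom (the probe "recovers" via Dialer2 once the Dialer1 route is removed), the primary/backup layout in the reply above, and, going one step beyond this post, an equal-AD variant in which both defaults are tracked by their own pinned probe, which is the load-balance-plus-failover behaviour the opening post asks for. Interface and track numbers come from the thread; config order stands in for the ECMP hash; gateway addresses are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Iface:
    name: str
    line_up: bool = True      # PPP line protocol state (what a syslog EEM trigger sees)
    upstream_ok: bool = True  # whether traffic actually gets beyond this ISP


@dataclass
class Route:
    out_iface: str
    ad: int = 1                  # administrative distance
    track: Optional[int] = None  # tracked object that gates the route's install


class Router:
    """Just enough of a router to show where an IP SLA probe leaves the box."""

    def __init__(self, ifaces: List[Iface], routes: List[Route],
                 policy: Optional[Dict[int, str]] = None):
        self.ifaces = {i.name: i for i in ifaces}
        self.routes = routes               # candidate default routes, in config order
        self.policy = policy or {}         # track id -> interface its probe is pinned to
        self.tracks: Dict[int, bool] = {}  # track id -> up/down

    def installed_defaults(self) -> List[Route]:
        """Defaults that survive line state and tracking; the lowest-AD set (ECMP)."""
        cands = [r for r in self.routes
                 if self.ifaces[r.out_iface].line_up
                 and (r.track is None or self.tracks.get(r.track, True))]
        if not cands:
            return []
        best = min(r.ad for r in cands)
        return [r for r in cands if r.ad == best]

    def probe_egress(self, track_id: int) -> Optional[str]:
        """Interface the probe for a track leaves on, or None if dropped.
        'source-interface' only picks the source address; egress still follows the
        routing table unless local policy overrides it."""
        pinned = self.policy.get(track_id)
        if pinned is not None:
            # route-map: set ip next-hop <gateway of pinned dialer>, set interface Null0.
            # The next hop is only usable while that dialer is up; otherwise Null0 drops
            # the probe instead of letting it leak out the other default route.
            return pinned if self.ifaces[pinned].line_up else None
        ecmp = self.installed_defaults()
        return ecmp[0].out_iface if ecmp else None  # first member stands in for the hash

    def probe_succeeds(self, track_id: int) -> bool:
        egress = self.probe_egress(track_id)
        return egress is not None and self.ifaces[egress].upstream_ok

    def evaluate_tracks(self) -> Dict[int, bool]:
        """Run each configured track as reachability of its probe and gate the routes."""
        ids = {r.track for r in self.routes if r.track is not None}
        for t in sorted(ids):
            self.tracks[t] = self.probe_succeeds(t)
        return dict(self.tracks)

    def fib(self) -> List[str]:
        return [r.out_iface for r in self.installed_defaults()]


def scenario_plain_defaults():
    """Opening post: two untracked defaults, probe 1 sourced from Dialer1, ISP1 dead upstream.
    Returns (probe result with both routes, probe result after 'no ip route ... Dialer1')."""
    r = Router([Iface("Dialer1", upstream_ok=False), Iface("Dialer2")],
               [Route("Dialer1"), Route("Dialer2")])
    with_both = r.probe_succeeds(1)                      # egress Dialer1 -> fails, SLA down
    r.routes = [x for x in r.routes if x.out_iface != "Dialer1"]
    return with_both, r.probe_succeeds(1)                # only Dialer2 left -> SLA "up"


def scenario_primary_backup():
    """Layout from the reply above: pinned probe, tracked primary, backup at AD 2."""
    r = Router([Iface("Dialer1", upstream_ok=False), Iface("Dialer2")],
               [Route("Dialer1", track=10), Route("Dialer2", ad=2)],
               policy={10: "Dialer1"})
    tracks = r.evaluate_tracks()
    return tracks[10], r.fib()                           # (False, ['Dialer2'])


def scenario_ecmp_tracked(isp1_ok: bool, isp2_ok: bool) -> List[str]:
    """Generalisation (assumption, not from the thread): both defaults at equal AD, each
    tracked by its own pinned probe, so ECMP holds while both work and collapses to the
    surviving link when one ISP breaks upstream."""
    r = Router([Iface("Dialer1", upstream_ok=isp1_ok), Iface("Dialer2", upstream_ok=isp2_ok)],
               [Route("Dialer1", track=1), Route("Dialer2", track=2)],
               policy={1: "Dialer1", 2: "Dialer2"})
    r.evaluate_tracks()
    return r.fib()


if __name__ == "__main__":
    print("plain defaults (before, after route removal):", scenario_plain_defaults())
    print("primary/backup (track 10, FIB):", scenario_primary_backup())
    print("ecmp tracked, ISP1 broken:", scenario_ecmp_tracked(False, True))
```

The first scenario is the behaviour reported in the opening post: with both defaults present the probe goes out Dialer1 and fails, and removing that route makes the same probe succeed through Dialer2, which is why the track can never be trusted without the local policy. With the probe pinned, the track reflects only Dialer1's path, so the tracked static route is withdrawn and the backup installs.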

Your solution, though a bit confusing, might work, but it sets a WAN as primary and another as backup. I want to load balance both while they are working and shift entire load to one in case the other fails.

Hello,

 

what about shutting the dialer in the EEM script as well, as suggested?

Was just typing a reply to you while you replied here. 

 

In case you haven't seen it. My question is, say ISP 1 fails, and I shut down dialer 1. In some time, the ISP 1 is back alive but since dialer 1 is shut, the router doesn't establish connection. So will the event, ISP_1_UP, ever get fired?

There are 2 options; the easy one is to capture the event trigger and bring the interface up.

 

OP, you did not mention NAT; you just mentioned shutting down the interface to fix the issue, but you need to clear the NAT table to get it working. Have you done that?

 

So at the end of the EEM script you need to clear the NAT table when you are moving to a different direction.

 

On another note, I noticed you shut down manually for testing. What events do you get when you shut down manually versus when the dialer goes down on the ISP side? Those are the events to capture here. IP SLA should do that work for you, but EEM is the additional suggestion made by me.

 

 

Check some example :

 

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/200785-ISP-Failover-with-default-routes-using-I.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

I see.

 

I guess my 'solution' doesn't make sense then. 

 

Let me lab test this, I'll get back with you.
