Issue with IP SLA failover and OSPF/Static redistribution

Venky
Level 1

We have 2 locations. Each location has one ISP, one firewall and a Cisco 9500 switch. Both locations are connected via a backbone network with a 10G P2P connection. I implemented IP SLA on both sides to track ICMP and fail over to the other location if the track is down. But even after the ISP is back up at the testing location, site traffic is still trying to use the other location. Initially I saw that the pings I used in the track were using a different path to go out, and I blocked them on the firewall. But even after blocking, I think the 9500 thinks it is still active. I'm confused about what to block in the advertisement.

 

All remote locations terminate at the Location 1 9500 switch, and Location 1 has a 10G pipe to Location 2. I was under the assumption that when the track at Location 1 fails, it should switch to Location 2 based on the ip route, which is working fine. But failback is not happening.

 

Location 1 :-

track 8 ip sla 1 reachability
!
ip sla 1
 ! source-ip is the interface IP on the switch directly connected to the firewall
 icmp-echo 75.75.75.75 source-ip 10.168.2.1
ip sla schedule 1 life forever start-time now
!
router ospf 1
 router-id 10.104.104.40
 redistribute connected subnets
 redistribute static subnets
 network 10.104.104.0 0.0.0.255 area 0
 ! backbone network
 network 10.10.0.252 0.0.0.3 area 0
 ! OSPF network to the firewall
 network 10.168.2.0 0.0.0.15 area 0
 ! remote locations get their default route only from this location
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.168.2.14 track 8
ip route 0.0.0.0 0.0.0.0 10.10.0.253 10


 

Location 2 :-

track 8 ip sla 1 reachability
!
ip sla 1
 ! source-ip is the interface IP on the switch directly connected to the firewall
 icmp-echo 4.2.2.2 source-ip 10.168.2.17
ip sla schedule 1 life forever start-time now
!
router ospf 1
 router-id 10.201.20.200
 redistribute connected subnets
 redistribute static subnets
 ! between locations
 network 10.10.0.252 0.0.0.3 area 0
 ! interconnect VLAN between switch and firewall
 network 10.168.2.16 0.0.0.15 area 0
!
ip route 0.0.0.0 0.0.0.0 10.168.2.30 track 8
ip route 0.0.0.0 0.0.0.0 10.10.0.254 10

I believe some filtering has to be done, but I'm not sure where to do it.

10 Replies

Hello,

 

With IP SLAs, it is usually a good idea to configure a static route towards the IP address you are pinging. In your case that means:

 

Location 1

 

ip route 75.75.75.75 255.255.255.255 10.168.2.14

 

Location 2

 

ip route 4.2.2.2 255.255.255.255 10.168.2.30

 

What are you redistributing? Post the full configs of both sides...

The solution seems to be working fine, but this route is also being redistributed into the OSPF process, due to which the firewall is sending it back on the same interface.

 

Is there a way to block advertising this static route while advertising all other static routes into the OSPF process?

 

I was thinking about using a distribute list to filter, but I haven't done it before. If you can help, that would be great. Thank you so much again for responding.

 

Venky
Level 1

redistribute connected subnets
redistribute static subnets

 

The above is configured on both sides in the OSPF process. There are some internal networks which I removed. There is no special config beyond this.

Hello


@Venky  wrote:

But even after the ISP is back up at the testing location, site traffic is still trying to use the other location. Initially I saw that the pings I used in the track were using a different path to go out, and I blocked them on the firewall. But even after blocking, I think the 9500 thinks it is still active. I'm confused about what to block in the advertisement.

 

ip sla 1
icmp-echo 75.75.75.75 source-ip 10.168.2.1 

 

ip route 0.0.0.0 0.0.0.0 10.168.2.30 track 8
ip route 0.0.0.0 0.0.0.0 10.10.0.254 10


What is possibly occurring is that the tracked IP address is reachable via the secondary path; as such, the track is failing.

What you need to do is prevent the tracked IP from being reached via the other path.


! floating static (AD 2) to Null0: if the primary next hop for the probe goes away,
! the probe is dropped locally instead of following the backup default route
ip route 75.75.75.75 255.255.255.255 Null0 2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks Paul, this will work, but this ip route will be redistributed into the OSPF process since we have redistribute commands under the OSPF process. I need a way to block this specific ip route advertisement in the OSPF process while leaving all other routes advertised.

Hello

! x.x.x.x is the tracked probe address (75.75.75.75 at Location 1, 4.2.2.2 at Location 2)
ip prefix-list 10 seq 5 deny x.x.x.x/32
ip prefix-list 10 seq 10 permit 0.0.0.0/0 le 32
!
route-map static permit 10
 match ip address prefix-list 10
!
router ospf xx
 redistribute static route-map static subnets

 




Kind Regards
Paul
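Putting the three suggestions in this thread together (the host route towards the probe target, the floating Null0 route, and the route-map on `redistribute static`), here is a consolidated configuration for both switches. This is an added example, not a config from the original thread or from Cisco; the prefix-list and route-map names (`PROBE-HOSTS`, `STATIC-TO-OSPF`), the probe `frequency` and the track `delay` timers are assumptions chosen for illustration. All addresses, router IDs and network statements are the ones posted above.

```ios
! ===== Location 1 (Cisco 9500) =====
! Added example; names PROBE-HOSTS / STATIC-TO-OSPF, frequency and
! delay timers are assumptions, not from the original thread.
!
! 1. Probe the ISP through the local firewall only.
ip sla 1
 icmp-echo 75.75.75.75 source-ip 10.168.2.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 8 ip sla 1 reachability
 delay down 10 up 30
!
! 2. Pin the probe target to the firewall next hop. If that next hop
!    disappears (firewall-facing link down), the floating Null0 route
!    (AD 2) beats the backup default (AD 10), so the probe is dropped
!    locally instead of being answered through Location 2.
ip route 75.75.75.75 255.255.255.255 10.168.2.14
ip route 75.75.75.75 255.255.255.255 Null0 2
!
! 3. Tracked primary default, floating backup default over the backbone.
ip route 0.0.0.0 0.0.0.0 10.168.2.14 track 8
ip route 0.0.0.0 0.0.0.0 10.10.0.253 10
!
! 4. Keep the probe host routes out of OSPF. The firewall shares the
!    10.168.2.0/28 OSPF segment; if it learns 75.75.75.75/32 with the
!    switch as next hop it bounces the probe straight back, which is
!    consistent with what Venky observed.
ip prefix-list PROBE-HOSTS seq 5 deny 75.75.75.75/32
ip prefix-list PROBE-HOSTS seq 10 permit 0.0.0.0/0 le 32
!
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list PROBE-HOSTS
!
router ospf 1
 router-id 10.104.104.40
 redistribute connected subnets
 redistribute static subnets route-map STATIC-TO-OSPF
 network 10.104.104.0 0.0.0.255 area 0
 network 10.10.0.252 0.0.0.3 area 0
 network 10.168.2.0 0.0.0.15 area 0
 default-information originate
!
! ===== Location 2 (Cisco 9500): same pattern, this site's addresses =====
ip sla 1
 icmp-echo 4.2.2.2 source-ip 10.168.2.17
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 8 ip sla 1 reachability
 delay down 10 up 30
!
ip route 4.2.2.2 255.255.255.255 10.168.2.30
ip route 4.2.2.2 255.255.255.255 Null0 2
ip route 0.0.0.0 0.0.0.0 10.168.2.30 track 8
ip route 0.0.0.0 0.0.0.0 10.10.0.254 10
!
ip prefix-list PROBE-HOSTS seq 5 deny 4.2.2.2/32
ip prefix-list PROBE-HOSTS seq 10 permit 0.0.0.0/0 le 32
!
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list PROBE-HOSTS
!
router ospf 1
 router-id 10.201.20.200
 redistribute connected subnets
 redistribute static subnets route-map STATIC-TO-OSPF
 network 10.10.0.252 0.0.0.3 area 0
 network 10.168.2.16 0.0.0.15 area 0
```

To confirm it behaves as intended, check on each switch that `show ip route 75.75.75.75` (or `4.2.2.2`) resolves via the firewall next hop and never via the backbone, that `show ip ospf database external` no longer carries the /32, and that `show track 8` and `show ip sla statistics 1` flip down when the local ISP is pulled and back up when it returns. On the firewall, confirm it has no route for the probe address pointing back at the switch. Note the filter only removes the /32 from what the switch redistributes; the tracked default is still originated into OSPF by `default-information originate` as before, so the remote sites keep following Location 1.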

Hello,

 

Just a thought, but you can also use EEM scripts to cause the failover. The scripts would look like below:

 

Location 1

 

interface GigabitEthernet0/0
description Location 1 Link to ISP
ip address 10.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
description Link to Location 2
ip address 10.10.0.253 255.255.255.252
!
event manager applet SHUT_INT
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet0/0"
action 4.0 cli command "shut"
action 5.0 cli command "exit"
action 6.0 cli command "interface GigabitEthernet0/1"
action 7.0 cli command "no shut"
action 8.0 cli command "end"
!
event manager applet NO_SHUT_INT
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet0/0"
action 4.0 cli command "no shut"
action 5.0 cli command "exit"
action 6.0 cli command "interface GigabitEthernet0/1"
action 7.0 cli command "shut"
action 8.0 cli command "end"

 

Location 2

 

interface GigabitEthernet0/0
description Location 2 Link to ISP
ip address 10.168.2.17 255.255.255.0
!
interface GigabitEthernet0/1
description Link to Location 1
ip address 10.10.0.254 255.255.255.252
!
event manager applet SHUT_INT
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet0/0"
action 4.0 cli command "shut"
action 5.0 cli command "exit"
action 6.0 cli command "interface GigabitEthernet0/1"
action 7.0 cli command "no shut"
action 8.0 cli command "end"
!
event manager applet NO_SHUT_INT
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet0/0"
action 4.0 cli command "no shut"
action 5.0 cli command "exit"
action 6.0 cli command "interface GigabitEthernet0/1"
action 7.0 cli command "shut"
action 8.0 cli command "end"

Hello

@Georg Pauwen  even though the script would be applicable, it's still tied to the IP SLA tracking, and this would probably fail due to the tracking seeing the tracked IP via its alternative path, thus it won't fail over correctly.



Kind Regards
Paul

With the script, there would never be an alternative path. The interface towards the other location would be 'shut'. That's the idea.

Hello
Yes, but for the EEM script to work correctly it's tied to IP SLA tracking, which relies on the reachability of the tracked IP.

The tracked IP would be reachable via either default static, which you wouldn't want to happen.



Kind Regards
Paul