Beginner

No internet access through dialer when failing over

Hi all,

 

I've set up an ISR 4331 with a leased line and a PPPoE dial-up line as backup. I have set IP SLA so that when the leased line is unplugged the default route changes to the PPPoE line, but I cannot get any internet access from the LAN through the PPPoE line. I have plugged a laptop into the PPPoE line directly and can dial up and access the internet fine, and I can ping 8.8.8.8 from the Cisco fine as well, so I'm happy that the PPPoE line itself is OK.

The odd thing is that, firstly, if I try sh ip nat translations there is nothing from the LAN, and secondly, I have put an access list with overload on the leased line and then one for the dialer line (both with the same entries), but even when the leased line is unplugged there are ONLY hits on the leased line ACL, as though the LAN traffic is still trying to go through there. Again, I've confirmed with sh ip route that the default route is updated.

Any ideas?

 

Thanks

13 REPLIES 13
VIP Mentor

Re: No internet access through dialer when failing over

Can we have your config to look at, or check part of the failover: have you been making NAT changes and clearing the NAT table?

You can achieve this with an EEM script; example from my notes:

! Runs whenever track object 1 changes state (up or down)
event manager applet NAT-RESET
 event track 1 state any
 action 0.1 cli command "enable"
 action 0.2 wait 2
 ! Flush dynamic NAT entries so new flows are translated on the new exit interface
 action 0.3 cli command "clear ip nat translation forced"
 action 0.4 syslog msg "NAT translation cleared after track state change"

BB
*** Rate All Helpful Responses ***
VIP Mentor

Re: No internet access through dialer when failing over

Hello

This no doubt would depend on your existing configuration; the NAT timeouts should cover the failover, but they could be tweaked to accommodate anyway.
Can you post (in an attached file) your existing configuration please.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Hall of Fame Guru

Re: No internet access through dialer when failing over

We do need to see the configuration to help us determine what the issue might be. In particular we would be looking to see how address translation is set up. Do you have 2 statements for the translations referencing an access list and pointing to the outbound interface? Or does your address translation use route maps, which reference both the access list and the outbound interface? When doing translation for 2 interfaces the approach that uses route maps is much better than the approach that just references the access list and the interface.

HTH

Rick
Beginner

Re: No internet access through dialer when failing over

Yep, sorry for the delay. Here is the config, although we did not set this up originally, but I've added the IP SLA bits:

 


testunit#sh run
Building configuration...


Current configuration : 21593 bytes
!
! Last configuration change at 09:29:16 GMT Mon Jun 22 2020 by techadmin
! NVRAM config last updated at 08:40:50 GMT Mon Jun 22 2020 by techadmin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname testunit
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Y1st$Y7mKB1FxUfEpukhM9Mf39.
enable password 7 044F18130D204747584B56
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network grouplist local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock calendar-valid
!
!
!
!
!
!
!
!
!
!
!

 

no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
crypto pki server ca-server
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
auto-rollover 365
eku server-auth client-auth
database url flash:ca
!
crypto pki trustpoint TP-self-signed-1621321660
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1621321660
revocation-check none
rsakeypair TP-self-signed-1621321660
!
crypto pki trustpoint ca-server
revocation-check crl
rsakeypair ca-server
!
crypto pki trustpoint router
enrollment url http://82.83.236.114:80
fqdn secure.corp.co.uk
ip-address 82.83.236.114
subject-name CN=site locale,OU=user-vpn,O=corp
revocation-check crl
rsakeypair router
auto-enroll regenerate
hash sha512
!
!
!
crypto pki certificate map staff-certificate-map 10
issuer-name co cn = ca-server
!
crypto pki certificate chain TP-self-signed-1621321660
certificate self-signed 01
quit
crypto pki certificate chain ca-server
certificate ca 01
quit
crypto pki certificate chain router
certificate 04
quit
certificate ca 01
quit
license udi pid ISR4331/K9 sn FDO21041AT4
license boot suite FoundationSuiteK9
!
spanning-tree extend system-id
!
username techadmin privilege 15 password 7 065E0334424A0C0B5D4F4A0923051E
username scsupport privilege 15 password 7 1501040A10292A30796166
username corpict privilege 15 secret 5 $1$CXwV$CUAMtm8.f6o1GkOzXbUE/1
username techuk password 7 094A1F1B4A07470A
!
redundancy
mode none
!
crypto ikev2 authorization policy ap-staff
pool vpnusers
route set interface
!
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14
!
crypto ikev2 policy default
match fvrf any
proposal default
!
!
crypto ikev2 profile staff
match certificate staff-certificate-map
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint router
dpd 60 2 on-demand
aaa authorization group cert list grouplist ap-staff
virtual-template 10
!
no crypto ikev2 http-url cert
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.5.03040-webdeploy-k9.pkg sequence 1
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 20
authentication pre-share
lifetime 28800
crypto isakmp key LvkBGk97v6 address 159.8.76.101
crypto isakmp key @jasdjgGJUIH87!* address 194.151.5.229
crypto isakmp key LvkBGk97v6 address 169.50.134.244
!
!
crypto ipsec transform-set tr-gsm256 esp-gcm 256
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set NLSET esp-des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set ESP-3DES-SHA1
!
!
crypto ipsec profile staff
set transform-set tr-gsm256
set pfs group21
set ikev2-profile staff
!
!
crypto map NLVPN 20 ipsec-isakmp
set peer 194.151.5.229
set transform-set NLSET
match address 101
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
ip address 100.65.192.193 255.255.255.252
ip mtu 1350
ip nat outside
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 159.8.76.101
tunnel protection ipsec profile VTI
!
interface Tunnel1
description DR Tunnel
no ip address
ip mtu 1350
ip nat outside
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 169.50.134.244
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0/0
description LeasedLine
ip address 82.83.236.114 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description BTFTTC
no ip address
ip nat outside
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
description corp LAN
ip address 192.168.2.10 255.255.192.0
negotiation auto
!
interface GigabitEthernet0/0/2.1
description Guest DHCP LAN
encapsulation dot1Q 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.1.1.28 255.255.255.0
shutdown
negotiation auto
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template10 type tunnel
description Cisco AnyConnect ikev2
ip unnumbered GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile staff
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
ip address negotiated
!
interface Dialer1
ip address 127.221.10.212 255.255.255.248
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname 01623758680@b2bdsl
ppp chap password 7 065002007F65034F2F4105
ppp pap sent-username 01623758680@b2bdsl password 7 07592C6D7D2213533D441C
crypto map NLVPN
!
ip local pool vpnusers 192.168.10.1 192.168.10.50
ip nat inside source static 192.168.2.111 100.65.192.117
ip nat inside source static 192.168.2.110 100.65.192.118
ip nat inside source static 192.168.2.112 100.65.192.119
ip nat inside source static 192.168.3.35 100.65.192.120
ip nat inside source static 192.168.2.107 100.65.192.121
ip nat inside source static 192.168.3.29 100.65.192.122
ip nat inside source static 192.168.3.30 100.65.192.123
ip nat inside source static 192.168.3.28 100.65.192.124
ip nat inside source static 192.168.3.32 100.65.192.125
ip nat inside source static 192.168.3.38 100.65.192.126
ip nat inside source static 192.168.3.40 100.65.192.127
ip nat inside source static 192.168.2.108 100.65.192.128
ip nat inside source static 192.168.3.6 100.65.192.134
ip nat inside source static 192.168.3.25 100.65.192.151
ip nat inside source static 192.168.3.26 100.65.192.152
ip nat inside source static tcp 192.168.2.9 8888 82.83.236.114 656 extendable
ip nat inside source static tcp 192.168.2.222 5555 82.83.236.114 5555 extendable
ip nat inside source static tcp 192.168.2.2 5003 82.83.236.114 35003 extendable
ip nat inside source static tcp 192.168.2.2 5090 82.83.236.114 35090 extendable
ip nat inside source list 100 interface Tunnel0 overload
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip nat inside source list 103 interface Dialer1 overload
ip forward-protocol nd
ip ftp source-interface GigabitEthernet0/0/0
ip ftp username tech
ip ftp password 7 051B071C325B411B1D
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 82.83.236.113 track 10
ip route 0.0.0.0 0.0.0.0 82.83.236.113
ip route 0.0.0.0 0.0.0.0 127.221.10.213 200
ip route 177.3.137.109 255.255.255.255 Tunnel0
ip route 177.3.137.110 255.255.255.255 Tunnel0
ip route 177.3.137.111 255.255.255.255 Tunnel0
ip route 177.3.137.112 255.255.255.255 Tunnel0
ip route 177.3.137.113 255.255.255.255 Tunnel0
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
ip access-list extended TAC
permit ip any host 192.168.2.18
permit ip host 192.168.2.18 any
!
ip sla 1
icmp-echo 82.83.236.113 source-interface GigabitEthernet0/0/0
threshold 2
timeout 100
frequency 3
ip sla schedule 1 life forever start-time now
logging trap notifications
logging facility local0
logging host 192.168.2.18
access-list 1 permit 192.40.0.0 0.192.255.255
access-list 20 permit 192.168.0.0 0.0.63.255
access-list 100 permit ip 192.168.0.0 0.0.63.255 177.3.137.108 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 177.3.137.110 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 177.3.137.112 0.0.0.1
access-list 100 permit ip host 100.65.192.229 177.3.137.108 0.0.0.1
access-list 100 permit ip host 100.65.192.229 177.3.137.110 0.0.0.1
access-list 100 permit ip host 100.65.192.229 177.3.137.112 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 177.3.137.108 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 177.3.137.110 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 177.3.137.112 0.0.0.1
access-list 101 permit ip 192.168.0.0 0.0.63.255 any
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit ip 192.168.0.0 0.0.63.255 any
access-list 103 permit ip any any
access-list 103 permit icmp any any
access-list 103 deny ip 192.168.0.0 0.0.63.255 192.168.64.0 0.0.63.255
access-list 175 deny ip 192.168.0.0 0.0.63.255 192.168.64.0 0.0.63.255
access-list 175 permit ip 192.168.0.0 0.0.63.255 any
dialer-list 1 protocol ip permit
!
snmp-server community public RO
snmp-server community private RW
!
!
!
!
control-plane
!
banner motd ^CC
WARNING: IF YOU ARE NOT AUTHORIZED TO ACCESS THIS SYSTEM OR IF YOU
INTEND TO USE THIS SYSTEM BEYOND THE SCOPE OF YOUR AUTHORIZATION,
DISCONNECT IMMEDIATELY.
This computer system is for authorized users only. Individuals
using this system without authority, or in excess of their
authority, are subject to having all of their activities monitored
and recorded by system personnel. In the course of monitoring
individuals improperly using this system or in the course of system
maintenance, the activities of authorized users may also be
monitored. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
monitoring information and logs as evidence to law enforcement
officials. Crimes may be prosecuted to the fullest extent possible
under state and federal law.
^C
!
line con 0
password 7 105A1A0C071619025D5679
stopbits 1
line aux 0
stopbits 1
line vty 0
privilege level 15
password 7 014B0A11550F031D7914160B360423
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
!
end

testunit#

Beginner

Re: No internet access through dialer when failing over

I've changed to route maps to test that and I can now get a ping response from the dialer FTTC line, so that looks promising. However, when it now fails over to the FTTC (Dialer 1) I lose DNS on the line even though I can ping 8.8.8.8. The odd thing is that when it's on the primary leased line connection I get internet and DNS works fine, but I can't get a ping back from 8.8.8.8. I've used route maps referencing access list 101 for both, so I'm not sure if I've broken something else now.

Hoping this helps.

 

Thanks

 

 

Beginner

Re: No internet access through dialer when failing over

Ignore that... I just rebooted the Cisco (I saved the config first) and now it gives me search results when I type something into Google, but when I click on the web link it says DNS_PROBE_FINISHED_NO_INTERNET. But if I play a YouTube video when it's connected to the leased line and then unplug it so it fails over to the FTTC line, the YouTube video carries on (well past any buffer), so it looks like it might just be a DNS issue now, although I've got 8.8.8.8 set as the DNS on the PC, so I'm a little stumped.
Beginner

Re: No internet access through dialer when failing over

So it looks like if there's any session established (either a ping or streaming video etc.) and I pull the leased line, then it fails over to the FTTC line and carries on, but if I try to start anything new (again either a ping or browsing etc.) then it doesn't work?
Hall of Fame Guru

Re: No internet access through dialer when failing over

I find it puzzling that it seems that an existing session will continue when there is a failover but new sessions will not start. I wonder if it has anything to do with the static NAT translations that are translating to addresses associated with the tunnel? Perhaps a fresh copy of the config might help us understand what is going on.

HTH

Rick
VIP Mentor

Re: No internet access through dialer when failing over

Hello,

 

I haven't followed the entire thread, but I noticed an error in your configuration that will make your failover fail:

 

ip route 0.0.0.0 0.0.0.0 82.83.236.113 track 10

 

needs to be:

 

ip route 0.0.0.0 0.0.0.0 82.83.236.113 track 1

Hall of Fame Guru

Re: No internet access through dialer when failing over

Good catch by @Georg Pauwen. But that is not the only issue impacting failover. Note the 2 versions of the same static default route:

ip route 0.0.0.0 0.0.0.0 82.83.236.113 track 10
ip route 0.0.0.0 0.0.0.0 82.83.236.113

Even when the track is corrected and it correctly removes its version of the default route the other one would still remain in the routing table and prevent the floating route from being inserted. 

 

HTH

Rick
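
The two problems pointed out in the replies above (a default route tracking object 10 when the config only defines track 1, and an untracked copy of the same default route sitting ahead of the floating route) can be checked for mechanically. This is an added example, not part of the original thread: a small Python audit run over the track and route lines copied from the posted configuration; the function names and finding labels are made up for illustration.

```python
import re

# Constructed sample: the track and static-route lines from the posted config.
SAMPLE_CONFIG = """\
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 82.83.236.113 track 10
ip route 0.0.0.0 0.0.0.0 82.83.236.113
ip route 0.0.0.0 0.0.0.0 127.221.10.213 200
ip route 177.3.137.109 255.255.255.255 Tunnel0
"""

# Constructed sample: the same lines with both corrections from the replies applied.
FIXED_CONFIG = """\
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 82.83.236.113 track 1
ip route 0.0.0.0 0.0.0.0 127.221.10.213 200
ip route 177.3.137.109 255.255.255.255 Tunnel0
"""

TRACK_RE = re.compile(r"^track (\d+)\s")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (.+)$")
KEYWORDS_WITH_ARG = {"name", "tag"}  # options whose argument is not a distance


def parse_routes(config):
    """Return (set of defined track ids, list of static-route dicts)."""
    tracks, routes = set(), []
    for raw in config.splitlines():
        line = raw.strip()
        m = TRACK_RE.match(line)
        if m:
            tracks.add(int(m.group(1)))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix, mask, rest = m.groups()
        if prefix == "vrf":  # VRF routes are out of scope for this sketch
            continue
        tokens = rest.split()
        route = {"prefix": prefix, "mask": mask, "next_hop": tokens[0],
                 "distance": 1, "track": None, "line": line}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "track" and i + 1 < len(tokens):
                route["track"] = int(tokens[i + 1])
                i += 2
            elif tok in KEYWORDS_WITH_ARG:
                i += 2
            elif tok.isdigit():  # a bare number is the administrative distance
                route["distance"] = int(tok)
                i += 1
            else:
                i += 1
        routes.append(route)
    return tracks, routes


def audit_failover(config):
    """Flag static routes that would defeat tracked failover to a floating route."""
    tracks, routes = parse_routes(config)
    findings = []
    # 1. A route that tracks an object the config never defines ("track 10"
    #    while only "track 1" exists) is not tied to the IP SLA probe.
    for r in routes:
        if r["track"] is not None and r["track"] not in tracks:
            findings.append(("undefined-track", r["line"]))
    # 2. Where a floating (higher-distance) backup exists, a preferred route
    #    with no track is never withdrawn by the tracker and keeps the
    #    floating route out of the routing table.
    by_dest = {}
    for r in routes:
        by_dest.setdefault((r["prefix"], r["mask"]), []).append(r)
    for group in by_dest.values():
        distances = {r["distance"] for r in group}
        if len(distances) < 2:
            continue
        best = min(distances)
        for r in group:
            if r["distance"] == best and r["track"] is None:
                findings.append(("untracked-primary", r["line"]))
    return findings


if __name__ == "__main__":
    for kind, line in audit_failover(SAMPLE_CONFIG):
        print(f"{kind}: {line}")
```

The audit looks only at static routes and track definitions; NAT rules and access lists are outside what it checks.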
VIP Mentor

Re: No internet access through dialer when failing over

Good catch as well!

 

Curious to know if it works if both these lines are fixed...

VIP Mentor

Re: No internet access through dialer when failing over

Yes, nice catch by both. The track and the duplicate route should give the user what is needed to fix the issue; if not, we need to ask the user to post the latest config for review and input.

BB
*** Rate All Helpful Responses ***
Hall of Fame Guru

Re: No internet access through dialer when failing over

The original poster has told us that they are able to make it fail over to the backup but have issues "then it fails over to the FTTC line and carries on but if i try to start anything new (again either a ping or browsing etc) then it doesn't work ?" I hope that they will fix the items we have identified and then post the updated config so that we can look for other issues. 

HTH

Rick