05-03-2011 08:01 AM - edited 03-04-2019 12:15 PM
Hi there,
I am trying to set up an 1841 with dual ISP failover; however, it seems not to be working correctly and I'm a bit stuck as to why. With a route in place of "ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx" all works fine; as soon as I delete that and add "ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx track 1" everything goes down and I am unable to ping 4.2.2.2 from int f0/0. I must be setting up the IP SLA incorrectly? Thanks in advance for any help. Here is my config:
ip sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2 source-interface FastEthernet0/0
timeout 500
frequency 10
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
track 1 rtr 1 reachability
!
!
!
!
interface FastEthernet0/0
description WAN1
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN2
ip address yyy.yyy.yyy.yyy 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/0/0
duplex full
speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
description LAN
ip address aaa.aaa.aaa.aaa 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.25 track 1
ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.37 10
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit aaa.aaa.aaa.aaa 0.0.0.255
access-list 2 remark Internet access list 2
access-list 2 permit aaa.aaa.aaa.aaa 0.0.0.255
access-list 60 permit aaa.aaa.aaa.53
!
!
!
control-plane
!
!
!
line con 0
password 7 2041212312312321321313123112
line aux 0
line vty 0 4
password 7 02161232312313213123
login local
rotary 1
transport preferred ssh
transport input telnet
line vty 5
password 7 123123123123123
login local
Gordon
05-07-2011 02:29 AM
Hi Guys,
Your IP SLA looks good to me. 4.2.2.2 is not a directly connected network, right? So you need to tell the router where it can ping 4.2.2.2. It must be in the RIB.
!
ip route 4.2.2.2 255.255.255.255 xxx.xxx.xxx.25
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.25 track 1
ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.37 10
!
Toshi
05-07-2011 02:13 AM
Can you refer to the link below and modify the config?
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml
05-10-2011 01:52 AM
Thanks very much to both of you for your help. I changed the NAT a little as well and all is good now. One thing that I'm still trying to figure out is when I have a running ping to, say, 8.8.8.8 from a client PC and I force failover to the backup line, the ping to 8.8.8.8 fails until the primary is reinstated, despite the fact that I have WAN access. I guess it is a NAT issue? Could I solve this by clearing the NAT table when the failover occurs?
Anyway, here is my failover config that runs great, and thanks again for your help.
enable secret 5 $1$jYzP$JHBn4sdfsdfwdqwdq.vZrUn/
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address
!
ip dhcp pool Icon
network 192.168.1.0 255.255.255.0
domain-name iconx
default-router 192.168.1.x
dns-server 192.168.1.x 192.168.1.x 192.168.1.x
lease 1 2 1
!
ip dhcp pool 360
host 192.168.1.x 255.255.255.0
client-identifier 01xx.125a.4xc2.xx
client-name G360
!
!
ip domain name iconxxx.ccc
ip name-server 192.168.1.x
ip name-server 192.168.1.x
ip ssh port 2001 rotary 1 10
ip ssh version 2
ip sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2
timeout 100
frequency 1
ip sla monitor schedule 10 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-341xxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-341xxxxxx
revocation-check none
rsakeypair TP-self-signed-34xxxxxx
!
!
crypto pki certificate chain TP-self-signed-34xxxxxx
certificate self-signed 01
3082024B 308201B4 Axxxxx 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343134 36313633 3334301E 170D3130 30353034 30383335
35375A17 0D323030 31303130 30xxxxx0 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34313436
31363333 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DAE8 218F8AD9 524DDB66 D0163CB4 0143F447 E6ABE46E EA7CEA98 FE130D67
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
77A3A0AD 9BAA3253 4E308B57 98E2415D 4E69872E 9DCA14C7 4DF9F9A1 45FB4E91
7CE0D01A 119422D9 CC665B14 05892A
quit
username gkonheiser privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
track 10 rtr 10 reachability
!
!
!
!
interface FastEthernet0/0
description swisscom WAN
ip address xxx.xxx.xxx.26 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Cablecom WAN
ip address yyy.yyy.yyy.38 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/0/0
duplex full
speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
description LAN
ip address 192.168.1.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.25 track 10
ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.37 20
ip route 4.2.2.2 255.255.255.255 xxx.xxx.xxx.25
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat1 interface FastEthernet0/0 overload
ip nat inside source route-map nat2 interface FastEthernet0/1 overload
i
!
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
snmp-server enable traps tty
!
route-map nat2 permit 10
match ip address 150
match interface FastEthernet0/1
!
route-map nat1 permit 10
match ip address 150
match interface FastEthernet0/0
!
route-map isp2 permit 10
match interface FastEthernet0/1
!
route-map isp1 permit 10
match interface FastEthernet0/0
!
!
!
!
control-plane
!
!
!
line con 0
password 7 0xxxxxxxxxxxxxxxxxxxx
line aux 0
line vty 0 4
session-timeout 180
exec-timeout 180 0
password 7 06xxxxxxxxxxxxxxxxxxxx
login local
rotary 1
transport preferred ssh
transport input telnet
line vty 5
session-timeout 180
exec-timeout 180 0
password 7 0xxxxxxxxxxxxxxxxxxxxxx
login local
rotary 1
transport preferred ssh
transport input ssh
line vty 6 15
session-timeout 180
exec-timeout 180 0
password 7 0xxxxxxxxxxxxxxxxxxxxxxxxxx
login local
rotary 1
transport preferred ssh
transport input ssh
line vty 16 807
session-timeout 180
exec-timeout 180 0
password 7 1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
login local
rotary 1
transport preferred ssh
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178748
ntp update-calendar
ntp server 195.216.64.208 prefer
end
05-10-2011 02:33 AM
Hi,
I'm glad that you managed to get failover working. As per your question, it might be a NAT problem. You can test failover and then clear the NAT entry for testing. If it works, you might need to adjust the NAT timeout.
HTH,
Toshi
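The two points made in this thread (the probe target needs its own host route pinned to the primary next hop, and translations built before failover stay bound to the primary path until they are cleared) can be checked with a small model of IOS static-route selection. The following is an added example, not configuration or code from the thread or from Cisco: it models only static routes with administrative distance, a track object driven by an IP SLA echo probe that is itself routed by the RIB, longest-prefix-match lookup, and a NAT table that remembers the path a flow was first translated on. The gateway addresses are constructed stand-ins for the masked xxx/yyy values, and the "reuse the cached path" NAT behaviour is a deliberate simplification of what a stale overload translation does.

```python
"""Model of IOS tracked static routes and a NAT table during ISP failover.

Added example (not from the thread). Assumptions: constructed gateway
addresses, track object 10 as in the poster's final config, and a NAT
table that keeps reusing the egress path a flow was first translated on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses standing in for the thread's masked xxx/yyy values.
PRIMARY_GW = "203.0.113.25"   # next hop on FastEthernet0/0 (primary ISP)
BACKUP_GW = "198.51.100.37"   # next hop on FastEthernet0/1 (backup ISP)
PROBE_TARGET = "4.2.2.2"      # the IP SLA echo target used in the thread
TRACK_ID = 10


@dataclass
class Route:
    prefix: str                  # e.g. "0.0.0.0/0"
    next_hop: str
    distance: int = 1            # administrative distance
    track: Optional[int] = None  # track object that must be up, if any


class Router:
    def __init__(self, routes, isp_up):
        self.routes = routes
        self.isp_up = dict(isp_up)        # next_hop -> True if that ISP path works
        self.track_up = {TRACK_ID: True}  # the probe was passing before the failure
        self.nat = {}                     # (inside_ip, dport) -> egress next hop

    def installed(self):
        """RIB contents: tracked routes need their object up; per prefix,
        only the route with the lowest administrative distance is kept."""
        best = {}
        for r in self.routes:
            if r.track is not None and not self.track_up.get(r.track, False):
                continue
            if r.prefix not in best or r.distance < best[r.prefix].distance:
                best[r.prefix] = r
        return list(best.values())

    def lookup(self, dst):
        """Longest-prefix match over installed routes; None if unroutable."""
        addr = ip_address(dst)
        cands = [r for r in self.installed() if addr in ip_network(r.prefix)]
        if not cands:
            return None
        return max(cands, key=lambda r: ip_network(r.prefix).prefixlen)

    def run_probe(self):
        """One IP SLA echo cycle. The probe packet is routed by the RIB,
        so its result depends on which route currently carries 4.2.2.2."""
        r = self.lookup(PROBE_TARGET)
        ok = r is not None and self.isp_up[r.next_hop]
        self.track_up[TRACK_ID] = ok
        return ok

    def default_next_hop(self):
        r = self.lookup("8.8.8.8")       # any Internet destination
        return r.next_hop if r else None

    def probe_history(self, cycles=6):
        """Egress next hop for Internet traffic after each probe cycle."""
        return [self.default_next_hop() for _ in range(cycles) if self.run_probe() or True]

    def translate(self, inside_ip, dport):
        """NAT overload: a flow keeps the path it was first translated on
        until the entry is cleared (simplified model of a stale translation)."""
        key = (inside_ip, dport)
        if key not in self.nat:
            self.nat[key] = self.default_next_hop()
        return self.nat[key]

    def clear_nat(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.nat.clear()


def routes_for(host_route):
    routes = [Route("0.0.0.0/0", PRIMARY_GW, 1, track=TRACK_ID),
              Route("0.0.0.0/0", BACKUP_GW, 20)]
    if host_route:   # Toshi's fix: pin the probe target to the primary next hop
        routes.append(Route("4.2.2.2/32", PRIMARY_GW))
    return routes


def failover_path(host_route):
    """Primary ISP is down; which next hop carries traffic after each cycle?"""
    r = Router(routes_for(host_route), {PRIMARY_GW: False, BACKUP_GW: True})
    return r.probe_history()


def stale_translation_demo():
    """Flow translated before failover keeps the dead path until cleared."""
    r = Router(routes_for(True), {PRIMARY_GW: True, BACKUP_GW: True})
    r.run_probe()
    before = r.translate("192.168.1.50", 3000)   # built while primary was up
    r.isp_up[PRIMARY_GW] = False
    r.run_probe()                                 # failover to the backup
    stale = r.translate("192.168.1.50", 3000)    # same flow, cached dead path
    r.clear_nat()
    fresh = r.translate("192.168.1.50", 3000)    # re-translated on the backup
    return before, stale, fresh


if __name__ == "__main__":
    print("no host route :", failover_path(False))
    print("with host route:", failover_path(True))
    print("NAT before/stale/after clear:", stale_translation_demo())
```

Without the /32 route the probe follows whichever default route is installed, so when the primary fails the track object goes down, the backup default takes over, the next probe succeeds through the backup, the track comes back up and the primary default is reinstalled: the model flaps between the two gateways every cycle. With the host route the probe is always sent toward the primary next hop, so the track stays down and the backup route remains stable, which is exactly why Toshi's extra route matters. The NAT function shows the second symptom: a flow translated before the failure keeps its old path until the translation is cleared or times out.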
02-24-2013 12:08 AM
Doesn't make sense to add a specific route for the target IP address.
What is the difference between
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.25 track 10
and
ip route 4.2.2.2 255.255.255.255 xxx.xxx.xxx.25
Also
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable. The value after
!--- the keyword "track" is a tracking ID you specify.
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
!--- Define the backup route to use when the tracked object is unavailable.
!--- The administrative distance of the backup route must be greater than
!--- the administrative distance of the tracked route.
!--- If the primary gateway is unreachable, that route is removed
!--- and the backup route is installed in the routing table
!--- instead of the tracked route.