Enthusiast

Route-Map Issue

Hello Experts,

 

I am facing an issue with routing, specifically with route-maps.

Background:

I have two ACLs, one for SAP and the other for the rest of the traffic. SAP traffic must pass via MPLS and the rest via normal forwarding over the internet VPN.

 

Issue: Once the internet lines are having packet loss, users from the location can't even log in to the SAP server, which is in the headquarters, even though we have a route-map for SAP traffic which should traverse via MPLS, and MPLS is working fine all the time.

 

What is causing SAP traffic to go over the internet and not via MPLS?

Here is the config from the remote location:

--------------------------------------------

hostname TESRCVPN1
!
!
!
vrf definition ISP1
rd 1:1
!
address-family ipv4
exit-address-family
!
vrf definition ISP2
rd 2:2
!
address-family ipv4
exit-address-family
!
!
!
skip
!
!
!
!
track 55 ip sla 55 reachability
!
track 100 ip sla 100 reachability
!
track 101 ip sla 101 reachability
!
!
crypto keyring ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key <key>
crypto keyring ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key <key>
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ts_hasel_aes esp-aes esp-sha-hmac
mode transport
!
!
crypto ipsec profile vpn_profile_hasel_aes
set transform-set ts_hasel_aes
!
crypto ipsec profile vpn_profile_hasel_aes_2
set transform-set ts_hasel_aes
!
!
!
!
!
!
interface Loopback0
description *** IP 10.55.0.1 ***
ip address 10.55.0.1 255.255.255.255
!
!
interface Tunnel56
description *** Spoke - Primary Cloud ***
bandwidth 15000
ip address 172.25.56.55 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Test12345
ip nhrp map 172.25.56.50 116.246.31.146
ip nhrp map multicast 116.246.31.146
ip nhrp map 172.25.56.56 106.120.192.42
ip nhrp map multicast 106.120.192.42
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.25.56.56 priority 1 cluster 5
ip nhrp nhs 172.25.56.50 priority 2 cluster 5
ip nhrp nhs cluster 5 max-connections 2
ip nhrp nhs fallback 5
ip tcp adjust-mss 1360
delay 3000
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel vrf ISP1
tunnel protection ipsec profile vpn_profile_hasel_aes_2 shared
!
interface Tunnel156
description *** Spoke - Secondary Cloud ***
bandwidth 4000
ip address 172.25.156.55 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Test12345
ip nhrp map 172.25.156.50 211.95.31.106
ip nhrp map multicast 211.95.31.106
ip nhrp map 172.25.156.56 111.203.39.34
ip nhrp map multicast 111.203.39.34
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.25.156.56 priority 1 cluster 6
ip nhrp nhs 172.25.156.50 priority 2 cluster 6
ip nhrp nhs cluster 6 max-connections 2
ip nhrp nhs fallback 5
ip tcp adjust-mss 1360
delay 3001
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 2
tunnel path-mtu-discovery
tunnel vrf ISP2
tunnel protection ipsec profile vpn_profile_hasel_aes shared
!
interface Tunnel556
bandwidth 18000
ip address 10.13.98.55 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication HA18BJ56
ip nhrp map 10.13.98.4 195.243.205.105
ip nhrp map multicast 195.243.205.105
ip nhrp map 10.13.98.5 212.185.41.197
ip nhrp map multicast 212.185.41.197
ip nhrp network-id 3
ip nhrp holdtime 300
ip nhrp nhs 10.13.98.4 priority 1 cluster 1
ip nhrp nhs 10.13.98.5 priority 2 cluster 1
ip nhrp nhs cluster 1 max-connections 2
ip nhrp server-only
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 3
tunnel vrf ISP2
tunnel protection ipsec profile vpn_profile_hasel_aes shared
!
interface Tunnel5656
bandwidth 20000
ip address 10.13.198.55 255.255.255.0
no ip redirects
ip mtu 1400
ip flow monitor NTAmonitor input
ip nhrp authentication HA18BJ56
ip nhrp map 10.13.198.4 195.243.205.106
ip nhrp map multicast 195.243.205.106
ip nhrp map 10.13.198.5 212.185.41.198
ip nhrp map multicast 212.185.41.198
ip nhrp network-id 4
ip nhrp holdtime 300
ip nhrp nhs 10.13.198.4 priority 1 cluster 4
ip nhrp nhs 10.13.198.5 priority 2 cluster 4
ip nhrp nhs cluster 4 max-connections 2
ip nhrp server-only
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 4
tunnel vrf ISP1
tunnel protection ipsec profile vpn_profile_hasel_aes_2 shared
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description *** To MPLS Device 172.24.55.2 ***
ip address 172.24.55.1 255.255.255.248
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description *** 2nd Provider, ISP2 ***
vrf forwarding ISP2
ip address 61.138.187.18 255.255.255.248
ip access-group internet in
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
no cdp enable
!
interface GigabitEthernet0/2
description *** 1st Provider, ISP1 ***
vrf forwarding ISP1
ip address 123.172.16.170 255.255.255.248
ip access-group internet in
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 100
!
interface GigabitEthernet0/0/0
description *** Failover ***
switchport access vlan 4
no ip address
!
interface GigabitEthernet0/0/1
description *** CHCWAFS1 10.55.3.201 ***
switchport access vlan 3
no ip address
no cdp enable
!
interface GigabitEthernet0/0/2
description *** CHNFPAN1 ***
switchport access vlan 6
no ip address
no cdp enable
!
interface GigabitEthernet0/0/3
description *** CHNFPAN2 ***
switchport access vlan 6
no ip address
no cdp enable
!
interface GigabitEthernet0/1/0
description *** Mngmt CHNFPAN1 10.55.6.100 ***
switchport access vlan 6
no ip address
no cdp enable
!
interface GigabitEthernet0/1/1
description *** Mngmt CHNFPAN2 10.55.6.101 ***
switchport access vlan 6
no ip address
no cdp enable
!
interface GigabitEthernet0/1/2
description *** Mngmt CHNFPANx Spare ***
switchport access vlan 6
no ip address
no cdp enable
!
interface GigabitEthernet0/1/3
description *** Mngmt CHCWAFS1 10.55.3.202 ***
switchport access vlan 3
no ip address
!
interface Vlan1
description *** Management VLAN 1 ***
no ip address
shutdown
!
interface Vlan3
description *** WAAS-GW 10.55.3.254 ***
ip address 10.55.3.254 255.255.255.0
!
interface Vlan4
description *** failover Vlan ***
ip address 10.55.4.252 255.255.255.0
standby 4 ip 10.55.4.254
standby 4 priority 110
standby 4 preempt
standby 4 authentication G@t4it
!
interface Vlan6
description *** Firewall Transfer VLAN ***
ip address 10.55.6.254 255.255.255.0
ip mtu 1300
ip tcp adjust-mss 1260
ip policy route-map GM_SAP
!
!
router eigrp 1
distribute-list prefix filter_eigrp out
network 10.13.98.0 0.0.0.255
network 10.13.198.0 0.0.0.255
network 10.55.0.0 0.0.255.255
network 172.25.56.0 0.0.0.255
network 172.25.156.0 0.0.0.255
redistribute static route-map static2EIGRP
passive-interface Loopback0
!
ip local policy route-map local_out
ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip tftp source-interface Vlan1
ip route 0.0.0.0 0.0.0.0 172.24.55.2 171 name MPLS_HQ
ip route 10.55.0.0 255.255.0.0 10.55.6.1
ip route 160.46.87.0 255.255.255.0 10.55.6.1 name Test-BBC
ip route 172.24.18.0 255.255.255.0 172.24.55.2 name MPLS_HQ
ip route vrf ISP1 0.0.0.0 0.0.0.0 123.172.16.169
ip route vrf ISP2 0.0.0.0 0.0.0.0 61.138.187.17
ip ssh version 2
!
ip access-list extended GM_OTHERS
permit ip 10.55.0.0 0.0.255.255 10.18.2.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.3.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.4.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.5.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.6.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.7.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.8.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.9.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.14.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.15.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.18.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.19.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.20.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.21.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.24.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.218.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.219.0 0.0.0.255
ip access-list extended GM_SAP
permit ip 10.55.0.0 0.0.255.255 10.18.10.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 10.18.11.0 0.0.0.255
permit ip 10.55.0.0 0.0.255.255 host 10.18.21.58
permit ip 10.55.0.0 0.0.255.255 host 10.18.20.121
permit ip 160.46.87.0 0.0.0.255 host 10.18.21.58
permit ip 160.46.87.0 0.0.0.255 host 10.18.20.121
permit ip 10.55.0.0 0.0.255.255 host 10.18.20.80
permit ip 10.55.0.0 0.0.255.255 host 10.18.21.81
ip access-list extended ISP1
permit ip host 123.172.16.170 any
ip access-list extended ISP2
permit ip host 61.138.187.18 any
ip access-list extended WAAS_OPT
deny tcp any any eq 8192
deny tcp any any eq 8194
remark Haselmuehl
permit tcp 10.18.0.0 0.0.255.255 any
permit tcp any 10.18.0.0 0.0.255.255
deny ip any any
ip access-list extended internet
remark Auto generated by CCP for NTP (123) 10.18.2.6
permit udp host 10.18.2.6 eq ntp host 61.138.187.18 eq ntp
permit gre any any
permit esp any any
permit udp any eq isakmp any eq isakmp
permit tcp host 62.153.226.20 any eq 22
permit tcp host 212.185.199.2 any eq 22
permit icmp host 62.153.226.20 host 61.138.187.18 echo
permit icmp host 62.153.226.20 host 61.138.187.18 traceroute
permit icmp host 62.153.226.20 host 123.172.16.170 echo
permit icmp host 62.153.226.20 host 123.172.16.170 traceroute
permit udp host 10.18.2.6 eq ntp host 123.172.16.170 eq ntp
permit icmp host 212.185.41.204 host 123.172.16.170 echo
permit icmp host 212.185.41.204 host 123.172.16.170 traceroute
permit icmp host 195.243.205.120 host 123.172.16.170 traceroute
permit icmp host 195.243.205.120 host 123.172.16.170 echo
!
!
ip prefix-list filter_eigrp seq 5 deny 10.18.2.0/24
ip prefix-list filter_eigrp seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list static2EIGRP seq 5 permit 10.55.0.0/16 le 32
ip sla 55
icmp-echo 172.24.18.6 source-interface GigabitEthernet0/0
threshold 300
timeout 1000
frequency 4
ip sla schedule 55 life forever start-time now
ip sla 100
icmp-echo 10.13.198.4 source-interface Tunnel5656
threshold 300
timeout 1000
frequency 4
ip sla schedule 100 life forever start-time now
ip sla 101
icmp-echo 10.13.198.5 source-interface Tunnel5656
threshold 300
timeout 1000
frequency 4
ip sla schedule 101 life forever start-time now
ip access-list logging interval 10
logging source-interface Loopback0
logging host 10.18.2.18
!
route-map GM_SAP permit 5
description *** Only SAP Traffic Allowed ***
match ip address GM_SAP
set ip next-hop verify-availability 172.24.55.2 1 track 55
!
route-map GM_SAP permit 6
description *** Only Other Traffic Allowed ***
match ip address GM_OTHERS
set ip next-hop verify-availability 10.13.198.4 1 track 100
set ip next-hop verify-availability 10.13.198.5 2 track 101
!
route-map GM_SAP permit 7
!
route-map local_out permit 10
match ip address ISP1
set ip next-hop 123.172.16.169
!
route-map local_out permit 20
match ip address ISP2
set ip next-hop 61.138.187.17
!
route-map static2EIGRP permit 10
match ip address prefix-list static2EIGRP
!

-------------------------------------------

 

Thanks in advance

 

7 REPLIES
Participant

What do the return routes look like from the headquarters to the branch? Could they be using the VPN?
VIP Collaborator

Hello,

 

When you ping your SAP address, what is the latency? Greater than 300? If yes, that answers your issue, because all of your SLA thresholds are configured as below.

 

route-map GM_SAP permit 5
description *** Only SAP Traffic Allowed ***
match ip address GM_SAP
set ip next-hop verify-availability 172.24.55.2 1 track 55
!

ip sla 55
icmp-echo 172.24.18.6 source-interface GigabitEthernet0/0
threshold 300
timeout 1000

 

So, if your traffic sometimes goes above 300 ms, your route-map will not be used; I suggest changing this threshold from 300 to 400.

Jaderson Pessoa
*** Rate All Helpful Responses ***
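The policy-routing logic behind the GM_SAP route-map in the posted config, and the IP SLA threshold question raised in the reply above, as an added example that is not part of this thread or of any Cisco code: a small Python model of how IOS evaluates an interface route-map with `set ip next-hop verify-availability ... track`, fed with the ACL entries and track numbers from the page. The two flows (10.55.6.10 to 10.18.10.5 and to 10.18.2.10) are constructed, GM_OTHERS is trimmed to two of its entries, and the track mapping assumes standard IOS semantics: a `reachability` track stays up on an OverThreshold return code and goes down only on Timeout, whereas a `state` track also goes down on OverThreshold.

```python
import ipaddress


def _ip(addr):
    """Dotted-quad string -> 32-bit int."""
    return int(ipaddress.IPv4Address(addr))


def parse_ace(line):
    """Parse one extended-ACL entry in the form used on the page:
    'permit ip <net> <wildcard> <net> <wildcard>', with 'host A' or 'any'
    allowed in either position. Returns (action, (src, wild), (dst, wild))."""
    toks = line.split()
    action, rest = toks[0], toks[2:]          # toks[1] is the protocol ('ip')
    fields = []
    while len(fields) < 2:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF)); rest = rest[1:]
        elif rest[0] == "host":
            fields.append((_ip(rest[1]), 0)); rest = rest[2:]
        else:
            fields.append((_ip(rest[0]), _ip(rest[1]))); rest = rest[2:]
    return (action, fields[0], fields[1])


def _wild_match(addr, net, wild):
    """Cisco wildcard semantics: a wildcard bit of 1 means 'don't care'."""
    return ((addr & ~wild) & 0xFFFFFFFF) == ((net & ~wild) & 0xFFFFFFFF)


def acl_permits(acl, src, dst):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if _wild_match(src, sn, sw) and _wild_match(dst, dn, dw):
            return action == "permit"
    return False


def track_state(sla_return_code, tracking="reachability"):
    """Map an IP SLA return code to the state of 'track N ip sla N <tracking>'.
    reachability: UP for OK and OverThreshold (only Timeout brings it DOWN)
    state:        UP for OK only (OverThreshold also brings it DOWN)"""
    if tracking == "reachability":
        return sla_return_code in ("OK", "OverThreshold")
    return sla_return_code == "OK"


def pbr_next_hop(route_map, acls, tracks, src, dst):
    """PBR evaluation: the first sequence whose match ACL permits the flow is
    the only one considered. Its next hops are tried in order and the first
    one whose track is UP is used. If none is usable, or the sequence has no
    set clause, the packet falls back to normal destination-based routing;
    later sequences are NOT tried. A flow no sequence permits is routed
    normally as well."""
    for seq in route_map:
        acl_name = seq.get("match")
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            for next_hop, track_id in seq.get("next_hops", []):
                if tracks.get(track_id, True):
                    return next_hop
            return "normal-routing"
    return "normal-routing"


# ACL entries and track numbers copied from the page (GM_OTHERS trimmed).
ACLS = {
    "GM_SAP": [parse_ace(l) for l in (
        "permit ip 10.55.0.0 0.0.255.255 10.18.10.0 0.0.0.255",
        "permit ip 10.55.0.0 0.0.255.255 10.18.11.0 0.0.0.255",
        "permit ip 10.55.0.0 0.0.255.255 host 10.18.21.58",
        "permit ip 160.46.87.0 0.0.0.255 host 10.18.21.58",
    )],
    "GM_OTHERS": [parse_ace(l) for l in (
        "permit ip 10.55.0.0 0.0.255.255 10.18.2.0 0.0.0.255",
        "permit ip 10.55.0.0 0.0.255.255 10.18.21.0 0.0.0.255",
    )],
}
ROUTE_MAP_GM_SAP = [
    {"seq": 5, "match": "GM_SAP", "next_hops": [("172.24.55.2", 55)]},
    {"seq": 6, "match": "GM_OTHERS",
     "next_hops": [("10.13.198.4", 100), ("10.13.198.5", 101)]},
    {"seq": 7},                      # matches everything else, sets nothing
]


def scenario(sla_codes):
    """Given {track_id: SLA return code}, return the PBR result for a
    constructed SAP flow (10.55.6.10 -> 10.18.10.5) and a constructed
    non-SAP flow (10.55.6.10 -> 10.18.2.10) entering Vlan6."""
    tracks = {tid: track_state(code) for tid, code in sla_codes.items()}
    sap = pbr_next_hop(ROUTE_MAP_GM_SAP, ACLS, tracks,
                       _ip("10.55.6.10"), _ip("10.18.10.5"))
    other = pbr_next_hop(ROUTE_MAP_GM_SAP, ACLS, tracks,
                         _ip("10.55.6.10"), _ip("10.18.2.10"))
    return sap, other


if __name__ == "__main__":
    for label, codes in [
        ("all up", {55: "OK", 100: "OK", 101: "OK"}),
        ("internet loss", {55: "OK", 100: "Timeout", 101: "Timeout"}),
        ("MPLS slow", {55: "OverThreshold", 100: "OK", 101: "OK"}),
        ("MPLS timeout", {55: "Timeout", 100: "OK", 101: "OK"}),
    ]:
        print(f"{label:14s} SAP -> {scenario(codes)[0]:16s} other -> {scenario(codes)[1]}")
```

Two things the model makes visible: because a sequence that matches but has no usable next hop drops straight to the routing table, a destination such as 10.18.21.58 that appears as a host in GM_SAP is never handed to sequence 6 even though GM_OTHERS covers 10.18.21.0/24; and a threshold violation on SLA 55 alone does not change a reachability track, so "MPLS slow" and "all up" give the same answer. The model covers only traffic entering Vlan6, where `ip policy route-map GM_SAP` is applied; `ip local policy route-map local_out` governs router-originated packets and is not modelled.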

Pessoa,

 

Thank you.

 

Are you sure that if the ping time of MPLS is above 300 then data will flow via normal forwarding on the best route, and not via MPLS?

VIP Mentor

Hello,

 

Where is the IP address 172.24.18.6 in your network? You are using this address for the icmp-echo operation, but it is not on the same subnet as the source, 172.24.55.1/29. Is it an option to use 172.24.55.2 as the icmp target in your SLA?


172.24.18.6 is the MPLS IP in HQ (PE).

 

172.24.55.1 (remote router, CPE), 172.24.55.2 (remote location, PE)

 

We can use 172.24.55.2, but it is a direct connection and it will be up all the time. How can we monitor the HQ MPLS line from the remote location's MPLS for tracking?

VIP Mentor

Hello,

 

Does the IP SLA actually go down when the packet loss occurs?


Yes, IP SLA 100 & 101 go down when packet loss occurs on the internet lines, but IP SLA 55 (MPLS tracking) is up most of the time.