
route-map, match track clause not failing

liranh
Level 1

Hello to all,

I've been dealing with an issue regarding a route-map statement with a "match track" clause still being hit while the track is down.

I'm trying to configure a PBR that will apply only if I have a dialer connection. If the dialer connection is down, the normal route table should apply.
I have established a connection for dialer1 and virtual-ppp1. All traffic is routed through virtual-ppp1 and only one part of my LAN should be routed through dialer1.

Here is my configuration -

````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````
route-map dialer1 permit 10
 description route_via_dialer1
 match ip address route_via_dialer1
 match track  10
 set interface Dialer1

ip access-list extended route_via_dialer1
 permit ip object-group dialer1_ip_range any

ip sla 10
 icmp-echo 10.10.3.191 source-interface dialer 1
 tag ** Ping monitoring to ISP Via Dialer1_DSL_Line and change routes in case of ping failure **
 frequency 65
 timeout 65000
ip sla schedule 10 life forever start-time now

track 10 ip sla 10

ip route 0.0.0.0 0.0.0.0 virtual-PPP1

````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````

I've set up 2 PCs, one at each network segment, and I ran 'ping 8.8.8.8'.
I ran 'debug ip policy' while both connections were up. The traffic is routed as it should be.
When I disconnect the line from the modem, I see that the traffic from my dialer1_ip_range is still being routed to interface dialer1, and of course that's not possible and I get 'Request time out'.
I checked the status of track 10 and I see that it's down.

What have I missed?

 

 


George Rizk
Level 1

I too am facing the exact same issue. Did anyone manage to solve this?

I'm also having the same issue using 15.6(2)T2. Has anyone resolved this yet?

Hello

I cannot see your ACL; however, a basic PBR with object tracking and IP SLA would be something like this:

Let's say your PBR next-hop is 20.20.20.20
your static default is your virtual ppp interface
PBR subnet is 10.10.10.0/24

ip route 0.0.0.0 0.0.0.0 virtual-PPP1

ip access-list extended STAN
 remark source subnet for PBR
 permit ip 10.10.10.0 0.0.0.255 any

ip sla 10
 ! alternatively: icmp-echo 10.10.3.191 source-ip x.x.x.x
 icmp-echo 10.10.3.191 source-interface dialer 1
ip sla schedule 10 life forever start-time now

track 10 rtr 10 reachability
 ! optional dampening
 delay down 5 up 5

route-map PBR permit 10
 match ip address STAN
 ! syntax: <next-hop> <sequence> track <object>
 set ip next-hop verify-availability 20.20.20.20 1 track 10

int x/x
 description Lan facing subnet
 ip policy route-map PBR

res
Paul



Hi Paul,

I don't see any issues with his original config at all. I have posted the same issue over here as I feel MATCH TRACK in the ROUTE-MAP has bugs in it and for the life of me I can't find anyone who has actually used it successfully.

I will re-post my issue here, which is exactly the same as Liranh's.


=======

Here is what I want PBR to do:
VOIP ROUTE-MAP = Use GigabitEthernet0/0 Internet connection as default and fall back to Dialer1 if GigabitEthernet0/0 is not working
GENERAL ROUTE-MAP = Use Dialer0 as default and fall back to GigabitEthernet0/0 if Dialer0 is not working
GENERAL-EPO ROUTE-MAP = Use Dialer1 as default and fallback to GigabitEthernet0/0 if Dialer1 is not working

Here is the code:

no ip domain-lookup
ip domain-name DOMAIN.LOCAL

ip sla 1
icmp-echo 192.231.203.132 source-interface Dialer0
timeout 2000
frequency 5
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 192.231.203.3 source-interface Dialer1
timeout 2000
frequency 5
ip sla schedule 2 life forever start-time now

ip sla 3
icmp-echo 192.189.54.17 source-interface GigabitEthernet0/0
timeout 2000
frequency 5
ip sla schedule 3 life forever start-time now

track 10 ip sla 1 reachability
delay down 2 up 2
!
track 20 ip sla 2 reachability
delay down 2 up 2
!
track 30 ip sla 3 reachability
delay down 2 up 2
!
bridge irb
ip cef
!
spanning-tree mode pvst
interface GigabitEthernet0/0
 Description AAPT
 ip address 10.0.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no shutdown
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.254 255.255.255.0
 ip helper-address 192.168.0.10
 ip nat inside
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1412
 ip virtual-reassembly
 ip policy route-map GENERAL
 no shutdown

!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 7
 ip flow ingress
 ip virtual-reassembly
 ip address 192.168.7.254 255.255.255.0
 ip helper-address 192.168.0.10
 ip nat inside
 ip tcp adjust-mss 1412
 ip policy route-map GENERAL-EPO
 no shutdown
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 100
 ip address 192.168.100.254 255.255.255.0
 ip helper-address 192.168.0.10
 ip nat inside
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 ip policy route-map VOIP
 no shutdown
!
interface ATM0/0/0
 description INT1
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
 encapsulation aal5mux ppp dialer
 dialer pool-member 1
!
interface ATM0/1/0
 description INT2
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
 encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp chap hostname username
 ppp chap password 0 password
 ppp pap sent-username username password 0 password
 ppp ipcp dns request
 ppp ipcp address accept
 no cdp enable
 ip rtp header-compression iphc-format
!
interface Dialer1
 bandwidth inherit
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer idle-timeout 0
 dialer-group 2
 ppp chap hostname username
 ppp chap password 0 password
 ppp pap sent-username username password 0 password
 ppp ipcp dns request
 ppp ipcp address accept
 no cdp enable
 ip rtp header-compression iphc-format
!
no ip nat service sip udp port 5060
ip nat inside source route-map INT1 interface Dialer0 overload
ip nat inside source route-map INT2 interface Dialer1 overload
ip nat inside source route-map INT3 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.10 25480 interface Dialer0 25480
ip nat inside source static tcp 192.168.0.30 443 interface Dialer0 25443
ip route 192.231.203.132 255.255.255.255 Dialer0
ip route 192.231.203.3 255.255.255.255 Dialer1
ip route 192.189.54.17 255.255.255.255 10.0.0.1
ip route 0.0.0.0 0.0.0.0 Dialer0 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 track 20
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 30
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1.1
ip flow-export version 5
ip flow-export destination 192.168.0.10 29996
!
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 11 permit 192.168.7.0 0.0.0.255
access-list 12 permit 192.168.100.0 0.0.0.255
access-list 100 remark (Access List for Default VLAN1)
access-list 100 permit gre 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark (Access List for Default VLAN7)
access-list 101 permit gre 192.168.7.0 0.0.0.255 any
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
access-list 102 remark (Access List for Default VLAN100)
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map VOIP permit 10
 match ip address 102
 match track 30
 set interface GigabitEthernet0/0
!
route-map VOIP permit 20
 match ip address 102
 match track 20
 set interface Dialer1
!
route-map GENERAL permit 10
 match ip address 100
 match track 10
 set interface Dialer0
!
route-map GENERAL permit 20
 match ip address 100
 match track 30
 set interface GigabitEthernet0/0
!
route-map GENERAL-EPO permit 10
 match ip address 101
 match track 20
 set interface Dialer1
!
route-map GENERAL-EPO permit 20
 match ip address 101
 match track 30
 set interface GigabitEthernet0/0
!
route-map INT1 permit 10
match ip address 10
match interface Dialer0
!
route-map INT2 permit 10
match ip address 11
match interface Dialer1
!
route-map INT3 permit 10
match ip address 12
match interface GigabitEthernet0/0
!


bridge 1 protocol ieee
!
line con 0
!
line aux 0
!
line vty 0 4
 access-class 23 in
 privilege level 15
 login
 transport input all
 transport output all
!
!
!
end
                                

Note that I am using the supported IOS software release for the new "MATCH TRACK" feature.

Here is the MATCH TRACK Cisco article which doesn't really give too much away.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr-match-track-object.html

I am using Cisco IOS software 15.4(3)M as well.


liranh
Level 1

I am still struggling with this issue.

Did anyone manage to get it to work?

I gave up on using MATCH TRACK in the route MAP and had to look at alternative solutions for my triple WAN connection.

It's a pity because I feel this command could be very useful if it actually worked as documented by Cisco.

Agree.

I'll keep this post alive in hope that some day this issue will resolve.
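
Before attributing the behaviour discussed in this thread to an IOS defect, it helps to rule out a broken reference chain: route-map `match track` → `track` object → `ip sla` operation → `ip sla schedule`. The Python check below is an added example, not code from any poster in this thread; the function name `audit_match_track` and the `broken` route-map in the sample are constructed for illustration.

```python
import re

# Constructed sample: the original poster's configuration from this thread,
# plus one deliberately broken route-map (track 99 is never defined).
SAMPLE = """\
route-map dialer1 permit 10
 match ip address route_via_dialer1
 match track  10
 set interface Dialer1
route-map broken permit 10
 match track 99
 set interface Dialer1
ip sla 10
 icmp-echo 10.10.3.191 source-interface dialer 1
ip sla schedule 10 life forever start-time now
track 10 ip sla 10
"""

def audit_match_track(config):
    """Return (route_map, seq, track_id, problem) for every broken reference."""
    tracks, slas, scheduled, uses = {}, set(), set(), []
    current = None  # (name, sequence) of the route-map entry being read
    for raw in config.splitlines():
        line = raw.strip()  # pasted configs often lose their indentation
        if m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", line):
            current = (m.group(1), int(m.group(2)))
        elif m := re.match(r"match track\s+(\d+)$", line):
            if current:
                uses.append((*current, int(m.group(1))))
        elif m := re.match(r"track (\d+) (?:ip sla|rtr) (\d+)", line):
            tracks[int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"ip sla schedule (\d+)", line):
            scheduled.add(int(m.group(1)))
        elif m := re.match(r"ip sla (\d+)$", line):
            slas.add(int(m.group(1)))
    findings = []
    for name, seq, tid in uses:
        if tid not in tracks:
            findings.append((name, seq, tid, "track object not defined"))
        elif tracks[tid] not in slas:
            findings.append((name, seq, tid, "ip sla operation not defined"))
        elif tracks[tid] not in scheduled:
            findings.append((name, seq, tid, "ip sla operation not scheduled"))
    return findings

if __name__ == "__main__":
    for finding in audit_match_track(SAMPLE):
        print(finding)
```

An empty result for a route-map means its tracking chain is complete in the configuration, so a `match track` clause that still matches while the track is down is not explained by a missing definition.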