cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
780
Views
0
Helpful
6
Replies

Routing Config Issue

Joe Lee
Level 1
Level 1

All-

To make it easier to explain my problem, I am attaching the network diagram.

R1 is remote site that runs IPSec VPN and it setup the accordingly primary and failover L2L VPN to R2 and R7. R2 and R3 are in the data center, and R6 and R7 are in the seondary data cenetr. R3, R4, R5, and R6 are all connected to the MPLS cloud via BGP. All the router are running eBGP here, except the remote router R1.

R 2 and R7 are running the static route for the subnet in the remote site. My issue is...when the primary VPN down, the failover VPN switches as an actived mode. On the router R5, supposed the route to the subnet in the remote site R1, should be R5->R6->R7->R1, but the route still goes R5->R3->R2->R1.The crypto Phase I is up, but it appears there is the routing issue. Please advice how to adjust the routing so we can reach the remote site when the primary is down through the backup VPN.

Regards,

Joe

1 Accepted Solution

Accepted Solutions

smehrnia
Level 7
Level 7

Hi Joe,

Since R2 and R7 are using static routes to the remote subnet, when the route (VPN) goes down, they dont withdraw it from the routing table, causing a black hole in your network towards R1.

what you have to do is simply set up an IP SLA Echo that pings your R1 ip address constantly, and then bind the IP SLA tracker to your static route.

this way when there is reachability issues, such as link failure or whatever, your static route is withdrawn from the routing table and the other VPN takes control.

plz Rate if it helped,

Soroush.

Hope it Helps!

Soroush.

View solution in original post

6 Replies 6

smehrnia
Level 7
Level 7

Hi Joe,

Since R2 and R7 are using static routes to the remote subnet, when the route (VPN) goes down, they dont withdraw it from the routing table, causing a black hole in your network towards R1.

what you have to do is simply set up an IP SLA Echo that pings your R1 ip address constantly, and then bind the IP SLA tracker to your static route.

this way when there is reachability issues, such as link failure or whatever, your static route is withdrawn from the routing table and the other VPN takes control.

plz Rate if it helped,

Soroush.

Hope it Helps!

Soroush.

Thank you Soroush. Which router should I setup the IP SLA? Can you please provide me some detail on setting up the IP SLA Echo? Thanks again!

smehrnia
Level 7
Level 7

R 2 and R7 are running the static route for the subnet in the remote site.

as you said, R2 and R7 are responsible for R1 (remote) connection. so you have to set the ip sla on R2 and R7. then on both of these routers attach the ip sla to the static routes.

Example (but with different IOS versions the commands might slightly be different, you could look them up in cisco.com):

!! we assume that;  R1 = 10.1.1.1  -  subnets behind R1 are: 172.16.0.0/16  !!

config t

!

ip sla 1  OR  ip sla monitor 1

  icmp-echo 10.1.1.1 source-interface [if you need to source icmp-echo from a specific ip]

   timeout 2000

   frequency 2

! the frequency at which ping is sent, the smaller value, the faster networks knows abt the failure

ip sla schedule 1 life forever start now

!

track 1 rtr 1

!

ip route 172.16.0.0 255.255.0.0 10.1.1.1 track 1

----------------------------------------------------------------------


plz Rate if it helped,

Soroush.

Hope it Helps!

Soroush.

Thank you Soroush. couple questions/concerns. 1) R1 is the customer router, most of them, we can't ping their router ip address. 2) Can we setup ip sla on  R2 to ping the R7 router, and on R 7 to ping the R2?

anytime.

for ip sla (echo) to work you have to use the links that u r concerned about, because this ping simply checks connectivity and if it is lost, route is withdrawn. if you dont use R2 - R1 and R7 - R1 links in ur ping, ip sla is no use then. you can ping anything that makes it pass those links.

Hope it Helps,

Soroush.

Hope it Helps!

Soroush.

Thanks Soroush again. Due to unable to ping the router in seattle site, any options to solve my issue?

Review Cisco Networking for a $25 gift card