06-21-2012 01:22 PM - edited 03-04-2019 04:45 PM
All-
To make it easier to explain my problem, I am attaching the network diagram.
R1 is the remote site that runs IPsec VPN, and it sets up the primary and failover L2L VPNs to R2 and R7 accordingly. R2 and R3 are in the data center, and R6 and R7 are in the secondary data center. R3, R4, R5, and R6 are all connected to the MPLS cloud via BGP. All the routers are running eBGP here, except the remote router R1.
R2 and R7 are running static routes for the subnet in the remote site. My issue is... when the primary VPN goes down, the failover VPN switches to active mode. On router R5, the route to the subnet in the remote site R1 is supposed to be R5->R6->R7->R1, but the route still goes R5->R3->R2->R1. The crypto Phase I is up, but it appears there is a routing issue. Please advise how to adjust the routing so we can reach the remote site through the backup VPN when the primary is down.
Regards,
Joe
06-21-2012 01:30 PM
Hi Joe,
Since R2 and R7 are using static routes to the remote subnet, when the route (VPN) goes down they don't withdraw it from the routing table, causing a black hole in your network towards R1.
What you have to do is simply set up an IP SLA echo that pings your R1 IP address constantly, and then bind the IP SLA tracker to your static route.
This way, when there are reachability issues, such as a link failure or whatever, your static route is withdrawn from the routing table and the other VPN takes control.
plz Rate if it helped,
Soroush.
06-21-2012 02:09 PM
Thank you Soroush. Which router should I set up the IP SLA on? Can you please provide me some detail on setting up the IP SLA echo? Thanks again!
06-21-2012 02:27 PM
R2 and R7 are running the static route for the subnet in the remote site.
As you said, R2 and R7 are responsible for the R1 (remote) connection, so you have to set the IP SLA on R2 and R7. Then on both of these routers attach the IP SLA to the static routes.
Example (the commands might differ slightly between IOS versions; you can look them up on cisco.com):
!! we assume that R1 = 10.1.1.1 and the subnets behind R1 are 172.16.0.0/16 !!
config t
!
! on older IOS the command is "ip sla monitor 1" instead of "ip sla 1"
ip sla 1
 ! append "source-interface <interface>" only if you need to source the icmp-echo from a specific IP
 icmp-echo 10.1.1.1
 ! give up on a reply after 2000 ms
 timeout 2000
 ! the frequency (seconds) at which the ping is sent; the smaller the value, the faster the network knows about the failure
 frequency 2
ip sla schedule 1 life forever start-time now
!
! tracker follows the probe; on newer IOS the syntax is "track 1 ip sla 1 reachability"
track 1 rtr 1
!
! the static route is installed only while track 1 is up
ip route 172.16.0.0 255.255.0.0 10.1.1.1 track 1
end
----------------------------------------------------------------------
plz Rate if it helped,
Soroush.
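An added configuration example (not Soroush's or Joe's) that applies the same tracked-static idea to a hub using the current IOS syntax and adds the piece the thread's symptom points at: the hub must also stop advertising the prefix upstream once the static disappears. It assumes the probe target 10.1.1.1 and prefix 172.16.0.0/16 from the post above, an inside interface GigabitEthernet0/1, BGP AS 65001, and that R2 and R7 inject the remote prefix into BGP by redistributing the static; none of these is stated in the thread.

```cisco
! --- R2 (primary hub). R7 gets the same configuration with its own AS, interface and probe source. ---
ip sla 1
 ! the probe has to cross the R2-R1 tunnel itself, so it is sourced from an inside address that the
 ! tunnel carries (assumed interface); a probe that reaches R1 outside the tunnel proves nothing
 icmp-echo 10.1.1.1 source-interface GigabitEthernet0/1
 frequency 5
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
! reachability object with dampening: declared down after 15 s of failed probes, up only after 30 s
! of success, so a flapping tunnel does not churn the static route and the BGP update derived from it
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! static route exists only while track 1 is up
ip route 172.16.0.0 255.255.0.0 10.1.1.1 track 1
!
! assumption: the hub hands the prefix to the BGP routers (R3 here) by redistributing the tracked
! static; when the static is withdrawn the BGP route is withdrawn too, so R5 stops preferring
! R5->R3->R2 and follows R6->R7 while the primary tunnel is down
ip prefix-list REMOTE-SITE seq 5 permit 172.16.0.0/16
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list REMOTE-SITE
router bgp 65001
 redistribute static route-map STATIC-TO-BGP
```

Verify with "show track 1" and "show ip route 172.16.0.0" on the hub, and "show ip bgp 172.16.0.0" on R3/R5 after shutting the primary tunnel, to confirm the withdrawal actually propagates.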
06-26-2012 10:56 AM
Thank you Soroush. A couple of questions/concerns. 1) R1 is the customer router; for most of them, we can't ping their router IP address. 2) Can we set up IP SLA on R2 to ping the R7 router, and on R7 to ping R2?
06-26-2012 11:47 AM
anytime.
For IP SLA (echo) to work you have to use the links that you are concerned about, because this ping simply checks connectivity and, if it is lost, the route is withdrawn. If you don't use the R2 - R1 and R7 - R1 links in your ping, IP SLA is of no use. You can ping anything that makes it pass those links.
Hope it Helps,
Soroush.
06-27-2012 08:45 AM
Thanks Soroush again. Since we are unable to ping the router in the Seattle site, are there any options to solve my issue?