Two VTI tunnels; traffic replies going out on the wrong tunnel

steven-charles
Level 1


I have a remote office with two active VTI tunnels for redundancy, each tunnel connecting to a different datacenter.  EIGRP is running on everything (remote router and both FTD firewalls).

If ISP 1 is down, everything works via ISP 2.  Meaning I can still ping both server A and server B.
Vice versa if ISP 2 is down, I can also still ping both server A and server B.

The problem is when both ISPs are UP.  When EIGRP does its thing, the routing table on the remote router has both networks for server A & B advertised over tunnel 1.  When the remote office tries to ping server B, it does not reply.  What happens is that server B does get the request (verified by packet capture), BUT it's sending the response out tunnel 2 (which was not the original source of the request and gets dropped by the firewall).

Is there a way to make sure the response goes back the same way the request came in?  Alternatively, if there's a way to only enable tunnel 2 on the remote router if tunnel 1 is down, that could be another solution.

1 Accepted Solution

Accepted Solutions

steven-charles
Level 1

I was able to get it working the way I want by only having one tunnel active at a time on the remote office router.  Ideally I would prefer to have both tunnels active at the same time, but I'd rather make configuration changes on the remote office only, not the firewalls.  So this works out.

! Bring Tunnel2 up when the EIGRP neighbor on Tunnel1 goes away
! (matches the "%DUAL-5-NBRCHANGE ... (Tunnel1) is down" syslog; "." stands in for each parenthesis)
event manager applet ENABLE_BACKUP_TUNNEL
   description ENABLE BACKUP TUNNEL WHEN PRIMARY IS DOWN
   event syslog pattern ".Tunnel1. is down"
   action 1.0 cli command "enable"
   action 2.0 cli command "configure terminal"
   action 3.0 cli command "interface Tunnel2"
   action 4.0 cli command "no shutdown"
   action 5.0 cli command "end"
! Shut Tunnel2 again once the EIGRP neighbor on Tunnel1 is back
event manager applet SHUTDOWN_BACKUP_TUNNEL
   description DISABLE BACKUP TUNNEL WHEN PRIMARY IS UP
   event syslog pattern ".Tunnel1. is up"
   action 1.0 cli command "enable"
   action 2.0 cli command "configure terminal"
   action 3.0 cli command "interface Tunnel2"
   action 4.0 cli command "shutdown"
   action 5.0 cli command "end"

*The event pattern apparently doesn't like parentheses, which is why I have ".Tunnel1." instead of "(Tunnel1)"


4 Replies

This sounds like a routing metric issue in which the metric from your DC (and potentially the destination location) knows the route via the direct path. This is referred to as asynchronous routing, which I would assume is going on. As you are dealing with production traffic, I would caution against making changes without knowing the full impacts beforehand.

Use the command "show ip eigrp topology" to determine whether YOUR preferred route is even meeting the feasibility condition as this will be your first indicator. Modifications to the metrics can be performed by adjusting bandwidth (not recommended) or delay. Consider the following:
1) Massive adjustments will result in the feasible successor being dropped as it will not meet the FC. 

2) You should adjust metrics to reflect appropriately for BOTH ends of your network to ensure synchronous traffic flows. 

You can find more information here: Cisco IOS IP Routing: EIGRP Command Reference - S through V [Support] - Cisco

Again, I would caution against making changes without knowing the impact. You can use the archive logging/config t revert timer method, which will allow for automatic device recovery in the event of an unintended outage/disruption.

Another (and probably more useful resource) is EIGRP Fundamentals > EIGRP | Cisco Press
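To make the feasibility-condition point in this reply concrete, here is an added worked model (example code, not from the thread or from Cisco) of how the remote router would rank the two tunnels for one prefix. It assumes the classic EIGRP composite metric with default K-values and IOS tunnel defaults (bandwidth 100 kbps, delay 50000 us); all route values are constructed for illustration, and the third scenario shows why a large delay change at the DC end, rather than at the remote end, is what drops the feasible successor.

```python
from typing import Dict, List, Tuple

TUNNEL_BW_KBPS = 100       # IOS default 'bandwidth' on a tunnel interface
TUNNEL_DELAY_US = 50_000   # IOS default 'delay' on a tunnel interface, in us


def eigrp_metric(min_bw_kbps: int, total_delay_us: int) -> int:
    """Classic EIGRP metric with default K-values:
    256 * (10^7 / slowest link in kbps + sum of path delays in us / 10)."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_us // 10)


def evaluate_prefix(advertised: Dict[str, Tuple[int, int]],
                    tunnel_delay_us: Dict[str, int]) -> Tuple[List[str], int, List[str]]:
    """Successors and feasible successors for one prefix at the remote router.

    advertised:      tunnel -> (min_bw_kbps, delay_us) of the route as the DC
                     firewall reports it over that tunnel (reported distance)
    tunnel_delay_us: tunnel -> delay configured locally on that tunnel, in us
    """
    reported = {t: eigrp_metric(bw, d) for t, (bw, d) in advertised.items()}
    # Local metric re-runs the formula with this tunnel hop added to the path.
    local = {t: eigrp_metric(min(bw, TUNNEL_BW_KBPS), d + tunnel_delay_us[t])
             for t, (bw, d) in advertised.items()}
    fd = min(local.values())                       # feasible distance
    successors = sorted(t for t, m in local.items() if m == fd)
    # Feasibility condition: a backup is kept only if the neighbour's reported
    # distance is strictly below the feasible distance.
    feasible = sorted(t for t in local if t not in successors and reported[t] < fd)
    return successors, fd, feasible


if __name__ == "__main__":
    dc = (1_000_000, 100)  # constructed: GigE, 100 us, as each DC firewall sees it
    # 1) Tunnel defaults on both: a tie, both installed; the DC side picks the
    #    return path on its own, a choice the remote router does not control.
    print(evaluate_prefix({"Tunnel1": dc, "Tunnel2": dc},
                          {"Tunnel1": TUNNEL_DELAY_US, "Tunnel2": TUNNEL_DELAY_US}))
    # 2) Modest delay bump on the remote router's Tunnel2: Tunnel1 is the
    #    successor and Tunnel2 stays a feasible successor.
    print(evaluate_prefix({"Tunnel1": dc, "Tunnel2": dc},
                          {"Tunnel1": TUNNEL_DELAY_US, "Tunnel2": 60_000}))
    # 3) Massive delay added on the DC2 side instead: its reported distance
    #    exceeds the FD, so Tunnel2 drops out as a feasible successor.
    print(evaluate_prefix({"Tunnel1": dc, "Tunnel2": (1_000_000, 2_000_100)},
                          {"Tunnel1": TUNNEL_DELAY_US, "Tunnel2": TUNNEL_DELAY_US}))
```

Compare the output with `show ip eigrp topology` on the remote router; a backup that is missing there is failing the same check the third scenario fails.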

Hi Friend,
I sent you a PM, check it.

MHM

