VPN failover ISSUE

Hi there,

I am currently working on a Site-to-Site VPN deployment that is supposed to fail over between a primary ISP link and a secondary ISP link, such that when the primary link fails, the VPN tunnel should be set up over the backup link, as seen in the config below.

no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3774726989
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3774726989
 revocation-check none
 rsakeypair TP-self-signed-3774726989
!
crypto pki certificate chain TP-self-signed-3774726989
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373734 37323639 3839301E 170D3134 30383037 31313537
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37373437
  32363938 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009DA9 06C13433 E0459C4C E831D26E 1F6C29A5 5194B01E A32B2369 7E68482F
  334EF1F9 4E80CF86 7D4DC04C 50421FB9 ABB6F495 E5099AEA 88C062EA 7D5BE2E6
  B10E0310 DF023D66 4FE4F442 8C3AC598 D98A6C3E 95A6CD3B 14F0565C 1419084B
  EDEA0B0E DC27B648 1042B2EE C6632C6C EB34BBE8 AE8954F8 D7DF5C22 828A5B84
  FD510203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 140E4495 EB877A9D 8112223E 8D753185 C0E1868E 03301D06
  03551D0E 04160414 0E4495EB 877A9D81 12223E8D 753185C0 E1868E03 300D0609
  2A864886 F70D0101 05050003 81810011 55EBE02A 1A587EDC BBBFDDAF 16CCF215
  DE90029B 5EE588B7 BFF7CB9D 9BA9C113 E5B09638 D97F913F 168351A9 22F936D5
  E320236E 9CD682C6 D8CDC400 8B59E201 B39E27F2 242FFFA9 D9E1490B 42A2ADF4
  1F2FD4F5 3270EE0E 85C56769 DD49F84C C90D9384 7D2501D2 466E9EAB ED0B5D2A
  3A990C6D 81BB7913 99B991C3 1574C1
  quit
license udi pid CISCO2911/K9 sn FCZ183271CG
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
redundancy
!
track 100 interface GigabitEthernet0/1 ip routing
 delay down 10 up 20
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key lets1 address 41.X.X.X
crypto isakmp key lets1 address 41.X.X.X
!
crypto ipsec transform-set HQ_MD5 esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec transform-set HQ_MD5_Backup esp-aes esp-md5-hmac
 mode tunnel
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 41.X.X.X
 set peer 41.X.X.X
 set transform-set HQ_MD5
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 41.X.X.X
 set peer 41.X.X.X
 set transform-set NCC_MD5
 match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to 41.X.X.X
 set peer 41.X.X.X
 set transform-set HQ_MD5_Backup
 match address 105
crypto map SDM_CMAP_2 2 ipsec-isakmp
 description Tunnel to 41.X.X.X
 set peer 41.X.X.X
 set transform-set HQ_MD5_Backup
 match address 106
!
interface Tunnel0
 bandwidth 50012
 ip address 10.1.1.2 255.255.255.0
 ip mtu 1420
 tunnel source GigabitEthernet0/1
 tunnel destination 41.X.X.X
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Tunnel1
 bandwidth 49988
 ip address 10.2.1.2 255.255.255.0
 ip mtu 1420
 tunnel source GigabitEthernet0/1
 tunnel destination 41.78.208.206
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Tunnel2
 bandwidth 500012
 ip address 10.3.1.2 255.255.255.0
 ip mtu 1420
 tunnel source GigabitEthernet0/2
 tunnel destination 41.78.208.206
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_2
!
interface Tunnel3
 bandwidth 499988
 ip address 10.4.1.2 255.255.255.0
 ip mtu 1420
 tunnel source GigabitEthernet0/2
 tunnel destination 41.184.88.188
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INSIDE_LEG
 ip address 172.20.0.33 255.255.255.0
 ip access-group 25 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description HQ-ISP1
 ip address 41.184.88.187 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/2
 description HQ-COOLLINK
 ip address 41.78.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 network 10.3.1.0 0.0.0.255
 network 10.4.1.0 0.0.0.255
 network 172.20.0.0
!
ip forward-protocol nd
!
ip http server
ip http access-class 25
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1-PRIMARY interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2-secondary interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 41.X.X.X track 100
ip route 0.0.0.0 0.0.0.0 41.78.X.X 10
!
ip sla auto discovery
ip sla 100
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 frequency 5000
ip sla schedule 100 life forever start-time now
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 25 permit 172.20.0.0 0.0.0.255
access-list 100 permit ip 172.20.0.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit gre host 41.184.88.187 host 41.184.88.188
access-list 102 remark CCP_ACL Category=4
access-list 102 permit gre host 41.184.88.187 host 41.78.208.206
access-list 103 remark CCP_ACL Category=4
access-list 103 permit gre host 41.X.X.X host 41.78.208.206
access-list 104 remark CCP_ACL Category=4
access-list 104 permit gre host 41.X.X.X host 41.184.88.188
access-list 105 remark CCP_ACL Category=4
access-list 105 permit gre host 41.X.X.X host 41.78.208.206
access-list 106 remark CCP_ACL Category=4
access-list 106 permit gre host 41.78.208.202 host 41.184.88.188
!
route-map ISP1-PRIMARY permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map ISP2-secondary permit 10
 match ip address 100
 match interface GigabitEthernet0/2
!
control-plane
!
alias exec s sh ip int brief
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 25 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

I have the same configuration on the router at both sites. The issue is that my VPN link works on the primary link but does not fail over to the secondary link when I unplug the primary.

Can anyone kindly point me to what I have done wrong and the way to resolve this issue?

Thanks in advance

 


Martin Hruby
Level 1

Hello

Either change your track object configuration to:
track 100 interface gigabitEthernet 0/1 line-protocol

or change the frequency of your IP SLA probe 100 to something more realistic, e.g. frequency 5 and configure your track object to:

track 100 ip sla 100 state

Please note: you need to stop the IP SLA probe before changing its configuration and then restart it.

Best regards,
Martin

Thanks for your input. I have tried this out but it did not work. Meanwhile I have also tried to reconfigure my tracking as below:

track 100 ip sla 100 reachability
 delay down 10 up 20
!
track 200 ip sla 200 reachability
 delay down 10 up 20
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X track 1
ip route 0.0.0.0 0.0.0.0 X.X.X.X 200 track 2
ip route 4.2.2.2 255.255.255.255 X.X.X.X
ip route 8.8.8.8 255.255.255.255 X.X.X.X
!
ip sla 100
 icmp-echo 8.8.8.8 source-interface gi0/1
 threshold 500
 frequency 15
ip sla schedule 1 life forever start-time now
ip sla 200
 icmp-echo 4.2.2.2 source-interface gi 0/2
 threshold 500
 frequency 15
ip sla schedule 2 life forever start-time now

But I still do not have any luck. The secondary link takes over when the primary link fails on one side, but it does not initiate a VPN connection with the other site over the secondary link, even though I have an IPsec GRE tunnel pointing to the other site.

However, when I manually remove the primary link on both sites, a VPN link is set up over the secondary ISP link.

I expect that I shouldn't have to remove the primary link on both sides for it to work.

Please someone point me in the right direction.

Regards

Hello

It seems that in your definition of static routes you are tracking objects 1 and 2, but you only have tracking objects 100 and 200 configured.

Best regards,
Martin
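Both of Martin's replies come down to references that do not resolve or do not measure the right thing: a static route that tracks object 1 while only track 100 exists, an `ip sla schedule 1` for a probe defined as `ip sla 100`, and a track object watching interface state instead of reachability. The first posted config has the same class of problem in `crypto map SDM_CMAP_1 2`, which uses a transform-set `NCC_MD5` that is never defined. The script below is an added example, not part of this thread and not a Cisco tool: it reads an IOS config, reports every dangling cross-reference of those kinds, notes interface-state tracking, and flags the 3DES / MD5 / DH group 2 settings in the posted ISAKMP policies and transform-sets. The two embedded configs are constructed for the example (RFC 5737 addresses, trimmed to the lines the linter inspects) and are modelled on the thread rather than copied from it.

```python
"""Cross-reference linter for a Cisco IOS failover/VPN config (added example)."""
import re
from typing import Dict, List, Set

# Commands that define an object other commands refer to: kind -> pattern.
_DEFS = {
    "track": re.compile(r"^track (\d+)\b"),
    "sla": re.compile(r"^ip sla (\d+)$"),
    "tset": re.compile(r"^crypto ipsec transform-set (\S+)"),
    "acl": re.compile(r"^access-list (\d+)\b"),
    "cmap": re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp"),
}
# Commands that refer to such an object: (pattern, kind, message).
_REFS = [
    (re.compile(r"^ip route \S+ \S+ \S+(?: \d+)? track (\d+)$"), "track", "route tracks an undefined track object"),
    (re.compile(r"^track \d+ ip sla (\d+)\b"), "sla", "track object monitors an undefined ip sla probe"),
    (re.compile(r"^ip sla schedule (\d+)\b"), "sla", "schedule refers to an undefined ip sla probe"),
    (re.compile(r"^match address (\S+)$"), "acl", "crypto map entry matches an undefined access-list"),
    (re.compile(r"^crypto map (\S+)$"), "cmap", "interface applies an undefined crypto map"),
]
# Settings a security review rejects whether or not failover works.
_WEAK = [
    (re.compile(r"^encr (des|3des)\b"), "weak ISAKMP encryption"),
    (re.compile(r"^hash md5$"), "weak ISAKMP hash"),
    (re.compile(r"^group (1|2|5)$"), "weak ISAKMP Diffie-Hellman group"),
    (re.compile(r"\besp-md5-hmac\b"), "weak IPsec integrity algorithm"),
]
_IFACE_TRACK = re.compile(r"^track \d+ interface \S+ (line-protocol|ip routing)$")


def lint_ios(config: str) -> List[str]:
    """Return findings for one config text; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]
    defined: Dict[str, Set[str]] = {kind: set() for kind in _DEFS}
    for ln in lines:  # pass 1: collect definitions
        for kind, rx in _DEFS.items():
            if m := rx.match(ln):
                defined[kind].add(m.group(1))
    findings: List[str] = []
    for ln in lines:  # pass 2: resolve references, flag weak settings
        for rx, kind, msg in _REFS:
            if (m := rx.match(ln)) and m.group(1) not in defined[kind]:
                findings.append(f"DANGLING {kind} {m.group(1)}: {msg} [{ln}]")
        if m := re.match(r"^set transform-set (.+)$", ln):
            for name in m.group(1).split():  # one entry may list several sets
                if name not in defined["tset"]:
                    findings.append(f"DANGLING tset {name}: undefined transform-set [{ln}]")
        for rx, msg in _WEAK:
            if rx.search(ln):
                findings.append(f"WEAK: {msg} [{ln}]")
        if _IFACE_TRACK.match(ln):  # what the first reply in the thread points out
            findings.append(f"NOTE: interface-state tracking misses upstream outages; track an ip sla probe [{ln}]")
    return findings


# Constructed sample (RFC 5737 addresses, trimmed to the lines the linter reads),
# modelled on the thread: numbers do not line up and NCC_MD5 is never defined.
BROKEN = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set HQ_MD5 esp-aes esp-md5-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set transform-set NCC_MD5
 match address 102
interface GigabitEthernet0/1
 crypto map SDM_CMAP_1
track 100 interface GigabitEthernet0/1 ip routing
track 200 ip sla 200 reachability
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200 track 2
ip sla 100
ip sla 200
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
access-list 102 permit gre host 192.0.2.10 host 192.0.2.1
"""
# The same design with every reference resolved and current algorithms (constructed).
_FIXES = {
    " encr 3des\n hash md5\n group 2": " encr aes 256\n hash sha256\n group 14",
    "HQ_MD5 esp-aes esp-md5-hmac": "HQ_SHA esp-aes 256 esp-sha256-hmac",
    "set transform-set NCC_MD5": "set transform-set HQ_SHA",
    "track 100 interface GigabitEthernet0/1 ip routing": "track 100 ip sla 100 reachability",
    "track 1\n": "track 100\n", "track 2\n": "track 200\n",
    "schedule 1 ": "schedule 100 ", "schedule 2 ": "schedule 200 ",
}
FIXED = BROKEN
for _old, _new in _FIXES.items():
    FIXED = FIXED.replace(_old, _new)

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, *lint_ios(cfg), sep="\n  ")
```

Run against the constructed BROKEN text it reports ten findings (five dangling references, four weak-algorithm hits and the interface-tracking note); the FIXED variant reports none. To use it on a real router, paste the output of `show running-config` into a file and call `lint_ios(open(path).read())`. The object numbers are the only thing the linter needs, so the masked peer addresses in the thread's post would not get in its way.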

It is a typo. I am actually tracking 100 and 200.

Thank you all for your responses. I eventually implemented DMVPN to solve the problem. 

Regards