ISP failure handling in TLOC extension

Cisco Freak
Level 4

Hello Experts,

I have a query related to how ISP failure will be handled when we configure TLOC extension. 

In both the vEdges we have default routes pointing to both the ISP and the TLOC peer. If internet2 fails, how will vEdge1 realize that there is a problem in that path? I understand the BFD sessions through TLOC will go down and thus vEdge will stop sending traffic (traffic destined to routes which are learnt via OMP protocol, which makes use of the BFD tunnel). 

The point that I want to clarify is whether this will happen even to internet-destined traffic? For example the Zscaler tunnel bound traffic from VPN 0. My understanding is that the internet traffic has got nothing to do with the BFD sessions. 

[Attachment: Screen Shot 2020-02-14 at 11.53.01 AM.png]

Config:

vEdge# sh run vpn 0 | i route
 ip route 0.0.0.0/0 <ISP IP>
 ip route 0.0.0.0/0 172.16.30.6 ----> This is TLOC peer IP
vEdge# sh run vpn 10 | i route
 ip ipsec-route 0.0.0.0/0 vpn 0 interface ipsec1 ipsec2 --> Zscaler tunnels
vEdge#

In the above config, when hosts in VPN 10 want to reach Cisco.com, it will do inter-VPN routing to the VPN 0 IPsec interface. But VPN 0 has 2 default routes, to the ISP and to the TLOC peer. Now if vEdge2's WAN is down, won't the traffic to Cisco.com be dropped at vEdge2?

3 Replies

Cisco Freak
Level 4

Any help would be appreciated!

Cisco Freak
Level 4

Does anyone know the answer to this?

cdipietro
Level 1

In this situation the traffic will be sent to vedge2 because the TLOC extension is up, but the traffic will die at vedge2. It is not clear to me what vedge2 actually tries to do with this traffic. I think it tries to do a NAT and send it back to vedge1. The end result is that this traffic fails.

The way to fix this, assuming you are running the appropriate version of code, is to set up a tracker on the vedge1 tunnel interface for the TLOC extension. Sadly this is an HTML GET looking for an OK response, but if you use a very highly available and global website it will pull the route when that tracker fails and vedge1 will stop sending traffic over to vedge2.

I know the tracker works in ver 18.3.8
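As an added illustration of the tracker approach described above (example config written for this page, not taken from the thread or from Cisco documentation), this is what the relevant part of vEdge1's configuration could look like in vEdge CLI. The interface name ge0/2, the address 172.16.30.5/30, the tracker name and the probe endpoint are assumptions; 172.16.30.6 is the TLOC peer address from the original post. Check the exact keywords against the release you are running.

```text
system
 tracker tloc-ext-check
  endpoint-dns-name www.example.com
  interval 30
  multiplier 3
  threshold 300
 !
!
vpn 0
 interface ge0/2
  description TLOC-extension link to vEdge2 (assumed interface)
  ip address 172.16.30.5/30
  tracker tloc-ext-check
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ip route 0.0.0.0/0 <ISP IP>
 ip route 0.0.0.0/0 172.16.30.6
!
```

With the tracker bound to the TLOC extension interface, the probes leave vEdge1 via that interface toward vEdge2's ISP; when vEdge2's WAN fails the probes stop succeeding, the tracker goes down and the default route via 172.16.30.6 is withdrawn, leaving only the route via vEdge1's own ISP for VPN 0 and the Zscaler tunnels.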