Tloc-action backup

nilicdan
Cisco Employee

Hi,

The customer wants to implement the tloc-action feature in order to have a backup over the hub vEdge in the middle once the direct tunnel between 2 border vEdges is down due to the loss of one transport.

vEdge-1 (Ismaning) should communicate over the primary/direct IPsec tunnel to vEdge-3 (Duisburg), but when that one is down it should go over vEdge-2 (Frankfurt) and the priv1 transport (priv1=mpls, color restrict).

We made the policy below as per the config guide (topology and policy are also in the attachment).

When we apply the policy without the tloc-action statement we get traffic over the vEdge in the middle, so the policy works, but we want that behavior only if the direct tunnel is down, not unconditionally.

When we add tloc-action backup to the policy, all our routes have TLOC unresolved. ☹

Any direction for solving the problem? I didn't manage to find any config example with tloc-action in order to validate our config. :(

[Image: SANA backup path.jpg]

policy
 lists
  tloc-list fra000_private
   tloc 10.242.188.9 color private1 encap ipsec
   tloc 10.242.188.10 color private1 encap ipsec
  !
  tloc-list fra000_red
   tloc 10.242.188.9 color red encap ipsec
   tloc 10.242.188.10 color red encap ipsec
  !
  color-list etherconnect_colors
   color private1
  !
  color-list internet_colors
   color lte
   color red
  !
  site-list any_except-fra000
   site-id 1001-9999999
  !
 !
 control-policy topo_backup-fra000
  sequence 1
   match route
    color-list internet_colors
    site-list  any_except-fra000
   !
   action accept
    set
     tloc-action backup
     tloc-list   fra000_private
    !
   !
  !
  sequence 11
   match route
    color-list etherconnect_colors
    site-list  any_except-fra000
   !
   action accept
    set
     tloc-action backup
     tloc-list   fra000_red
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list any_except-fra000
  control-policy topo_backup-fra000 out
 !
!

a-ro-img001-0002# show omp routes 10.236.176.32/28
Code:
C   -> chosen
I   -> installed
Red -> redistributed
Rej -> rejected
L   -> looped
R   -> resolved
S   -> stale
Ext -> extranet
Inv -> invalid
Stg -> staged
U   -> TLOC unresolved

                                            PATH                      ATTRIBUTE
VPN    PREFIX              FROM PEER        ID     LABEL    STATUS    TYPE       TLOC IP          COLOR            ENCAP  PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
100    10.236.176.32/28    10.242.188.7     1119   1002     Inv,U     installed  10.242.188.9     private1         ipsec  -
                           10.242.188.7     1120   1003     Inv,U     installed  10.242.188.10    private1         ipsec  -
                           10.242.188.7     1121   1002     Inv,U     installed  10.242.188.30    lte              ipsec  -
                           10.242.188.7     1122   1002     Inv,U     installed  10.242.188.9     private1         ipsec  -
                           10.242.188.8     894    1002     Inv,U     installed  10.242.188.9     private1         ipsec  -
                           10.242.188.8     895    1003     Inv,U     installed  10.242.188.10    private1         ipsec  -
                           10.242.188.8     896    1002     Inv,U     installed  10.242.188.30    lte              ipsec  -
                           10.242.188.8     897    1002     Inv,U     installed  10.242.188.9     private1         ipsec  -

So obviously I have a route using fra000 (10.242.188.9 and .10 priv1) as intermediate. But that route is never installed because of:

 

a-ro-img001-0002# show omp routes 10.236.176.32/28 detail

---------------------------------------------------
omp route entries for vpn 100 route 10.236.176.32/28
---------------------------------------------------
            RECEIVED FROM:
peer            10.242.188.7
path-id         1119
label           1002
status          Inv,U
loss-reason     tloc-action
lost-to-peer    10.242.188.8
lost-to-path-id 896
    Attributes:
     originator       10.242.188.30
     type             installed
     tloc             10.242.188.9, private1, ipsec
     ultimate-tloc    10.242.188.30, lte, ipsec -- backup
     domain-id        not set
     overlay-id       1
     site-id          2003101
     preference       not set
     tag              not set
     origin-proto     connected
     origin-metric    0
     as-path          not set
     unknown-attr-len not set

BR,

Nadja
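
An added example (not part of the original post and not Cisco tooling): a parser for the "show omp routes" table above that carries VPN and prefix over to continuation rows, decodes the status codes with the legend from the post, and counts the paths flagged U per TLOC. The function names are this example's own; the sample is the first four rows of the poster's output with the column spacing compacted.

```python
import re
from collections import Counter

# Status legend exactly as printed above the table in the post.
STATUS = {"C": "chosen", "I": "installed", "Red": "redistributed",
          "Rej": "rejected", "L": "looped", "R": "resolved", "S": "stale",
          "Ext": "extranet", "Inv": "invalid", "Stg": "staged",
          "U": "TLOC unresolved"}

# First four rows of the table in the post (peer 10.242.188.7), spacing compacted.
SAMPLE = """\
100  10.236.176.32/28  10.242.188.7  1119  1002  Inv,U  installed  10.242.188.9   private1  ipsec  -
                       10.242.188.7  1120  1003  Inv,U  installed  10.242.188.10  private1  ipsec  -
                       10.242.188.7  1121  1002  Inv,U  installed  10.242.188.30  lte       ipsec  -
                       10.242.188.7  1122  1002  Inv,U  installed  10.242.188.9   private1  ipsec  -
"""

ROW = re.compile(
    r"^\s*(?:(?P<vpn>\d+)\s+(?P<prefix>\S+/\d+)\s+)?"  # absent on continuation rows
    r"(?P<peer>\d+(?:\.\d+){3})\s+(?P<path_id>\d+)\s+(?P<label>\d+)\s+"
    r"(?P<status>[A-Za-z,]+)\s+(?P<attr_type>\S+)\s+(?P<tloc_ip>\S+)\s+"
    r"(?P<color>\S+)\s+(?P<encap>\S+)\s+(?P<preference>\S+)\s*$")

def parse_omp_routes(text):
    """One dict per path; continuation rows inherit VPN and prefix."""
    paths, vpn, prefix = [], None, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, legend, header, separator or blank line
        row = m.groupdict()
        vpn, prefix = row["vpn"] or vpn, row["prefix"] or prefix
        codes = row["status"].split(",")
        row.update(vpn=vpn, prefix=prefix, status=codes,
                   status_text=[STATUS.get(c, c) for c in codes])
        paths.append(row)
    return paths

def unresolved_by_tloc(paths):
    """Count paths flagged U (TLOC unresolved) per (TLOC IP, color)."""
    return Counter((p["tloc_ip"], p["color"]) for p in paths if "U" in p["status"])

def usable(paths):
    """Paths flagged chosen, installed and resolved (C,I,R)."""
    return [p for p in paths if {"C", "I", "R"} <= set(p["status"])]

if __name__ == "__main__":
    paths = parse_omp_routes(SAMPLE)
    print(dict(unresolved_by_tloc(paths)), "usable:", len(usable(paths)))
```

Pasting the full command output, legend and header included, works as well, since non-matching lines are skipped.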

 

3 Replies

nilicdan
Cisco Employee

Checking for bug CSCvm64622: tloc action strict to backup not working in 18.3.1

Bug should be fixed in 18.4.1

Actually it's not just a bug, you need "service TE" enabled on intermediate router. I hope my article about this will be posted soon.
