08-31-2021 01:45 AM
Hi All,
I'm setting up a LAB wherein I have 2 vEdge with direct internet connection.
vEdge-A is acting as the primary router; it also has a TLOC-Extension to vEdge-B. I also enabled NAT and applied a tracker on the vEdge TLOC-extension interface.
I'm able to validate that this is working with both lines active/enabled. However, when the tracker goes down, I can see that packets are still being sent to the TLOC-Extension, causing them to be silently dropped since the internet connection via the TLOC-Extension is down.
The objective is to reroute the traffic to the active internet connection if the tracker applied on the TLOC-extension interface at vEdge-A goes down.
Here's what I configured.
a. Applied a tracker and created a data policy with NAT fallback.

from-vsmart data-policy VPN1_DIANAT
 direction all
 vpn-list VPN1
  sequence 10
   match
    source-ip      10.0.0.0/16
    destination-ip 10.0.0.0/16
   action accept
  sequence 11
   match
    source-data-prefix-list VPN1-Sites102060-Services
   action accept
    nat use-vpn 0
    nat fallback
    set
     local-tloc-list
      color biz-internet public-internet
  default-action accept
from-vsmart lists vpn-list VPN1
 vpn 1
from-vsmart lists data-prefix-list VPN1-Sites102060-Services
 ip-prefix 10.0.50.0/24
b. vEdge-A(Primary):
vEdge-A interfaces:

Tloc-Extension:
0 ge0/2 ipv4 192.168.20.2/30 Up Up Up null transport 1500 50:00:00:11:00:03 1000 full 1416 0:00:30:31 39078 46931

Direct-Internet:
0 ge0/4 ipv4 192.88.88.1/24 Up Up NA null transport 1500 50:00:00:11:00:05 1000 full 1416 0:00:00:03 417 2277

- Tracker is up

NAT statistics:
0 ge0/2 0 udp  192.168.20.2 200.1.10.1 12386 12346 192.168.20.2 200.1.10.1 12386 12346 established 0:00:00:59 704 115104 704 125527 -
0 ge0/4 0 icmp 192.88.88.1  200.1.1.3  716   716   192.88.88.1  200.1.1.3  716   716   established 0:00:00:05 1   98     0   0      -

- From the NAT statistics I am able to see that both interfaces are used.
The issue is that when both interfaces are enabled, somehow the client can't reach 8.8.8.8, but if I disable one of the links I can see that the client can reach 8.8.8.8.
VPN  PREFIX     PROTOCOL  SUB TYPE  IF NAME  ADDR           VPN  TLOC IP  COLOR  ENCAP  STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
0    0.0.0.0/0  static    -         ge0/4    192.88.88.254  -    -        -      -      F,S      (direct)
0    0.0.0.0/0  static    -         ge0/2    192.168.20.1   -    -        -      -      F,S      (Tlocex)
vpn 0
 interface ge0/4
  ip address 192.88.88.1/24
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color public-internet
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
!

vEdge-A# show running-config vpn 0 interface ge0/2
vpn 0
 interface ge0/2
  description "TLOC"
  ip address 192.168.20.2/30
  nat
  !
  tracker track_public_internet
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   restrict
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown

When I did a TCP dump on both interfaces, it seemed like no data was passing through.

Switch#ping 8.8.8.8 repeat 1000 source 10.0.50.10
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.0.50.10
......................................................................
...............................

vEdge-A# tcpdump vpn 0 interface ge0/4 options "host 8.8.8.8 -n"
tcpdump -p -i ge0_4 -s 128 host 8.8.8.8 -n in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_4, link-type EN10MB (Ethernet), capture size 128 bytes

# tcpdump vpn 0 interface ge0/2 options "host 8.8.8.8 -n"
tcpdump -p -i ge0_2 -s 128 host 8.8.8.8 -n in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_2, link-type EN10MB (Ethernet), capture size 128 bytes
Disabled one of the interfaces:

SITE-C_ID500_MPLS(config-vpn-0)# interface ge0/4
SITE-C_ID500_MPLS(config-interface-ge0/4)# shutdown
SITE-C_ID500_MPLS(config-interface-ge0/4)# commit
Commit complete.

- Ping works after disabling:

................!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<>
!!!!!!!!!!!!!!!!!!!!
Success rate is 87 percent (878/1000), round-trip min/avg/max = 1/1/7 ms
Question:
a. Is it possible to use both the biz-internet and public-internet transport connections, but have the traffic flow to the active internet connection if the TLOC-extension tracker goes down? How can I achieve that?
b. Am I missing something in my configuration?