05-18-2022 09:32 PM
Hi,
We're trying to set dual Internet connections on a branch site and each vEdge has one ISP connection.
And, vEdges are having the other ISP link through TLOC Extension.
Each vEdge has default GRE routes under VPN1 for DAI Internet traffic. (ip gre-route 0.0.0.0 0.0.0.0 vpn0 gre1 gre2).
On the LAN side, the vEdges are running VRRP. (vEdge1 is master and vEdge2 is backup).
Currently, the Internet link on vEdge1 is down, but vEdge1 still has its control connections over the TLOC Extension link via vEdge2.
For the Internet traffic failover, we want vEdge1 to send the traffic coming from the LAN side (VPN1) out to the TLOC Extension link so that the traffic goes through vEdge2.
We have only ip gre-route 0.0.0.0 0.0.0.0 vpn0 gre1 gre2 and want to add a subsequent static service route, but have no idea what static route should be added to make this failover work.
05-19-2022 06:18 AM
Hi,
Let me ask you a few things in order to try to help:
"We're trying to set dual Internet connections on a branch site and each vEdge has one ISP connection."
Right, then, you are going to establish your control connections using the Internet. That's right.
"And, vEdges are having the other ISP link through TLOC Extension."
You mean, you have redundancy through TLOC to other router. OK.
"Each vEdge has default GRE routes under VPN1 for DAI Internet traffic. (ip gre-route 0.0.0.0 0.0.0.0 vpn0 gre1 gre2)."
You probably mean "DIA"? Direct Internet Access?
I was wondering why a GRE tunnel for DIA. DIA, if that is the case, is used for Internet surfing, I mean, all traffic that you won't send to your data center.
And it would make more sense to me if you had something like "ip internet-route 0.0.0.0".
"On the LAN side, the vEdges are running VRRP. (vEdge1 is master and vEdge2 is backup)."
Probably the VRRP is running on the switch connected to the router.
"Currently, the Internet link on vEdge1 is down, but vEdge1 still has its control connections over the TLOC Extension link via vEdge2."
Right.
"For the Internet traffic failover, we want vEdge1 to send the traffic coming from the LAN side (VPN1) out to the TLOC Extension link so that the traffic goes through vEdge2."
This should be happening already.
"We have only ip gre-route 0.0.0.0 0.0.0.0 vpn0 gre1 gre2 and want to add a subsequent static service route, but have no idea what static route should be added to make this failover work."
Not sure how this works for you. Can you share the "show running-config" from both routers and switches involved? You can take off any sensitive information, please.
If you could share the topology as well, that would be great.
05-19-2022 04:43 PM - edited 05-19-2022 04:47 PM
Hi Flavio,
To help you understand our setup, we don't run any overlay tunnel between vEdges.
We're using them as just WAN routers under vmanage control.
And, another thing about the setup regarding especially the GRE tunnels: we are using the Zscaler cloud service (like Umbrella SIG), and all Internet traffic is supposed to be sent out through the GRE tunnels established between our vEdge WAN router and the Zscaler cloud service edge.
That's why we have the GRE default static route under vpn1 (service).
For our issue, each vEdge has GRE tunnels established through its direct ISP link.
And they are also connected by TLOC Extension.
Under normal conditions, traffic that arrives at either vEdge1 or vEdge2 is sent over that router's GRE tunnels.
But when, for example, vEdge1, which is the VRRP primary router, has its Internet link down and has only the TLOC extension route left, the traffic is still sent to vEdge1 because vEdge1 is still the VRRP primary router, but vEdge1 no longer has any live GRE tunnels.
In this case, vEdge1 should somehow send the traffic over the TLOC Extension link to vEdge2.
Or, as another option, vEdge2 should somehow become the VRRP primary router when vEdge1 has an outage with its GREs or Internet link.
How can we make this work?
Hopefully, this helps you understand.
05-20-2022 08:27 AM
Well, there might be other and maybe better solutions, but you can add a Tracker on router 1 monitoring the link. In case the link fails, you can take some action.
For example, you could have a default route sending everything to router 2 but with a higher Administrative Distance. And the action of the tracker could lower this route's AD in case of link failure.
Another option could be to change the VRRP priority as the action; then the traffic would be sent to Router 2 as well.
05-22-2022 03:38 PM
Hi,
I think there is no need to route via the TLOC extension; a better way is to track the interface(s) or even the SIG and decrease the VRRP priority automatically (use 120 on the primary, 100 on the secondary and decrement 30).
HTH,