05-20-2019 06:17 AM
Hello,
I have configured a 3845 router with dual fail-over ISPs. For users in the internal network everything is working perfectly. But I have noticed that IP SLA rule 2 is not working, since from the router itself I can't ping any host (including the interface IP address 7.1.0.46 itself) and also can't SSH to the 3845 from outside on the interface IP address (7.1.0.46 in my case), with a reject result code. But
ping 8.8.8.8 source Gi0/0.2
ping 8.8.8.8 source Gi0/1.10
is working perfectly.
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
redundancy
!
track 22 ip sla 2 reachability
!
interface Tunnel1
 description T1
 ip address 10.170.171.1 255.255.255.252
 ip mtu 1400
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0.2
 tunnel destination 18.12.19.15
!
interface Tunnel99
 description T99
 ip address 10.170.170.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0.2
 tunnel destination 8.22.16.20
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.2
 description ISP1
 encapsulation dot1Q 2
 ip address 7.2.2.127 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.3
 description ISP2
 encapsulation dot1Q 3
 ip address 7.1.0.46 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.10
 description LAN_TO_3750
 encapsulation dot1Q 10
 ip address 10.153.70.2 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.3 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.2 overload
ip nat inside source static udp 10.153.70.9 17566 7.2.2.127 17566 extendable
ip nat inside source static udp 10.153.70.9 17566 7.1.0.46 17566 extendable
ip route 0.0.0.0 0.0.0.0 7.1.0.45 10 track 22
ip route 0.0.0.0 0.0.0.0 7.2.2.1 171
ip route 10.10.117.0 255.255.255.0 10.170.170.2 name H
ip route 10.129.122.0 255.255.255.128 10.170.171.2 name K
ip route 10.153.70.64 255.255.255.192 10.153.70.1
ip route 17.5.7.189 255.255.255.255 7.2.2.1 name kb
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.2
 frequency 50000
 timeout 100000
 threshold 60000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.3
 frequency 10
 timeout 10000
 threshold 10000
ip sla schedule 2 life forever start-time now
logging esm config
logging trap notifications
logging facility local3
logging source-interface GigabitEthernet0/1.10
logging 10.153.70.9
access-list 69 permit 10.153.70.9
!
route-map ISP2 permit 10
 match interface GigabitEthernet0/0.3
!
route-map ISP1 permit 10
 match interface GigabitEthernet0/0.2
!
snmp-server community orel RO 69
snmp-server location O
!
control-plane
!
mgcp profile default
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 796
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 85.21.78.8 source GigabitEthernet0/0.2
ntp server 192.36.133.17 source GigabitEthernet0/0.2
end
Any idea what is wrong here?
Thanks in advance.
05-20-2019 06:54 AM - edited 05-20-2019 06:57 AM
Hello,
interface GigabitEthernet0/0.3
description ISP2
encapsulation dot1Q 3
ip address 7.1.0.46 255.255.255.252 < is this correct?
ip nat outside
ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 7.2.2.1 171 < change it from 171 to 11 and test your track again.
If that doesn't work, try removing ip sla 2 and track 22 and adding them again. Maybe it is a bug.
05-20-2019 07:44 AM - edited 05-20-2019 07:49 AM
Hi Jaderson Pessoa,
thank you for the answer.
7.1.0.46 255.255.255.252 - yes it's IP given by main ISP
changed to ip route 0.0.0.0 0.0.0.0 7.2.2.1 11
delete and create ip sla 2 and track 22
nothing changes - still no ping from gi0/0.3
3845#ping 8.8.8.8 so gi 0/0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.2.2.127
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
3845#ping 8.8.8.8 so gi 0/0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.1.0.46
.....
Success rate is 0 percent (0/5)
05-20-2019 07:49 AM
@ps0000000 hello,
interface GigabitEthernet0/0.3
 description ISP2
 encapsulation dot1Q 3
 ip address 7.1.0.46 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
This interface has VLAN 3 configured. Is this interface connected directly to the ISP device, or does it pass through an internal device?
Because if you can't ping it from itself, the router isn't the problem.
1. Maybe the device connected to this interface doesn't have VLAN 3 allowed through the trunk yet.
2. Maybe the address is wrong.
Could you confirm the simple topology?
Thanks in advance.
05-20-2019 07:55 AM
05-20-2019 09:06 AM
05-20-2019 09:33 AM
05-20-2019 12:09 PM
05-20-2019 11:29 PM
05-21-2019 05:41 AM
05-21-2019 07:26 AM