Thanks Rick, I will ammend the ACL and re-test

I permitted ICMP on the ACL IN-FROM-INTERNET but the failover still didn't work. I found that while I had my ACL's applied to the Cellular interface I was not getting any hits on them. I moved them to the dialer interface and could then see the ACL's getting matches.

I set the IP SLA to track on the cellular interface and then tried tracking on the dialer interface but still no result.

Can you remove both ACLs from the Cellular0/0/0 interface, and try it again? This will quickly rule out the ACLs.

Removing both ACL would be a reasonable test to determine whether there is something in the ACL that is causing this issue. If removing the ACL does not resolve then perhaps you would post the current config and also the output of show ip sla summ?

HTH

Rick

Thanks for the replies, I will re-test with no ACLs and let you know the outcome.

------------------------------------------------------------------------------

Current configuration : 7612 bytes

!

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname jrrtwalker

!

boot-start-marker

boot-end-marker

!

!

enable secret 5

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

!

!

!

!

aaa session-id common

clock timezone CST 9 30

!

ip cef

!

!

!

!

!

!

ip domain name jrrtwalker.local

ip name-server 8.8.8.8

ip name-server 8.8.4.4

no ipv6 cef

!

multilink bundle-name authenticated

!

chat-script lte "" "AT!CALL1" TIMEOUT 60

chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"CONNECT

!

!

license udi pid CISCO1921/K9 sn FGL172022NY

license accept end user agreement

!

!

!

redundancy

!

!

!

!

!

controller Cellular 0/0

!

controller Cellular 0/1

!

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 2

!

track 1 ip sla 1 reachability

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN-Staff

  pool VPN-Connections

acl VPN-Staff

!

crypto isakmp client configuration group VPN-Contractor

  pool VPN-Connections

acl VPN-Contractor

!

crypto isakmp client configuration group VPN-QHSE

  pool VPN-Connections

acl VPN-QHSE

crypto isakmp profile VPN-Staff

   match identity group VPN-Staff

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   client configuration group VPN-Staff

   virtual-template 10

crypto isakmp profile VPN-Contractors

   match identity group VPN-Contractor

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   client configuration group VPN-Contractor

   virtual-template 11

crypto isakmp profile VPN-QHSE

   match identity group VPN-QHSE

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   client configuration group VPN-QHSE

   virtual-template 12

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set myset esp-3des esp-md5-hmac

mode tunnel

!

crypto ipsec profile IPSEC-Contractors

set transform-set myset

set isakmp-profile VPN-Contractors

!

crypto ipsec profile IPSEC-QHSE

set transform-set myset

set isakmp-profile VPN-QHSE

!

crypto ipsec profile IPSEC-Staff

set transform-set myset

set isakmp-profile VPN-Staff

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address 192.168.127.253 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Cellular0/0/0

ip address negotiated

ip access-group IN-FROM-INTERNET in

ip access-group OUT-TO-INTERNET out

ip nat outside

ip virtual-reassembly in

encapsulation slip

dialer in-band

dialer pool-member 1

dialer-group 1

async mode interactive

!

interface Cellular0/1/0

ip address negotiated

ip access-group IN-FROM-INTERNET in

ip access-group OUT-TO-INTERNET out

ip nat outside

ip virtual-reassembly in

encapsulation slip

dialer in-band

dialer pool-member 2

dialer-group 2

async mode interactive

!

interface Cellular0/1/1

no ip address

encapsulation slip

!

interface Virtual-Template10 type tunnel

description --- Template for VPN-Staff ---

ip unnumbered GigabitEthernet0/0

ip nat inside

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-Staff

!

interface Virtual-Template11 type tunnel

description --- Template for VPN-Contractors ---

ip unnumbered GigabitEthernet0/0

ip nat inside

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-Contractors

!

interface Virtual-Template12 type tunnel

description --- Template for VPN-QHSE ---

ip unnumbered GigabitEthernet0/0

ip nat inside

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-QHSE

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer string lte

dialer persistent

dialer-group 1

!

interface Dialer1

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer idle-timeout 0

dialer string hspa

dialer persistent

dialer-group 2

no cdp enable

!

ip local pool VPN-Connections 192.168.127.240 192.168.127.245

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip dns server

ip nat inside source route-map PRIMARY interface Dialer0 overload

ip nat inside source route-map SECONDARY interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 Dialer1 100

!

ip access-list extended IN-FROM-INTERNET

evaluate Internet

remark VPN-Traffic

permit udp any any eq isakmp

permit udp any any eq isakmp non500-isakmp

permit udp any any eq 10000

permit tcp any any eq 10000

permit esp any any

permit ahp any any

permit tcp any any eq 22

permit icmp any any

remark DNS

permit udp any any eq domain

permit icmp any any echo-reply log

permit icmp any any echo

deny   ip any any

ip access-list extended OUT-TO-INTERNET

permit ip any any reflect Internet timeout 300

permit icmp any any

deny   ip any any log

ip access-list extended VPN-Contractor

permit ip host 192.168.127.104 any

permit ip host 192.168.127.105 any

permit ip host 192.168.127.106 any

permit ip host 192.168.127.107 any

ip access-list extended VPN-QHSE

permit ip host 192.168.127.4 any

ip access-list extended VPN-Staff

permit ip 192.168.127.0 0.0.0.255 any

ip access-list extended acl_nat

permit ip 0.0.0.0 255.255.255.0 any

!

ip sla auto discovery

ip sla 1

icmp-echo 8.8.8.8 source-interface Cellular0/0/0

threshold 2

timeout 1000

frequency 3

ip sla schedule 1 life forever start-time now

access-list 1 permit 192.168.127.0 0.0.0.255

access-list 2 permit 192.168.127.0 0.0.0.255

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

route-map PRIMARY permit 1

match ip address 1

match interface Dialer0

!

route-map SECONDARY permit 1

match ip address 1

match interface Dialer1

!

!

snmp-server community public RO

snmp-server enable traps entity-sensor threshold

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line 0/0/0

script dialer lte

modem InOut

no exec

transport input all

transport output all

rxspeed 100000000

txspeed 50000000

line 0/1/0

script dialer hspa

modem InOut

no exec

transport input all

transport output all

rxspeed 21600000

txspeed 5760000

line 0/1/1

no exec

line vty 0 4

exec-timeout 0 0

password 7 11232B3723252A202F0F19277D67667A4B

transport input all

!

scheduler allocate 20000 1000

!

end

jrrtwalker#sh ip sla st
jrrtwalker#sh ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 0 milliseconds
Latest operation start time: 19:06:39 CST Sun Nov 3 2013
Latest operation return code: Socket set option error
Number of successes: 0
Number of failures: 44147
Operation time to live: Forever

jrrtwalker#sh ip route tr
jrrtwalker#sh ip route track-table
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1 state is [down]
jrrtwalker#

Current configuration : 7612 bytes

!

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname jrrtwalker

!

boot-start-marker

boot-end-marker

!

!

enable secret 5

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

!

!

!

!

aaa session-id common

clock timezone CST 9 30

!

ip cef

!

!

!

!

!

!

ip domain name jrrtwalker.local

ip name-server 8.8.8.8

ip name-server 8.8.4.4

no ipv6 cef

!

multilink bundle-name authenticated

!

chat-script lte "" "AT!CALL1" TIMEOUT 60

chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK"CONNECT

!

!

license udi pid CISCO1921/K9 sn FGL172022NY

license accept end user agreement

!

!

!

redundancy

!

!

!

!

!

controller Cellular 0/0

!

controller Cellular 0/1

!

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 2

!

track 1 ip sla 1 reachability

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN-Staff

  pool VPN-Connections

acl VPN-Staff

!

crypto isakmp client configuration group VPN-Contractor

  pool VPN-Connections

acl VPN-Contractor

!

crypto isakmp client configuration group VPN-QHSE

  pool VPN-Connections

acl VPN-QHSE

crypto isakmp profile VPN-Staff

   match identity group VPN-Staff

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   client configuration group VPN-Staff

   virtual-template 10

crypto isakmp profile VPN-Contractors

   match identity group VPN-Contractor

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   client configuration group VPN-Contractor

   virtual-template 11

crypto isakmp profile VPN-QHSE

   match identity group VPN-QHSE

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

   client configuration group VPN-QHSE

   virtual-template 12

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set myset esp-3des esp-md5-hmac

mode tunnel

!

crypto ipsec profile IPSEC-Contractors

set transform-set myset

set isakmp-profile VPN-Contractors

!

crypto ipsec profile IPSEC-QHSE

set transform-set myset

set isakmp-profile VPN-QHSE

!

crypto ipsec profile IPSEC-Staff

set transform-set myset

set isakmp-profile VPN-Staff

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address 192.168.127.253 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Cellular0/0/0

ip address negotiated

ip access-group IN-FROM-INTERNET in

ip access-group OUT-TO-INTERNET out

ip nat outside

ip virtual-reassembly in

encapsulation slip

dialer in-band

dialer pool-member 1

dialer-group 1

async mode interactive

!

interface Cellular0/1/0

ip address negotiated

ip access-group IN-FROM-INTERNET in

ip access-group OUT-TO-INTERNET out

ip nat outside

ip virtual-reassembly in

encapsulation slip

dialer in-band

dialer pool-member 2

dialer-group 2

async mode interactive

!

interface Cellular0/1/1

no ip address

encapsulation slip

!

interface Virtual-Template10 type tunnel

description --- Template for VPN-Staff ---

ip unnumbered GigabitEthernet0/0

ip nat inside

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-Staff

!

interface Virtual-Template11 type tunnel

description --- Template for VPN-Contractors ---

ip unnumbered GigabitEthernet0/0

ip nat inside

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-Contractors

!

interface Virtual-Template12 type tunnel

description --- Template for VPN-QHSE ---

ip unnumbered GigabitEthernet0/0

ip nat inside

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-QHSE

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer string lte

dialer persistent

dialer-group 1

!

interface Dialer1

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer idle-timeout 0

dialer string hspa

dialer persistent

dialer-group 2

no cdp enable

!

ip local pool VPN-Connections 192.168.127.240 192.168.127.245

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip dns server

ip nat inside source route-map PRIMARY interface Dialer0 overload

ip nat inside source route-map SECONDARY interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 Dialer1 100

!

ip access-list extended IN-FROM-INTERNET

evaluate Internet

remark VPN-Traffic

permit udp any any eq isakmp

permit udp any any eq isakmp non500-isakmp

permit udp any any eq 10000

permit tcp any any eq 10000

permit esp any any

permit ahp any any

permit tcp any any eq 22

permit icmp any any

remark DNS

permit udp any any eq domain

permit icmp any any echo-reply log

permit icmp any any echo

deny   ip any any

ip access-list extended OUT-TO-INTERNET

permit ip any any reflect Internet timeout 300

permit icmp any any

deny   ip any any log

ip access-list extended VPN-Contractor

permit ip host 192.168.127.104 any

permit ip host 192.168.127.105 any

permit ip host 192.168.127.106 any

permit ip host 192.168.127.107 any

ip access-list extended VPN-QHSE

permit ip host 192.168.127.4 any

ip access-list extended VPN-Staff

permit ip 192.168.127.0 0.0.0.255 any

ip access-list extended acl_nat

permit ip 0.0.0.0 255.255.255.0 any

!

ip sla auto discovery

ip sla 1

icmp-echo 8.8.8.8 source-interface Cellular0/0/0

threshold 2

timeout 1000

frequency 3

ip sla schedule 1 life forever start-time now

access-list 1 permit 192.168.127.0 0.0.0.255

access-list 2 permit 192.168.127.0 0.0.0.255

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

route-map PRIMARY permit 1

match ip address 1

match interface Dialer0

!

route-map SECONDARY permit 1

match ip address 1

match interface Dialer1

!

!

snmp-server community public RO

snmp-server enable traps entity-sensor threshold

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line 0/0/0

script dialer lte

modem InOut

no exec

transport input all

transport output all

rxspeed 100000000

txspeed 50000000

line 0/1/0

script dialer hspa

modem InOut

no exec

transport input all

transport output all

rxspeed 21600000

txspeed 5760000

line 0/1/1

no exec

line vty 0 4

exec-timeout 0 0

password 7 11232B3723252A202F0F19277D67667A4B

transport input all

!

scheduler allocate 20000 1000

!

----------------------------------------------------------------------------------------------------------------------------------

You also need a local policy to prevent SLA probes exit on the secondary interface after failover.

Reliable Static Routing Backup Using Object Tracking

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0                                   <------ remove this
ip route 0.0.0.0 0.0.0.0 Dialer1 100

Following changes made

Removed ip route 0.0.0.0 0.0.0.0 Dialer0  so only the following routes are left:

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 Dialer1 100

removed ACLs from Cell interfaces

I also change the IP SLA config to use the dialer 0 interface instead of the cell interface.

I shut down the dialer 0 interface and the dialer 1 interface was updated in the route table so this was a success.

However when I brought the dialer 0 interface I could not get it to fail back to the primary dialer 0 interface.

I tried then shutting down the dialer 1 interface which killed everything.

The only way I could force the traffic back through the dialer 0 interface was to add a default route via dialer 0 with no tracking, e.g. ip route 0.0.0.0 0.0.0.0 dialer0.

Thanks

Thanks for the update. I am sorry that the test results were not more positive. In looking at what you posted I notice this in the output of show ip sla statistics

Number of successes: 0
Number of failures: 44147

So something is not working with ip sla and in that case tracking for the route will not work as well. So we need to figure out what is the issue with ip sla. Perhaps the output of show ip sla summ might help. And perhaps the current config - at least the parts about ip sla since you did make some changes.

HTH

Rick

Three things:

1. Configure an echo service for "ip sla 1" and "ip sla 2" for the source-interfaces (which has already been done for one interface).

2. Check the next-hop availability command using (I guess this is the command) "set ip next-hop x.x.x.x verify-availability 1 track 1" command.[Again, I am unsure of this command, so please forgive me]. Do this for both the interfaces. x.x.x.x is the next hop for the ISP(I think you can also set this as some google dns, should work).

3. Set the next hop availability command for both IP SLAs under both lan interfaces using the route-map.

This should work.

HTH.

P.S. I am quite rusty with IP SLA configuration

Have you added

ip local policy route-map

to make sure that SLA probes to 8.8.8.8 always exit on Dialer0? Study the linked guide.

I don't think Arun Nair's 3 points are necessary.