problems with second ISP

sanjar200994
Level 1

Hello everyone, I have a question. 

We changed the ISP for the backup channel of our branch office. We use IP SLA and tracks to switch between the main and backup channels. Before we changed the ISP everything worked well, but now it doesn't work.

 

Part of the config with tracks:

track 10 ip sla 10 reachability
!
track 11 ip sla 11 reachability
!
track 15 list boolean or
object 10
object 11
delay down 60 up 60
!
track 20 ip sla 20 reachability
!
track 21 ip sla 21 reachability
!
track 25 list boolean or
object 20
object 21
delay down 60 up 60
!
track 30 list boolean and
object 15 not
object 25

ip access-list extended sla-1
permit icmp host vlan5_ip DMVPN_HUB_R1
permit icmp host  vlan5_ip DMVPN_HUB_R2
ip access-list extended sla-2
permit icmp host Fa4_ip host DMVPN_HUB_R1
permit icmp host Fa4_ip host DMVPN_HUB_R2

ip route 0.0.0.0 0.0.0.0 GW_ISP1 track 15
ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 25

ip sla 10
icmp-jitter DMVPN_HUB_R1 source-ip vlan5_ip num-packets 5 interval 1000
frequency 12
ip sla schedule 10 life forever start-time now
ip sla 11
icmp-jitter DMVPN_HUB_R2 source-ip vlan5_ip num-packets 5 interval 1000
frequency 12
ip sla schedule 11 life forever start-time now
ip sla 20
icmp-jitter DMVPN_HUB_R1 source-ip Fa4_ip num-packets 5 interval 1000
frequency 12
ip sla schedule 20 life forever start-time now
ip sla 21
icmp-jitter DMVPN_HUB_R2 source-ip Fa4_ip num-packets 5 interval 1000
frequency 12
ip sla schedule 21 life forever start-time now

route-map sla permit 10
match ip address sla-1
set vrf ISP
set ip vrf ISP next-hop GW_of_ISP1
set interface FastEthernet4


route-map sla permit 20
match ip address sla-2
set vrf ISP
set interface Dialer0

event manager applet backup
event track 30 state up
action 1.0 cli command "configure terminal"
action 1.1 cli command "interface range tunnel0-1"
action 1.2 cli command "shutdown"
action 1.3 cli command "no tunnel protection ipsec profile"
action 1.4 cli command "tunnel source Dialer0"
action 1.5 cli command "tunnel protection ipsec profile profile-a shared"
action 1.6 cli command "no shutdown"
action 1.7 cli command "exit"
event manager applet main
event track 15 state up
action 1.0 cli command "configure terminal"
action 1.1 cli command "interface range tunnel0-1"
action 1.2 cli command "shutdown"
action 1.3 cli command "no tunnel protection ipsec profile"
action 1.4 cli command "tunnel source Vlan5"
action 1.5 cli command "tunnel protection ipsec profile profile-a shared"
action 1.6 cli command "no shutdown"
action 1.7 cli command "exit"

 

As you can see in the event manager config, I have a DMVPN tunnel, and the event manager changes the "tunnel source".

When I do it manually it works fine. But when I want to simulate some problems with ISP1 (I shut down interface vlan 5), ISP2 also loses connection.

Very strange(( I just changed the old ISP configuration to the new one, but it doesn't work. Who can help me?

 


sanjar200994
Level 1

I found a mistake here and deleted this line, but I still have the problem:

route-map sla permit 10
match ip address sla-1
set vrf ISP
set ip vrf ISP next-hop GW_of_ISP1
set interface FastEthernet4

Can you explain with a topology what you want to achieve here?

Two hubs and two tunnel sources?

Or one hub and two tunnel sources?

Why do you need to change the source? Instead you can connect to both hubs.

MHM

Thanks for your answer. We have two hubs and two tunnels. I didn't create this topology, and I can't change things how I want.

Understood.

So you want to change the tunnel source depending on whether the hub is reachable via the ISP or not.

If so, why do you use icmp-jitter and not icmp-echo?

These are two different SLAs: jitter calculates delay and echo detects reachability, and as I see it the track you use is for reachability.

Can you check the status of the track and IP SLA when you use icmp-jitter?

MHM

All these configs were already on this router, I just changed the ISP to another one. So should I change icmp-jitter to icmp-echo on all SLAs (10, 11, 20, 21)?

a-nsez#sh track
Track 10
IP SLA 10 reachability
Reachability is Up
2 changes, last change 04:08:28
Latest operation return code: OK
Latest RTT (millisecs) 39
Tracked by:
Track-list 15
Track 11
IP SLA 11 reachability
Reachability is Up
2 changes, last change 04:08:28
Latest operation return code: OK
Latest RTT (millisecs) 37
Tracked by:
Track-list 15
Track 15
List boolean or
Boolean OR is Up
2 changes, last change 04:07:27
object 10 Up
object 11 Up
Delay up 60 secs, down 60 secs
Tracked by:
Track-list 30
STATIC-IP-ROUTING 0
EEM applet main
Track 20
IP SLA 20 reachability
Reachability is Down
1 change, last change 04:08:52
Latest operation return code: Timeout
Tracked by:
Track-list 25
Track 21
IP SLA 21 reachability
Reachability is Down
1 change, last change 04:08:52
Latest operation return code: Timeout
Tracked by:
Track-list 25
Track 25
List boolean or
Boolean OR is Down
1 change, last change 04:08:52
object 20 Down
object 21 Down
Delay up 60 secs, down 60 secs
Tracked by:
Track-list 30
STATIC-IP-ROUTING 0
Track 30
List boolean and
Boolean AND is Down
1 change, last change 04:08:52
object 15 not Up
object 25 Down
Tracked by:
EEM applet backup
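
An added example, not part of any post in this thread: the track lists from the posted configuration evaluated in Python, first with the probe states from the `sh track` output and then with two constructed cases. The function names are made up for the illustration, and the `delay` timers are ignored.

```python
import re

# List stanzas copied from the configuration posted in this thread.
TRACK_CONFIG = """\
track 15 list boolean or
 object 10
 object 11
 delay down 60 up 60
track 25 list boolean or
 object 20
 object 21
 delay down 60 up 60
track 30 list boolean and
 object 15 not
 object 25
"""

def parse_tracks(config):
    """Return {track_id: (op, [(member_id, negated), ...])}."""
    lists, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        head = re.fullmatch(r"track (\d+) list boolean (and|or)", line)
        member = re.fullmatch(r"object (\d+)( not)?", line)
        if head:
            current = int(head.group(1))
            lists[current] = (head.group(2), [])
        elif member and current is not None:
            lists[current][1].append((int(member.group(1)), bool(member.group(2))))
    return lists

def evaluate(track_id, lists, leaves):
    """Steady-state value of a track (True = Up); delay timers are ignored."""
    if track_id not in lists:
        return leaves[track_id]          # an "ip sla ... reachability" track
    op, members = lists[track_id]
    values = [evaluate(m, lists, leaves) != neg for m, neg in members]
    return all(values) if op == "and" else any(values)

def summary(leaves):
    lists = parse_tracks(TRACK_CONFIG)
    return {t: evaluate(t, lists, leaves) for t in sorted(lists)}

OBSERVED = {10: True, 11: True, 20: False, 21: False}   # from the "sh track" output
ISP1_DOWN = {**OBSERVED, 10: False, 11: False}          # constructed: ISP1 probes fail
ISP1_DOWN_ISP2_OK = {10: False, 11: False, 20: True, 21: True}  # constructed

if __name__ == "__main__":
    print(summary(OBSERVED), summary(ISP1_DOWN), summary(ISP1_DOWN_ISP2_OK))
```

With tracks 20 and 21 timing out, track 25 stays Down whether or not ISP1 is up, so the `Dialer0` default route tracked on 25 is not installed and track 30 never goes Up to trigger the `backup` applet. Track 30 goes Up only in the third case, where the backup probes succeed.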

 

 

The track now follows the IP SLA, but you use boolean.

So is the final track status now what you are looking for?

MHM

balaji.bandi
Hall of Fame

You need to give more information.

What device model, and what IOS code is running?

Are both ISPs connected to the same router/device, or do you have dual routers and a switch behind?

I shutdown interface vlan 5

Where is this VLAN 5? Your OP post does not show this configuration.

Why do you need 4 SLAs? Just trying to understand the logic behind it.

If I understand correctly, for example, each link uses hub 1 and hub 2; if the hub 1 link goes down, it should use hub 2 and vice versa, right?

You should use 2 SLAs using the correct source to track, since (I am guessing) you ping using both interfaces; that is not reachable, so the other SLA track is also going down. That is what I think the issue is for now.

Does all your traffic go via the tunnel only? You do not have DIA from the spoke?

It would be nice to have a high-level diagram of what devices are on the spoke side.

BB
