I have the following network layout uploaded here: diagram. Simplified router configurations:
I'm running constant pings to Server B (192.168.10.1) from Server A (192.168.1.1), as well as to the internet (22.214.171.124). When the CE1 router is the HSRP active one (standby group for both the LAN- and ISP-facing interfaces), all traffic routes normally with no issues. When I make the CE2 router active on the ISP side (10.0.0.0/24 network), all traffic routes normally. When I make the CE2 router active on the LAN side (192.168.1.0), I start getting TTL expired messages when pinging Server B. Pings to 126.96.36.199 route normally.
The question is: why am I getting TTL expired messages when trying to route while CE2 is the active member of the HSRP LAN group?
What I tried:
When I route directly to a CE2 IP address (192.168.1.22) I have no problems (no TTL expiration).
In the route-map definition I tried the following:
set vrf L-LAN
set ip default L-LAN next-hop 192.168.1.254
set ip default global next-hop 192.168.1.254
and combinations of these.
Removing the policy map from the interface fixes the issue with routing to Server B (obviously that disables default traffic going to the ASA).
Changing the set ip next-hop address to go to the SonicWall does not make a difference.
CE2 can reach both the ISP1 and ISP2 routers via their HSRP or local addresses.
"show standby" shows all the expected information (active and standby routers, etc.).
The Cisco ASA has one static route: 192.168.10.0/24 via 192.168.1.23.
Any ideas what else to check?
IOS revisions: Cisco 2921 IOS: 15.4(3)M6; Cisco 1921 IOS: 15.2(4)M2
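"TTL expired in transit" is the symptom of a forwarding loop: each hop decrements the TTL, and a packet that keeps bouncing between two devices is dropped by whichever one takes the TTL to zero. The simulator below is an added illustration of that mechanism, not code from the original post and not a diagnosis of the poster's network. It uses a hypothetical topology (a CE router with a route-map pointing at a firewall called ASA, which in turn holds a static route for the server subnet back through the CE) and contrasts the two route-map actions the thread mentions: `set ip next-hop`, which overrides the routing table, and `set ip default next-hop`, which IOS applies only when the table holds nothing more specific than a default route.

```python
"""Hop-by-hop forwarding simulator: shows how a policy-based-routing (PBR)
'set ip next-hop' that ignores the routing table can bounce packets between
a router and a firewall until the TTL expires, while 'set ip default next-hop'
(applied only when the table holds nothing better than a default route) lets
the more specific route win. Constructed example with a hypothetical topology;
it is not a diagnosis of the network in the original post."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DELIVER = "deliver"  # sentinel next hop: destination is directly connected here


@dataclass
class Node:
    name: str
    # Static/connected routes as (prefix, next-hop node name); longest match wins.
    routes: List[Tuple[IPv4Network, str]]
    pbr_next_hop: Optional[str] = None  # next hop named in the route-map, if any
    pbr_mode: str = "next-hop"           # "next-hop" or "default-next-hop"

    def rib_lookup(self, dst: IPv4Address) -> Optional[Tuple[IPv4Network, str]]:
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def next_hop(self, dst: IPv4Address) -> Optional[str]:
        best = self.rib_lookup(dst)
        if self.pbr_next_hop is not None:
            if self.pbr_mode == "next-hop":
                # 'set ip next-hop': the policy wins regardless of the routing table
                return self.pbr_next_hop
            if best is None or best[0].prefixlen == 0:
                # 'set ip default next-hop': only when nothing more specific than
                # a default route exists for the destination
                return self.pbr_next_hop
        return best[1] if best else None


def forward(nodes: Dict[str, Node], start: str, dst: str, ttl: int = 64):
    """Walk the packet hop by hop, decrementing TTL as each router would.
    Returns (outcome, path); outcome is 'delivered', 'unreachable' or 'ttl-expired'."""
    dst_addr = ip_address(dst)
    path = [start]
    current = start
    while True:
        nh = nodes[current].next_hop(dst_addr)
        if nh is None:
            return "unreachable", path
        if nh == DELIVER:
            return "delivered", path
        ttl -= 1
        if ttl == 0:
            # the router that decrements TTL to 0 drops the packet and
            # answers with ICMP time exceeded (the "TTL expired" the sender sees)
            return "ttl-expired", path
        current = nh
        path.append(current)


def build_topology(pbr_mode: str) -> Dict[str, Node]:
    """Hypothetical topology (constructed): a CE router whose route-map points at
    a firewall (ASA) that itself holds a static route for the server subnet back
    through the CE. Node names and routes are assumptions for the illustration."""
    ce = Node("CE", [(ip_network("192.168.10.0/24"), "ServerB"),
                     (ip_network("0.0.0.0/0"), "ASA")],
              pbr_next_hop="ASA", pbr_mode=pbr_mode)
    asa = Node("ASA", [(ip_network("192.168.10.0/24"), "CE"),
                       (ip_network("0.0.0.0/0"), "ISP")])
    server_b = Node("ServerB", [(ip_network("192.168.10.0/24"), DELIVER)])
    isp = Node("ISP", [(ip_network("0.0.0.0/0"), DELIVER)])
    return {n.name: n for n in (ce, asa, server_b, isp)}


def simulate(pbr_mode: str, dst: str = "192.168.10.1", ttl: int = 64):
    """Inject a packet at the CE with the given route-map action and report the result."""
    return forward(build_topology(pbr_mode), "CE", dst, ttl)


if __name__ == "__main__":
    for mode in ("next-hop", "default-next-hop"):
        for target in ("192.168.10.1", "22.214.171.124"):
            outcome, path = simulate(mode, target)
            print(f"{mode:18s} to {target:15s} -> {outcome}; "
                  f"{len(path)} hops, path starts {path[:4]}")
```

With the override form the packet for 192.168.10.1 alternates CE, ASA, CE, ASA until the 64th hop drops it, while internet-bound traffic is unaffected because the ASA's default route carries it onward; with the default-next-hop form the CE's own /24 route wins and the server is reached in one hop. In a real investigation the equivalent check is a traceroute from the LAN host during the failure, which shows the repeating pair of hops directly.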
Hi Michal,

I don't understand your problem described by "The problem I'm trying to overcome is if traffic from Site3 to Site2 lands on router S1_MAIN. S1_MAIN, due to the "split horizon" rule in EIGRP, should only have a route pointing via the IPSEC tunnel, which is not what I want. The MPLS network should always be the preferred route for all source subnets. S1_MAIN might not know that there is a better path via S1_MPLS (if S1_MPLS received the route advertisement and due to split horizon did not advertise it back) and hence S1_MAIN will route traffic via the IPSEC_BACKUP link (much slower with higher latency)."

Are you talking about the route for Site3 received on the S1_MPLS router? I don't know where exactly you are redistributing BGP/EIGRP in your topology. On S1_Core1 or S1_MPLS?

Let's say you are redistributing on S1_MPLS: S1_MPLS is receiving routes for Site3 via BGP and also via EIGRP (from S1_Main, which had received it via the IPSec tunnel). As the eBGP AD is better than the EIGRP one, S1_MPLS puts the BGP route into its RIB and redistributes it into EIGRP. So it advertises it to EIGRP with some good metric. S1_Main then receives the route via EIGRP from S1_MPLS with a better metric than the original prefix received via IPSec. So it puts the new prefix into its RIB and starts to forward packets with Site3 destination addresses via S1_MPLS. No EIGRP Split Horizon is applied, as the better route was not received on the same interface as the original IPSec one.

Also note: the Split Horizon rule is only about advertising the prefix back out of the interface it was received on, not ignoring it! See http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/16406-eigrp-toc.html#splithorizon for more details.

BR, Milan
If you have control of the MPLS_CORE node, you can change the local preference to prefer a route. I see both routes are coming from different autonomous systems (64512 and 64513). If you have control of both nodes 188.8.131.52 and 184.108.40.206, then you can do AS-path prepending while advertising to MPLS_CORE.
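The two replies above rely on two different selection steps: Milan's explanation turns on administrative distance (an eBGP route, AD 20, beats the same prefix learned via EIGRP, AD 90, so S1_MPLS installs the BGP path and redistributes it), and the second reply turns on the BGP best-path algorithm (LOCAL_PREF is compared before AS_PATH length, so raising local preference inbound or prepending outbound steers the choice). The script below is an added example, not code from either reply or from Cisco; it models three of the best-path steps plus the RIB's AD comparison on constructed scenarios. The prefix 10.3.0.0/16, the peer addresses 10.0.12.1 and 10.0.13.1, the upstream AS 65000 and the EIGRP metric are assumptions; the AS numbers 64512 and 64513 come from the thread.

```python
"""Route-selection simulator for the two mechanisms in the replies above:
(1) BGP best path: highest LOCAL_PREF, then shortest AS_PATH, then lowest
    neighbour address as the tie-break used here (a subset of the Cisco steps);
(2) RIB selection between protocols by administrative distance (eBGP 20 beats
    EIGRP 90 regardless of metric).
Constructed example; prefixes, peer addresses and metrics are hypothetical."""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Cisco IOS default administrative distances (lower is preferred).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ibgp": 200}


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    neighbor: str            # address of the peer that sent this path
    as_path: Tuple[int, ...]  # ASNs, nearest AS first
    local_pref: int = 100     # IOS default when no inbound policy sets it


def prepend_own_as(path: BgpPath, times: int) -> BgpPath:
    """What the advertising AS does with 'set as-path prepend': it repeats its
    own ASN in front of the path, so the receiver sees a longer AS_PATH."""
    own_as = path.as_path[0]
    return replace(path, as_path=(own_as,) * times + path.as_path)


def _addr_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in addr.split("."))


def bgp_best_path(paths: List[BgpPath]) -> BgpPath:
    """Highest LOCAL_PREF wins; ties broken by shortest AS_PATH, then lowest
    neighbour address. Other Cisco steps (origin, MED, IGP cost) are omitted."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), _addr_key(p.neighbor)))


@dataclass(frozen=True)
class RibCandidate:
    protocol: str
    next_hop: str
    metric: int


def rib_select(candidates: List[RibCandidate]) -> RibCandidate:
    """The RIB compares administrative distance first; metric only matters
    between candidates from the same protocol."""
    return min(candidates, key=lambda c: (ADMIN_DISTANCE[c.protocol], c.metric))


# Constructed scenario for the second reply: MPLS_CORE hears one prefix from
# two hypothetical peers, one in AS 64512 and one in AS 64513.
VIA_64512 = BgpPath("10.3.0.0/16", "10.0.12.1", (64512, 65000))
VIA_64513 = BgpPath("10.3.0.0/16", "10.0.13.1", (64513, 65000))


def default_choice() -> str:
    """No policy: equal LOCAL_PREF and AS_PATH length, so the tie-break decides."""
    return bgp_best_path([VIA_64512, VIA_64513]).neighbor


def with_local_pref(preferred_neighbor: str, value: int = 200) -> str:
    """Inbound policy on MPLS_CORE: raise LOCAL_PREF on paths from one peer."""
    paths = [replace(p, local_pref=value) if p.neighbor == preferred_neighbor else p
             for p in (VIA_64512, VIA_64513)]
    return bgp_best_path(paths).neighbor


def with_prepend(prepending_neighbor: str, times: int = 2) -> str:
    """Outbound policy on one peer: it prepends, so MPLS_CORE prefers the other."""
    paths = [prepend_own_as(p, times) if p.neighbor == prepending_neighbor else p
             for p in (VIA_64512, VIA_64513)]
    return bgp_best_path(paths).neighbor


# Constructed scenario for Milan's reply: S1_MPLS holds the Site3 prefix both
# via eBGP (from the MPLS provider) and via EIGRP (from S1_MAIN over IPsec).
def s1_mpls_rib_choice() -> str:
    return rib_select([RibCandidate("ebgp", "MPLS_PE", 0),
                       RibCandidate("eigrp", "S1_MAIN", 3072)]).protocol


if __name__ == "__main__":
    print("default best path via", default_choice())
    print("local-pref 200 on 10.0.13.1 ->", with_local_pref("10.0.13.1"))
    print("AS 64512 prepends twice ->", with_prepend("10.0.12.1"))
    print("S1_MPLS installs Site3 from", s1_mpls_rib_choice())
```

Note the asymmetry the second reply points at: local preference is set on the receiving router (MPLS_CORE) and never leaves the local AS, whereas prepending is done by the advertising neighbour and is visible to everyone downstream, which is why it needs control of the advertising nodes.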