08-28-2011 11:56 PM - edited 02-21-2020 05:32 PM
Guys, I am facing some problem here. I have 2 links in my head office from the same ISP and got a FortiGate; both IPsec tunnels are working, but the problem is with my Cisco: when 2.2.2.78, which is primary, is down, the tunnel didn't switch automatically to the secondary 1.1.1.51. I have 2 routes for 10.10.3.0/24 with different distances in the FortiGate. The actual problem is that when the primary link of the HO goes down, the branch router didn't switch to the secondary HO link and the access list keeps matching the primary tunnel. If I remove the access list from the primary tunnel then it works fine, but I need automatic failover. The Cisco 881 configuration is below; if you need additional information let me know. Thank you!

track 101 ip sla 101 reachability
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test123 address 1.1.1.51
crypto isakmp key test456 address 2.2.2.78
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set my-set esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
 match address 102
 set peer 2.2.2.78
 set security-association lifetime seconds 86400
 set transform-set my-set
crypto map mymap 12 ipsec-isakmp
 set peer 1.1.1.51
 set security-association lifetime seconds 86400
 set transform-set my-set
 match address 101
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 1.1.1.52 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 ip address 10.10.3.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.1.9 track 101
ip route 0.0.0.0 0.0.0.0 1.1.1.51 200
ip route 2.2.2.78 255.255.255.255 1.1.1.9
!
ip sla 101
 icmp-echo 2.2.2.78 source-interface FastEthernet4
 timeout 500
 threshold 499
 frequency 3
ip sla schedule 101 life forever start-time now
access-list 101 permit ip 10.10.3.0 0.0.0.255 any
access-list 102 permit ip 10.10.3.0 0.0.0.255 any
!
end
08-29-2011 01:49 AM
Hi,
So routing is responsible for switching the VPN path here. Can you share the following when the problem is there:
show ip route
show crypto isa sa
show crypto ipsec sa
cheers !
08-30-2011 02:19 AM
Hello Mohammad, yes, routing is responsible for switching the VPN path. Here is the output from these show commands:
BRANCH#sh ip route (when the primary link of HO is UP, i.e. 2.2.2.78)
S* 0.0.0.0/0 [1/0] via 1.1.1.9

BRANCH#sh ip route (when the primary link of HO is down, i.e. 2.2.2.78)
S* 0.0.0.0/0 [1/0] via 1.1.1.51

BRANCH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state    conn-id status
202.166.219.52  202.166.219.51  QM_IDLE  2006    ACTIVE
202.166.219.52  202.166.217.78  QM_IDLE  2005    ACTIVE

BRANCH#sh access-lists
Extended IP access list 101
 10 permit ip 10.10.3.0 0.0.0.255 any (160 matches)
Extended IP access list 102
 10 permit ip 10.10.3.0 0.0.0.255 any (160 matches)

Mohammad, the main problem is with the access-list: the traffic keeps matching both access lists. If the primary tunnel goes down, the access list doesn't switch to the backup tunnel. The default route does change. CHEERS MATE!!! Waiting for the solution.
08-30-2011 02:38 AM
Hi,
The problem for sure is not with the access-list. If you still see hits on both access-lists, then the router is doing load balancing on both interfaces. Can you share the full show ip route if possible?
regards.
08-29-2011 09:04 AM
Use the Cisco Embedded Event Manager to track when the primary ISP goes down and tell it to run commands to bring the tunnel down on primary.
You can also create a policy when the reverse happens. This is all dynamic within the Cisco IOS.
Cisco EEM information can be found here
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html
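The EEM approach described above, written out as an added example (this is not from the thread, from Cisco's documentation, or from the original poster's router). It reuses the poster's object names from the configuration in the first post (track 101, crypto map mymap, ACL 102, peers 2.2.2.78 and 1.1.1.51); the applet names HO-PRIMARY-DOWN and HO-PRIMARY-UP and the delay timers are assumptions. It acts on the poster's own observation that removing the access list from the primary crypto map entry makes failover work: IOS evaluates crypto map entries in ascending sequence order and uses the first entry whose ACL matches, so with ACL 101 and 102 both permitting 10.10.3.0/24 to any, sequence 11 always wins while it still has a match address, whatever the default route does.

```ios
! Added example, not the poster's configuration or Cisco's documentation.
! Dampen the tracked object so one lost probe does not flip the tunnel:
! wait 10 s before declaring the primary down, 30 s before declaring it up.
! (delay values are an assumption; tune to your SLA frequency)
track 101 ip sla 101 reachability
 delay down 10 up 30
!
! Primary HO peer (2.2.2.78) unreachable: take ACL 102 off crypto map
! sequence 11 so that sequence 12 (peer 1.1.1.51) becomes the first
! matching entry, then clear the stale IKE/IPsec session to the dead peer.
! A crypto map entry without a match address is treated as incomplete
! and is not used until the ACL is put back.
event manager applet HO-PRIMARY-DOWN
 event track 101 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "crypto map mymap 11 ipsec-isakmp"
 action 4.0 cli command "no match address 102"
 action 5.0 cli command "end"
 action 6.0 cli command "clear crypto session remote 2.2.2.78"
 action 7.0 syslog msg "HO primary 2.2.2.78 down: crypto map seq 11 disabled, failing over to 1.1.1.51"
!
! Primary HO peer reachable again: restore ACL 102 on sequence 11 so it
! is preferred again, and clear the session to the secondary so traffic
! does not stay pinned to sequence 12 until its SA lifetime expires.
event manager applet HO-PRIMARY-UP
 event track 101 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "crypto map mymap 11 ipsec-isakmp"
 action 4.0 cli command "match address 102"
 action 5.0 cli command "end"
 action 6.0 cli command "clear crypto session remote 1.1.1.51"
 action 7.0 syslog msg "HO primary 2.2.2.78 up: crypto map seq 11 re-enabled"
```

Two practical checks: if the router uses AAA command authorization, the applets' CLI actions need an authorized identity (event manager session cli username <name>), otherwise the configure terminal step is silently refused; and verify the result with show event manager policy registered, then force a failover with shut on the head-office primary and confirm that show crypto ipsec sa shows the SA to 1.1.1.51 carrying the 10.10.3.0/24 traffic. Because the applet rewrites running configuration, the change is lost on reload unless it is saved, which is the intended behaviour here: after a reboot the primary entry comes back intact and the track object re-evaluates it.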
08-30-2011 02:43 AM
Hi, at the time of the issue, if you are still seeing hits on both access-lists, then this means the router is doing load balancing for the destination?
please share the full output of the "show ip route"
regards.