Guys, I am facing some problem here. I have 2 links in my head office from the same ISP and got a FortiGate. Both IPsec tunnels are working, but the problem is with my Cisco: when 18.104.22.168, which is primary, is down, the tunnel didn't switch automatically to the secondary 22.214.171.124. I have 2 routes for 10.10.3.0/24 with different distance in the FortiGate. The actual problem is that when the primary link of HO goes down, the branch router didn't switch to the secondary HO link and the access list keeps matching the primary tunnel. If I remove the access list from the primary tunnel then it works fine, but I need automatic failover. Cisco 881 configuration is below; if you need additional information let me know. Thank you!

!
track 101 ip sla 101 reachability
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test123 address 126.96.36.199
crypto isakmp key test456 address 188.8.131.52
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set my-set esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
 match address 102
 set peer 184.108.40.206
 set security-association lifetime seconds 86400
 set transform-set my-set
crypto map mymap 12 ipsec-isakmp
 set peer 220.127.116.11
 set security-association lifetime seconds 86400
 set transform-set my-set
 match address 101
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 18.104.22.168 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 ip address 10.10.3.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 22.214.171.124 track 101
ip route 0.0.0.0 0.0.0.0 126.96.36.199 200
ip route 188.8.131.52 255.255.255.255 184.108.40.206
!
ip sla 101
 icmp-echo 220.127.116.11 source-interface FastEthernet4
 timeout 500
 threshold 499
 frequency 3
ip sla schedule 101 life forever start-time now
access-list 101 permit ip 10.10.3.0 0.0.0.255 any
access-list 102 permit ip 10.10.3.0 0.0.0.255 any
!
end
So routing is responsible for switching the VPN path here. Can you share the following when the problem is there:
show ip route
show crypto isa sa
show crypto ipsec sa
Hello Mohammad, yes, routing is responsible for switching the VPN path. Here is the output from these show commands:
BRANCH#sh ip route (when the primary link of HO is UP, i.e. 18.104.22.168)
S* 0.0.0.0/0 [1/0] via 22.214.171.124

BRANCH#sh ip route (when the primary link of HO is Down, i.e. 126.96.36.199)
S* 0.0.0.0/0 [1/0] via 188.8.131.52

BRANCH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
184.108.40.206  220.127.116.11  QM_IDLE        2006    ACTIVE
18.104.22.168   22.214.171.124  QM_IDLE        2005    ACTIVE

BRANCH#sh access-lists
Extended IP access list 101
    10 permit ip 10.10.3.0 0.0.0.255 any (160 matches)
Extended IP access list 102
    10 permit ip 10.10.3.0 0.0.0.255 any (160 matches)

Mohammad, the main problem is with the access-list: the traffic keeps matching both access lists. If the primary tunnel goes down the access list didn't switch to the backup tunnel. The default route does change. CHEERS MATE!!! Waiting for the solution.
The problem for sure is not with the access-list. If you still see hits on both access-lists then the router is doing load balancing on both interfaces. Can you share the full show ip route if possible!
Use the Cisco Embedded Event Manager to track when the primary ISP goes down and tell it to run commands to bring the tunnel down on primary.
You can also create a policy when the reverse happens. This is all dynamic within the Cisco IOS.
Cisco EEM information can be found here
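As an added illustration of the EEM approach described above (this is not configuration from the thread or from any of the posters), here is what a pair of applets on the branch 881 could look like. They hang off the `track 101` object and the crypto map `mymap` that are already in the posted configuration; the applet names and syslog messages are hypothetical, and the peer addresses and sequence numbers are the ones from the posted crypto map. The idea relies on the standard IOS behaviour that crypto map entries are evaluated in ascending sequence order, so while sequence 11 exists and its ACL matches, sequence 12 is never consulted.

```cisco
! Added example: EEM applets driven by the existing "track 101" object
! (IP SLA reachability toward the head office). Applet names and
! messages are hypothetical; peers and sequence numbers are taken from
! the posted crypto map "mymap".
!
! Primary head-office link goes down: remove crypto map sequence 11
! (peer 184.108.40.206) so branch traffic can only match sequence 12
! (peer 220.127.116.11), then tear down the session still pointing at
! the primary peer so the next packet triggers IKE toward the backup.
event manager applet HO-PRIMARY-DOWN
 event track 101 state down
 action 1.0 syslog priority warnings msg "HO primary down: moving IPsec to backup peer"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "no crypto map mymap 11"
 action 5.0 cli command "end"
 action 6.0 cli command "clear crypto session remote 184.108.40.206"
!
! Primary link comes back: re-create sequence 11 exactly as it was in
! the posted config, then drop the session to the backup peer so new
! traffic is re-evaluated and matches the lower sequence again.
event manager applet HO-PRIMARY-UP
 event track 101 state up
 action 1.0 syslog priority notifications msg "HO primary up: restoring primary IPsec peer"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "crypto map mymap 11 ipsec-isakmp"
 action 5.0 cli command "match address 102"
 action 6.0 cli command "set peer 184.108.40.206"
 action 7.0 cli command "set security-association lifetime seconds 86400"
 action 8.0 cli command "set transform-set my-set"
 action 9.0 cli command "end"
 action 9.1 cli command "clear crypto session remote 220.127.116.11"
```

Two things to check before using something like this. First, the applets only do the right thing if `ip sla 101` is probing an address that is reachable only through the primary head-office link; since the same track object already flips the default route in the posted config, the route and the crypto map then move together. Second, the applets edit the running configuration, so saving the config while the primary is down would persist the removed entry. A simpler alternative that needs no runtime reconfiguration is a single crypto map entry carrying two `set peer` lines (IOS then tries the next peer when IKE to the first one fails, with the existing `crypto isakmp keepalive` detecting the dead peer), which avoids the duplicate-ACL situation altogether.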
Hi, at the time of the issue, if you are still seeing hits on both access-lists, then this means the router is doing load balancing for the destination?
Please share the full output of the "show ip route".