2x877's, 2xADSL Circuits - Failover and Tracking

Oct 21st, 2008

Hi,

I've got 2x877 routers which are each connected to a separate ADSL circuit with different providers for redundancy.

Currently I have HSRP setup for failover should one of the devices die. This doesn't cover failover should the upstream ADSL circuit stop working (leaving line protocol up, but no routing of traffic). And it means 1 ADSL circuit is left not doing much as all traffic goes out the primary Router.

I would like to start using both routers/circuits, with load balancing and failover.

What I've thought is, if I configure each router to track a couple of hosts on the internet (our VPN host at another site, and perhaps http://www.google.com), and then use the reachability of those hosts as an indicator of whether the circuit connected to that router is up, I can then use that status to trigger a failover and route all traffic out via the other circuit.

While both circuits are active and working I would like to be able to load balance traffic in and out of both ADSL circuits, but am not sure what type of load balancing I should use (I presume GLBP is the best option). I understand that if the circuit a persistent session (like RDP or SSH) is using fails, then it will have to be re-established to initiate the session out the other router.

Currently everything I've looked at seems to rely on decrementing, and if the ADSL_1 circuit fails more often than ADSL_2 then its object weighting or priority will be decremented more often and thus be much lower than ADSL_2, so no failover will occur unless ADSL_2 fails the same number of times to bring its weighting/priority to below ADSL_1 (I hope I make sense).

I want to fail based on the state of a tracked object, i.e. if tracked_object_1 is UP all is well and load balance between the 2 circuits, but when tracked_object_1 is DOWN route via the other circuit, and when tracked_object_1 comes back UP, load balance again.

Any help would be much appreciated, as I'm fairly new to the track command and GLBP on the 877.

Cheers,

Andy

Giuseppe Larosa Wed, 10/22/2008 - 23:51

Hello Andy,

Some more information is needed in order to get better help.

Are you using ADSL circuits that are in a Service Provider VPN like MPLS VPN, or are these Internet access links?

If they are Internet access links you are probably using NAT.

For accessing your headquarters, have you got some form of tunneling like IPsec or GRE, or GRE inside IPsec?

What you can use here is object tracking with static routes.

Here the idea is to have two default static routes: the primary linked to object tracking, the backup pointing at the other router.

see

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

In this way you can at the same time change track objects for GLBP and for the static routes.

I would suggest you use as object target a device that you can control on another site: you cannot know when and if Google network managers decide to drop your ICMP requests.

However, the capability to offer real load balancing depends on your scenario: if using NAT and/or IPsec this can be a problem that requires a more complex configuration.

Hope to help

Giuseppe

andysuggars Mon, 10/27/2008 - 05:10

Hi Giuseppe,

The ADSL connections are normal ISP-provided internet access links and we are using NAT. We will probably set up a site-to-site VPN back to headquarters, mainly for administration of the firewalls and host machines behind that, but otherwise a VPN will not be used as all access needed by the office is available via the web.

Thanks for the tips. I had started looking into the object tracking with static routes with that document, and then saw your post mentioning the same document and ideas, so I persevered and I think I have it working now.

With the GLBP load balancing, will this affect VPN connections? And I presume if I don't specify a type of load balancing it will just use round robin? There will be a maximum of 12 hosts on the network.

When I do some testing, I notice failover is fine and there is no loss of connectivity as the other router picks up the traffic; however, when the connection comes back up on the second router, there is a 3 second delay until traffic starts flowing again. Can this be done with no loss of connectivity? I.e. a similar idea to port-channelling? I understand session-based connections going out via the router that fails, like RDP or SSH sessions, will have to be re-established, but the less time the connection is down during failover and failback the better.

I was thinking of having 3 IP SLA monitors and grouping them in an OR list. That way I can shorten the timeout, meaning if one packet response is missed it won't falsely fail over as the other two are up, and if all 3 drop then chances are the connection is down and it should fail over. However I'm not sure how to stop the short connection failure when the failed connection comes back online (whether it be a router power cycle or pulling the ADSL cable out of the back and plugging it back in).

For the sake of the config I've substituted one of our public devices with the Google IP address for the tracking statement, but as you mentioned I will be using a device whose IP we have control of.

I've attached our config to this post (various details changed/removed for public viewing).

Any help would be much appreciated.

Cheers,

Andy
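The following is an added example configuration (not Andy's attached config, which is not reproduced on this page) showing the pieces discussed in the thread on one 877: three IP SLA ICMP probes combined in a boolean OR track list, a tracked primary default route with a floating static route via the other 877, and the same track object driving GLBP weighting. It assumes 12.4(4)T-or-later `ip sla` syntax, Dialer0 as the ADSL interface, placeholder probe targets in 192.0.2.0/24 (TEST-NET), and 192.168.1.2/.3 as the two routers' LAN addresses; the second router is mirrored with the addresses swapped and a lower GLBP priority.

```cisco
! Added example, not the poster's config. Placeholder targets 192.0.2.10/20/30.
! Three independent ICMP probes, each sourced from this router's own ADSL interface.
ip sla 1
 icmp-echo 192.0.2.10 source-interface Dialer0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.20 source-interface Dialer0
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 192.0.2.30 source-interface Dialer0
 timeout 1000
 frequency 5
ip sla schedule 3 life forever start-time now
!
! Pin the probe targets to Dialer0 so that, once the default route has failed over
! to the other 877, the probes do not succeed via the backup path and flap the track.
ip route 192.0.2.10 255.255.255.255 Dialer0
ip route 192.0.2.20 255.255.255.255 Dialer0
ip route 192.0.2.30 255.255.255.255 Dialer0
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
! Composite object: UP while any one probe answers, DOWN only when all three fail.
! The hold-down delays absorb a single missed reply and a freshly re-dialed PPP session.
track 10 list boolean or
 object 1
 object 2
 object 3
 delay up 10 down 5
!
! Primary default route is withdrawn when track 10 goes DOWN; the floating static
! (AD 254) via the other router's LAN address then carries traffic until it returns.
ip route 0.0.0.0 0.0.0.0 Dialer0 track 10
ip route 0.0.0.0 0.0.0.0 192.168.1.3 254
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 glbp 1 ip 192.168.1.1
 glbp 1 priority 110
 glbp 1 preempt
 ! round-robin is the GLBP default; stated here to make the load-balancing mode explicit
 glbp 1 load-balancing round-robin
 ! weight 100 drops to 50 (below lower 90) when track 10 fails, so this router stops
 ! forwarding for the group; it resumes once the weight climbs back to upper 100.
 glbp 1 weighting 100 lower 90 upper 100
 glbp 1 weighting track 10 decrement 50
```

Because the 877 is doing NAT overload on Dialer0, existing translations belong to the router whose circuit failed, so sessions such as RDP or SSH still re-establish after failover, as the thread already notes.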
