failover issue

Unanswered Question
Mar 18th, 2009
hello,

I have two connections between the headend and the branch. How can I fail over between the two links using static routes, managing administrative distance in the branch router? The return path is not coming from the headend if the primary link goes down.

rpfinneran Wed, 03/18/2009 - 04:21

If both links are on one router on both sides:

Headend

ip route x.x.x.x m.m.m.m
ip route x.x.x.x m.m.m.m 10

Branch

ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0 10

ramesh.karki Wed, 03/18/2009 - 04:32
I did the same; the backup link comes up when the primary link goes down, but the issue is that the headend router could not forward any packets to the branch. I am using IPsec VPN too.

rpfinneran Wed, 03/18/2009 - 05:00

How is the IPSec implemented? Can you paste all relevant configs?

ramesh.karki Wed, 03/18/2009 - 05:36
Here is what I have done:

BRANCH
-------

crypto isakmp policy 150
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234xx address 10.10.10.1
crypto isakmp key 5678xx address 10.11.11.1
!
crypto ipsec transform-set XX esp-3des esp-sha-hmac
!
crypto map MAP-A 10 ipsec-isakmp
 set peer 10.10.10.1
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-ho
!
crypto map MAP-B 10 ipsec-isakmp
 set peer 10.11.11.1
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-ho
!
interface FastEthernet0/0
 description $$ Primary LINK $$
 ip address 10.10.10.8 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP-A
!
interface FastEthernet0/1
 description $$ Secondary LINK $$
 ip address 10.11.11.8 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP-B
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.11.11.1 9
!
ip access-list extended vpn-to-ho
 permit ip xx xx
 permit ip xx xx

HEADEND
--------

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234xx address 10.10.10.8
crypto isakmp key 5678xx address 10.11.11.8
!
crypto ipsec transform-set XX esp-3des esp-sha-hmac
!
crypto map MAP-A 100 ipsec-isakmp
 set peer 10.10.10.8
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-branch
!
crypto map MAP-B 100 ipsec-isakmp
 set peer 10.11.11.8
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-branch
!
interface FastEthernet2/1
 description $$ Primary-LINK $$
 no switchport
 ip address 10.10.10.1 255.255.255.0
 crypto map MAP-A
!
interface FastEthernet2/2
 description $$ Secondary-LINK $$
 no switchport
 ip address 10.11.11.1 255.255.255.0
 crypto map MAP-B
!
ip route x.x.x.x x.x.x.x 10.10.10.8
ip route x.x.x.x x.x.x.x 10.11.11.8 9
!
ip access-list extended vpn-to-branch

rpfinneran Sun, 03/22/2009 - 00:29

I see. You are using LAN interfaces for these two links. The problem is this: static routes are valid as long as there is a valid route to the next-hop IP address.


So, ip route x.x.x.x x.x.x.x 10.10.10.8 is valid as long as there is a valid route to 10.10.10.8. So, if FastEthernet2/1 on your headend router doesn't go down, then the other route will never take over.


Ultimately, probably the easiest solution is to set up some routing protocol. What protocol do you run internally on your network?


The other option you have is to set up a tracking object that would track IP reachability to 10.10.10.8, and cause the static route to become invalid when 10.10.10.8 is unreachable.


The configs would be something like this...

=============
HEADEND
=============

conf t
ip sla 1
 icmp-echo 10.10.10.8
 timeout 500
 frequency 3
ip sla schedule 1 start-time now life forever
exit
!
track 1 rtr 1 reachability
!
ip route x.x.x.x x.x.x.x 10.10.10.8 track 1
ip route x.x.x.x x.x.x.x 10.11.11.8 9

============
BRANCH
============

conf t
ip sla 1
 icmp-echo 10.10.10.1
 timeout 500
 frequency 3
ip sla schedule 1 start-time now life forever
exit
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1
ip route 0.0.0.0 0.0.0.0 10.11.11.1 9



There is a similar concept here as well: http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml


Let me know how it goes.
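To see why the untracked floating static never fails over on a LAN link, here is an added Python model (not from the thread or from Cisco) of how IOS keeps or withdraws a static route: the route survives while its next hop sits on an up interface, and a track object adds the reachability condition. The branch prefix 192.0.2.0/24 and the interface state table are constructed stand-ins for the x.x.x.x values in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed scenario mirroring the thread: the headend's FastEthernet2/1 (10.10.10.0/24)
# is a LAN interface, so it stays up even when the far end 10.10.10.8 is unreachable.

def resolves(next_hop, interfaces):
    """IOS keeps a static route only while its next hop lies on a connected, up interface."""
    nh = ip_address(next_hop)
    return any(up and nh in ip_network(subnet) for up, subnet in interfaces.values())

def best_route(prefix, routes, interfaces, tracks):
    """Return (next_hop, distance) installed for prefix, or None if no candidate is valid.

    routes: dicts with keys prefix, next_hop, distance and an optional track id;
    tracks: {track_id: reachable?} as reported by the IP SLA probe.
    Among valid candidates the lowest administrative distance wins.
    """
    valid = []
    for r in routes:
        if r["prefix"] != prefix or not resolves(r["next_hop"], interfaces):
            continue                        # wrong prefix, or next hop not on an up interface
        if r.get("track") is not None and not tracks.get(r["track"], False):
            continue                        # track object is down, so the route is withdrawn
        valid.append((r["distance"], r["next_hop"]))
    if not valid:
        return None
    distance, next_hop = min(valid)
    return next_hop, distance

HEADEND_IFACES = {"Fa2/1": (True, "10.10.10.0/24"), "Fa2/2": (True, "10.11.11.0/24")}
BRANCH_LAN = "192.0.2.0/24"    # placeholder for the branch prefix written as x.x.x.x above

# the original headend routes: plain floating static, primary AD 1, backup AD 9
UNTRACKED = [
    {"prefix": BRANCH_LAN, "next_hop": "10.10.10.8", "distance": 1},
    {"prefix": BRANCH_LAN, "next_hop": "10.11.11.8", "distance": 9},
]
# the suggested fix: "ip route x.x.x.x x.x.x.x 10.10.10.8 track 1"
TRACKED = [
    {"prefix": BRANCH_LAN, "next_hop": "10.10.10.8", "distance": 1, "track": 1},
    {"prefix": BRANCH_LAN, "next_hop": "10.11.11.8", "distance": 9},
]

def headend_choice(routes, primary_reachable):
    """Fa2/1 stays up either way; only the SLA probe (track 1) notices 10.10.10.8 is gone."""
    return best_route(BRANCH_LAN, routes, HEADEND_IFACES, {1: primary_reachable})

if __name__ == "__main__":
    for name, routes in (("untracked", UNTRACKED), ("tracked", TRACKED)):
        print(name, "with primary peer down ->", headend_choice(routes, False))
```

Without the track object the headend keeps sending to 10.10.10.8 after the branch has already swung to its backup link, which is the asymmetric return path described earlier in the thread.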


rpfinneran Sun, 03/22/2009 - 02:46

Also, you may have to adjust the above depending on IOS, but it should be similar.

ramesh.karki Mon, 03/23/2009 - 01:25
Ryan, thanks for your kind help. Eventually I replaced the static routes with the OSPF routing protocol, and then the problem was solved.
