failover issue

Unanswered Question
Mar 18th, 2009

hello,

i have two connection between headend and branch, how can i failover between two link using static route, managing admin. distance in branch router the returning path is not getting from headend if the primary link goes down.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
rpfinneran Wed, 03/18/2009 - 04:21

If both links are in one router on both sides.

Headend

ip route x.x.x.x m.m.m.m

ip route x.x.x.x m.m.m.m 10

Branch

ip route 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0 10

ramesh.karki Wed, 03/18/2009 - 04:32

i did the same, the backup link is come up when primary link goes down, but issue is there the headedn router could not forward any packet to branch, i m using IPsec VPN too.

rpfinneran Wed, 03/18/2009 - 05:00

How is the IPSec implemented? Can you paste all relevant configs?

ramesh.karki Wed, 03/18/2009 - 05:36

here what i have done

BRANCH

-------

crypto isakmp policy 150

encr 3des

authentication pre-share

group 2

crypto isakmp key 1234xx address 10.10.10.1

crypto isakmp key 5678xx address 10.11.11.1

!

!

crypto ipsec transform-set XX esp-3des esp-sha-hmac

!

crypto map MAP-A 10 ipsec-isakmp

set peer 10.10.10.1

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-ho

!

crypto map MAP-B 10 ipsec-isakmp

set peer 10.11.11.1

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-ho

interface FastEthernet0/0

description $$ Primary LINK $$

ip address 10.10.10.8 255.255.255.0

duplex auto

speed auto

crypto map MAP-A

!

interface FastEthernet0/1

escription $$ Seconday LINK $$

ip address 10.11.11.8 255.255.255.0

duplex auto

speed auto

crypto map MAP-B

ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 0.0.0.0 0.0.0.0 10.11.11.1 9

ip access-list extended vpn-to-ho

permit ip xx xx

permit ip xx xx

HEADEND

--------

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key 1234xx address 10.10.10.8

crypto isakmp key 5678xx address 10.11.11.8

crypto ipsec transform-set XX esp-3des esp-sha-hmac

crypto map MAP-A 100 ipsec-isakmp

set peer 10.10.10.8

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-branch

crypto map MAP-B 100 ipsec-isakmp

set peer 10.11.11.8

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-branch

interface FastEthernet2/1

description $$ Primary-LINK $$

no switchport

ip address 10.10.10.1 255.255.255.0

crypto map MAP-A

!

interface FastEthernet2/2

description $$ Secondar-LINK $$

no switchport

ip address 10.11.11.1 255.255.255.0

crypto map MAP-B

ip route x.x.x.x x.x.x.x 10.10.10.8

ip route x.x.x.x x.x.x.x 10.11.11.8 9

ip access-list extended vpn-to-branch

rpfinneran Sun, 03/22/2009 - 00:29

I see. You are using LAN interfaces for these two links. The problem is this, static routes are valid as long as there is a valid route to the next hop IP address.

So, ip route x.x.x.x x.x.x.x 10.10.10.8 is valid as long as there is a valid route to 10.10.10.8. So, if FastEthernet2/1 on your headend router doesn't go down, then the other route will never take over.

Ultimately, probably the easiest solution is to setup some routing protocol. What protocol do you run internally on your network?

The other option you have is to setup a tracking object that would track IP reachability to 10.10.10.8, and cause the static route to become invalid when 10.10.10.8 is unreachable.

The configs would be something like this...

=============

HEADEND

=============

conf t

ip sla 1

icmp-echo 10.10.10.8

timeout 500

frequency 3

ip sla schedule 1 start-time now life forever

exit

!

track 1 rtr 1 reachability

!

ip route x.x.x.x x.x.x.x 10.10.10.8 track 1

ip route x.x.x.x x.x.x.x 10.11.11.8 9

============

BRANCH

============

conf t

ip sla 1

icmp-echo 10.10.10.1

timeout 500

frequency 3

ip sla schedule 1 start-time now life forever

exit

!

track 1 rtr 1 reachability

!

ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1

ip route 0.0.0.0 0.0.0.0 10.11.11.1 9

There is a similar concept here as well: http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

Let me know how it goes

rpfinneran Sun, 03/22/2009 - 02:46

Also, you may have to adjust the above depending on IOS, but is should be similar.

ramesh.karki Mon, 03/23/2009 - 01:25

Ryan, thanks for your kind full help, eventually i replaced static route with OSPF routing protocol, then the problem had been solved,

Actions

This Discussion