Auto failover - HSRP

egua5261
Level 1

Hi There,

I need some help setting up the following,

                              ---------- Router 1 --------------------- WAN ----------------- Main site (10.1.x.1)

Remote Site 

192.168.x.x/24         ---------- Router 2 --------------------- internet -------------- Disaster Recovery site ASA Firewall (10.x.x.1)

                                                       (site-to-site secure tunnel)

Currently, there are two routers (Cisco 1841) connected at this remote site. One of them provides connection to the main site over a WAN link. The other one connects to a disaster recovery site via a site-to-site (ipsec tunnel) over the internet. The device terminating the tunnel on the disaster recovery site is an ASA firewall. The two routers at the remote site run HSRP.

The plan is to provide auto failover (redundancy) in case the main link that provides connection over the WAN goes down. In which case all traffic should go over the secondary router to the disaster recovery site.

The LAN interfaces of both routers have IPs on the same private subnet.

Once the above setup was in place I was not able to communicate from Router 2 to the Disaster Recovery ASA firewall. Even though the tunnel was established I was not able to reach devices behind the respective LANs. Users still require the secondary link to work even when the primary link is up.

Any ideas?

Much appreciated,

Esteban

1 Accepted Solution (Karuppu's reply below on the IOS image for the 1841)

14 Replies

Arup Dutta
Level 1

hi,

You can use a route map policy on that particular interface.

Hi Arup,

Thanks for the suggestion. Can you provide more details about this solution?

As far as I understand, route maps are generally applied for route redistribution, not to interfaces. Is Policy Based Routing what you are suggesting?

So the process will be something like the following on each of the routers at the remote site?

1. Create ACLs

2. Create a route map (matching the ACL above, and set next hop address)

3. Apply policy route map to LAN interface

Your help is much appreciated,

Esteban

Hi,

We can do it in an easier way instead of using PBR.

Step by step Implementation plan:

1. Configure IP SLA on the primary router and track your WAN IP.

ip sla monitor 6
 type echo protocol ipIcmpEcho 1.1.1.1 source-ipaddr 1.1.1.2
 ! 1.1.1.1 = remote WAN IP, 1.1.1.2 = this router's WAN IP (placeholders)
 ! frequency is in seconds: 300 means a failed link is noticed only after
 ! up to 5 minutes; lower it (for example 10) for faster failover
 frequency 300

ip sla monitor schedule 6 life forever start-time now

2. Apply this IP SLA to a track object.

! track object 1 follows the reachability of IP SLA operation 6
track 1 rtr 6 reachability

3. Apply this track to the HSRP group on your LAN side.

interface FastEthernet0/0
 ! LAN interface; 1.1.1.1 here is a placeholder for the LAN virtual IP
 standby 1 ip 1.1.1.1
 ! the decrement must be larger than the priority gap to the standby router
 standby 1 track 1 decrement 30

After configuring this, if your primary link is down the remote WAN IP will not be reachable, so due to the track the primary HSRP (active) priority will decrease and the secondary router's HSRP (standby) will become active.

All the traffic will now be diverted to the secondary link.

Hope it helps you

Thanks & Regards
Karuppu



hi,

Please see the link below; it should help you.

https://supportforums.cisco.com/docs/DOC-8313

Regards,

Arup

On Tue, Feb 23, 2010 at 7:20 AM, egua5261 wrote:

Hi There,

The difference I see is that in my case I'm not using a dual-homed router but instead I have two routers at the remote site.

Is this solution meant to replace the existing HSRP configuration?

Should i configure IP SLA and PBR on each router?

The users lan gateway is a layer 3 switch. The default route in this switch is via the virtual IP (HSRP).

Much appreciated,

Esteban

Hi,

Is this solution meant to replace the existing HSRP configuration? -- No need to replace the HSRP config; use the HSRP config to make failover happen automatically based on the IP SLA with tracking solution.

Should I configure IP SLA and PBR on each router? -- No. Configure IP SLA with tracking.

Regards

Karuppu

Hi Karuppu,

Two questions:

1. Based on your suggestion, can you provide any feedback on whether the following config will do the job?

Router 1:

ip sla 1
icmp-echo 192.168.0.2
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

track 10 rtr 1 reachability
delay down 1 up 1

interface FastEthernet0/0
ip address 192.168.1.250 255.255.0.0
standby 1 ip 192.168.1.253
standby 1 priority 110
standby 1 preempt
standby 1 track 10
!

ip route 0.0.0.0 0.0.0.0 WAN

Router 2:

interface FastEthernet0/0

ip address 192.168.1.249 255.255.0.0
ip nat inside
standby 1 ip 192.168.1.253
standby 1 preempt
!

ip route 0.0.0.0 0.0.0.0 ISP

2. The current IOS version of the Cisco 1841 routers is 12.4(20)T and the only options I get for ip sla under configuration mode are these two:

rt(config)#ip sla ?
  key-chain  Use MD5 authentication for IP SLAs Control Messages
  responder  Enable IP SLAs Responder

Any ideas how to activate ip sla in this IOS release?

Cheers,

Esteban

Hi,

Need to change some small things in your config preparation.

Router 1:

ip sla 1
icmp-echo 192.168.0.2 // Need to write the full command, i.e. you need to mention the destination address and the source address as well //
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

track 10 rtr 1 reachability
delay down 1 up 1

interface FastEthernet0/0
ip address 192.168.1.250 255.255.0.0
standby 1 ip 192.168.1.253
standby 1 priority 110
standby 1 preempt
standby 1 track 10      // You need to increase the decrement value, because if the primary link is down, as per your config only a value of 10 will be reduced from 110, so it is the same as the secondary HSRP value. Hope you got it //
!

ip route 0.0.0.0 0.0.0.0 WAN

Router 2:

interface FastEthernet0/0

ip address 192.168.1.249 255.255.0.0
ip nat inside
standby 1 ip 192.168.1.253
standby 1 preempt
!

ip route 0.0.0.0 0.0.0.0 ISP

2. The current IOS version of the Cisco 1841 routers is 12.4(20)T and the only options I get for ip sla under configuration mode are these two -- You need to upgrade your IOS. The version 12.4(20) is OK, but you need to have an IOS with the IP SLA feature in your router.

regards

Karuppu

Hello,

1. I got it, so if the primary link goes down, to make the HSRP priority go down to 90 I just set the track decrement value to 20, to make the secondary link kick in.

interface FastEthernet0/0
ip address 192.168.1.250 255.255.0.0
standby 1 ip 192.168.1.253
standby 1 priority 110
standby 1 preempt
standby 1 track 10 decrement 20

2. The current version of the IOS image in the router connecting the primary link is c1841-ipbasek9-mz.12.4-20.T; the router has only 128 MB DRAM and 32 MB Flash memory so I can't really use any of the 12.4T releases that support IP SLA as they require 192 MB DRAM and 64 MB Flash. The closest image I could find that I believe will do the job is c1841-entbase-mz.12.4-8d; however, this will mean I will be downgrading the IOS image in the router. I've checked the features that are supported by this image and they seem to be OK with what the router currently does plus the IP SLA support. Can you see any issues doing this?

Regards,

Esteban

Hi.

#1 - Seems good. I am not seeing any issues in this config.

#2 - Try to find an IOS which supports IP SLA and meets your current 1841 router capacity.

Feature Set/License    Image Name                              DRAM (MB)   Flash (MB)

ADVANCED IP SERVICES   c1841-advipservicesk9-mz.124-8d.bin     128         32


Hope it helps you.

If you find this OK please rate it.

regards

karuppu
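Pulling Karuppu's three steps together with the decrement correction from later in the thread, here is a complete configuration for both remote-site routers. This is an added example, not a config posted in the thread. The addresses are assumptions: 10.1.0.1 stands for a main-site host that is reachable only across the WAN, 203.0.113.1/203.0.113.2 for the WAN next hop and Router 1's WAN address, and 198.51.100.1 for Router 2's ISP next hop; the HSRP key is a placeholder. It uses the 12.4T `ip sla` syntax from Esteban's post; on a 12.4 mainline image such as the one in the accepted answer the operation is entered with `ip sla monitor` and `type echo protocol ipIcmpEcho`, as in Karuppu's first reply. It also goes a step beyond the thread by pinning the probe target to the WAN and authenticating HSRP.

```cisco
! ===== Router 1 (primary, WAN side) =====
! Added example; all addresses are placeholders, not values from the thread.
!
! Host route for the probe target via the WAN only. Without it, once the
! default route effectively moves to Router 2 the probe could still succeed
! through the DR tunnel, the track would come back up and HSRP would flap.
ip route 10.1.0.1 255.255.255.255 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
ip sla 1
 icmp-echo 10.1.0.1 source-ip 203.0.113.2
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 10 follows IP SLA operation 1. The delays dampen a single
! lost probe (down only after 10 s) and a briefly recovered link (up after 30 s).
track 10 rtr 1 reachability
 delay down 10 up 30
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.250 255.255.255.0
 standby 1 ip 192.168.1.253
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! The decrement must take Router 1 below Router 2's priority (100).
 ! With the default decrement of 10, 110-10 = 100 ties Router 2, and HSRP
 ! breaks ties on the higher interface address: .250 beats .249, so
 ! Router 1 would stay active and no failover would happen.
 standby 1 track 10 decrement 20
 ! Without authentication any host on the LAN can send HSRP hellos with
 ! priority 255 and take over as the gateway.
 standby 1 authentication md5 key-string Hsrp-Shared-Key-Change-Me
!
! ===== Router 2 (secondary, IPsec to the DR site over the internet) =====
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.249 255.255.255.0
 ! NAT is for internet traffic only: the NAT access-list must deny
 ! LAN -> DR traffic so packets entering the IPsec tunnel keep their
 ! private source addresses.
 ip nat inside
 standby 1 ip 192.168.1.253
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string Hsrp-Shared-Key-Change-Me
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

After pasting this, `show track 10` should report "Reachability is Up" and `show standby brief` should show Router 1 active with priority 110; pulling the WAN cable should drop the track after two missed probes and leave Router 2 active with priority 100 against Router 1's 90.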

Hi,

HSRP and IP SLA will automate the failover process in case any of the routers at the remote site fails or the target IP is not reachable.

However, how can I use the site-to-site IPsec tunnel connection from the remote site to the DR site simultaneously with the primary link?

Regards,

Esteban

dbass
Level 1

Is there routing on the back end between the main site and the DR site (like a PTP circuit, MPLS cloud, etc)?

Are the devices at the DR site using the ASA as their default gateway or is there a router in between?

On the ASA, how does it think it needs to go to get to the user subnets at the remote site (is there a route on it pointing in or out)?

I would take a look on the ASA to see if the traffic is 1, getting to it from the remote site, and 2, is it trying to encap and forward the traffic out the correct interface.  The easiest way to tell is with "sh cry ips sa".  If you see send errors, or encap or decap errors, then something is not right with the way the VPN is configured.

Hi dbass,

>>Is there routing on the back end between the main site and the DR site (like a PTP circuit, MPLS cloud, etc)?

Yes there is. These two sites connect to the WAN.

>> Are the devices at the DR site using the ASA as their default gateway or is there a router in between?

There is a router in between.

>>On the ASA, how does it think it needs to go to get to the user subnets at the remote site (is there a route on it pointing in or out)?

There was a route on the firewall for these subnets via the WAN. I removed it once I had the site-to-site tunnel active so that I could reach the remote site from the DR site via the tunnel instead of via the WAN.

Esteban

Thanks for the info.

In this case I would say that you are going to need to run a dynamic routing protocol between the secondary router and the DR site.  In order to do that you'll need to build a GRE tunnel between the secondary router and the router that sits behind the ASA at the DR site and then run whatever routing protocol you run on the primary router and the WAN over it.  If the primary router connects to an MPLS cloud, then you are most likely running BGP, and I would use BGP between the DR site and the secondary router to keep it the same and prevent the backdoor issues you'll run in to if you run an IGP like EIGRP.  If you aren't running BGP and you run EIGRP or OSPF on your WAN, then use it across this GRE tunnel as well.

The other thing I would do is run a routing protocol with the switch that has all of the user VLANs on it. That way you can get rid of HSRP between the primary and secondary routers and avoid having to implement the IP SLA solution, which is sweet, but I don't think it's going to get you what you need and could become a little more complicated or run into some problems.
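The GRE-over-IPsec arrangement dbass describes, as an added example that is not from the thread. It assumes the DR router's inside address is 10.20.0.2 behind an ASA inside interface of 10.20.0.1, a /30 of 10.255.255.0 for the tunnel, 198.51.100.1 as Router 2's ISP next hop, EIGRP AS 100 as the WAN routing protocol (swap in BGP if the WAN is an MPLS cloud running BGP, as dbass suggests), and that the crypto ACLs on Router 2 and on the ASA already match traffic between 192.168.1.0/24 and 10.20.0.0/24, so the GRE packets, sourced from Router 2's LAN address, ride the existing IPsec tunnel.

```cisco
! ===== Router 2 (remote site, secondary) =====
! Added example; addresses and keys are placeholders.
key chain GRE-EIGRP
 key 1
  key-string Eigrp-Shared-Key-Change-Me
!
! Static host route to the tunnel endpoint. EIGRP will advertise
! 10.20.0.0/24 across the tunnel; if that were the best route to the
! tunnel destination, IOS would shut the tunnel down for recursive
! routing. The /32 is more specific and always wins.
ip route 10.20.0.2 255.255.255.255 198.51.100.1
!
interface Tunnel0
 description GRE to DR router, carried inside the IPsec tunnel to the ASA
 ip address 10.255.255.1 255.255.255.252
 ! GRE (24 bytes) plus IPsec overhead: keep inner packets small enough
 ! to avoid fragmentation on the internet path
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Authenticate the routing adjacency so nobody can inject routes
 ! toward the DR site by spoofing an EIGRP neighbour
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 GRE-EIGRP
 ! Bring the tunnel down if the far end stops answering (10 s x 3)
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.20.0.2
!
router eigrp 100
 network 10.255.255.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 ! No unauthenticated EIGRP hellos on the user LAN
 passive-interface FastEthernet0/0
 no auto-summary
!
! ===== DR router (behind the ASA) =====
key chain GRE-EIGRP
 key 1
  key-string Eigrp-Shared-Key-Change-Me
!
! Same recursion guard on this side: 192.168.1.0/24 will be learned over
! the tunnel, so the tunnel endpoint needs its own route via the ASA.
ip route 192.168.1.249 255.255.255.255 10.20.0.1
!
interface Tunnel0
 description GRE to remote-site Router 2
 ip address 10.255.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 GRE-EIGRP
 keepalive 10 3
 tunnel source 10.20.0.2
 tunnel destination 192.168.1.249
!
router eigrp 100
 network 10.255.255.0 0.0.0.3
 network 10.20.0.0 0.0.0.255
 no auto-summary
```

`show ip eigrp neighbors` on either side should list the peer on Tunnel0, and `show crypto ipsec sa` on Router 2 and the ASA should show the encapsulation counters rising as GRE traffic flows. If you follow dbass's second suggestion and run the routing protocol with the LAN switch as well, remove `passive-interface FastEthernet0/0` and put the same MD5 authentication on that interface.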
