Cisco 891 and IP SLA

Jul 25th, 2010

I have recently taken a position with a firm where the existing infrastructure has just been installed by a third party.


A Cisco 891 has been installed with IP SLA configured to provide failover to a secondary ISP link.


Within days of my arrival the 891 stopped routing to either WAN interface several times a week. When this happened it was possible to ping both WAN devices connected to the router from inside and outside, but not possible to ping past them in either direction.


My immediate suspicions were that the IP SLAs were incorrectly configured. I have disabled them and have not experienced any problems since. But I am concerned as to why they were causing the device to stop routing.


If anyone fancies taking a look below and making suggestions, please go ahead.


For security, some details have been altered for this exercise. The relevant sections are in bold.


Current configuration : 6797 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX001
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
crypto pki trustpoint TP-self-signed-xxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxx
revocation-check none
rsakeypair TP-self-signed-4057743359
!
!
crypto pki certificate chain TP-self-signed-xxx
certificate self-signed 01
! Lines removed for security
   quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name xxx.com
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
!
!
!
no spanning-tree vlan 1
no spanning-tree vlan 2
username xxxxx privilege 15 secret 5 xxxx
username xxxxx privilege 15 secret 5 xxxx
!
!
!
archive
log config
  hidekeys
!
!
!
track 1 ip sla 1 reachability
delay down 10 up 10
!
track 2 ip sla 2 reachability
delay down 10 up 10
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
ip address xxx.yyy.13.214 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0
description ***2M / 2M SHDSL***
ip address xxx.yyy.13.118 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex full
speed auto
!
interface Vlan1
description ***LAN***
ip address 192.168.120.253 255.255.255.0
ip access-group 120 in
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.yyy.13.213 240 track 1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.13.117 250 track 2
ip route 192.1.1.0 255.255.255.0 192.168.120.254
ip route 192.168.121.0 255.255.255.0 192.168.120.254
no ip http server
ip http access-class 50
ip http authentication local
ip http secure-server
ip http secure-port 50443
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip dns server
ip nat inside source route-map NAT1 interface FastEthernet8 overload
ip nat inside source route-map NAT2 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.120.41 25 xxx.yyy.13.118 25 route-map NAT2 extendable
ip nat inside source static tcp 192.168.120.41 80 xxx.yyy.13.118 80 route-map NAT2 extendable
ip nat inside source static tcp 192.168.120.41 443 xxx.yyy.13.118 443 route-map NAT2 extendable
ip nat inside source static tcp 192.1.1.2 1723 xxx.yyy.13.118 1723 extendable
ip nat inside source static tcp 192.168.120.47 3389 xxx.yyy.13.118 3389 route-map NAT2 extendable
ip nat inside source static tcp 192.168.120.41 25 xxx.yyy.13.214 25 route-map NAT1 extendable
ip nat inside source static tcp 192.168.120.41 80 xxx.yyy.13.214 80 route-map NAT1 extendable
ip nat inside source static tcp 192.168.120.41 443 xxx.yyy.13.214 443 route-map NAT1 extendable
ip nat inside source static tcp 192.1.1.2 1723 xxx.yyy.13.214 1723 extendable
ip nat inside source static tcp 192.1.1.203 3389 xxx.yyy.13.214 3389 route-map NAT1 extendable
!
ip access-list extended VPN_ADDRESS
permit ip 192.168.120.0 0.0.0.255 192.168.192.0 0.0.0.255
!
ip sla 1
icmp-echo xxx.yyy.13.213 source-ip xxx.yyy.13.214
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo xxx.yyy.13.117 source-ip xxx.yyy.13.118
timeout 1000
frequency 5
ip sla schedule 2 life forever start-time now
access-list 50 remark ***RemoteAccess***
access-list 50 permit 210.185.92.41
access-list 50 permit 121.212.238.53
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 50 permit 192.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 192.1.1.0 0.0.0.255 any
access-list 120 permit tcp host 192.1.1.31 any eq smtp
access-list 120 permit tcp host 192.1.1.32 any eq smtp
access-list 120 permit tcp host 192.168.120.41 any eq smtp
access-list 120 deny   tcp 192.1.1.0 0.0.0.255 any eq smtp
access-list 120 deny   tcp 192.168.120.0 0.0.0.255 any eq smtp
access-list 120 deny   tcp 192.168.121.0 0.0.0.255 any eq smtp
access-list 120 permit ip any any
snmp-server community xxx RO 50
snmp-server location xxxxxxxxxx
no cdp run
!
!
!
!
route-map NAT2 permit 10
match ip address 101
match interface GigabitEthernet0
!
route-map NAT1 permit 10
match ip address 101
match interface FastEthernet8
!
!
!
!
control-plane
!
privilege exec level 15 configure
!
line con 0
timeout login response 300
privilege level 15
logging synchronous
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 50 in
privilege level 15
logging synchronous
transport input ssh
line vty 5 193
access-class 50 in
privilege level 15
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
ntp server 192.231.203.132
ntp server 192.189.54.17
ntp server 192.189.54.33
end

Gregory Camp (Cisco Employee) Mon, 07/26/2010 - 09:16

Do you have the logs from the time of the outage?  Did the IP SLAs fail during the outage?

gerardhunt Mon, 07/26/2010 - 16:09

The logs are very bland. There are only two statements in them of relevance:

IP SLA 1 Reachability up -> down

IP SLA 2 Reachability up -> down


So the SLA works insofar as a performance/connection issue on the primary WAN feed forces a failover to the secondary WAN feed.

However, it does not fail back. Then when the secondary WAN feed fails on a performance/connection issue, it too fails.

Result, no routing.


I am not concerned about what triggers the SLA. That is not a problem. But why the SLA doesn't fail back does concern me.

I am missing something in the config.
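The two state-change lines quoted above are the only evidence in the thread, and they are enough to answer the question that matters here: were both tracked default routes ever down at the same time (the "no routing" state), and did a track stay down without a matching Down->Up (the missing fail-back)? The following parser is an added example, not code from the thread or from Cisco. It assumes the tracking subsystem logs state changes as `%TRACKING-5-STATE: <track> ip sla <n> reachability Up->Down`, prefixed by the timestamps that `service timestamps log datetime msec` produces (check the exact wording against your own release), and the sample lines it runs over are constructed to mirror the described scenario, not copied from the poster's router.

```python
"""Spot failover blackholes and stuck tracks in IOS TRACKING syslog lines.

Added example, not from the thread and not Cisco tooling. Assumes the
tracking subsystem logs state changes as
  '%TRACKING-5-STATE: <track> ip sla <n> reachability Up->Down'
with 'service timestamps log datetime msec' prefixes. SAMPLE_LOG is
constructed for illustration.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%TRACKING-5-STATE: (?P<track>\d+) ip sla (?P<sla>\d+) reachability "
    r"(?P<old>Up|Down)->(?P<new>Up|Down)$"
)

# Constructed sample: a short flap on the primary, then the primary goes
# down and stays down, then the secondary follows and nothing is left.
SAMPLE_LOG = """\
Jul 22 09:14:02.113: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
Jul 22 09:14:25.421: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up
Jul 22 09:14:30.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to up
Jul 24 03:31:55.902: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
Jul 24 07:45:10.077: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
"""

Event = Tuple[datetime, int, str]  # (timestamp, track number, new state)


def parse_events(text: str, year: int) -> List[Event]:
    """Extract tracking state changes; IOS timestamps carry no year, so the caller supplies it."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a tracking state change
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["track"]), m["new"]))
    return events


def analyze(events: List[Event], tracks=(1, 2), stuck_after=timedelta(hours=1)) -> Dict:
    """Replay the state changes, assuming every track starts Up.

    blackholes: times at which every tracked default route was down at once.
    stuck_down: tracks still down at the end of the log for longer than
                stuck_after, i.e. a failover that never failed back.
    """
    state = {t: "Up" for t in tracks}
    down_since: Dict[int, datetime] = {}
    blackholes: List[datetime] = []
    for ts, track, new in events:
        if track not in state:
            continue
        state[track] = new
        if new == "Down":
            down_since.setdefault(track, ts)  # keep the first Down time
        else:
            down_since.pop(track, None)
        if all(s == "Down" for s in state.values()):
            blackholes.append(ts)
    end = events[-1][0] if events else None
    stuck = sorted(t for t, since in down_since.items()
                   if end is not None and end - since >= stuck_after)
    return {"final_state": state, "blackholes": blackholes, "stuck_down": stuck}


if __name__ == "__main__":
    result = analyze(parse_events(SAMPLE_LOG, year=2010))
    print("final state:", result["final_state"])
    for ts in result["blackholes"]:
        print("no tracked default route at", ts)
    for t in result["stuck_down"]:
        print(f"track {t} down without fail-back at end of log")
```

The one-hour `stuck_after` threshold and the assumption that every track starts Up are choices for this example; on a real `show logging` buffer you would set the threshold from how long the link normally takes to recover, and treat a track that is Down at the end of the log as a prompt to run `show track` and `show ip sla statistics` while the condition persists.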

Gregory Camp (Cisco Employee) Mon, 07/26/2010 - 17:51

Gerard,


I do not believe you are missing anything in the configuration. IP SLA should continue to send ICMP echo requests forever as soon as the router finishes loading. Even if the track goes down, the IP SLA process should continue. Are the IP SLAs currently in a failed state? If so, please grab the output of show ip sla stat and show track.


Thanks,


Greg
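To make the expected behaviour concrete, here is a model of how the posted configuration (the `track`, `ip route ... track` and `ip sla` sections above) is supposed to work. It is an added example written for this page, not Cisco code and not something either participant posted. Each icmp-echo result feeds a track object with `delay down 10 up 10`, and the default route in use is the one with the lowest administrative distance (240 before 250) whose track is Up. Run against a constructed probe timeline in which the primary loses reachability, recovers, and later both links fail, the model fails over, fails back 10 seconds after the primary's probes succeed again, and only loses all routing when both tracks are down at once. The probe outcomes are invented, the function names are this example's own, and nothing here explains why the poster's router did not fail back. One caveat visible in the config itself: both probes target the directly connected ISP gateways, which are also the route next hops, so a failure beyond a gateway that still answers pings is invisible to the tracks.

```python
"""Model of IP SLA-tracked static default routes (added example, not Cisco code).

Values come from the posted configuration: probes every 5 s, tracks with
'delay down 10 up 10', default routes with administrative distances 240
(primary) and 250 (secondary). The probe outcomes fed in are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FREQUENCY = 5    # ip sla N ... frequency 5
DELAY_DOWN = 10  # track N ... delay down 10
DELAY_UP = 10    # track N ... delay up 10


@dataclass
class Track:
    """Reachability track: the state flips only after the new condition has
    persisted for the configured delay (approximation of the IOS timers)."""
    number: int
    state: str = "Up"
    pending: Optional[str] = None         # state the recent probes point to
    pending_since: Optional[int] = None   # when that condition first appeared

    def observe(self, reachable: bool, now: int) -> Optional[str]:
        """Feed one probe result taken at time `now`; return the transition, if any."""
        wanted = "Up" if reachable else "Down"
        if wanted == self.state:            # condition agrees with state: cancel pending change
            self.pending = self.pending_since = None
            return None
        if self.pending != wanted:          # first probe pointing the other way: start timer
            self.pending, self.pending_since = wanted, now
        delay = DELAY_DOWN if wanted == "Down" else DELAY_UP
        if now - self.pending_since >= delay:
            old, self.state = self.state, wanted
            self.pending = self.pending_since = None
            return f"{old}->{wanted}"
        return None


@dataclass(frozen=True)
class StaticRoute:
    next_hop: str
    distance: int
    track: int


# ip route 0.0.0.0 0.0.0.0 <next hop> <AD> track <N>, as in the posted config
ROUTES = (
    StaticRoute("xxx.yyy.13.213", 240, 1),  # primary, FastEthernet8
    StaticRoute("xxx.yyy.13.117", 250, 2),  # secondary, GigabitEthernet0
)


def active_default(tracks: Dict[int, Track]) -> Optional[StaticRoute]:
    """Installed default: lowest AD among routes whose track is Up; None means blackhole."""
    candidates = [r for r in ROUTES if tracks[r.track].state == "Up"]
    return min(candidates, key=lambda r: r.distance, default=None)


def build_timeline(segments: List[Tuple[int, bool, bool]]) -> List[Tuple[int, bool, bool]]:
    """Expand (duration_s, primary_reachable, secondary_reachable) into one probe per FREQUENCY."""
    timeline, t = [], 0
    for duration, r1, r2 in segments:
        for _ in range(duration // FREQUENCY):
            t += FREQUENCY
            timeline.append((t, r1, r2))
    return timeline


def simulate(timeline: List[Tuple[int, bool, bool]]) -> List[Tuple[int, Optional[str]]]:
    """Return [(t, next_hop_or_None), ...] for every change of the installed default route."""
    tracks = {1: Track(1), 2: Track(2)}
    current = active_default(tracks).next_hop
    changes: List[Tuple[int, Optional[str]]] = []
    for t, r1, r2 in timeline:
        tracks[1].observe(r1, t)
        tracks[2].observe(r2, t)
        route = active_default(tracks)
        next_hop = route.next_hop if route else None
        if next_hop != current:
            current = next_hop
            changes.append((t, next_hop))
    return changes


# Constructed scenario, 60 s per phase.
SCENARIO = [
    (60, True, True),    # steady state, primary in use
    (60, False, True),   # primary gateway stops answering -> failover expected
    (60, True, True),    # primary recovers -> fail-back expected after DELAY_UP
    (60, True, False),   # secondary fails while primary is up -> no visible change
    (60, False, False),  # both fail -> no default route at all
]

if __name__ == "__main__":
    for t, nh in simulate(build_timeline(SCENARIO)):
        print(f"t={t:>3}s  default via {nh or 'NONE (blackhole)'}")
```

With these values the model reports failover at t=75 s, fail-back at t=135 s and no default route at t=255 s. Comparing that expected sequence against the real `show track` state while the router is in the failed condition is the quickest way to tell whether the tracks simply never came back Up (a probe problem) or came back Up without the primary route being reinstalled.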
