2x Cisco 871, 2 tunnels, 2 ISPs on second router

Answered Question
Sep 13th, 2010


I have a task to do.

Two 871 routers are connected through a tunnel using a simple VPN configuration.

The second router now has two ISP connections, one as a backup.

How do I configure the routers to automatically switch the VPN tunnel when one of the ISPs goes down?

First router:

Outside IP: 213.23.34.1

Second router:

Outside IP ISP1: 58.34.5.225

Outside IP ISP2: 199.23.1.231 - as backup

For now I have made a configuration with a route-map for each ISP to automatically switch the outside port.

Two tunnels are configured, but the second one does not want to work.

What should I do next?

Federico Coto F... Mon, 09/13/2010 - 14:03

Hi,

Both routers are working with the VPN tunnel.

If one of the Internet connections goes down on one router, then the router can create the tunnel using the second link (if IP SLA is configured).

Basically you have two default gateways (one primary, one secondary)... then when the first link goes down, the router starts using the second link because of the tracking feature of IP SLA.

Then when the primary link goes up again, the router can move back.

The other router (the one that has a single Internet connection) has its crypto map peer pointing to both IP addresses (giving priority to the primary internet connection of the other side).

Federico.

pwolsza_wolfik1 Tue, 09/14/2010 - 02:13

Well

It's not working the way you said.

On both routers I have 2 site-to-site VPN tunnels.

First router with one ISP:

Tunnel one to peer 58.34.5.225 over FastEthernet4

Tunnel two to peer 199.23.1.231 over FastEthernet4

Second router with two ISP:

Tunnel one to peer 213.23.34.1 over FastEthernet4

Tunnel two to peer 213.23.34.1 over Vlan 2 (outside)

The first tunnel has status up on both routers.

When the first ISP goes down, the second router switches to Vlan 2 and uses ISP 2.

Unfortunately, on the second router the second tunnel is down, but on the first router it is up.

Where should I look to find the problem?

Federico Coto F... Tue, 09/14/2010 - 08:13

You said what I mentioned did not work.

I mentioned IP SLA to track the routes of the ISPs (assuming you have static routes to the internet).

Do you have the configuration on the second router (with two ISPs) so that when the primary interface goes down, it should switch to route packets through the tunnel using the backup connection? Is this working?

Federico.

pwolsza_wolfik1 Tue, 09/14/2010 - 09:36


The configuration on the second router automatically switches when the primary connection goes down.

Unfortunately the tunnel is not working.

Federico Coto F... Tue, 09/14/2010 - 09:49

Sometimes what happens is that when the primary Internet connection goes down, the router tries to establish the tunnel out via the second link but the other router still has the tunnel up!

So, when a second tunnel comes, the first tunnel is still established.

Make sure the primary tunnel is torn down by using keepalives.

Or manually bring it down and check if it works.

Federico.

Federico Coto F... Tue, 09/14/2010 - 10:03

For example:

crypto isakmp keepalive 5 3

This means that the router will send keepalives every 5 seconds and will retry 3 times if it does not receive a response.

If the dead time expires, the tunnel will be torn down (and if the configuration is correct, it should re-establish from the other link).

Make sure you do the same command on both ends.


Federico.

pwolsza_wolfik1 Tue, 09/14/2010 - 12:25


I added the keepalive option.

But I found something strange.

At the beginning the first tunnel was up. I used the "clear connection" option.

After that no tunnel wants to come up.

How can I find where the problem is, is there some debug option?

Correct Answer
Federico Coto F... Tue, 09/14/2010 - 12:37

On the router that has both ISP connections, the tunnel will always establish using the primary link.

i.e.

If you clear the tunnel, but the primary link is still active, then it will again establish the tunnel using the primary link.

If the second link becomes active and you clear the tunnel, then the tunnel should establish using the secondary link.

One way to check what's happening is using:

debug cry isa --> for phase 1 negotiations

debug cry ipsec --> for phase 2

Federico.

pwolsza_wolfik1 Wed, 09/15/2010 - 07:02


Well

I checked the VPN configuration once again and there was a mistake.

Anyway, there is a possibility to create one VPN tunnel with 2 peers in one configuration - this is useful for router one.

I changed the configuration and when the primary connection goes down the tunnel switched to the backup connection.

Switching was done manually because the router had a problem establishing the connection automatically.

I want to add the keepalive option to see if this will help - maybe tomorrow.

pwolsza_wolfik1 Thu, 09/16/2010 - 22:27


I configured on the first router 1 tunnel with 2 peers and 2 keys.

On the second I have 2 tunnels with 1 key.

Now everything works fine.

Unfortunately the automatic switching of the ISP only works when I pull the plug out of the Cisco socket.

When the signal goes down from the ISP router, the Cisco does not want to push the traffic to the backup ISP.

Tracert gives me the destination IP, for example for cisco.com, but without the addresses of the hops.

And the tunnels do not work either - the tunnels are established but ping can't go through.

What should I do now?

Federico Coto F... Fri, 09/17/2010 - 06:55

Sounds like the IP SLA is not configured correctly.

You say when the primary link goes down, the router won't send the traffic out the second link?

Traceroute won't show information when going through the ASA (I believe you can inspect ICMP errors) to see the hop counts.

Question:

When the primary link goes down on the two ISP side... can you PING the other router? (going through the backup connection)?

If the problem persists, perhaps you can post your configurations.

Federico.

pwolsza_wolfik1 Sun, 09/19/2010 - 22:10


No, I can't PING anything.

It works only when I pull the plug out of the router manually.

Config below:

Current configuration : 7295 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone Warsaw 1
clock summer-time Warsaw date Mar 30 2003 2:00 Oct 26 2003 3:00
!
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.2.1 192.168.2.79
ip dhcp excluded-address 192.168.2.151 192.168.2.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 213.134.128.19 213.134.128.20
   default-router 192.168.2.252
   lease 5
!
!
ip cef
no ip bootp server
ip name-server 213.134.128.19
ip name-server 213.134.128.20
ip name-server 194.204.152.34
ip name-server 194.204.159.1
!
!
!
!
username xxx privilege 15 secret 5 xxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test address 10.192.10.210
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.192.10.210
 set peer 10.192.10.210
 set transform-set ESP-3DES-SHA1
 match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to10.192.10.210
 set peer 10.192.10.210
 set transform-set ESP-3DES-SHA2
 match address 103
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description WAN2
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 10.111.10.238 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.252 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.14.10.82 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 crypto map SDM_CMAP_2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.111.10.225
ip route 0.0.0.0 0.0.0.0 10.14.10.81 2
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan2 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
route-map ISP2 permit 11
 match ip address 105
 match interface Vlan2
 set ip next-hop 10.14.10.81
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet4
 set ip next-hop 10.111.10.225
!
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
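The posted configuration above has only a floating static default route (administrative distance 2) and no IP SLA tracking, which matches the symptom in the thread: the backup route only activates when FastEthernet4 itself loses link ("pull the plug"), not when the ISP's upstream fails while the local link stays up. The following is an added example, not the poster's or Cisco's own configuration, that puts together the pieces Federico describes (IP SLA tracking of the primary default route, ISAKMP keepalives on both ends, and a single crypto map entry with two peers on the single-ISP router, as the poster's final setup also uses). Addresses are the ones on the page (10.111.10.225 and 10.14.10.81 are the ISP1/ISP2 next hops, 213.134.128.19 is the configured ISP1 DNS server and is used here only as a reachability probe target, 58.34.5.225 and 199.23.1.231 are the two outside addresses of the dual-ISP router). Assumptions: the probe target answers ICMP, the IOS image is 12.4(20)T or later (older 12.4 images use `ip sla monitor` and `track 1 rtr 1 reachability`), the pre-shared keys are placeholders, and the crypto ACL number and transform-set name on the single-ISP router mirror the posted config.

```cisco
! ---- Dual-ISP router (hostname CISCO in the posted config) ----
!
! Pin the probe target behind ISP1 so the probe can never succeed via
! ISP2 after failover; otherwise the track would flap back up. A host
! route is used for this, so that DNS server is unreachable while ISP1
! is down (the other three name-servers in the config still work).
ip route 213.134.128.19 255.255.255.255 10.111.10.225
!
! ICMP probe out FastEthernet4 every 10 s, 1 s timeout.
ip sla 1
 icmp-echo 213.134.128.19 source-interface FastEthernet4
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object: down after ~15 s of failed probes, back up after 30 s
! of success, to avoid flapping the default route on a single lost ping.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Replace the untracked primary default route with a tracked one; the
! existing floating static (AD 2) via ISP2 takes over while track 1 is down.
no ip route 0.0.0.0 0.0.0.0 10.111.10.225
ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 1
ip route 0.0.0.0 0.0.0.0 10.14.10.81 2
!
! Dead peer detection so the stale IKE/IPsec SAs are torn down and the
! tunnel re-forms from the backup address. The keyword is "keepalive"
! (singular); the second number is the retry interval in seconds, not a
! retry count, and the minimum keepalive interval is 10 s. Configure the
! same on BOTH routers.
crypto isakmp keepalive 10 3 periodic
!
! ---- Single-ISP router (outside 213.23.34.1) ----
!
! One pre-shared key per remote address (placeholders, not real keys),
! and one crypto map entry listing both peers; IOS tries them in order
! and falls back to the second when the first stops answering.
crypto isakmp key REPLACE_WITH_KEY address 58.34.5.225
crypto isakmp key REPLACE_WITH_KEY address 199.23.1.231
crypto isakmp keepalive 10 3 periodic
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 58.34.5.225
 set peer 199.23.1.231
 set transform-set ESP-3DES-SHA1
 match address 102
```

To check it behaves as intended, `show track 1` and `show ip sla statistics 1` show whether the probe is succeeding, `show ip route 0.0.0.0` shows which default route is installed, and `show crypto isakmp sa` plus `show crypto ipsec sa` on both routers show which local address the active SAs are bound to after a failover. Two things worth watching in the posted config: crypto ACL 102 (used on FastEthernet4) also matches 192.168.1.0/24 while ACL 103 (used on Vlan2) does not, so the remote router's crypto ACL must mirror whichever map is active or phase 2 will fail on the backup path; and the NAT route-maps already deny the 192.168.179.0/24 VPN traffic, so that part does not need to change.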
