2x Cisco 871, 2 tunnels, 2 ISPs on second router

Sep 13th, 2010

I have a task to do.

Two 871 routers are connected through a tunnel using a simple VPN configuration.

The second router now has 2 ISP connections, one as a backup.

How do I configure the routers to automatically switch the VPN tunnel when one of the ISPs goes down?

First router:

Outside IP: 213.23.34.1

Second router

Outside IP ISP1: 58.34.5.225

Outside IP ISP2: 199.23.1.231 - as backup

For now I made a configuration with a route-map for every ISP to automatically switch the outside port.

2 tunnels are configured, but the second one does not want to work.

What should I do next?

Federico Coto F... Mon, 09/13/2010 - 14:03

Hi,


Both routers are working with the VPN tunnel.

If one of the Internet connections goes down on one router, then the router can create the tunnel using the second link (if IP SLA is configured).

Basically you have two default gateways (one primary, one secondary)... then when the first link goes down, the router starts using the second link because of the tracking feature of IP SLA.


Then when the primary link goes up again, the router can move back.


The other router (the one that has a single Internet connection) has its crypto map peer pointing to both IP addresses (giving priority to the primary internet connection of the other side).


Federico.

pwolsza_wolfik1 Tue, 09/14/2010 - 02:13

Well


It's not working the way you said.


On both routers I have 2 site-to-site VPN tunnels.


First router with one ISP:


Tunnel one to peer 58.34.5.225 over FastEthernet4

Tunnel two to peer 199.23.1.231 over FastEthernet4


Second router with two ISP:


Tunnel one to peer 213.23.34.1 over FastEthernet4

Tunnel two to peer 213.23.34.1 over Vlan 2 (outside)


The first tunnel has status up on both routers.

When the first ISP goes down, the second router switches to Vlan 2 and uses ISP 2.


Unfortunately, on the second router the second tunnel is down, but on the first router it is up.


Where should I look to find the problem?

Federico Coto F... Tue, 09/14/2010 - 08:13

You said what I mentioned did not work.

I mentioned IP SLA to track the routes of the ISPs (assuming you have static routes to the internet).


Do you have the configuration on the second router (with two ISPs) so that when the primary interface goes down, it should switch to route packets through the tunnel using the backup connection? Is this working?


Federico.

pwolsza_wolfik1 Tue, 09/14/2010 - 09:36

The configuration on the second router automatically switches when the primary connection goes down.

Unfortunately the tunnel is not working.

Federico Coto F... Tue, 09/14/2010 - 09:49

Sometimes what happens is that when the primary Internet connection goes down, the router tries to establish the tunnel out via the second link but the other router still has the tunnel up!

So, when a second tunnel comes, the first tunnel is still established.


Make sure the primary tunnel is torn down by using keepalives.

Or manually bring it down and check if it works.


Federico.

Federico Coto F... Tue, 09/14/2010 - 10:03

For example:


crypto isakmp keepalive 5 3


This means that the router will send keepalives every 5 seconds and will retry 3 times if it does not receive a response.

If the dead time expires, the tunnel will be torn down (and if the configuration is correct, it should re-establish from the other link).


Make sure you do the same command on both ends.


Federico.

pwolsza_wolfik1 Tue, 09/14/2010 - 12:25

I added the keepalive option.

But I found something strange.

At the beginning the first tunnel was up. I used the "clear connection" option.

After that, neither tunnel wants to come up.

How do I find where the problem is, some debug option?

Correct Answer
Federico Coto F... Tue, 09/14/2010 - 12:37

On the router that has both ISP connections, the tunnel will always establish using the primary link.

i.e.

If you clear the tunnel, but the primary link is still active, then it will again establish the tunnel using the primary link.


If the second link becomes active and you clear the tunnel, then the tunnel should establish using the secondary link.


One way to check what's happening is using:


debug cry isa --> for phase 1 negotiations

debug cry ipsec --> for phase 2


Federico.

pwolsza_wolfik1 Wed, 09/15/2010 - 07:02

Well

I checked the VPN configuration once again and there was a mistake.

Anyway, there is a possibility to create one VPN tunnel with 2 peers in one configuration - this is useful for router one.

I changed the configuration, and when the primary connection goes down the tunnel switched to the backup connection.

Switching was done manually because there was a problem establishing the connection automatically by the router.

I want to add the keepalive option to see if this will help - maybe tomorrow.

pwolsza_wolfik1 Thu, 09/16/2010 - 22:27

On the first router I configured 1 tunnel with 2 peers and 2 keys.

On the second I have 2 tunnels with 1 key.

Now everything works fine.

Unfortunately the automatic switching of the ISP only works when I pull the plug out of the Cisco socket.

When the signal from the ISP router goes down, the Cisco does not want to push the traffic to the backup ISP.

Tracert gives me the destination IP, for example cisco.com, but without the addresses of the hops.

And the tunnels do not work either - the tunnels are established but ping can't go through.

What should I do now?

Federico Coto F... Fri, 09/17/2010 - 06:55

Sounds like the IP SLA is not configured correctly.

You say when the primary link goes down, the router won't send the traffic out the second link?


Traceroute won't show information when going through the ASA (I believe you can inspect ICMP errors) to see the hop counts.


Question:

When the primary link goes down on the two-ISP side... can you PING the other router (going through the backup connection)?


If the problem persists, perhaps you can post your configurations.


Federico.

pwolsza_wolfik1 Sun, 09/19/2010 - 22:10

No, I can't PING anything.

It works only when I pull the plug out of the router manually.


Config below:



Current configuration : 7295 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone Warsaw 1
clock summer-time Warsaw date Mar 30 2003 2:00 Oct 26 2003 3:00
!
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.2.1 192.168.2.79
ip dhcp excluded-address 192.168.2.151 192.168.2.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 213.134.128.19 213.134.128.20
   default-router 192.168.2.252
   lease 5
!
!
ip cef
no ip bootp server
ip name-server 213.134.128.19
ip name-server 213.134.128.20
ip name-server 194.204.152.34
ip name-server 194.204.159.1
!
!
!
!
username xxx privilege 15 secret 5 xxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test address 10.192.10.210
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.192.10.210
 set peer 10.192.10.210
 set transform-set ESP-3DES-SHA1
 match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to10.192.10.210
 set peer 10.192.10.210
 set transform-set ESP-3DES-SHA2
 match address 103
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description WAN2
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 10.111.10.238 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.252 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.14.10.82 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 crypto map SDM_CMAP_2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.111.10.225
ip route 0.0.0.0 0.0.0.0 10.14.10.81 2
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan2 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
route-map ISP2 permit 11
 match ip address 105
 match interface Vlan2
 set ip next-hop 10.14.10.81
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet4
 set ip next-hop 10.111.10.225
!
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
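Added example, not part of the thread or of the poster's configuration: the config above contains no IP SLA or object tracking, so the floating default route with distance 2 only takes over when FastEthernet4 itself loses link, which matches the symptom that failover works only when the cable is pulled. The fragment below uses the addresses from the posted config, tracks an upstream address (the ISP1 DNS server already in the config) rather than the ISP1 next hop so that an ISP outage behind a still-up modem is detected, and adds the single crypto map entry with two peers for the one-ISP router as pwolsza describes it; the `ip sla` / `track ... ip sla` syntax assumes IOS 12.4(20)T or later (older images use `ip sla monitor` and `track ... rtr`), and the pre-shared keys, router-1 transform-set and ACL names are placeholders or assumed.

```cisco
! --- Router 2 (two ISPs, config posted above) ---
! Host route pins the probe to ISP1 so the probe itself never
! follows the floating route after a failover (otherwise it would
! succeed via ISP2 and the track would never go down, or flap).
ip route 213.134.128.19 255.255.255.255 10.111.10.225
!
! ICMP probe to an address beyond the ISP1 modem (assumed probe target:
! the ISP1 DNS server from the posted config), sourced from FastEthernet4
ip sla 1
 icmp-echo 213.134.128.19 source-interface FastEthernet4
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Dampen flaps: declare down after 15 s, up only after 30 s of success
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default route is withdrawn when track 1 is down; the
! existing floating route (distance 2) then carries traffic and the
! IKE/IPsec negotiation out of Vlan2 (crypto map SDM_CMAP_2)
no ip route 0.0.0.0 0.0.0.0 10.111.10.225
ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 1
ip route 0.0.0.0 0.0.0.0 10.14.10.81 2
!
! Dead peer detection: probe the peer every 10 s, retry every 3 s,
! so the stale SA built over ISP1 is torn down on both ends
crypto isakmp keepalive 10 3 periodic
!
! --- Router 1 (single ISP): one crypto map entry listing both
!     router-2 outside addresses; IOS tries them in order ---
crypto isakmp key <KEY-ISP1-PLACEHOLDER> address 10.111.10.238
crypto isakmp key <KEY-ISP2-PLACEHOLDER> address 10.14.10.82
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 10.111.10.238
 set peer 10.14.10.82
 set transform-set ESP-3DES-SHA1
 match address 102
crypto isakmp keepalive 10 3 periodic
```

After a failover, `show track 1` and `show ip route 0.0.0.0` confirm which default route is active, and `show crypto isakmp sa` on router 1 shows which of the two peers the SA was rebuilt with. The tunnel does not move back to ISP1 on its own until DPD or a lifetime expiry tears down the SA built over ISP2.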
