09-13-2010 01:07 PM
I have a task to do.
Two 871 routers are connected through a tunnel using a simple VPN configuration.
On the second router there are now 2 ISP connections, one as a backup.
How do I configure the routers to automatically switch the VPN tunnel when one of the ISPs goes down??
First router:
Outside IP: 213.23.34.1
Second router
Outside IP ISP1: 58.34.5.225
Outside IP ISP2: 199.23.1.231 - as backup
For now I made a configuration with a route-map for every ISP to automatically switch the outside port.
Two tunnels are configured, but the second one does not want to work.
What to do next??
09-13-2010 02:03 PM
Hi,
Both routers are working with the VPN tunnel.
If one of the Internet connections goes down on one router, then the router can create the tunnel using the second link (if IP SLA is configured).
Basically you have two default gateways (one primary, one secondary)... then when the first link goes down, the router starts using the second link because of the tracking feature of IP SLA.
Then when the primary link goes up again, the router can move back.
The other router (the one that has a single Internet connection) has its crypto map peer pointing to both IP addresses (giving priority to the primary internet connection of the other side).
Federico.
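The single-ISP router side described above, as an added example and not the poster's or Federico's configuration: one crypto map entry lists both outside addresses of the two-ISP router, and IOS tries the peers in the order they are configured, so the ISP1 address comes first. The map name, transform-set name, ACL number and the key value are assumptions.

```cisco
! Added example (not from the thread): router one, single ISP.
! Peer addresses are the two outside IPs given in the question.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! A pre-shared key must exist for every address the remote side can
! arrive from, otherwise phase 1 fails as soon as it moves to ISP2.
crypto isakmp key EXAMPLE-PSK address 58.34.5.225
crypto isakmp key EXAMPLE-PSK address 199.23.1.231
! Dead Peer Detection: probe every 10 s, retry every 3 s, so the SA to
! the primary address is torn down when it stops answering and a new
! SA can be built toward the backup address. Configure on both ends.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! One map entry, two peers: first entry is preferred, second is the
! fallback. ACL 102 selects the interesting (LAN-to-LAN) traffic.
crypto map TO-SITE2 1 ipsec-isakmp
 set peer 58.34.5.225
 set peer 199.23.1.231
 set transform-set ESP-3DES-SHA
 match address 102
!
interface FastEthernet4
 crypto map TO-SITE2
```

Check which peer is active with `show crypto isakmp sa` and `show crypto ipsec sa peer <address>`.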
09-14-2010 02:13 AM
Well
It's not working how you said.
On both routers I have 2 site-to-site VPN tunnels.
First router with one ISP:
Tunnel one to peer 58.34.5.225 over FastEthernet4
Tunnel two to peer 199.23.1.231 over FastEthernet4
Second router with two ISPs:
Tunnel one to peer 213.23.34.1 over FastEthernet4
Tunnel two to peer 213.23.34.1 over Vlan 2 (outside)
The first tunnel has status up on both routers.
When the first ISP goes down, the second router switches to Vlan 2 and uses ISP 2.
Unfortunately on the second router the second tunnel is down, but on the first router it is up.
Where should I look to find the problem??
09-14-2010 08:13 AM
You said what I mentioned did not work.
I mentioned IP SLA to track the routes of the ISPs (assuming you have static routes to the internet).
Do you have the configuration on the second router (with two ISPs) so that when the primary interface goes down, it should switch to route packets through the tunnel using the backup connection? Is this working?
Federico.
09-14-2010 09:36 AM
The configuration on the second router automatically switches when the primary connection goes down.
Unfortunately the tunnel is not working.
09-14-2010 09:49 AM
Sometimes what happens is that when the primary Internet connection goes down, the router tries to establish the tunnel out via the second link, but the other router still has the tunnel up!
So, when the second tunnel comes up, the first tunnel is still established.
Make sure the primary tunnel is torn down by using keepalives.
Or manually bring it down and check if it works.
Federico.
09-14-2010 09:54 AM
Where/how do I configure the keepalive option??
09-14-2010 10:03 AM
For example:
crypto isakmp keepalives 5 3
This means that the router will send keepalives every 5 seconds and will retry 3 times if it does not receive a response.
If the dead time expires, the tunnel will be torn down (and if the configuration is correct, it should re-establish from the other link).
Make sure you do the same command on both ends.
Federico.
09-14-2010 12:25 PM
I added the keepalive option.
But I found something strange.
In the beginning the first tunnel was up. I used the "clear connection" option.
After that no tunnel wants to go up.
How do I find where the problem is, some debug option??
09-14-2010 12:37 PM
On the router that has both ISP connections, the tunnel will always establish using the primary link.
i.e.
If you clear the tunnel, but the primary link is still active, then it will again establish the tunnel using the primary link.
If the second link becomes active and you clear the tunnel, then the tunnel should establish using the secondary link.
One way to check what's happening is using:
debug cry isa --> for phase 1 negotiations
debug cry ipsec --> for phase 2
Federico.
09-15-2010 07:02 AM
Well
I checked the VPN configuration once again and there was a mistake.
Anyway, there is the possibility to create one VPN tunnel with 2 peers in one configuration - this is useful for router one.
I changed the configuration, and when the primary connection goes down the tunnel switches to the backup connection.
The switch was made manually because there was a problem establishing the connection automatically by the router.
I want to add the keepalive option to see if this will help - maybe tomorrow.
09-16-2010 10:27 PM
I configured on the first router 1 tunnel with 2 peers and 2 keys.
On the second I have 2 tunnels with 1 key.
Now everything works fine.
Unfortunately the automatic switching of the ISP only works when I pull the plug out of the Cisco's socket.
When the signal goes down from the ISP router, the Cisco does not want to push the traffic into the backup ISP.
Tracert gives me information on the destination IP, for example cisco.com, but without the addresses of the hops.
And the tunnels do not work either - the tunnels are established but a ping can't go through.
What to do now??
09-17-2010 06:55 AM
Sounds like the IP SLA is not configured correctly.
You say when the primary link goes down, the router won't send the traffic out the second link?
Traceroute won't show information when going through the ASA (I believe you can inspect ICMP errors) to see the hop counts.
Question:
When the primary link goes down on the two ISP side... can you PING the other router? (going through the backup connection)?
If the problem persists, perhaps you can post your configurations.
Federico.
09-19-2010 10:10 PM
No, I can't PING anything.
It works only when I pull the plug out of the router manually.
Config below:
Current configuration : 7295 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone Warsaw 1
clock summer-time Warsaw date Mar 30 2003 2:00 Oct 26 2003 3:00
!
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.2.1 192.168.2.79
ip dhcp excluded-address 192.168.2.151 192.168.2.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.2.0 255.255.255.0
dns-server 213.134.128.19 213.134.128.20
default-router 192.168.2.252
lease 5
!
!
ip cef
no ip bootp server
ip name-server 213.134.128.19
ip name-server 213.134.128.20
ip name-server 194.204.152.34
ip name-server 194.204.159.1
!
!
!
!
username xxx privilege 15 secret 5 xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test address 10.192.10.210
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to10.192.10.210
set peer 10.192.10.210
set transform-set ESP-3DES-SHA1
match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to10.192.10.210
set peer 10.192.10.210
set transform-set ESP-3DES-SHA2
match address 103
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description WAN2
switchport access vlan 2
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 10.111.10.238 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.252 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 10.14.10.82 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.111.10.225
ip route 0.0.0.0 0.0.0.0 10.14.10.81 2
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan2 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
route-map ISP2 permit 11
match ip address 105
match interface Vlan2
set ip next-hop 10.14.10.81
!
route-map ISP1 permit 10
match ip address 101
match interface FastEthernet4
set ip next-hop 10.111.10.225
!
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
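In the posted config the two default routes are tied only to the state of FastEthernet4, which is why failover happens only when the cable is pulled and not when the ISP's upstream dies with the link still up. The following is an added example (not the poster's running config or Federico's) of the IP SLA reachability tracking Federico refers to, using the next hops and interfaces from the config above; the probe target 198.51.100.1, the SLA and track numbers are assumptions.

```cisco
! Added example (not from the thread): two-ISP router, track the
! primary default route on reachability instead of link state.
!
! Probe ISP1's upstream every 10 s, sourced from the ISP1 interface.
! 198.51.100.1 is a placeholder; use a host that always answers ICMP.
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet4
 timeout 2000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! On releases older than 12.4(20)T the object is written
! "track 1 rtr 1 reachability" instead of "ip sla".
! Dampening avoids flapping between ISPs on a single lost probe.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to ISP1 so the probe keeps testing that path,
! and so the route recovers, even after the tracked default is gone.
ip route 198.51.100.1 255.255.255.255 10.111.10.225
!
! Primary default stays installed only while track 1 is up; the
! floating route (AD 2) then carries traffic and the NAT route-maps
! and crypto map SDM_CMAP_2 on Vlan2 take over.
ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 1
ip route 0.0.0.0 0.0.0.0 10.14.10.81 2
!
! Same DPD setting as on the other router so the SA built over
! FastEthernet4 is torn down rather than left hanging.
crypto isakmp keepalive 10 3 periodic
!
! Verification:
!   show track 1
!   show ip sla statistics 1
!   show ip route 0.0.0.0
!   show crypto isakmp sa
```

With the probe's target pinned to ISP1 the track object flips back up once ISP1 really answers again, so the primary route and tunnel return without manual intervention.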