09-21-2010 11:18 AM - edited 03-06-2019 01:06 PM
I configured primary and backup ISP connections on the router.
Everything works fine.
Unfortunately the automatic switching of the ISP only works when I pull the plug out of the Cisco socket.
When the signal from the ISP router goes down, the Cisco does not push the traffic to the backup ISP.
Tracert gives me the destination IP, for example for cisco.com, but without the addresses of the hops.
What should I do now?
09-21-2010 11:20 AM
What are the connections, i.e. how is your router connected to the ISPs? Are they serial connections or Ethernet connections?
Can you post your config?
Jon
09-21-2010 11:26 AM
Only Fast Ethernet connections.
My config:
Current configuration : 7295 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone Warsaw 1
clock summer-time Warsaw date Mar 30 2003 2:00 Oct 26 2003 3:00
!
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.2.1 192.168.2.79
ip dhcp excluded-address 192.168.2.151 192.168.2.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.2.0 255.255.255.0
dns-server 213.134.128.19 213.134.128.20
default-router 192.168.2.252
lease 5
!
!
ip cef
no ip bootp server
ip name-server 213.134.128.19
ip name-server 213.134.128.20
ip name-server 194.204.152.34
ip name-server 194.204.159.1
!
!
!
!
username xxx privilege 15 secret 5 xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test address 10.192.10.210
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to10.192.10.210
set peer 10.192.10.210
set transform-set ESP-3DES-SHA1
match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to10.192.10.210
set peer 10.192.10.210
set transform-set ESP-3DES-SHA2
match address 103
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description WAN2
switchport access vlan 2
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 10.111.10.238 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.252 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 10.14.10.82 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.111.10.225
ip route 0.0.0.0 0.0.0.0 10.14.10.81 2
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan2 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
route-map ISP2 permit 11
match ip address 105
match interface Vlan2
set ip next-hop 10.14.10.81
!
route-map ISP1 permit 10
match ip address 101
match interface FastEthernet4
set ip next-hop 10.111.10.225
!
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
09-21-2010 11:46 AM
Okay, a couple of things to check.
1) Are you currently using both ISPs? Your route-maps suggest you are. If you are, then you need to add both next-hops to each route-map, because you are not checking the availability of the next hop. So your map matches certain traffic and sends it to a particular ISP, but your route-map makes no allowance for that next hop being down.
Can you confirm you are currently using both ISPs with your route-maps?
2) If the connections are Ethernet you may well need to use IP SLA, because the ISP next hop could go down but, if there is a switch in between your router and the ISP router, your router thinks the connection is still up because its interface is still up/up.
Jon
09-21-2010 11:59 AM
1) Both ISPs are on, but I want to use only the primary and, in case of failure, transfer the traffic to the backup ISP (lower transfer rate).
2) Between the ISP router and the Cisco router there is indeed a switch. And the connection is up/up.
Pulling the plug changes the state of the interface to down and traffic goes through the backup ISP.
09-21-2010 12:10 PM
If you only want to use the primary connection and then use the secondary only if the primary fails, you need to sort out your route-maps.
However, the main thing you need to do is use IP SLA to keep track of the next-hop for the primary; if that fails then it will fail over to the backup link. Basic IP SLA config -
! ICMP echo probe (pre-12.4(20)T "ip sla monitor" syntax)
ip sla monitor 1
 type echo protocol ipIcmpEcho
 frequency
ip sla monitor schedule 1 life forever start-time now
! track object 123 follows the probe's reachability state
track 123 rtr 1 reachability
! the primary default route stays installed only while track 123 is up;
! the backup default route is a floating static with AD 254
ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 123
ip route 0.0.0.0 0.0.0.0 10.14.10.81 254
The above config will use the tracked route as long as the
Let me know how you get on and if you have any problems.
Jon
09-21-2010 12:22 PM
Thanks for suggestions.
I will change the config on Thursday (the next working day) and let you know.
09-22-2010 10:38 PM
Well, on my IOS 12.4(24)T3 the commands are quite different, but I managed to configure SLA and now it's working.
Many thanks for help!!!
As an addition, my commands:
ip sla enable reaction-alerts
! ICMP echo probe to Google's public DNS (12.4(20)T and later "ip sla" syntax)
ip sla 1
 icmp-echo 8.8.8.8
ip sla schedule 1 life forever start-time now
! track object 123 follows the probe's reachability state
track 123 ip sla 1 reachability
! primary default route installed only while track 123 is up; backup is a floating static (AD 254)
ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 123
ip route 0.0.0.0 0.0.0.0 10.14.10.81 254
One more question: which address is best to ping, the ISP gateway or a public address, a DNS server for example?
09-23-2010 02:57 AM
pwolsza_wolfik1 wrote:
One more question: which address is best to ping, the ISP gateway or a public address, a DNS server for example?
Glad you got it working. Yes, those commands are a bit different; I was using 12.4.
If the ISP gateway works then use that, because in the unlikely event that the public DNS server goes down but your ISP gateway stays up you will shift to the secondary for no reason, whereas if the ISP gateway goes down you know you have lost the link.
Jon
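As an added example (not from the original thread or either poster), here is the complete failover configuration for the router above in the 12.4(24)T syntax the OP reported working, with the pieces a practitioner would want around it: a host route that pins the probe target to the primary next-hop so the probe cannot be answered over the backup link and flap the track, up/down delay on the track object, NAT route-maps that select the translation by egress interface only, and an EEM applet that flushes NAT translations when the track changes state. The addresses, ACL numbers and route-map names are the ones from the thread; the probe target 8.8.8.8, the `timeout`/`frequency` values, the `delay` timers and the applet name are assumptions.

```cisco
! Added example, not from the thread. Assumes IOS 12.4(24)T or later
! ("ip sla", "track ... ip sla" and the EEM track event detector).
!
! --- Probe: ICMP echo to a public address, sourced from the primary WAN ---
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet4
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! --- Pin the probe target to the primary next-hop ---
! Without this, once the default route fails over the probe is answered
! via ISP2, the track comes back up, the primary default is reinstalled,
! the probe fails again and the route flaps.
ip route 8.8.8.8 255.255.255.255 10.111.10.225
!
! --- Track object with dampening (timers assumed) ---
track 123 ip sla 1 reachability
 delay down 15 up 30
!
! --- Default routes: primary only while track 123 is up, backup floating ---
ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 123
ip route 0.0.0.0 0.0.0.0 10.14.10.81 254
!
! --- NAT: translation is chosen by the packet's egress interface ---
! "set ip next-hop" in a NAT route-map does not influence routing; the
! tracked static routes decide the path, the route-map only picks which
! outside interface address to translate to.
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan2 overload
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet4
!
route-map ISP2 permit 11
 match ip address 105
 match interface Vlan2
!
! --- Flush NAT state on failover so existing flows re-translate ---
! (applet name assumed)
event manager applet NAT-FAILOVER
 event track 123 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Track 123 changed state, NAT translations cleared"
```

Two caveats on the probe target. If you follow Jon's advice and ping the ISP gateway (10.111.10.225), drop the host route, since the gateway is directly connected; the probe then only proves the first hop answers, and some ISP gateways rate-limit ICMP, so keep `timeout` generous and use the `delay` timers to avoid false failovers. If you probe a public address instead, the host route is mandatory, and it means LAN clients cannot reach that address while the primary is down, so pick a target your users do not depend on (the DHCP pool above hands out 213.134.128.19/20, not 8.8.8.8). Verify with `show track 123`, `show ip sla statistics 1` and `show ip route 0.0.0.0`, and test the failover by blocking ICMP at the ISP side rather than pulling the cable, since "interface up/up, next hop dead" is exactly the case the thread is about.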