cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
661
Views
0
Helpful
8
Replies

Secondary ISP connection do not work automatically

pwolsza_wolfik1
Level 1
Level 1

I configured on router primary and backup ISP connections.

Everything works fine.

Unfortunately  the automatically switching of the ISP only works when I will put off  the plug from the cisco socket.

When the signal goes down from ISP router, CISCO do not  want to push the traffic into backup ISP.

Tracert gives me information of the destination IP for  example cisco.com but without addresses of hoops.

What to do now ??

1 Accepted Solution

Accepted Solutions

If you only want to use primary connection and then use secondary only if primary fails you need to sort out your route-maps.

However main thing you need to do is use IP SLA to keep track of the next-hop for the primary and if that fails then it will fail over to the backup link. Basic IP SLA config -

ip sla monitor 1

type echo protocol ipIcmpEcho

frequency   <-- how often do you want it to check the next-hop

ip sla monitor schedule 1 life forever start-time now

track 123 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 123

ip route  0.0.0.0 0.0.0.0 10.14.10.81 254

the above config will use the tracked route as long as the is responding. If it stops responding then IP SLA will remove the route from the routing table and then the floating static with an AD of 254 will be inserted into the routing table. If the primary next hop comes back up then IP SLA will remove the floating static and insert the tracked route again.

Let me know how you get on and if you have any problems.

Jon

View solution in original post

8 Replies 8

Jon Marshall
Hall of Fame
Hall of Fame

What are the connections ie how is your router connected to the ISP ? Are they serial connections or ethernet connections ?

Can you post your config ?

Jon

Only fast ethernet connections.

My config:

Current configuration : 7295 bytes

!

version 12.4

no service  pad

service  tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime  msec localtime show-timezone

service timestamps log datetime msec localtime  show-timezone

service  password-encryption

service sequence-numbers

!

hostname CISCO

!

boot-start-marker

boot-end-marker

!

logging  message-counter syslog

logging buffered 51200

logging console critical

!

aaa  new-model

!

!

aaa  authentication login default local

aaa authorization exec default local

!

!

aaa  session-id common

clock timezone Warsaw 1

clock summer-time Warsaw date Mar 30  2003 2:00 Oct 26 2003 3:00

!

dot11 syslog

no ip source-route

ip dhcp  excluded-address 192.168.2.1 192.168.2.79

ip dhcp excluded-address  192.168.2.151 192.168.2.254

!

ip dhcp pool ccp-pool1

   import all

   network  192.168.2.0 255.255.255.0

   dns-server 213.134.128.19 213.134.128.20

    default-router 192.168.2.252

   lease 5

!

!

ip cef

no ip bootp server

ip name-server 213.134.128.19

ip  name-server 213.134.128.20

ip name-server 194.204.152.34

ip  name-server 194.204.159.1

!

!

!

!

username xxx privilege 15 secret 5 xxx

!

!

crypto  isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto  isakmp key test address 10.192.10.210

!

!

crypto ipsec transform-set  ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set  ESP-3DES-SHA2 esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to10.192.10.210

set peer 10.192.10.210

set  transform-set ESP-3DES-SHA1

match address 102

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description Tunnel to10.192.10.210

set peer 10.192.10.210

set  transform-set ESP-3DES-SHA2

match address 103

!

archive

log config

  hidekeys

!

!

ip tcp  synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

interface  FastEthernet0

!

interface  FastEthernet1

!

interface  FastEthernet2

!

interface  FastEthernet3

description WAN2

switchport access vlan 2

!

interface FastEthernet4

description  $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address 10.111.10.238 255.255.255.240

no ip  redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip  virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface  Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address  192.168.2.252 255.255.255.0

no ip redirects

no ip unreachables

no ip  proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface  Vlan2

ip address 10.14.10.82 255.255.255.248

no ip redirects

no ip  unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

crypto map  SDM_CMAP_2

!

ip  forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.111.10.225

ip route  0.0.0.0 0.0.0.0 10.14.10.81 2

ip http server

ip http access-class 23

ip http  authentication local

ip http secure-server

ip http timeout-policy idle 60 life  86400 requests 10000

!

ip nat inside source route-map ISP1 interface  FastEthernet4 overload

ip nat inside source route-map ISP2 interface  Vlan2 overload

!

logging  trap debugging

access-list  1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1  permit 192.168.2.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list  101 deny   ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255

access-list  101 remark IPSec Rule

access-list 101 deny   ip 192.168.2.0 0.0.0.255  192.168.179.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255  any

access-list  102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list  102 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255

access-list  102 permit ip 192.168.1.0 0.0.0.255 192.168.179.0 0.0.0.255

access-list  103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list  103 permit ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255

access-list  105 remark CCP_ACL Category=2

access-list 105 deny   ip 192.168.1.0 0.0.0.255  192.168.179.0 0.0.0.255

access-list 105 remark IPSec Rule

access-list  105 deny   ip 192.168.2.0 0.0.0.255 192.168.179.0 0.0.0.255

access-list  105 permit ip 192.168.2.0 0.0.0.255 any

no cdp run

!

!

!

route-map ISP2 permit 11

match ip address 105

match  interface Vlan2

set ip next-hop 10.14.10.81

!

route-map ISP1 permit 10

match ip  address 101

match interface FastEthernet4

set ip next-hop 10.111.10.225

!

!

line con 0

no modem  enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

transport  input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler  interval 500

end

Okay, couple of things to check.

1) are you currently using both ISPs ie your route-maps suggest you are. If you are then you need to add both next-hops to each route-map because you are not checking the availability of the next hop. So your map matches certain traffic and sends it to a particular ISP but your route-map makes no allowance for that next hop being down.

Can you confirm you are using both ISPs currently with your route maps

2) If the connections are ethernet you may well need to use IP SLA because the ISP next hop could go down but if there is a switch in between your router and the ISP router your router thinks the connection is still up because it's interface is still up/up.

Jon

1) Both ISP are on but I want use only primary and in the case of failure transfer the traffic into backup ISP (lower transfer).

2) Between ISP router and CISCO router is switch indeed. And the connection is up/up.

Putting out the plug change the state of the interface to down and traffic goes through backup ISP.

If you only want to use primary connection and then use secondary only if primary fails you need to sort out your route-maps.

However main thing you need to do is use IP SLA to keep track of the next-hop for the primary and if that fails then it will fail over to the backup link. Basic IP SLA config -

ip sla monitor 1

type echo protocol ipIcmpEcho

frequency   <-- how often do you want it to check the next-hop

ip sla monitor schedule 1 life forever start-time now

track 123 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 123

ip route  0.0.0.0 0.0.0.0 10.14.10.81 254

the above config will use the tracked route as long as the is responding. If it stops responding then IP SLA will remove the route from the routing table and then the floating static with an AD of 254 will be inserted into the routing table. If the primary next hop comes back up then IP SLA will remove the floating static and insert the tracked route again.

Let me know how you get on and if you have any problems.

Jon

Thanks for suggestions.

I will change the config on Thursday (the next working day) and let you know.

Well on my IOS 12.4(24)T3 the commands are quite different but I managed to configure SLA and now it's working

Many thanks for help !!!

As addition my commands:

ip sla enable reaction-alerts

ip sla 1

icmp-echo 8.8.8.8

ip sla schedule 1 life forever start-time now

track 123 ip sla 1 reachability

ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 123

ip route  0.0.0.0 0.0.0.0 10.14.10.81 254

One more question, which address is the best as a ping ISP gateway or public address, DNS for example ??

pwolsza_wolfik1 wrote:

Well on my IOS 12.4(24)T3 the commands are quite different but I managed to configure SLA and now it's working

Many thanks for help !!!

As addition my commands:

ip sla enable reaction-alerts

ip sla 1

icmp-echo 8.8.8.8

ip sla schedule 1 life forever start-time now

track 123 ip sla 1 reachability

ip route 0.0.0.0 0.0.0.0 10.111.10.225 track 123

ip route  0.0.0.0 0.0.0.0 10.14.10.81 254

One more question, which address is the best as a ping ISP gateway or public address, DNS for example ??

Glad you got it working. Yes those commands are a bit different, i was using 12.4.

If the ISP gateway works then use that because if in the unlikely event the public DNS server goes down but your ISP gateway stays up then you will shift to the secondary for no reason, whereas if the ISP gateway goes down you know you have lost the link.

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: