IP SLA failover config not working, need help urgently: Cisco 2911 K9 router

Answered Question
Sep 4th, 2014
User Badges:

Hi,

I am setting up a failover WAN for one of my clients and it seems I have configured everything correctly, but it's not working. For tracking I am using the Google DNS IPs 8.8.8.8 and 8.8.4.4; if I ping 8.8.8.8 from the router it pings, but 8.8.4.4 does not. I think that because 8.8.4.4 is not pinging, the router does not fail over if the primary GigabitEthernet0/0 goes down.

Not sure what I am doing wrong. Please find the config details below:

-------------------------------------------config-----

username admin privilege 15 password 7 XXXXX
!
redundancy
!
!
!
track 10 ip sla 1 reachability
 delay down 5 up 5
!
track 20 ip sla 2 reachability
 delay down 5 up 5
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 122.160.79.18 255.0.0.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !        
!         
interface GigabitEthernet0/1
 ip address 182.71.34.71 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !        
!         
interface GigabitEthernet0/2
 description $ES_LAN$
 ip address 200.200.201.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !        
!         
!         
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!         

ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload

ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 10

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 20
ip route 8.8.4.4 255.255.255.255 GigabitEthernet0/1 permanent
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0 permanent
!         
ip sla 1  
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now

 

ip sla 2  
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now

access-list 100 permit ip any any
access-list 101 permit ip any any
!         
!         
!         
!         
route-map giga0 permit 10
 match ip address 100
 match interface GigabitEthernet0/0
!         
route-map giga1 permit 10
 match ip address 101
 match interface GigabitEthernet0/1
!         
!         
!         
control-plane

------------------------------------------config end

 

 

Richard Burts Thu, 09/04/2014 - 06:35
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Your problem is that there is no address translation configured for Gig0/1. Your config has


ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload

ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload

but it should be


ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload

ip nat inside source route-map giga1 interface GigabitEthernet0/1 overload

 

I am not sure that it is a problem but I would suggest that you change the access list that you use for the route map. I have seen situations where address translation using extended access lists with permit ip any any caused problems. If you are not going to test for destination addresses then you could easily use a standard access list rather than an extended access list. And unless there are additional subnets somewhere inside that also need translation you could easily do something like this

access-list 10 permit 200.200.201.0 0.0.0.255

access-list 11 permit 200.200.201.0 0.0.0.255

and change the route maps to use these standard access lists.

 

HTH

 

Rick

Correct Answer
LukaszTJB Fri, 09/05/2014 - 02:12
User Badges:

Hello,

As Richard Burts correctly states, the NAT configuration is not right. But the ICMP echo request for the IP SLA is traffic generated by the router itself with a source interface specified. There shouldn't be any NAT operation on it at all, should there? I am using IP SLA for two WAN connections too, but I can't recall ever seeing an entry for the ICMP operation in the output of sh ip nat trans.

To me the static route configuration looks wrong too. As far as I remember, it's necessary to specify a next-hop address (subnet/mask via x.x.x.x) on multi-access broadcast networks like Ethernet, otherwise the subnet appears as directly connected in the routing table. The configuration "ip route subnet mask <outgoing interface>" only works correctly for p2p links. With the configuration above I would say that no routing at all is possible except for "real" directly attached networks. Vibs said it's possible to reach the Google DNS 8.8.8.8 but not the second one, 8.8.4.4. I verified that 8.8.4.4 usually answers ICMP echo requests.

My guess is that the next hop on the Gig0/0 interface has proxy ARP enabled, but the next hop on the Gig0/1 interface doesn't have proxy ARP turned on.

kind regards

Lukasz
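The two answers above point at three things a reviewer can check mechanically in a running-config: whether each `ip nat inside source route-map ... interface ...` statement is bound once and to a route-map that actually matches that interface (Rick's point), whether Ethernet static routes carry a next hop rather than only an exit interface (Lukasz's point), and whether each tracked default route is guarded by an SLA probe sourced from, and pinned by a host route to, the same link. The following Python lint is an added example, not code from this thread or from Cisco. It works on the posted config abridged to the relevant lines; the "fixed" variant applies the thread's corrections and uses 192.0.2.1 and 198.51.100.1 as placeholders for the two provider gateways, which the thread never shows, and a distance of 10 for the backup default, which is a design choice, not something the thread states.

```python
"""Lint a dual-WAN Cisco IOS config for the mistakes discussed in this thread (an added example,
not from the original post or any Cisco tool). Findings are prefixed NAT (route-map/interface
bindings duplicated, unused or mismatched), ROUTE (Ethernet static route with no next hop) or
TRACK (the guarding SLA probe is not sourced from, or pinned by a host route to, the same link)."""
import re

ETHERNET = ("Ethernet", "FastEthernet", "GigabitEthernet", "TenGigabitEthernet")

def sample_config(second_nat, gw0, gw1, backup_ad):
    """Constructed from the config posted above; empty gw0/gw1 keep its interface-only routes."""
    return f"""
track 10 ip sla 1 reachability
track 20 ip sla 2 reachability
ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload
ip nat inside source route-map {second_nat} overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 {gw0}track 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 {gw1}{backup_ad}track 20
ip route 8.8.4.4 255.255.255.255 GigabitEthernet0/1 {gw1}permanent
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0 {gw0}permanent
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
route-map giga0 permit 10
 match interface GigabitEthernet0/0
route-map giga1 permit 10
 match interface GigabitEthernet0/1
"""

# As posted: giga0/Gi0/0 bound twice, no next hops, both defaults at distance 1.
POSTED_CONFIG = sample_config("giga0 interface GigabitEthernet0/0", "", "", "")
# With the thread's fixes; 192.0.2.1 / 198.51.100.1 are placeholder provider gateways, 10 a floating distance.
FIXED_CONFIG = sample_config("giga1 interface GigabitEthernet0/1", "192.0.2.1 ", "198.51.100.1 ", "10 ")

def parse_blocks(config):
    """Split IOS config text into (command, [sub-commands]); sub-commands are indented one space."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def parse_static_route(cmd):
    """ip route <prefix> <mask> [exit-interface] [next-hop] [distance] [track N] [permanent]"""
    prefix, mask, *rest = cmd.split()[2:]
    r = {"prefix": prefix, "mask": mask, "interface": None, "next_hop": None, "ad": 1, "track": None}
    if rest and not rest[0].replace(".", "").isdigit():  # neither an address nor a distance
        r["interface"] = rest.pop(0)
    if rest and "." in rest[0]:
        r["next_hop"] = rest.pop(0)
    for i, t in enumerate(rest):
        if t == "track":
            r["track"] = int(rest[i + 1])
        elif t.isdigit() and rest[i - 1:i] not in (["track"], ["tag"]):
            r["ad"] = int(t)
    return r

def lint(config):
    """Return the list of findings for one config text (an empty list means clean)."""
    maps, nat, tracks, slas, routes, out = {}, [], {}, {}, [], []
    for cmd, subs in parse_blocks(config):
        if m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", cmd):
            maps.setdefault(m[1], set()).update(w for s in subs if s.startswith("match interface ") for w in s.split()[2:])
        elif m := re.match(r"ip nat inside source route-map (\S+) interface (\S+)", cmd):
            nat.append((m[1], m[2]))
        elif m := re.match(r"track (\d+) ip sla (\d+) reachability$", cmd):
            tracks[int(m[1])] = int(m[2])
        elif m := re.match(r"ip sla (\d+)$", cmd):
            for s in subs:
                if sm := re.match(r"icmp-echo (\S+)(?: source-interface (\S+))?", s):
                    slas[int(m[1])] = (sm[1], sm[2])
        elif cmd.startswith("ip route "):
            routes.append(parse_static_route(cmd))
    bound = {}  # route-map -> outside interface; neither side may be bound twice
    for rm, intf in nat:
        if rm in bound or intf in bound.values():
            out.append(f"NAT: {rm}/{intf} is bound twice; the second statement is a duplicate")
        elif intf not in maps.get(rm, ()):
            out.append(f"NAT: route-map {rm} does not match interface {intf}")
        bound[rm] = intf
    out += [f"NAT: route-map {rm} is defined but never used" for rm in sorted(set(maps) - set(bound))]
    for r in routes:
        if r["interface"] and not r["next_hop"] and r["interface"].startswith(ETHERNET):
            out.append(f"ROUTE: {r['prefix']} via {r['interface']} has no next hop (relies on proxy ARP upstream)")
        if r["track"] is None:
            continue
        target, source = slas.get(tracks.get(r["track"]), (None, None))
        pinned = any(h["prefix"] == target and h["mask"] == "255.255.255.255" and h["interface"] == r["interface"] for h in routes)
        if target is None:
            out.append(f"TRACK: track {r['track']} has no icmp-echo SLA behind it")
        elif source != r["interface"]:
            out.append(f"TRACK: track {r['track']} probes {target} from {source}, not {r['interface']}")
        elif not pinned:
            out.append(f"TRACK: no host route pins {target} out {r['interface']}; the probe can leak "
                       "over the other link and report a false up")
    return out
```

Running `lint(POSTED_CONFIG)` yields the duplicate giga0/Gi0/0 binding and the unused giga1 route-map, plus one ROUTE finding per interface-only static route; the posted config passes the TRACK checks, because each probe is sourced from the interface its route uses and the two /32 host routes pin the probe targets out the right links. `lint(FIXED_CONFIG)` returns an empty list. The host-route check matters in practice: without it, once the primary default is withdrawn the probe to 8.8.8.8 would be routed over the backup, succeed, and bring the track back up, so the primary route flaps in and out.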
 

vibs Fri, 09/05/2014 - 04:27
User Badges:

Hello,

 

Sorry, the NAT was correct; by mistake I pasted it twice where it should have been giga1.

NOW,

it's a weird issue: what I did is swap the Internet connections from 0/0 to 0/1. Basically, previously 0/0 was DSL and 0/1 was the leased line, and now 0/0 is the leased line and 0/1 is DSL. AND the Google IP 8.8.4.4 started pinging, which means IP SLA is WORKING; there is some problem with the leased line Internet. However, if we unplug the leased line cable from the Cisco router (0/0 in the current config) and connect it to a laptop, the Internet works. One more important piece of info I just got to know: the leased line router/switch is also acting as a DHCP server; if any client sends a DHCP request it provides a 192.168.1.X IP, and if there is no DHCP request from the client and the client uses the public IP address provided by the TELCO, the Internet works. All in all, if the laptop requests a DHCP address the leased line router/switch provides 192.168.1.X and the Internet works, and if it uses the public static IP the Internet still works. NOW IT IS ONLY NOT WORKING ON THE CISCO ROUTER.

 

Correct Answer
Tagir Temirgaliyev Thu, 09/04/2014 - 08:21
User Badges:
  • Silver, 250 points or more

sh ip route

sh ip int br

sh ip sla summ

sh track

 

 

I think you don't need 

ip sla 2 

track 20 ip sla 2 reachability

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 20

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 30

 

Richard Burts Thu, 09/04/2014 - 08:35
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Perhaps there is a little ambiguity in the original post and depending on how you interpret the explanation either my suggestion is a better solution or the second suggestion is the better solution.

 

The original post is clear that there are two connections but perhaps not clear about how they are to be used. It was my interpretation (based on the config provided) that the client wants to actively use both connections and to provide failover if one of the connections has a problem. I believe that my suggestion for fixing the problem by correcting the NAT configuration would achieve that. The second suggestion is based on the assumption that by having failover that there should be a primary connection that is used whenever it is available and a secondary/backup connection that is used only when the primary has failed. The suggestions in the second response would achieve this goal (but only if the issue with configuration of NAT is corrected - if the NAT is not corrected then the second connection will not have Internet access).

 

So perhaps the original poster can provide clarification about what was the intention of the client?

 

HTH

 

Rick
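To make Rick's distinction between the two designs concrete, here is an added Python model (not from this thread and not Cisco code) of the two IOS rules the designs rely on: a `track ... reachability` object changes state only after the SLA verdict has disagreed with it for the configured `delay`, and a tracked static route is withdrawn while its track is down, after which the lowest administrative distance among the remaining default routes is installed, with equal distances installed together and load-shared. It runs the posted design (both defaults at distance 1, both tracked), Tagir's floating static (backup at a higher distance, untracked) and a tracked floating static through constructed probe timelines. The model assumes the SLA verdict is known at the probe time (the operation timeout is ignored) and that every track starts up; the interface names, distances and timelines are illustrative.

```python
"""Model of IOS behaviour for static defaults guarded by object tracks (an added example, not from
the thread or from Cisco). Two rules are reproduced: a `track ... reachability` object flips only
after the SLA verdict has disagreed with it for the configured `delay`, and a tracked static route
is withdrawn while its track is down, after which the lowest administrative distance among the
remaining default routes is installed (equal distances are installed together and load-share).
Assumption: the SLA verdict is taken as known at the probe time, i.e. the operation timeout is ignored."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Track:
    """`track N ip sla M reachability` with `delay down D up U`, fed one SLA verdict per second."""
    delay_down: int = 5
    delay_up: int = 5
    up: bool = True                        # the model starts with every track up
    pending_since: Optional[int] = None    # second at which the verdict first disagreed with `up`

    def tick(self, now, sla_ok):
        if sla_ok == self.up:
            self.pending_since = None      # disagreement ended before the delay ran out
        elif self.pending_since is None:
            self.pending_since = now
        elif now - self.pending_since >= (self.delay_down if self.up else self.delay_up):
            self.up, self.pending_since = sla_ok, None
        return self.up

@dataclass(frozen=True)
class Static:
    """One `ip route 0.0.0.0 0.0.0.0 <via> [distance] [track N]`."""
    via: str
    ad: int = 1                  # IOS default administrative distance for a static route
    track: Optional[int] = None  # guarding track object; None means unconditional

def installed(routes, tracks):
    """Exit interfaces holding the installed default(s): lowest distance among routes whose track is up."""
    live = [r for r in routes if r.track is None or tracks[r.track].up]
    best = min((r.ad for r in live), default=None)
    return frozenset(r.via for r in live if r.ad == best)

def simulate(routes, probes, seconds=60, frequency=10, **delay):
    """Run the model second by second. probes[i] maps track -> verdict of its probe at t = i*frequency
    (the verdict holds until the next probe). Returns the (t, installed) transitions of the RIB."""
    tracks = {n: Track(**delay) for n in probes[0]}
    history, last = [], None
    for t in range(seconds):
        verdict = probes[min(t // frequency, len(probes) - 1)]
        for n, trk in tracks.items():
            trk.tick(t, verdict[n])
        now = installed(routes, tracks)
        if now != last:
            history.append((t, now))
            last = now
    return history

# The designs discussed above (Gi0/0 = primary link, Gi0/1 = backup link).
AS_POSTED = [Static("Gi0/0", track=10), Static("Gi0/1", track=20)]          # both at distance 1
FLOATING = [Static("Gi0/0", track=10), Static("Gi0/1", ad=30)]              # Tagir's untracked backup
TRACKED_FLOATING = [Static("Gi0/0", track=10), Static("Gi0/1", ad=30, track=20)]

# Constructed probe timelines, one verdict set per 10 s probe (frequency 10 as in the posted config).
OK, NO_PRIMARY, NO_LINKS = {10: True, 20: True}, {10: False, 20: True}, {10: False, 20: False}
PRIMARY_OUTAGE = [OK, OK, NO_PRIMARY, NO_PRIMARY, OK, OK]
BOTH_DOWN = [OK, OK, NO_LINKS, NO_LINKS, NO_LINKS, NO_LINKS]
ONE_LOST_PROBE = [OK, OK, NO_PRIMARY, OK, OK, OK]

if __name__ == "__main__":
    for name, design in (("as posted", AS_POSTED), ("floating", FLOATING), ("tracked floating", TRACKED_FLOATING)):
        print(f"{name:17} primary outage: {simulate(design, PRIMARY_OUTAGE)}")
        print(f"{name:17} both links down: {simulate(design, BOTH_DOWN)}")
    print("one lost probe, delay 5 :", simulate(FLOATING, ONE_LOST_PROBE))
    print("one lost probe, delay 15:", simulate(FLOATING, ONE_LOST_PROBE, delay_down=15, delay_up=15))
```

With the posted design both interfaces are installed while both tracks are up (active/active), and the primary outage removes Gi0/0 at t=25, five seconds after the failed probe at t=20, exactly the `delay down 5`. The floating static installs only Gi0/0 until then and then only Gi0/1, which is the primary/backup behaviour Rick describes for the second suggestion; its caveat shows in the both-links-down timeline, where the untracked backup stays in the routing table with nothing behind it, whereas the tracked floating static is withdrawn too. The last two lines show that a `delay` shorter than the probe `frequency` cannot absorb a single lost probe: with delay 5 and frequency 10 the route flaps out and back, with delay 15 it does not move.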

vibs Fri, 09/05/2014 - 05:31
User Badges:

I have no idea why it works when I removed track 20. I didn't add metric 30, but after removing track 20

IP SLA is working, failover is working, all good.

8.8.4.4 was not pinging due to the subnet, as LukaszTJB suggested.

 

I do want to know why failover started working after removing track 20, please, for my own knowledge.

 
