09-04-2014 12:56 AM - edited 03-04-2019 11:41 PM
Hi,
I am setting up failover WAN for one of my clients and it seems I have configured everything correctly, but it's not working. For track I am using the Google DNS IPs 8.8.8.8 and 8.8.4.4, where if I ping 8.8.8.8 from the router it pings, but not 8.8.4.4. I think because 8.8.4.4 is not pinging, the router does not jump if the primary GigabitEthernet0/0 is down.
Not sure what I am doing wrong. Please find the config details below:
-------------------------------------------config-----
username admin privilege 15 password 7 XXXXX
!
redundancy
!
!
!
track 10 ip sla 1 reachability
delay down 5 up 5
!
track 20 ip sla 2 reachability
delay down 5 up 5
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 122.160.79.18 255.0.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 182.71.34.71 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
description $ES_LAN$
ip address 200.200.201.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload
ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 20
ip route 8.8.4.4 255.255.255.255 GigabitEthernet0/1 permanent
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0 permanent
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
frequency 10
ip sla schedule 2 life forever start-time now
access-list 100 permit ip any any
access-list 101 permit ip any any
!
!
!
!
route-map giga0 permit 10
match ip address 100
match interface GigabitEthernet0/0
!
route-map giga1 permit 10
match ip address 101
match interface GigabitEthernet0/1
!
!
!
control-plane
------------------------------------------config end
09-04-2014 08:21 AM
sh ip route
sh ip int br
sh ip sla summ
sh track
I think you don't need
ip sla 2
track 20 ip sla 2 reachability
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 20
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 metric 30
09-05-2014 02:12 AM
Hello,
As Richard Burts states correctly, the NAT configuration is not right. But the ICMP echo request for the IP SLA is traffic which is generated by the router with a source-interface specified. There shouldn't be any NAT operation at all, or? I am using IP SLA for two WAN connections too, but I can't recall ever having seen an entry for the ICMP operation in the output of sh ip nat trans.
To me the static route configuration looks wrong too. As far as I remember, it's necessary to specify a next-hop address (subnet/mask via x.x.x.x) on multiple-access broadcast networks like Ethernet, otherwise the subnet appears as directly connected in the routing table. The configuration "ip route subnet mask <outgoing interface>" only works correctly for p2p links. With the configuration above I would say there is no routing possible at all except for "real" directly attached networks. Vibs said it's possible to reach the Google DNS 8.8.8.8 but not the second one, 8.8.4.4. I verified that 8.8.4.4 usually answers ICMP echo requests.
My guess is that the next hop for the Gig0/0 interface has proxy ARP enabled but the next hop for the Gig0/1 interface doesn't have proxy ARP turned on.
Kind regards,
Lukasz
09-04-2014 06:35 AM
Your problem is that there is no address translation configured for Gig0/1. Your config has
ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload
ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload
but it should be
ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload
ip nat inside source route-map giga1 interface GigabitEthernet0/1 overload
I am not sure that it is a problem, but I would suggest that you change the access list that you use for the route map. I have seen situations where address translation using extended access lists with permit ip any any caused problems. If you are not going to test for destination addresses then you could easily use a standard access list rather than an extended access list. And unless there are additional subnets somewhere inside that also need translation, you could easily do something like this:
access-list 10 permit 200.200.201.0 0.0.0.255
access-list 11 permit 200.200.201.0 0.0.0.255
and change the route maps to use these standard access lists.
HTH
Rick
09-05-2014 04:27 AM
Hello,
Sorry, the NAT was correct; I just pasted it twice by mistake where it was giga1.
NOW,
It's a weird issue: what I did is I swapped the internet from 0/0 to 0/1. Basically, previously 0/0 was DSL and 0/1 was the leased line, and now 0/0 is the leased line and 0/1 is DSL. AND Google IP 8.8.4.4 started pinging, which means IP SLA is WORKING; there is some problem with the leased line internet. However, if we unplug the leased line cable from the Cisco router (0/0 in the current config) and connect it to a laptop, the internet works. One more important piece of info I just got to know: the leased line router/switch also acts as a DHCP server; if any client sends a DHCP request it provides a 192.168.1.X IP, and if there is no DHCP request from the client and the client uses the public IP address provided by the TELCO, the internet works. All in all, if the laptop requests a DHCP address the leased line router/switch provides 192.168.1.X and the internet works; if it uses the public static IP the internet still works. NOW IT IS ONLY NOT WORKING ON THE CISCO ROUTER.
09-04-2014 08:35 AM
Perhaps there is a little ambiguity in the original post and depending on how you interpret the explanation either my suggestion is a better solution or the second suggestion is the better solution.
The original post is clear that there are two connections but perhaps not clear about how they are to be used. It was my interpretation (based on the config provided) that the client wants to actively use both connections and to provide failover if one of the connections has a problem. I believe that my suggestion for fixing the problem by correcting the NAT configuration would achieve that. The second suggestion is based on the assumption that, by having failover, there should be a primary connection that is used whenever it is available and a secondary/backup connection that is used only when the primary has failed. The suggestions in the second response would achieve this goal (but only if the issue with the configuration of NAT is corrected; if the NAT is not corrected then the second connection will not have Internet access).
So perhaps the original poster can provide clarification about what was the intention of the client?
HTH
Rick
09-05-2014 05:31 AM
I have no idea why it works when I removed track 20. I didn't add metric 30, but after removing track 20
IP SLA is working, failover is working... all good.
8.8.4.4 was not pinging due to the subnet, as LukaszTJB suggested.
I do want to know why the failover started working after removing track 20, please... for my own knowledge.
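The primary/backup configuration the thread converges on, as an added example that is not the poster's or either responder's own config: it combines Lukasz's point (a next-hop address on each static route), Rick's NAT fix (one statement per outside interface, with a standard ACL) and the accepted answer's floating backup route instead of a second track. The ISP gateway addresses <GW_PRIMARY> and <GW_BACKUP> are placeholders, since the thread does not give them; the 8.8.8.8 probe and the 200.200.201.0/24 inside subnet are taken from the post.

```cisco
! Added example, not the thread's own config. <GW_PRIMARY> and <GW_BACKUP>
! are placeholders for the two ISP gateways, which the thread does not give.
!
! Probe the primary link through its own interface. The host route below
! pins the probe to Gig0/0 with a real next hop, so it always leaves on the
! primary rather than following whichever default route is installed.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 10 ip sla 1 reachability
 delay down 5 up 5
!
! Next hop given on every static route: on Ethernet, an interface-only
! route makes the router ARP for the destination itself and only works
! if the upstream device answers with proxy ARP (Lukasz's point).
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0 <GW_PRIMARY> permanent
!
! The primary default route is withdrawn when track 10 goes down. The
! backup is a floating static with administrative distance 30 (the trailing
! number on an IOS static route, Rick's "metric 30"), so it is installed
! only while the primary route is absent; no second track is needed.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 <GW_PRIMARY> track 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 <GW_BACKUP> 30
!
! NAT: one standard ACL for the inside subnet (Rick's suggestion) and one
! route-map plus one "ip nat inside source" statement per outside
! interface; "match interface" selects the translation for whichever link
! the packet actually leaves on, so the backup translates after failover.
access-list 10 permit 200.200.201.0 0.0.0.255
!
route-map giga0 permit 10
 match ip address 10
 match interface GigabitEthernet0/0
!
route-map giga1 permit 10
 match ip address 10
 match interface GigabitEthernet0/1
!
ip nat inside source route-map giga0 interface GigabitEthernet0/0 overload
ip nat inside source route-map giga1 interface GigabitEthernet0/1 overload
!
! Checks after applying: "show track 10" should report Reachability Up,
! "show ip route 0.0.0.0" should list only the Gig0/0 route while the
! primary is healthy, and "show ip nat translations" should show entries
! with the Gig0/1 address once the primary link is unplugged.
```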