07-02-2013 08:48 AM
Background: We have two DataCenters and our remote offices build cry tunnels to each. There is also a direct link between the two DC's and the remote offices use weighted routing to "failover per say" in the event their connection to one DC goes down. Each DC can reroute the destination traffic over the direct link to the other DC.
First Attempt:We created two ip sla's and upon detecting either restored, we did a "clear cry sesion" to clear both tunnels and let the various networks refresh their routes...
Issue: Having multiple networks (where normally nw A,B route to DC1 and nw C routes to DC2), sometimes we see very brief outages and nw A&B will end up with spilt routing with nw A going to DC1 and nw B still going to DC2 although the tunnel to DC1 recovered.
Goal: We're thinking just clearing the tunnel that bounce vs both would work better and trying the following and it's not restoring the individual tunnel.
ip sla 9
icmp-echo [DC1-ipaddress] source-interface Serial0/0/0
frequency 10
ip sla 10
icmp-echo [DC2-ipaddress] source-interface Serial0/0/0
frequency 10
event manager applet DC1
event track 9 state up maxrun 10
action 1.0 syslog msg "DC1 primary peer came back online, clearing crypto tunnel"
action 2.0 cli command "enable"
action 3.0 cli command "clear crypto remote peer [DC1-ipaddress]"
event manager applet DC2
event track 10 state up maxrun 10
action 1.0 syslog msg "DC2 primary peer came back online, clearing crypto tunnel"
action 2.0 cli command "enable"
action 3.0 cli command "clear crypto remote peer [DC2-ipaddress]"
Question: Does anyone know a command or sequence that would work. unfortunatley since tunnels build ramdomly we never know which conn-id is which location and cannot use the "clear cry is ####" command
07-02-2013 09:07 AM
Are you asking for IPSec commands that will achieve what you want or are you asking for how EEM can be used to automate a known process? If the former, you will have better luck on one of the security communities. If the latter, explain the steps you would use to manually go through the process to determine which tunnel needs to be bounced and how you know it's bouncing.
07-02-2013 11:45 AM
I resolved the issue, turns out I just need to add another line to clear tunnels to both DC's in order for routing to restore to normal.
event manager applet DC1
event track 9 state up maxrun 10
action 1.0 syslog msg "DC1 primary peer came back online, clearing crypto tunnel"
action 2.0 cli command "enable"
action 3.0 cli command "clear crypto remote peer [DC1-ipaddress]"
action 4.0 cli command "clear crypto remote peer [DC2-ipaddress]"
event manager applet DC2
event track 10 state up maxrun 10
action 1.0 syslog msg "DC2 primary peer came back online, clearing crypto tunnel"
action 2.0 cli command "enable"
action 3.0 cli command "clear crypto remote peer [DC2-ipaddress]"
action 4.0 cli command "clear crypto remote peer [DC1-ipaddress]"
So for reference to others, the "event track #" coresponds to the ip sla #, so when a site drops and returns to the "state up" it executes the actions commands. Since routing will fail to the other DC, you have to clear it's tunnel to force traffic to try routing back to normal and rebuild your tunnel.
Clearing each peer individually works much faster then "clear cry sess" especially if your have other tunnels..
:-)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide