New Member

1941w router fail-over works but fail-back doesn't???

I haven't seen a setup like this before, and it just stopped working a couple of months ago, after the person who set it up had left. I have changed the config to not show the hostname, external IPs, certificate, usernames, password hashes, and serial number. If anyone knows why this configuration would work when failing over to the serial connection when the cable modem fails, but doesn't fail back to the cable modem when the route becomes available again, I would appreciate any input. I tried many things, even updating to the most recent IOS, and this was working before. Thanks.


show run and show version output:



ROUTER#sh run

Building configuration...


Current configuration : 6747 bytes

!

! No configuration change since last restart

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ROUTER

!

boot-start-marker

boot system flash c1900-universalk9-mz.SPA.152-1.T.bin

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

clock timezone Arizona -7 0

!

no ipv6 cef

!

!

ip dhcp excluded-address 10.0.1.1 10.0.1.30

ip dhcp excluded-address 10.0.1.101 10.0.1.254

!

ip dhcp pool MainIP

import all

network 10.0.1.0 255.255.255.0

domain-name inlandmarketing

dns-server 8.8.8.8

default-router 10.0.1.1

lease 5

!

!

ip domain name yourdomain.com

ip name-server 10.0.1.202

ip name-server 8.8.8.8

ip cef

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1898501780

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1898501780

revocation-check none

rsakeypair TP-self-signed-1898501780

!

!

crypto pki certificate chain TP-self-signed-1898501780

certificate self-signed 01

   {cert here}

      quit

license udi pid CISCO1941/K9 sn {serialhere}

!

!

username {userhere} privilege 15 secret 5 {passwordhere}

username {userhere} privilege 15 secret 5 {passwordhere}

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-LAN$

ip address 10.0.1.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Cable-Modem0/0/0

ip address {staticIPhere w/subnet}

ip flow ingress

ip nat outside

ip virtual-reassembly in

!

interface Serial0/1/0

ip address {staticIPhere w/subnet}

ip flow ingress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

service-module t1 fdl ansi

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map cable-modem interface Cable-Modem0/0/0 overload

ip nat inside source route-map t1 interface Serial0/1/0 overload

ip nat inside source static tcp 10.0.1.200 1723 {staticIPcablemodemhere} 1723 extendable

ip nat inside source static tcp 10.0.1.200 1723 {staticIPserialhere} 1723 extendable

ip route 0.0.0.0 0.0.0.0 Cable-Modem0/0/0

ip route 0.0.0.0 0.0.0.0 Serial0/1/0 50

!

ip access-list extended udp_rtp

permit udp host 10.0.1.27 any range 10000 20000

ip access-list extended udp_trp

!

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 2 permit 10.0.1.0 0.0.0.255

access-list 23 permit 10.0.1.0 0.0.0.255

!

route-map cable-modem permit 10

match ip address 1

match interface Cable-Modem0/0/0

!

route-map t1 permit 10

match ip address 2

match interface Serial0/1/0

!

route-map sip_nat permit 10

match ip address udp_rtp

!

!

snmp-server community ROUTER RW

snmp-server location ServerRoom

snmp-server enable traps entity-sensor threshold

!

control-plane

!

!

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end


ROUTER#sh ver

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(1)T, RELEASE SOFTWARE (fc1)

Technical Support:

http://www.cisco.com/techsupport


Copyright (c) 1986-2011 by Cisco Systems, Inc.

Compiled Thu 21-Jul-11 16:40 by prod_rel_team


ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)


ROUTER uptime is 3 weeks, 2 days, 4 hours, 55 minutes

System returned to ROM by power-on

System restarted at 08:38:25 Arizona Wed Oct 12 2011

System image file is "flash:c1900-universalk9-mz.SPA.152-1.T.bin"

Last reload type: Normal Reload

Last reload reason: Reload Command



This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.


A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html



If you require further assistance please contact us by sending email to

export@cisco.com

.


Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.

Processor board ID {serialhere}

2 Gigabit Ethernet interfaces

1 Serial interface

1 terminal line

1 Cable Modem interface

DRAM configuration is 64 bits wide with parity disabled.

255K bytes of non-volatile configuration memory.

254464K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:


License UDI:


-------------------------------------------------

Device#      PID            SN

-------------------------------------------------

*0        CISCO1941/K9          {serialhere}



Technology Package License Information for Module:'c1900'


-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot 

------------------------------------------------------------------

ipbase        ipbasek9      Permanent      ipbasek9

security      None          None           None

data          None          None           None


Configuration register is 0x2102

5 REPLIES
Hall of Fame Super Silver

1941w router fail-over works but fail-back doesn't???

Frank

I will start with a disclaimer - since we know that you have altered/omitted parts of the config but do not know what or how you changed it, there is a possibility that something you changed or omitted could be involved in the problem. But based on what is in the post here are my comments and suggestions.

- the config looks pretty straightforward and uses a static default route and a floating static default route to accomplish the failover.

- the failover depends on the static default route through the cable modem being withdrawn from the IP routing table. This usually would depend on the interface going line protocol down.

- the recovery should be that the static default route is put back into the routing table which should happen when the cable modem interface returns to line protocol up.

Can you capture and post the output of show interface and of show ip route while the problem is going on (and the router has failed over to the serial) and then capture and post the output of show interface and of show ip route when the cable modem problem is over but the router has not returned to the original static default route?

HTH

Rick

New Member

1941w router fail-over works but fail-back doesn't???

Rick,

I realize that what I omitted could very well be the source of the issue, so I made sure everything lined up as it should before I removed them. I have also been mulling over this for about a month now looking for issues in the config. Typically when the failover is tested the interface line is physically pulled from the back of the router, connectivity tests are run, and it is plugged back in with a visit to whatsmyip.org following to verify that the device is back on the route of the cable modem instead of the T1/serial line. I am going to recreate the issue and post your requested output here by tomorrow morning.

I thought the same thing you did, but didn't check the tables while the issue was occurring. One thing I noticed, and changed, is setting the administrative distance on the serial line to be greater on the default route than the cable modem. Which in my mind means when the interface is up it will use that route as preferred over the serial connection with a distance of 50.

Thanks,

Frank

New Member

1941w router fail-over works but fail-back doesn't???

Rick,

The internet went down today, and it seems to have done exactly what you stated. It took the cable modem interface being unplugged to fail over, and when it was plugged back in the default route back to the cable modem took precedence and failed back over correctly.

Do you know if the following configuration example would work by using internet availability for a default route over port state?

http://docwiki.cisco.com/wiki/NAT_failover_with_DUAL_ISP_on_a_router_Configuration_Example

I appreciate your input.

Thanks,

Frank

Hall of Fame Super Silver

1941w router fail-over works but fail-back doesn't???

Frank

I am glad that when there was a problem today that it failed over and then failed back as desired. That is good.

In your post this morning you say: "One thing I noticed, and changed, is setting the administrative distance on the serial line to be greater on the default route than the cable modem". Are you saying that before the 2 static default routes had the same administrative distance? In that case it should have done load balancing on both connections and not failover. So I am puzzled about what was going on.

And I am a bit puzzled about your question about the example from the docwiki. It shows using a route map to control NAT (actually PAT) to match to which interface the traffic is using. And the config in your original post shows that you are already doing this. And I would say that this article is actually showing a bad example of doing failover and I hope that you do not try to do it quite the same way. The problem with the failover shown in the article from docwiki is that it is using static default routes which specify a next hop address. But the interfaces where these addresses are located are Ethernet interfaces. There are lots of situations where you may lose connectivity to the next hop router over Ethernet but the Ethernet interface remains line protocol up. And when it is line protocol up then the static default route would not be removed from the routing table.

When doing failover in situations where the outbound routes are over Ethernet interfaces you frequently need to use something like Enhanced Object Tracking or IP SLA to track reachability of the next hop router and control the static route. I am not clear what the behavior of your cable modem interface is and whether something like IP SLA might be beneficial for you.

HTH

Rick
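
The tracked static route described in the reply above, sketched as an added example that is not part of the original thread or of anyone's posted config: an IP SLA ICMP probe drives a track object, and the primary default route is installed only while the probe succeeds. It assumes an IOS image and license that include IP SLA and Enhanced Object Tracking; the probe address 203.0.113.1 and the object numbers are placeholders.

```cisco
! Added example. 203.0.113.1 is a placeholder for the cable ISP gateway
! (assumed directly connected on Cable-Modem0/0/0); object numbers are arbitrary.
!
! Probe the gateway through the primary interface every 5 seconds.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Cable-Modem0/0/0
 threshold 1000
 timeout 2000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! The track object follows probe reachability. The delays damp flapping:
! wait 10 s after the probe fails before failing over, and 30 s after it
! recovers before failing back.
track 10 ip sla 1 reachability
 delay down 10 up 30
!
! Replace the untracked primary default route with a tracked one, so the
! route is withdrawn on loss of reachability even if line protocol stays up.
no ip route 0.0.0.0 0.0.0.0 Cable-Modem0/0/0
ip route 0.0.0.0 0.0.0.0 Cable-Modem0/0/0 track 10
!
! Floating static backup from the original config, unchanged (distance 50).
ip route 0.0.0.0 0.0.0.0 Serial0/1/0 50
!
! If the probe target is not on the directly connected subnet, pin it to the
! primary path so probes never leave via the backup link:
! ip route <probe-target> 255.255.255.255 Cable-Modem0/0/0
!
! Verify with:
!   show ip sla statistics 1
!   show track 10
!   show ip route 0.0.0.0
```

The existing NAT route-maps already match on the outbound interface, so translations follow whichever default route is installed.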

New Member

1941w router fail-over works but fail-back doesn't???

While working on this today I received the following:

Nov  6 17:51:39.797: %LINK-3-UPDOWN: Interface Cable-Modem0/0/0, changed state to down

Nov  6 17:51:40.797: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cable-Modem0/0/0, changed state to down

Nov  6 17:51:43.621: %LINK-3-UPDOWN: Interface Cable-Modem0/0/0, changed state to up

Nov  6 17:53:55.945: %CABLE_MODEM_HWIC-3-FAILURE_DETECT: The Cable Modem Daughtercard has failed on interface Cable-Modem0/0/0.

IASROUTER#

Nov  6 17:54:23.645: %CABLE_MODEM_HWIC-3-CONTROL_PLANE_FAIL: RBCP failure : Adding service flow ACE failed - Ethernet type not supported

Nov  6 17:54:26.857: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cable-Modem0/0/0, changed state to up

During this time I verified through whatsmyip.com that the route had actually failed over and was working. We're using the ipbase feature set and don't have the data or security packages enabled, or purchased, to use IP SLA or Enhanced Object Tracking, so we're going to purchase it for both routers and set it up so we can track reachability and also monitor for link status and send emails out when the backup route goes down while the primary is still active and working.

Thanks for your help Rick.

Frank
