10-12-2010 11:15 AM - edited 03-06-2019 01:28 PM
I'm using IP SLA to switch internet to the backup connection when the main ISP goes down.
Unfortunately the SLA removes the route map every 60 seconds and adds this route even if the main ISP is not working.
In this case I have internet for 60 sec. through backup and for 60 sec. internet is gone.
This process repeats periodically.
Debug below:
000764: *Jun 24 19:19:01.748 Berlin: %SYS-5-CONFIG_I: Configured from console by xxx on vty0 (192.168.3.110)
000765: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) Scheduler: saaSchedulerEventWakeup
000766: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) Scheduler: Starting an operation
000767: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=192.168.153.10
000768: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) echo operation: Sending ID: 12
000769: *Jun 24 19:19:06.765 Berlin: IP SLAs(1) echo operation: RTT=83
000770: *Jun 24 19:19:06.765 Berlin: IP SLAs(1) Scheduler: Updating result
000771: *Jun 24 19:19:06.765 Berlin: IP SLAs(1) Scheduler: start wakeup timer, delay = 59913
000772: *Jun 24 19:19:10.645 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Down->Up
000773: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) Scheduler: saaSchedulerEventWakeup
000774: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) Scheduler: Starting an operation
000775: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=80.153.64.40
000776: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) echo operation: Sending ID: 12
000777: *Jun 24 19:20:11.681 Berlin: IP SLAs(1) echo operation: Timeout - destAddr=194.204.152.34, sAddr=80.153.64.40
000778: *Jun 24 19:20:11.681 Berlin: IP SLAs(1) Scheduler: Updating result
000779: *Jun 24 19:20:11.681 Berlin: IP SLAs(1) Scheduler: start wakeup timer, delay = 54997
000780: *Jun 24 19:20:15.653 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Up->Down
10-12-2010 11:17 AM
Can you post your config ?
Jon
10-12-2010 11:28 AM
Current configuration : 7320 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname test
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.3.1 192.168.3.109
ip dhcp excluded-address 192.168.3.201 192.168.3.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.3.0 255.255.255.0
dns-server 194.204.152.34 8.8.8.8
default-router 192.168.3.253
!
!
ip cef
no ip bootp server
ip name-server 194.204.152.34
ip name-server 194.204.159.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key test address 13.92.3.212
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to13.92.3.212
set peer 13.92.3.212
set security-association idle-time 300
set transform-set ESP-3DES-SHA
match address 100
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to13.92.3.212
set peer 13.92.3.212
set security-association idle-time 60
set transform-set ESP-3DES-SHA1
match address 102
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 123 ip sla 1 reachability
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description WAN2
switchport access vlan 2
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 20.153.64.42 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.3.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.153.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 20.153.64.41 track 123
ip route 0.0.0.0 0.0.0.0 192.168.153.1 254
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan2 overload
!
ip sla 1
icmp-echo 194.204.152.34
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark CCP_ACL Category=6
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map ISP2 permit 11
match ip address 105
match interface Vlan2
set ip next-hop 192.168.153.1
!
route-map ISP1 permit 10
match ip address 101
match interface FastEthernet4
set ip next-hop 20.153.64.41
!
!
control-plane
end
10-12-2010 11:55 AM
The IP address 194.204.152.34 is being used to test the reachability. Once the route has failed over to the other internet connection, is this address pingable? If it is just an address on the internet then it may well be, i.e. it may be pingable by the secondary internet connection. That does look like what is happening. If it is pingable then the router will then try and install the original route.
There are a couple of ways to fix this -
1) specify a source interface to use for the ping test and make that source interface fa4
2) specify a different IP address to ping, i.e. you could try using the default gateway on the primary connection, i.e. 20.153.64.41
Jon
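An added example, not part of the original thread: Python that pairs each IP SLA probe in the debug output from the first post with its result and flags a probe that succeeded from an address other than the primary WAN address, which is the condition the reply above describes. The function and field names are made up for this illustration, and 80.153.64.40 is assumed to be the primary WAN address because it is the source shown on the timed-out probe.

```python
import re

# Debug lines copied from the original post (sequence numbers trimmed).
SAMPLE = """\
*Jun 24 19:19:06.681 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=192.168.153.10
*Jun 24 19:19:06.765 Berlin: IP SLAs(1) echo operation: RTT=83
*Jun 24 19:19:10.645 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Down->Up
*Jun 24 19:20:06.680 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=80.153.64.40
*Jun 24 19:20:11.681 Berlin: IP SLAs(1) echo operation: Timeout - destAddr=194.204.152.34, sAddr=80.153.64.40
*Jun 24 19:20:15.653 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Up->Down
"""

SEND = re.compile(r"IP SLAs\((\d+)\) echo operation: Sending an echo operation"
                  r" - destAddr=([\d.]+), sAddr=([\d.]+)")
RESULT = re.compile(r"IP SLAs\((\d+)\) echo operation: (RTT=\d+|Timeout)")
TRACK = re.compile(r"%TRACKING-5-STATE: (\d+) ip sla (\d+) reachability (\w+)->(\w+)")


def analyze(log_text, primary_src):
    """Pair probes with results; flag successes that say nothing about the primary link."""
    pending = {}  # SLA id -> (dest, src) of the probe still awaiting a result
    probes, transitions = [], []
    for line in log_text.splitlines():
        if m := SEND.search(line):
            pending[m.group(1)] = (m.group(2), m.group(3))
        elif m := RESULT.search(line):
            if m.group(1) in pending:
                dest, src = pending.pop(m.group(1))
                probes.append({"sla": m.group(1), "dest": dest, "src": src,
                               "ok": m.group(2).startswith("RTT")})
        elif m := TRACK.search(line):
            transitions.append((m.group(1), m.group(3), m.group(4)))
    # A probe that succeeds from any address other than the primary WAN address
    # left via another path, so its success is not evidence the primary ISP is up.
    misleading = [p for p in probes if p["ok"] and p["src"] != primary_src]
    return {"probes": probes, "transitions": transitions, "misleading": misleading,
            "flapping": len(transitions) >= 2 and bool(misleading)}


if __name__ == "__main__":
    # Assumption: 80.153.64.40 is the primary WAN address (source of the timed-out probe).
    for p in analyze(SAMPLE, "80.153.64.40")["misleading"]:
        print("probe to", p["dest"], "succeeded from", p["src"],
              "- not evidence that the primary link is up")
```

On the posted debug this flags the 19:19:06 probe: it was sourced from 192.168.153.10 (Vlan2, the backup side), got a reply, and drove track 123 Down->Up even though the probe from the primary address timed out a minute later.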
10-12-2010 12:03 PM
I chose the ping address on purpose because the gateway is always on and I can ping it from LAN even if the ISP is down.
So you suggest to use:
test(config-ip-sla) icmp-echo 8.8.8.8 source-interface fastEthernet 4
??
10-12-2010 12:11 PM
pwolsza_wolfik1 wrote:
I chose the ping address on purpose because the gateway is always on and I can ping it from LAN even if the ISP is down.
So you suggest to use:
test(config-ip-sla) icmp-echo 8.8.8.8 source-interface fastEthernet 4
??
Yes try that. The only other option is to find an IP that you can ping that is only reachable via the primary link but this is going to be difficult unless the ISP can give you an address to use.
Jon
10-13-2010 03:13 AM
I added that command to config.
When the signal from the main ISP goes down, SLA removes the route with the SLA track, but unfortunately if the internet goes up SLA does not switch to the main ISP.
The source of the ping is Vlan 2, which is now down, and I think that's why SLA can't ping through this connection and make it up.
Debug:
000111: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) Scheduler: saaSchedulerEventWakeup
000112: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) Scheduler: Starting an operation
000113: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=83.14.62.82
000114: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) echo operation: Sending ID: 12
000115: *Sep 3 11:50:57.530 PCTime: IP SLAs(1) echo operation: Timeout - destAddr=194.204.152.34, sAddr=83.14.62.82
000116: *Sep 3 11:50:57.530 PCTime: IP SLAs(1) Scheduler: Updating result
000117: *Sep 3 11:50:57.530 PCTime: IP SLAs(1) Scheduler: start wakeup timer, delay = 54996
10-13-2010 10:00 AM
pwolsza_wolfik1 wrote:
I added that command to config.
When the signal from the main ISP goes down, SLA removes the route with the SLA track, but unfortunately if the internet goes up SLA does not switch to the main ISP.
The source of the ping is Vlan 2, which is now down, and I think that's why SLA can't ping through this connection and make it up.
Debug:
000111: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) Scheduler: saaSchedulerEventWakeup
000112: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) Scheduler: Starting an operation
000113: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=83.14.62.82
000114: *Sep 3 11:50:52.529 PCTime: IP SLAs(1) echo operation: Sending ID: 12
000115: *Sep 3 11:50:57.530 PCTime: IP SLAs(1) echo operation: Timeout - destAddr=194.204.152.34, sAddr=83.14.62.82
000116: *Sep 3 11:50:57.530 PCTime: IP SLAs(1) Scheduler: Updating result
000117: *Sep 3 11:50:57.530 PCTime: IP SLAs(1) Scheduler: start wakeup timer, delay = 54996
Sorry it's not clear what you mean. The source of the ping should always be fa4 and not vlan 2 ??
Just out of interest, when you said before the ISP gateway is always pingable even when the ISP is down what exactly did you mean ? Do you mean within the ISP themselves ? Can they not provide you with an IP to check reachability that is not pingable from the internet ?
Jon
10-13-2010 11:09 AM
Sorry to confuse you.
I checked this config on test router where the main connection was on Vlan2(fa3) and the backup Fa4.
So I changed SLA to ping internet address with source interface vlan2.
ip sla 1
icmp-echo 194.204.152.34 source-interface Vlan2
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
Maybe I should force the main connection (vlan2 in this case) to go up and then ping?? How to do this??
My ISP provides a DSL modem; when I pull out the plug with the signal, the ISP gateway is still pingable from LAN.
I do not know if they can - I will check it.
10-14-2010 04:07 AM
I have confirmation from my ISP that the gateway is always pingable from the LAN even if there is no signal.
I changed the SLA config.
Now I'm pinging the primary gateway through the backup connection.
When the ping is down, the SLA route goes down and the traffic goes through the alternative route.
The problem could be the transfer limit because the backup connection is through a cell phone connection with a 20GB limit per month.
But I think the ping will not be a problem.
Thanks for the help and suggestions.