
SLA switching every 60 sec.

pwolsza_wolfik1
Level 1

I'm using IP SLA to switch the internet to the backup connection when the main ISP goes down.

Unfortunately, the SLA removes the route map every 60 seconds and adds this route even if the main ISP is not working.

In this case I have internet for 60 sec. through the backup, and for 60 sec. the internet is gone.

This process repeats periodically.

Debug below:

000764: *Jun 24 19:19:01.748 Berlin: %SYS-5-CONFIG_I: Configured from console by xxx on vty0 (192.168.3.110)
000765: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) Scheduler: saaSchedulerEventWakeup
000766: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) Scheduler: Starting an operation
000767: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=192.168.153.10
000768: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) echo operation: Sending ID: 12
000769: *Jun 24 19:19:06.765 Berlin: IP SLAs(1) echo operation: RTT=83
000770: *Jun 24 19:19:06.765 Berlin: IP SLAs(1) Scheduler: Updating result
000771: *Jun 24 19:19:06.765 Berlin: IP SLAs(1) Scheduler: start wakeup timer, delay = 59913
000772: *Jun 24 19:19:10.645 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Down->Up
000773: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) Scheduler: saaSchedulerEventWakeup
000774: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) Scheduler: Starting an operation
000775: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=80.153.64.40
000776: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) echo operation: Sending ID: 12
000777: *Jun 24 19:20:11.681 Berlin: IP SLAs(1) echo operation: Timeout - destAddr=194.204.152.34, sAddr=80.153.64.40
000778: *Jun 24 19:20:11.681 Berlin: IP SLAs(1) Scheduler: Updating result
000779: *Jun 24 19:20:11.681 Berlin: IP SLAs(1) Scheduler: start wakeup timer, delay = 54997
000780: *Jun 24 19:20:15.653 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Up->Down

Jon Marshall
Hall of Fame

Can you post your config ?

Jon

Current configuration : 7320 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname test
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.3.1 192.168.3.109
ip dhcp excluded-address 192.168.3.201 192.168.3.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.3.0 255.255.255.0
   dns-server 194.204.152.34 8.8.8.8
   default-router 192.168.3.253
!
!
ip cef
no ip bootp server
ip name-server 194.204.152.34
ip name-server 194.204.159.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test address 13.92.3.212
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to13.92.3.212
 set peer 13.92.3.212
 set security-association idle-time 300
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to13.92.3.212
 set peer 13.92.3.212
 set security-association idle-time 60
 set transform-set ESP-3DES-SHA1
 match address 102
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 123 ip sla 1 reachability
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description WAN2
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 20.153.64.42 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.3.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.153.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 crypto map SDM_CMAP_2
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 20.153.64.41 track 123
ip route 0.0.0.0 0.0.0.0 192.168.153.1 254
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map ISP1 interface FastEthernet4 overload
ip nat inside source route-map ISP2 interface Vlan2 overload
!
ip sla 1
 icmp-echo 194.204.152.34
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 remark CCP_ACL Category=6
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.3.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map ISP2 permit 11
 match ip address 105
 match interface Vlan2
 set ip next-hop 192.168.153.1
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet4
 set ip next-hop 20.153.64.41
!
!
control-plane
end

The IP address 194.204.152.34 is being used to test the reachability. Once the route has failed over to the other internet connection, is this address pingable? If it is just an address on the internet then it may well be, i.e. it may be pingable by the secondary internet connection. That does look like what is happening. If it is pingable then the router will then try and install the original route.

There are a couple of ways to fix this -

1) specify a source interface to use for the ping test and make that source interface fa4

2) specify a different IP address to ping, i.e. you could try using the default gateway on the primary connection, i.e. 20.153.64.41

Jon
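The cause named in this answer is visible in the debug output from the question: the probe that gets a reply leaves from 192.168.153.10 (Vlan2 in the posted config, the backup side), while the probe that times out leaves from a different source address. The following is an added example, not code from the thread, that parses those debug lines and flags an IP SLA probe whose source address changes between runs; the function names are hypothetical.

```python
import re

# Debug lines copied from the question in this thread (probe send, result, track change).
SAMPLE_LOG = """\
000767: *Jun 24 19:19:06.681 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=192.168.153.10
000769: *Jun 24 19:19:06.765 Berlin: IP SLAs(1) echo operation: RTT=83
000772: *Jun 24 19:19:10.645 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Down->Up
000775: *Jun 24 19:20:06.680 Berlin: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=80.153.64.40
000777: *Jun 24 19:20:11.681 Berlin: IP SLAs(1) echo operation: Timeout - destAddr=194.204.152.34, sAddr=80.153.64.40
000780: *Jun 24 19:20:15.653 Berlin: %TRACKING-5-STATE: 123 ip sla 1 reachability Up->Down
"""

SEND = re.compile(r"IP SLAs\((\d+)\) echo operation: Sending an echo operation"
                  r" - destAddr=([\d.]+), sAddr=([\d.]+)")
RESULT = re.compile(r"IP SLAs\((\d+)\) echo operation: (RTT=\d+|Timeout)")
TRACK = re.compile(r"%TRACKING-5-STATE: (\d+) ip sla (\d+) reachability (\w+)->(\w+)")


def parse(log):
    """Pair each probe's source address with its outcome; collect track transitions."""
    probes, transitions, pending = [], [], {}
    for line in log.splitlines():
        if m := SEND.search(line):
            pending[m[1]] = (m[2], m[3])  # dest/source wait here for the result line
        elif m := RESULT.search(line):
            dest, src = pending.pop(m[1], (None, None))
            probes.append({"sla": m[1], "dest": dest, "src": src,
                           "ok": m[2].startswith("RTT")})
        elif m := TRACK.search(line):
            transitions.append((m[1], m[3], m[4]))
    return probes, transitions


def unpinned_probes(probes):
    """Return {(sla, dest): sources} where one probe left from several source addresses.

    More than one source means the probe follows the routing table, so it tests
    whichever uplink currently holds the default route, not the primary link.
    """
    sources = {}
    for p in probes:
        sources.setdefault((p["sla"], p["dest"]), set()).add(p["src"])
    return {key: srcs for key, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    probes, transitions = parse(SAMPLE_LOG)
    for p in probes:
        print(p["src"], "->", p["dest"], "reply" if p["ok"] else "timeout")
    print("track changes:", transitions)
    print("not pinned to one uplink:", unpinned_probes(probes))
```
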

I chose the ping address on purpose because the gateway is always on and I can ping it from the LAN even if the ISP is down.

So you suggest using:

test(config-ip-sla) icmp-echo 8.8.8.8 source-interface fastEthernet 4

??

Yes try that. The only other option is to find an IP that you can ping that is only reachable via the primary link but this is going to be difficult unless the ISP can give you an address to use.

Jon

I added that command to the config.

When the signal from the main ISP goes down, SLA removes the route with the SLA track, but unfortunately if the internet goes up, SLA does not switch to the main ISP.

The source of the ping is Vlan 2, which is now down, and I think that's why SLA can't ping through this connection and make it up.

Debug:

000111: *Sep  3 11:50:52.529 PCTime: IP SLAs(1) Scheduler: saaSchedulerEventWakeup
000112: *Sep  3 11:50:52.529 PCTime: IP SLAs(1) Scheduler: Starting an operation
000113: *Sep  3 11:50:52.529 PCTime: IP SLAs(1) echo operation: Sending an echo operation - destAddr=194.204.152.34, sAddr=83.14.62.82
000114: *Sep  3 11:50:52.529 PCTime: IP SLAs(1) echo operation: Sending ID: 12
000115: *Sep  3 11:50:57.530 PCTime: IP SLAs(1) echo operation: Timeout - destAddr=194.204.152.34, sAddr=83.14.62.82
000116: *Sep  3 11:50:57.530 PCTime: IP SLAs(1) Scheduler: Updating result
000117: *Sep  3 11:50:57.530 PCTime: IP SLAs(1) Scheduler: start wakeup timer, delay = 54996

Sorry it's not clear what you mean. The source of the ping should always be fa4 and not vlan 2 ??

Just out of interest, when you said before the ISP gateway is always pingable even when the ISP is down what exactly did you mean ? Do you mean within the ISP themselves ? Can they not provide you with an IP to check reachability that is not pingable from the internet ?

Jon

Sorry to confuse you.

I checked this config on a test router where the main connection was on Vlan2 (fa3) and the backup on Fa4.

So I changed the SLA to ping an internet address with source interface vlan2.

ip sla 1
 icmp-echo 194.204.152.34 source-interface Vlan2
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts

Maybe I should force the main connection (vlan2 in this case) to go up and then ping? How to do this?

My ISP provides a DSL modem; when I pull out the plug with the signal, the ISP gateway is still pingable from the LAN.

I do not know if they can - I will check it.

I have confirmation from my ISP that the gateway is always pingable from the LAN even if there is no signal.

I changed the SLA config.

Now I'm pinging the primary gateway through the backup connection.

When the ping is down, the SLA route goes down and the traffic goes through the alternative route.

The problem could be the transfer limit, because the backup connection is through a cell phone connection with a 20GB limit per month.

But I think the ping will not be a problem.

Thanks for help and suggestion.
