two links to remote sites(one eigrp, one vpn)

paulnigel
Level 1

I have an existing EIGRP link to a remote site, and now I am setting up an ASA-to-ASA VPN tunnel. Site A allows full access for site B, and site B allows full access for site A. If my EIGRP link goes down, can it take the VPN link?

How do I start the VPN link?

32 Replies

Hi Nitish and everyone,

I have done this setup according to your suggestion; I am not sure, but I believe it is working for the first 2 sites. I have attached the Visio 2003 file with the configurations.

However, I am not very sure about the EIGRP portion, although I can see the GRE tunnel (192.168.10.2) being registered with EIGRP:

via 172.16.212.2 (1805056/28416), Serial0/2/0

via 192.168.10.2 (52802816/28416), Tunnel0

I just changed the bandwidth of the tunnel to 64, relative to the rest of the E1 line, which is 1984, and EIGRP just learned and inserted Tunnel0.

I can see this on the ASA:

local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)

current_peer: 2.2.2.2

#pkts encaps: 3111968, #pkts encrypt: 4314218, #pkts digest: 4314218

#pkts decaps: 913757, #pkts decrypt: 913757, #pkts verify: 913757

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 3111968, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

Some questions:

1) How do I add a specific route to point some device through the tunnel? I tried ip route x.x.x.x...tunnel0, but it doesn't seem to work.

2) How do I know which traffic is going through the tunnel?

3) How do I configure EIGRP to only choose this tunnel when all the routes have failed?

Kind regards and thanks,

Paul
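As an added example (not Paul's attached ASA config and not from anyone in this thread), here is an ASA site-to-site policy whose crypto ACL would produce the local/remote ident shown above (192.168.9.0/24 to 192.168.8.0/24, protocol 0 = any). It assumes ASA 7.x/8.0-era (pre-8.3) syntax, site A outside address 1.1.1.1, peer 2.2.2.2, and the ACL, tunnel-group and transform-set names are made up for the example; the algorithm and key choices are this example's, not the thread's.

```cisco
! Added example, not the thread's own config. Assumes pre-8.3 ASA syntax,
! site A outside = 1.1.1.1, peer ASA = 2.2.2.2, LAN 192.168.9.0/24 local,
! 192.168.8.0/24 remote. Names (L2L-SITE-B, NONAT, OUTSIDE-MAP) are made up.
!
! Interesting traffic: site A LAN <-> site B LAN, any protocol. Because it is
! "ip" rather than tcp/udp, GRE (protocol 47) between the two routers' LAN
! addresses matches too, so the EIGRP-over-GRE tunnel rides inside IPsec.
access-list L2L-SITE-B extended permit ip 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0
!
! Exempt the same pairs from NAT, or the ASA translates before it encrypts
! and the remote ident never matches.
access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! IKE phase 1. Avoid DES/MD5/group 1; the PSK must be long and random, and
! the same on both ASAs.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <long-random-psk>
!
! IKE phase 2: ESP with both encryption and integrity.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITE-B
crypto map OUTSIDE-MAP 10 set peer 2.2.2.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Let decrypted VPN traffic bypass the outside interface ACL (default on
! most releases; shown explicitly so the intent is visible).
sysopt connection permit-vpn
```

The tunnel is not "started" by a command: phase 1 and phase 2 negotiate when the first packet matching L2L-SITE-B is sent, e.g. a ping from a 192.168.9.x host to a 192.168.8.x host. Afterwards "show crypto isakmp sa" should list 2.2.2.2 as an established SA and "show crypto ipsec sa" gives the ident and packet counters like those pasted above; the encaps/decaps counters rising on both ASAs is the quickest check that traffic really is inside the tunnel.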

Hi Paul,

Good that you are able to communicate across the sites as of now.

However, may I request you to paste the sh ip route from either of the two routers in order to ascertain that things are indeed going as planned.

1) How do I add a specific route to point some device through the tunnel? I tried ip route x.x.x.x...tunnel0, but it doesn't seem to work.

I would like this to be taken care of by EIGRP, i.e. in the event that the E1 goes down, EIGRP should route the traffic through this link.

2) How do I know which traffic is going through the tunnel?

Could be answered by looking at your routing table or by a debug (the former being better).

3) How do I configure EIGRP to only choose this tunnel when all the routes have failed?

Ideally nothing, as EIGRP's metric would count on the bandwidth and latency; hence the preferred route would always be the E1, and in case of E1 failure it would route to the tunnel interface.

I really look forward to the solution that you have got for it. If you are still looking for a solution, may I request you to paste the config from the router and ASA.

Looking forward to hearing from your side,

Kind Regards,

Wilson Samuel

Hi Wilson and everyone,

Attached are the config files.

Why do I see that the FD is Inaccessible?

P 0.0.0.0/0, 0 successors, FD is Inaccessible

via 172.16.210.1 (3097600/2585600), Serial0/0/0

P 10.255.250.0/24, 0 successors, FD is Inaccessible

via 172.16.210.1 (3097600/2585600), Serial0/0/0

=============================================

Based on my EIGRP, how do I improve on it? Must I do anything?

Is it possible to have 2 internet links connected to the ASA, with 4 GRE tunnels across the 2 ASA internet links?

Thanks and Best regards,

Paul

Paul,

Good stuff.

Question 1: you should be able to point some devices through the tunnel by using the ip route command; be sure, if you are pointing to a host, to add 255.255.255.255 as the mask.

Question 2: check your routing table. Let's say, for example, I want to check for the 172.16.170.0/24 network on the KSO router. Then on the KSO router I will type the command: show ip route 172.16.170.0

This will give you an output as to which path the network is taking; also look at the routing table and you will know which path is preferred.

Question 3: you don't need to configure EIGRP to choose a tunnel when your primary route has failed, because EIGRP will learn routes from 2 places: one, the E1 link, and second, the internet link.

On KSO do a show ip eigrp neighbors

You should see 2 neighbors, one through the tunnel and the other through the E1.

Let me know if this helps

Cheers

NH
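As an added example (not the configs attached in this thread and not anyone's posted answer), here is the router side of the GRE backup described above, pulling together the three questions: the tunnel metric that keeps the E1 preferred, a host route forced through the tunnel with a /32 mask, and the show commands used to check which path is in use. Assumptions that are not in the thread: EIGRP AS 100, Tunnel0 sourced from the router LAN address 192.168.9.1 to the remote router LAN address 192.168.8.1 (so the GRE packets match the ASA's 192.168.9.0/24 to 192.168.8.0/24 policy), tunnel addressing 192.168.10.0/30, the key-chain name, and the example host 172.16.170.10.

```cisco
! Added example, not the thread's attached configs. Assumes EIGRP AS 100,
! tunnel endpoints 192.168.9.1 (local LAN) and 192.168.8.1 (remote LAN),
! E1 on Serial0/2/0 with bandwidth 1984 kbit/s as in the thread.
key chain EIGRP-KEYS
 key 1
  key-string <long-random-secret>
!
interface Tunnel0
 description GRE backup to remote site, carried inside the ASA-to-ASA IPsec
 ip address 192.168.10.1 255.255.255.252
 tunnel source 192.168.9.1
 tunnel destination 192.168.8.1
 ! GRE keepalive: without it Tunnel0 stays up/up when the IPsec path is
 ! broken and EIGRP only notices after its hold time expires.
 keepalive 10 3
 ! EIGRP's metric uses the lowest bandwidth and the cumulative delay on the
 ! path. A bandwidth of 64 against the E1's 1984, plus a large delay, makes
 ! the tunnel a feasible successor only: advertised and ready, but not used
 ! while the E1 route exists. (delay is in tens of microseconds.)
 bandwidth 64
 delay 50000
 ! Authenticate hellos so a forged EIGRP neighbour on the tunnel cannot
 ! inject routes.
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 192.168.9.0 0.0.0.255
 network 192.168.10.0 0.0.0.3
 no auto-summary
!
! Question 1: a single host forced through the tunnel needs a /32 mask.
! For a point-to-point GRE interface the route may name the interface.
! The tunnel destination itself must never be reachable via Tunnel0, or the
! router flaps the tunnel (recursive routing).
ip route 172.16.170.10 255.255.255.255 Tunnel0
!
! Questions 2 and 3, from exec mode:
!   show ip route 172.16.170.0
!       -> interface and next hop currently used for that network
!   show ip eigrp topology 172.16.170.0 255.255.255.0
!       -> successor (E1) and feasible successor (Tunnel0), with metrics
!   show ip eigrp neighbors
!       -> one neighbour on Serial0/2/0 and one on Tunnel0
```

With the E1 up, the topology entry shows the Serial0/2/0 path as successor and the Tunnel0 path as feasible successor; when the E1 routes withdraw, EIGRP promotes the tunnel path without any tracking or floating static route, which is the behaviour NH and Wilson describe above.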

Hi everyone,

Really, thanks for the help. This morning I had my remote sites' (configured with GRE) E1 links all down, and the traffic actually took the tunnel; everything is so transparent.

Good and bad: the management is a bit excited, so they are asking for more:

1) We have 5 sites; now they are requesting to have each site with 4 GRE tunnels to all sites.

2) On top of that, each site is to have 2 internet links connected via the ASA, so that traffic can be load balanced across the 2 internet links.

To be frank, I know nothing of that. Is it possible?

I will attach my configs for the current setup in my next mail.

Thanks much and regards,

Paul

Paul

Great news. But before you continue, please make sure that when you add the new tunnels you are not creating a mesh and loops; this will become very difficult to identify and solve later. Try to keep it simple; the best approach is to use a hub-and-spoke topology. If a site has 2 internet connections, try to use only one by putting static routes to the hub site on the FW. Let me know if you need anything else.

NH

Hi Nitish,

I hope I am getting you right:

1) Using a central site to create a hub and spoke to the other 4 sites for the GRE.

2) If each site has 2 internet connections, use only 1.

Is that your recommendation? Because I need to come up with the new design.

Thanks and regards,

Paul

Hi Paul,

Yes, that's what he means.

In fact, we have more than 20 sites connected with MPLS as the main link and IPsec GRE tunnels as fallback, and I believe the best way to go ahead is the hub-and-spoke way; otherwise it will be too difficult for expansion and troubleshooting.

Kind Regards,

Wilson Samuel

Paul

I am attaching a diagram for you; please have a look. This is what I would have done. I don't know if it reflects what your management wants. Keep it simple, not very complicated. If a site has multiple internet connections, use one. First step: get the network up and stable using one connection; once all your sites are converted, let it burn in for a few weeks before you add dual VPN GRE tunnels.

I can't really tell what would be best in your case, as I don't know the business your company is in or how things affect the users. All I can do is give a suggestion, which you may need to alter to suit your requirements and objectives.

Thanks

NH

Hi Nitish, Samuel,

Thanks much for your suggestions. I will put this to the management.

If I am using hub and spoke, does that mean the central site must have a bigger pipe? Can it be a single point of failure should the central site go down? If I am getting another router as a backup running "VRRP?", can this tunnel still work?

If the configuration is such that the tunnel goes around in a big circle connecting all the sites, is that possible?

Sorry for so many questions; I hope you guys don't run out of patience with me.

Thanks much and best regards,

Paul

Paul,

I need to understand what your current topology is. Please attach a diagram so I can get an idea. I don't think you will have to worry about a single point of failure, as this is supposed to be a backup connection to the existing connections you have. Your idea about a second router and VRRP (HSRP in Cisco terms) is good, for then you can have backup for the EIGRP (GRE) tunnels.

Please include the diagram so we can work on a stable design.

Thanks

NH

Hi Nitish,

I will send you the diagram on Monday, as I am on training.

Thanks much and regards,

Paul

Hi Nitish,

Attached is the current WAN diagram. Talking about the HSRP, my management is thinking of using the Cisco switches to do the HSRP and to create the tunnel; is that feasible?

Thanks much for your help.

Kind regards,

Paul

Paul,

Thanks for the diagram. More questions:

1. Why are there so many redundant links? Are these only for redundancy, or does the business require that these paths exist? For example, KM3 has an E1 to KM1 and KJO.

To answer your question, I will need to know what type of switch you are buying.

Thanks

Nitish

Hi Nitish,

Those links are for redundancy; do you have something in mind? I am interested to know.

For core switches, we use 4000 and 3000 series switches.

I have another question. Right now I have an IPsec site-to-site link from KSO to KJO, making use of the 2 sites' ASA public IP addresses. If I am going to configure hub and spoke, must I create an IPsec site-to-site tunnel for all the sites? I do not understand this portion.

Kind regards,

Paul
