03-18-2009 03:59 AM - edited 03-04-2019 03:59 AM
Hello,
I have two connections between headend and branch. How can I fail over between the two links using static routes, managing admin distance? In the branch router, the return path from the headend is not received if the primary link goes down.
03-18-2009 04:11 AM
Hi,
2 connections in 2 routers or 1 router?
03-18-2009 04:33 AM
Using a single router with IPsec VPN.
03-18-2009 04:21 AM
If both links are in one router on both sides.
Headend
ip route x.x.x.x m.m.m.m
ip route x.x.x.x m.m.m.m
Branch
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
03-18-2009 04:32 AM
I did the same. The backup link comes up when the primary link goes down, but the issue is that the headend router could not forward any packets to the branch. I'm using IPsec VPN too.
03-18-2009 05:00 AM
How is the IPSec implemented? Can you paste all relevant configs?
03-18-2009 05:36 AM
Here is what I have done:
BRANCH
-------
crypto isakmp policy 150
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234xx address 10.10.10.1
crypto isakmp key 5678xx address 10.11.11.1
!
!
crypto ipsec transform-set XX esp-3des esp-sha-hmac
!
crypto map MAP-A 10 ipsec-isakmp
 set peer 10.10.10.1
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-ho
!
crypto map MAP-B 10 ipsec-isakmp
 set peer 10.11.11.1
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-ho
interface FastEthernet0/0
 description $$ Primary LINK $$
 ip address 10.10.10.8 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP-A
!
interface FastEthernet0/1
 description $$ Seconday LINK $$
 ip address 10.11.11.8 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP-B
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.11.11.1 9
ip access-list extended vpn-to-ho
 permit ip xx xx
 permit ip xx xx
HEADEND
--------
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234xx address 10.10.10.8
crypto isakmp key 5678xx address 10.11.11.8
crypto ipsec transform-set XX esp-3des esp-sha-hmac
crypto map MAP-A 100 ipsec-isakmp
 set peer 10.10.10.8
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-branch
crypto map MAP-B 100 ipsec-isakmp
 set peer 10.11.11.8
 set security-association lifetime seconds 28800
 set transform-set XX
 match address vpn-to-branch
interface FastEthernet2/1
 description $$ Primary-LINK $$
 no switchport
 ip address 10.10.10.1 255.255.255.0
 crypto map MAP-A
!
interface FastEthernet2/2
 description $$ Secondar-LINK $$
 no switchport
 ip address 10.11.11.1 255.255.255.0
 crypto map MAP-B
ip route x.x.x.x x.x.x.x 10.10.10.8
ip route x.x.x.x x.x.x.x 10.11.11.8 9
ip access-list extended vpn-to-branch
03-22-2009 12:29 AM
I see. You are using LAN interfaces for these two links. The problem is this: static routes are valid as long as there is a valid route to the next hop IP address.
So, ip route x.x.x.x x.x.x.x 10.10.10.8 is valid as long as there is a valid route to 10.10.10.8. So, if FastEthernet2/1 on your headend router doesn't go down, then the other route will never take over.
Ultimately, probably the easiest solution is to set up some routing protocol. What protocol do you run internally on your network?
The other option you have is to set up a tracking object that would track IP reachability to 10.10.10.8, and cause the static route to become invalid when 10.10.10.8 is unreachable.
The configs would be something like this...
=============
HEADEND
=============
conf t
ip sla 1
 icmp-echo 10.10.10.8
 timeout 500
 frequency 3
ip sla schedule 1 start-time now life forever
exit
!
track 1 rtr 1 reachability
!
ip route x.x.x.x x.x.x.x 10.10.10.8 track 1
ip route x.x.x.x x.x.x.x 10.11.11.8 9
============
BRANCH
============
conf t
ip sla 1
 icmp-echo 10.10.10.1
 timeout 500
 frequency 3
ip sla schedule 1 start-time now life forever
exit
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1
ip route 0.0.0.0 0.0.0.0 10.11.11.1 9
There is a similar concept here as well: http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
Let me know how it goes
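The behaviour described in the answer above, as an added example that is not part of the original thread: a simplified Python model of static-route selection, showing why the untracked primary route stays installed on an Ethernet link when the peer stops answering, and how "track 1" lets the distance-9 route take over. The 192.0.2.0/24 prefix stands in for the elided x.x.x.x, and installed_next_hop is a hypothetical helper that assumes both interfaces stay up and every next hop is an IP address.

```python
import ipaddress
import re

# Constructed input: headend lines from the thread; the elided x.x.x.x
# prefix is replaced by a placeholder branch LAN, 192.0.2.0/24 (assumption).
BASE = """\
interface FastEthernet2/1
 ip address 10.10.10.1 255.255.255.0
interface FastEthernet2/2
 ip address 10.11.11.1 255.255.255.0
ip sla 1
 icmp-echo 10.10.10.8
track 1 rtr 1 reachability
"""
ROUTES = "ip route 192.0.2.0 255.255.255.0 10.10.10.8{}\nip route 192.0.2.0 255.255.255.0 10.11.11.8 9\n"
UNTRACKED = BASE + ROUTES.format("")
TRACKED = BASE + ROUTES.format(" track 1")

def installed_next_hop(config, prefix, reachable):
    """Next hop installed for `prefix`, or None (simplified model).

    Interfaces are assumed up, so a next hop is valid whenever it falls in a
    connected subnet. `reachable` holds addresses answering the IP SLA probe.
    """
    connected, sla_target, track_sla, routes = [], {}, {}, []
    sla = None
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"]:
            connected.append(ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
        elif w[:2] == ["ip", "sla"] and len(w) == 3:
            sla = w[2]                       # enter "ip sla N" sub-mode
        elif w[:1] == ["icmp-echo"]:
            sla_target[sla] = w[1]
        elif w[:1] == ["track"] and w[-1] == "reachability":
            track_sla[w[1]] = w[-2]          # "track 1 rtr 1" or "track 1 ip sla 1"
        elif w[:2] == ["ip", "route"]:
            m = re.match(r"ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$", line.strip())
            net, mask, hop, dist, track = m.groups()
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), hop, int(dist or 1), track))
    candidates = []
    for net, hop, dist, track in routes:
        if net != ipaddress.ip_network(prefix):
            continue
        hop_resolves = any(ipaddress.ip_address(hop) in c for c in connected)
        track_up = track is None or sla_target[track_sla[track]] in reachable
        if hop_resolves and track_up:
            candidates.append((dist, hop))   # lowest admin distance wins
    return min(candidates)[1] if candidates else None
```

Calling it with reachable={"10.11.11.8"} reproduces the failure in the thread for UNTRACKED and the failover for TRACKED.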
03-22-2009 02:46 AM
Also, you may have to adjust the above depending on IOS, but it should be similar.
03-23-2009 01:25 AM
Ryan, thanks for your kind help. Eventually I replaced the static routes with the OSPF routing protocol, and then the problem was solved.