Re: IP SLA problem and advice. - Cisco Community

3501

Views

0

Helpful

7

Replies

Good Morning People,

I am writing to get some advice and best practices on putting IP SLA's up. Here is my configuration:

I have one 2911 ISR 2 router with two internet lines- One is a cable line (which is connected via ethernet to the providers onsite 1800 router) and the other is a standard ADSL line.

I have a route-map which looks at the source of the traffic (determines whether its staff traffic or server traffic) and splits them accordingly. The Staff go through the ADSL and the servers go through the Cable.

I am trying to get to a position where if one line fails, all traffic goes through the other and vice versa. I have got the route-maps set up to do this using track objects:

route-map r01 permit 20

match ip address SERVERTRAFFIC

set ip next-hop verify-availability x.x.x.x(Cable Gateway) 10 track 1

set ip next-hop verify-availability x.x.x.x(ADSL Gateway) 20 track 2

!

route-map r01 permit 30

match ip address STAFFTRAFFIC

set ip next-hop verify-availability x.x.x.x(ADSL Gateway) 10 track 2

set ip next-hop verify-availability x.x.x.x(Cable Gateway) 20 track 1

This works as I want it to. The problem I am having is the IP SLA's - I have noticed that the IP SLA gets reported down every so often for roughly 5 seconds at a time then comes back up. This is going to cause a big problem when I start setting up the corporate Site-Site VPNS. Here is my config for the IP SLA

ip sla 1 (This tracks the cable connection)

icmp-echo 4.2.2.1

timeout 2500

threshold 2000

frequency 10

ip sla schedule 1 life forever start-time now

ip sla 2 (This tracks the ADSL connection)

icmp-echo 4.2.2.2

timeout 2500

threshold 2000

frequency 10

ip sla schedule 2 life forever start-time now

The way I have currently done it is to ping the DNS servers of a major ISP and force the ping through the appropriate connection by using a static route. So for example, 4.2.2.1 is forced through the Cable connection by a route in my routing table: S 4.2.2.1 [1/0] via x.x.x.x(Cable Gateway)

So, looking at my logs I see the connection dip:

1

4/1/11

9:05:20.000 AM

Apr 1 09:05:20 192.168.50.1 1000: Apr 1 08:05:19.610: %TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

2

4/1/11

9:05:10.000 AM

Apr 1 09:05:10 192.168.50.1 999: Apr 1 08:05:09.610: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

3

4/1/11

8:28:51.000 AM

Apr 1 08:28:51 192.168.50.1 970: Apr 1 07:28:50.426: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

4

4/1/11

8:28:41.000 AM

Apr 1 08:28:41 192.168.50.1 968: Apr 1 07:28:40.426: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

5

3/31/11

10:41:10.000 PM

Mar 31 22:41:10 192.168.50.1 943: Mar 31 21:41:10.032: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

6

3/31/11

10:41:00.000 PM

Mar 31 22:41:00 192.168.50.1 942: Mar 31 21:41:00.032: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

7

3/31/11

10:12:47.000 PM

Mar 31 22:12:47 192.168.50.1 941: Mar 31 21:12:46.791: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

8

3/31/11

10:12:42.000 PM

Mar 31 22:12:42 192.168.50.1 940: Mar 31 21:12:41.791: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down

host=192.168.50.1 Options| sourcetype=udp:514 Options| source=udp:514 Options

As you can see, this is for 10 seconds and 5 seconds at a time.

Is there a better way of doing what I am wanting to do? I wouldn't have thought it was the DNS servers that are dissapearing for a few seconds now and then but is there a more stable remote host to ping? Any help would be magic as I need to get this problem sorted.

I appreciate any input.

Thank you very much

Tim

7 Replies 7

Have you tried a different sla

http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsudpe.html#wp1027258

If you use 53 then an ISP DNS will reply on that they may be policing ICMP packets

Makes a lot of sense to do that in regards to the possible policing of ICMP echos.

I'm having a bit of trouble getting the UDP echo to work though. I've created the SLA and it is failing

IPSLA operation id: 3

Type of operation: udp-echo

Latest RTT: NoConnection/Busy/Timeout

Latest operation start time: 15:06:37.177 GMT Fri Apr 1 2011

Latest operation return code: No connection

Number of successes: 0

Number of failures: 8

Operation time to live: Forever

Using the SLA:

ip sla 3

udp-echo 4.2.2.1 53

threshold 2000

timeout 2500

frequency 10

ip sla schedule 3 life forever start-time now

I've looked on the firewall and on the Self-Out zone I have allowed all ICMP, TCP and UDP traffic with inspect and no other traffic is being blocked. Do you see any problem with this?

Hi

having re-read the ip sla for udp that's not going to work. How well do you know your ISP's the reason is if you have a good relationship then they may provide you with an IP in that you can ping without police else I would look at trying tcp sla to the isp's website.

Thank you for your suggestions. I think a HTTP IP SLA would suffice, but I am then running into the problems of how to actually force the correct HTTP get request out the correct interface. Remember, I have a cable and ADSL line (both static IP's) - I don't think it's possible to force a http request out of a particular port. I was getting past this problem on the icmp echo with static routes.

I think I am trying to achieve the impossible with this! Yet it sounds like a likely use case.

I have sorted the issue after talking to Cisco TAC.

The correct solution to this would be to use the Delay command on the Track unit that the IP SLA is associated to.

You can specify how many seconds to delay before the IP SLA forces the tracking to be up or down.

Would you be willing to post your tracking and SLA portion of the final configuration?

First of all, take note of your interval for the IP SLA - mine is set to ping every 15 seconds:

ip sla 12

icmp-echo 194.168.4.100

timeout 9000

frequency 15

Then, bind a track object that monitors the IP SLA with a delay up and delay down - ensure the seconds of the delay are multiples of the IP SLA frequency, or else it'll flap like a migrating bird.

The following code doesn't 'Down' the Track Object until the IP SLA has timed out 5 consecutive times and and doesn't 'Up' the Track object unless the ping returns successful atleast twice;

track 12 ip sla 12 reachability

delay down 60 up 15

Hope this helps.

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community

Review Cisco Networking products for a $25 gift card