I have recently taken a position with a firm where the existing infrastructure has just been installed by a third party.
A Cisco 891 has been installed with IP SLA configured to provide failover to a secondary ISP link.
Within days of my arrival the 891 stopped routing to either WAN interface several times a week. When this would happen it was possible to ping both WAN devices connected to the router from inside and outside, but not possible to ping past them in either direction.
My immediate suspicions were that the IP SLAs were incorrectly configured. I have disabled them and have not experienced any problems since. But I am concerned as to why they were causing the device to stop routing.
If anyone fancies taking a look below and making suggestions, please go ahead.
For security some details have been altered for this exercise. The relevant sections are in bold.
Current configuration : 6797 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXX001
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
crypto pki trustpoint TP-self-signed-xxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxx
 revocation-check none
 rsakeypair TP-self-signed-4057743359
!
crypto pki certificate chain TP-self-signed-xxx
 certificate self-signed 01
 ! Lines removed for security
  quit
no ip source-route
!
ip cef
no ip bootp server
ip domain name xxx.com
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
no spanning-tree vlan 1
no spanning-tree vlan 2
username xxxxx privilege 15 secret 5 xxxx
username xxxxx privilege 15 secret 5 xxxx
!
archive
 log config
  hidekeys
!
track 1 ip sla 1 reachability
 delay down 10 up 10
!
track 2 ip sla 2 reachability
 delay down 10 up 10
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 ip address xxx.yyy.13.214 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description ***2M / 2M SHDSL***
 ip address xxx.yyy.13.118 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed auto
!
interface Vlan1
 description ***LAN***
 ip address 192.168.120.253 255.255.255.0
 ip access-group 120 in
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.yyy.13.213 240 track 1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.13.117 250 track 2
ip route 220.127.116.11 255.255.255.0 192.168.120.254
ip route 192.168.121.0 255.255.255.0 192.168.120.254
no ip http server
ip http access-class 50
ip http authentication local
ip http secure-server
ip http secure-port 50443
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip dns server
ip nat inside source route-map NAT1 interface FastEthernet8 overload
ip nat inside source route-map NAT2 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.120.41 25 xxx.yyy.13.118 25 route-map NAT2 extendable
ip nat inside source static tcp 192.168.120.41 80 xxx.yyy.13.118 80 route-map NAT2 extendable
ip nat inside source static tcp 192.168.120.41 443 xxx.yyy.13.118 443 route-map NAT2 extendable
ip nat inside source static tcp 18.104.22.168 1723 xxx.yyy.13.118 1723 extendable
ip nat inside source static tcp 192.168.120.47 3389 xxx.yyy.13.118 3389 route-map NAT2 extendable
ip nat inside source static tcp 192.168.120.41 25 xxx.yyy.13.214 25 route-map NAT1 extendable
ip nat inside source static tcp 192.168.120.41 80 xxx.yyy.13.214 80 route-map NAT1 extendable
ip nat inside source static tcp 192.168.120.41 443 xxx.yyy.13.214 443 route-map NAT1 extendable
ip nat inside source static tcp 22.214.171.124 1723 xxx.yyy.13.214 1723 extendable
ip nat inside source static tcp 126.96.36.199 3389 xxx.yyy.13.214 3389 route-map NAT1 extendable
!
ip access-list extended VPN_ADDRESS
 permit ip 192.168.120.0 0.0.0.255 192.168.192.0 0.0.0.255
!
ip sla 1
 icmp-echo xxx.yyy.13.213 source-ip xxx.yyy.13.214
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo xxx.yyy.13.117 source-ip xxx.yyy.13.118
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
access-list 50 remark ***RemoteAccess***
access-list 50 permit 188.8.131.52
access-list 50 permit 184.108.40.206
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 50 permit 220.127.116.11 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 18.104.22.168 0.0.0.255 any
access-list 120 permit tcp host 22.214.171.124 any eq smtp
access-list 120 permit tcp host 126.96.36.199 any eq smtp
access-list 120 permit tcp host 192.168.120.41 any eq smtp
access-list 120 deny tcp 188.8.131.52 0.0.0.255 any eq smtp
access-list 120 deny tcp 192.168.120.0 0.0.0.255 any eq smtp
access-list 120 deny tcp 192.168.121.0 0.0.0.255 any eq smtp
access-list 120 permit ip any any
snmp-server community xxx RO 50
snmp-server location xxxxxxxxxx
no cdp run
!
route-map NAT2 permit 10
 match ip address 101
 match interface GigabitEthernet0
!
route-map NAT1 permit 10
 match ip address 101
 match interface FastEthernet8
!
control-plane
!
privilege exec level 15 configure
!
line con 0
 timeout login response 300
 privilege level 15
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 50 in
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 193
 access-class 50 in
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
ntp server 184.108.40.206
ntp server 220.127.116.11
ntp server 18.104.22.168
end
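The IP SLA, track and static-route stanzas in the posted configuration form a short dependency chain (route depends on track, track depends on SLA, SLA depends on a scheduled probe with a valid source) that is easy to get subtly wrong and tedious to audit by eye. The following Python script is an added example, not part of the original post or any Cisco tool: it parses those stanzas (the sample below is copied from the posted configuration with the poster's xxx.yyy placeholders left in place) and reports the consistency checks a reviewer would otherwise make by hand: a tracked route whose track or SLA does not exist, an SLA that is never scheduled, a timeout larger than its frequency interval, a source-ip that belongs to no interface, a probe aimed at the route's own next hop, and a default-route set in which every entry is tracked. The function names and finding text are mine; the IOS defaults assumed for an unset icmp-echo timeout and frequency (5000 ms and 60 s) are the documented defaults. The script checks configuration structure only; it does not claim to explain what happened on this router.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the interface, track, route and IP SLA lines from the
# posted configuration, placeholders and all.
SAMPLE_CONFIG = """\
interface FastEthernet8
 ip address xxx.yyy.13.214 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0
 ip address xxx.yyy.13.118 255.255.255.252
 ip nat outside
!
track 1 ip sla 1 reachability
 delay down 10 up 10
!
track 2 ip sla 2 reachability
 delay down 10 up 10
!
ip route 0.0.0.0 0.0.0.0 xxx.yyy.13.213 240 track 1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.13.117 250 track 2
!
ip sla 1
 icmp-echo xxx.yyy.13.213 source-ip xxx.yyy.13.214
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo xxx.yyy.13.117 source-ip xxx.yyy.13.118
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
"""

# IOS defaults for an icmp-echo operation when the value is not configured (assumed here).
DEFAULT_TIMEOUT_MS = 5000
DEFAULT_FREQUENCY_S = 60


@dataclass
class SlaOp:
    target: str | None = None
    source: str | None = None
    timeout_ms: int = DEFAULT_TIMEOUT_MS
    frequency_s: int = DEFAULT_FREQUENCY_S


@dataclass
class Parsed:
    addrs: dict[str, str] = field(default_factory=dict)      # interface -> ip address
    tracks: dict[int, int] = field(default_factory=dict)     # track id -> ip sla id
    slas: dict[int, SlaOp] = field(default_factory=dict)     # ip sla id -> operation
    scheduled: set[int] = field(default_factory=set)         # ip sla ids with a schedule
    routes: list[tuple[str, str, str, int | None]] = field(default_factory=list)  # prefix, mask, next hop, track


def parse(text: str) -> Parsed:
    """Minimal IOS config parser for the stanzas the failover chain depends on."""
    p = Parsed()
    ctx: tuple | None = None  # ("intf", name) or ("sla", id) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            ctx = None
            continue
        if not line.startswith(" "):
            ctx = None
            if m := re.match(r"interface (\S+)$", line):
                ctx = ("intf", m.group(1))
            elif m := re.match(r"track (\d+) ip sla (\d+) reachability$", line):
                p.tracks[int(m.group(1))] = int(m.group(2))
            elif m := re.match(r"ip route (\S+) (\S+) (\S+)(?: \d+)?(?: track (\d+))?$", line):
                p.routes.append((m.group(1), m.group(2), m.group(3),
                                 int(m.group(4)) if m.group(4) else None))
            elif m := re.match(r"ip sla schedule (\d+)\b", line):
                p.scheduled.add(int(m.group(1)))
            elif m := re.match(r"ip sla (\d+)$", line):
                ctx = ("sla", int(m.group(1)))
                p.slas.setdefault(ctx[1], SlaOp())
            continue
        sub = line.strip()
        if ctx and ctx[0] == "intf":
            if m := re.match(r"ip address (\S+) (\S+)$", sub):
                p.addrs[ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "sla":
            op = p.slas[ctx[1]]
            if m := re.match(r"icmp-echo (\S+)(?: source-ip (\S+))?", sub):
                op.target, op.source = m.group(1), m.group(2)
            elif m := re.match(r"timeout (\d+)$", sub):
                op.timeout_ms = int(m.group(1))
            elif m := re.match(r"frequency (\d+)$", sub):
                op.frequency_s = int(m.group(1))
    return p


def lint(text: str) -> list[str]:
    """Return ERROR/WARN findings about the route -> track -> ip sla chain."""
    p = parse(text)
    findings: list[str] = []
    for prefix, mask, nexthop, track in p.routes:
        if track is None:
            continue
        route = f"ip route {prefix} {mask} {nexthop} track {track}"
        sla_id = p.tracks.get(track)
        if sla_id is None:
            findings.append(f"ERROR {route}: track {track} is not defined, route is never installed")
            continue
        op = p.slas.get(sla_id)
        if op is None:
            findings.append(f"ERROR track {track}: ip sla {sla_id} is not defined")
            continue
        if op.target == nexthop:
            findings.append(f"WARN {route}: ip sla {sla_id} probes the next hop itself, so only a dead "
                            "gateway or link trips the track; an outage beyond the gateway will not")
    defaults = [r for r in p.routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    if defaults and all(r[3] is not None for r in defaults):
        findings.append("WARN every default route is tracked: if all tracks fail together the router "
                        "keeps its connected WAN subnets but has no default route at all")
    for sla_id, op in sorted(p.slas.items()):
        if op.target is None:
            findings.append(f"ERROR ip sla {sla_id}: no icmp-echo target configured")
        if sla_id not in p.scheduled:
            findings.append(f"ERROR ip sla {sla_id}: never scheduled, so the probe does not run "
                            "and its track cannot come up")
        if op.timeout_ms > op.frequency_s * 1000:
            findings.append(f"ERROR ip sla {sla_id}: timeout {op.timeout_ms} ms exceeds the "
                            f"frequency interval of {op.frequency_s} s")
        if op.source is None:
            findings.append(f"WARN ip sla {sla_id}: no source-ip, probe is sourced from whichever "
                            "interface the routing table selects")
        elif op.source not in p.addrs.values():
            findings.append(f"WARN ip sla {sla_id}: source-ip {op.source} is not an address on any interface")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f)
```

On the posted stanzas the script reports three warnings and no errors: each probe targets only its directly connected gateway, so an ISP failure beyond that gateway leaves the track up, and both default routes carry a `track`, so a moment in which both tracks are down would leave the router with its connected WAN /30s but no default route. Collecting `show track` and `show ip sla statistics` while the fault is present, as the reply below asks, is what tells you whether that second state ever occurred.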
I do not believe you are missing anything in the configuration. IP SLA should continue to send ICMP echo requests forever as soon as the router finishes loading. Even if the track goes down, the IP SLA process should continue. Are the IP SLAs currently in a failed state? If so, please grab the output of show ip sla stat and show track.