
New Member

failover issue

Hello,

I have two connections between headend and branch. How can I fail over between the two links using static routes, managing admin distance in the branch router? The return path is not coming from the headend if the primary link goes down.

9 REPLIES
New Member

Re: failover issue

Hi,

2 connections in 2 routers or 1 router?

New Member

Re: failover issue

Using a single router with IPsec VPN.

New Member

Re: failover issue

If both links are in one router on both sides:

Headend

ip route x.x.x.x m.m.m.m

ip route x.x.x.x m.m.m.m 10

Branch

ip route 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0 10

New Member

Re: failover issue

I did the same. The backup link comes up when the primary link goes down, but the issue is that the headend router could not forward any packets to the branch. I'm using IPsec VPN too.

New Member

Re: failover issue

How is the IPSec implemented? Can you paste all relevant configs?

New Member

Re: failover issue

Here is what I have done:

BRANCH

-------

crypto isakmp policy 150

encr 3des

authentication pre-share

group 2

crypto isakmp key 1234xx address 10.10.10.1

crypto isakmp key 5678xx address 10.11.11.1

!

!

crypto ipsec transform-set XX esp-3des esp-sha-hmac

!

crypto map MAP-A 10 ipsec-isakmp

set peer 10.10.10.1

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-ho

!

crypto map MAP-B 10 ipsec-isakmp

set peer 10.11.11.1

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-ho

interface FastEthernet0/0

description $$ Primary LINK $$

ip address 10.10.10.8 255.255.255.0

duplex auto

speed auto

crypto map MAP-A

!

interface FastEthernet0/1

description $$ Seconday LINK $$

ip address 10.11.11.8 255.255.255.0

duplex auto

speed auto

crypto map MAP-B

ip route 0.0.0.0 0.0.0.0 10.10.10.1

ip route 0.0.0.0 0.0.0.0 10.11.11.1 9

ip access-list extended vpn-to-ho

permit ip xx xx

permit ip xx xx

HEADEND

--------

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key 1234xx address 10.10.10.8

crypto isakmp key 5678xx address 10.11.11.8

crypto ipsec transform-set XX esp-3des esp-sha-hmac

crypto map MAP-A 100 ipsec-isakmp

set peer 10.10.10.8

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-branch

crypto map MAP-B 100 ipsec-isakmp

set peer 10.11.11.8

set security-association lifetime seconds 28800

set transform-set XX

match address vpn-to-branch

interface FastEthernet2/1

description $$ Primary-LINK $$

no switchport

ip address 10.10.10.1 255.255.255.0

crypto map MAP-A

!

interface FastEthernet2/2

description $$ Secondar-LINK $$

no switchport

ip address 10.11.11.1 255.255.255.0

crypto map MAP-B

ip route x.x.x.x x.x.x.x 10.10.10.8

ip route x.x.x.x x.x.x.x 10.11.11.8 9

ip access-list extended vpn-to-branch

New Member

Re: failover issue

I see. You are using LAN interfaces for these two links. The problem is this: static routes are valid as long as there is a valid route to the next hop IP address.

So, ip route x.x.x.x x.x.x.x 10.10.10.8 is valid as long as there is a valid route to 10.10.10.8. So, if FastEthernet2/1 on your headend router doesn't go down, then the other route will never take over.

Ultimately, probably the easiest solution is to set up some routing protocol. What protocol do you run internally on your network?

The other option you have is to set up a tracking object that would track IP reachability to 10.10.10.8, and cause the static route to become invalid when 10.10.10.8 is unreachable.

The configs would be something like this...

=============

HEADEND

=============

conf t

ip sla 1

icmp-echo 10.10.10.8

timeout 500

frequency 3

ip sla schedule 1 start-time now life forever

exit

!

track 1 rtr 1 reachability

!

ip route x.x.x.x x.x.x.x 10.10.10.8 track 1

ip route x.x.x.x x.x.x.x 10.11.11.8 9

============

BRANCH

============

conf t

ip sla 1

icmp-echo 10.10.10.1

timeout 500

frequency 3

ip sla schedule 1 start-time now life forever

exit

!

track 1 rtr 1 reachability

!

ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1

ip route 0.0.0.0 0.0.0.0 10.11.11.1 9

There is a similar concept here as well: http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

Let me know how it goes

New Member

Re: failover issue

Also, you may have to adjust the above depending on IOS, but it should be similar.
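
The behaviour described in the two replies above, as an added example that is not part of the original thread: a simplified Python model of which static route the headend installs toward the branch network, with and without a track object. The class and function names are hypothetical, and the model assumes a next hop resolves only through an up connected network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class StaticRoute:
    next_hop: str
    distance: int = 1            # default admin distance of a static route
    track: Optional[int] = None  # id of the track object tied to the route, if any

def installed_next_hop(routes, connected, track_up):
    """Pick the next hop the router would install for one prefix.

    connected: {interface: (network, line_protocol_up)}
    track_up:  {track_id: reachability result of the IP SLA probe}
    Simplified model: a next hop resolves only through an up connected network.
    """
    up_nets = [ipaddress.ip_network(net) for net, up in connected.values() if up]
    usable = []
    for r in routes:
        hop = ipaddress.ip_address(r.next_hop)
        if not any(hop in net for net in up_nets):
            continue  # no route to the next hop: the static route is withdrawn
        if r.track is not None and not track_up.get(r.track, False):
            continue  # tracked object is down: the static route is withdrawn
        usable.append(r)
    return min(usable, key=lambda r: r.distance).next_hop if usable else None

# Headend interfaces from the thread; both Ethernet ports keep line protocol up
# even when the far end of the primary path has failed.
HEADEND_UP = {"Fa2/1": ("10.10.10.0/24", True), "Fa2/2": ("10.11.11.0/24", True)}
FA21_DOWN = {"Fa2/1": ("10.10.10.0/24", False), "Fa2/2": ("10.11.11.0/24", True)}

# Routes toward the branch network (x.x.x.x in the thread).
UNTRACKED = [StaticRoute("10.10.10.8"), StaticRoute("10.11.11.8", distance=9)]
TRACKED = [StaticRoute("10.10.10.8", track=1), StaticRoute("10.11.11.8", distance=9)]

def scenarios():
    return {
        # Path to 10.10.10.8 is dead but Fa2/1 is up: primary stays installed.
        "untracked, path dead": installed_next_hop(UNTRACKED, HEADEND_UP, {}),
        # Only a local interface failure removes the untracked primary.
        "untracked, Fa2/1 down": installed_next_hop(UNTRACKED, FA21_DOWN, {}),
        # Probe to 10.10.10.8 fails: track 1 goes down, backup takes over.
        "tracked, probe fails": installed_next_hop(TRACKED, HEADEND_UP, {1: False}),
        # Probe succeeds again: primary is reinstalled.
        "tracked, probe ok": installed_next_hop(TRACKED, HEADEND_UP, {1: True}),
    }

if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:24} -> {hop}")
```

The first scenario is the failure reported in the thread: traffic keeps being sent to 10.10.10.8 because nothing withdraws the primary route.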

New Member

Re: failover issue

Ryan, thanks for your kind help. Eventually I replaced the static routes with the OSPF routing protocol, and then the problem was solved.
