Internet Failover via MPLS Cisco 2800

Adam Hudson
Level 1

Currently I'm looking for a way to failover our internet connection from one site to another site over our MPLS line, should that internet connection go down.

My layout: Internet > Cable internet modem (Site B) > ASA 5510 (Site B) > 2821 Router (Site B) > MPLS Line > 2821 Router (Site A) > ASA5510 (Site A) > ISP provider internet router (Site A) > Internet

Facts:

Site B is the one with the internet issues.

The MPLS line is routed using BGP.

I think I'm on the right track with these posts:

https://supportforums.cisco.com/thread/2106249

http://brain.pobudz.net/?p=65

But there's not enough for me to go on. Any config help is appreciated.

Thanks in advance.

46 Replies

John Blakley
VIP Alumni

Adam,

How are you getting your default route now for site B? One way to do this is to create another default route on site B's router and then point that to the MPLS site. You'd create nat statements on both ASAs for site B and then you should be good.

Do you have a static route pointing to your Cable ISP provider? If so, you can track that and then put the other route in the table should the ISP go down.

On site B's router put in:

! Values in <angle brackets> are placeholders for the addresses the post omitted
ip sla monitor 1
 type echo protocol ipIcmpEcho <ISP-gateway-address>
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
! Primary default (AD 1) stays in the table only while track 1 is up
ip route 0.0.0.0 0.0.0.0 <ISP-facing-next-hop> track 1
! Floating static (AD 254) takes over when the tracked route is withdrawn
ip route 0.0.0.0 0.0.0.0 <MPLS-next-hop> 254

If you're running BGP between site B and site A, you won't need to do anything with BGP. Floating statics are all you really need.

HTH,

John

HTH, John *** Please rate all useful posts ***

The default route for site B is to our firewall, but we do have static IPs from our cable ISP. Here's a rough mock up config, with some questions:

! Values in <angle brackets> are placeholders for the addresses the post omitted
ip sla 1
 icmp-echo <ISP-gateway-address>
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 20
!
ip route 0.0.0.0 0.0.0.0 <ISP-facing-next-hop> track 1   (does this work because the address the track command is attached to isn't the icmp-echo address?)
ip route 0.0.0.0 0.0.0.0 <MPLS-next-hop> 200   (is this right?)

I kind of cobbled that together from several sites. That looks similar to your config, John.

The track command on the static route basically states "keep this route in the table as long as the reachability to it is valid." Then on the track command you're monitoring the sla. If the sla fails, reachability goes down for the track command and your static is taken out of the routing table. Then your floating static comes into play.

If your sla is trying to ping the ISP's router and that fails, your route will still fail because you're depending on the sla to succeed. So, it's ok that your router is behind the firewall because this should still work.

HTH,

John


Here's the final config:

! Values in <angle brackets> are placeholders for the addresses the post omitted
ip sla monitor 1
 type echo protocol ipIcmpEcho <ISP-gateway-address>
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 <ISP-facing-next-hop> track 1
ip route 0.0.0.0 0.0.0.0 <MPLS-next-hop> 254

For the problem child, I've tried Site A's router's MPLS interface, its inside router interface, and Site A's default gateway. No luck. A traceroute from site B shows it's not making the hop over the MPLS, even though the MPLS line is fully functional besides this.

What am I missing? Is there something I need to put in Router A's config? Note: pings over MPLS to all of the problem child interfaces I tried come back good, so Router B can see them just fine. Note: the failover portion works fine in that it is trying to direct traffic over the MPLS; there's just the problem child situation to deal with.

Any help is very much appreciated as this site is cut off from the internet besides RDP right now.

Thanks in advance.

Hello Adam,

I have noticed the following line in your initial post:

>> The MPLS line is routed using BGP.

If this is an MPLS L3 VPN service, then in order to use the MPLS link as an alternate internet access you need to advertise a default route over BGP from the site that will provide internet access to the other one.

This is because, if it is an MPLS L3 VPN, you are peering at each site with SP routers, and you need to make them aware that a default route is available so that it is propagated to the other site.

So instead of configuring static routes on one site pointing to the other one, you may need to advertise the default route over BGP from the other site.

Hope to help

Giuseppe

Can I get IP SLA to failover to this advertised BGP route or do I need to start from scratch since I'm using BGP?

Looks like this might be along the lines of what I'm looking for:

https://supportforums.cisco.com/thread/2006404

Investigating giving "weight" to bgp routes right now...

Hello Adam,

If the idea is to have a backup internet access via the MPLS cloud, you can keep the part relating to the main default static route, so that it is tracked with an IP SLA. But you need to advertise network 0.0.0.0/0 in BGP from the other router to the MPLS cloud, over the existing eBGP session, to provide the secondary default route over eBGP.

Hope to help

Giuseppe

Having backup internet access via the MPLS cloud is exactly what I'm trying to do. So do I keep my IP SLA config the same and just advertise a default route via BGP, or is there something else I need to change? I don't understand BGP too well, but I'm thinking I'll have, say, some way in my advertisement to say that this is a backup default route. Currently researching that angle...

Hello Adam,

Because of the presence of the ASA boxes you will need almost all of what you have discussed with John, and you need to add specific commands for having the default route propagated.

One of the simplest ways is to use

! <AS-number> is a placeholder for the local BGP AS the post omitted
router bgp <AS-number>
 network 0.0.0.0

to have the CE MPLS router to advertise a default route to the eBGP neighbor. This has to be done on the site that will provide the internet access to the other site.

At the remote end you have to verify that you are receiving the default route over eBGP using

show ip bgp 0.0.0.0

If there are no route filters, the route should be propagated to the remote MPLS router.

eBGP has AD = 20 > 1, the AD of the main static default route.

On that node the main default route will be provided by the tracked static route and will point to the local ASA; the backup route will be provided by eBGP.

As John has said, on the ASA of the site providing the internet access you will need additional NAT statements to accommodate the IP subnets of the other site, and also some additional static routes for the other site's IP subnets to provide a return path from the internet.

Hope to help

Giuseppe

All of this has helped immensely, I think I'm almost there. With my NATting, all I did was add the following line to Site A's firewall:

nat (inside) 1 <site-B-subnet> <site-B-mask>   (values in <angle brackets> are placeholders for the subnet the post omitted)

The connection isn't consistent, but it looks to be enough to do some surfing. Does this NATting look right?

Adam,

The natting looks correct, but you also need to make sure that you have a route on your ASA for that subnet pointing back to the router that you have at Site A. If everything is right, you should be able to ping your siteB internal addresses from the ASA at site A.

John

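Pulling together John's tracked static default and Giuseppe's eBGP default, here is an added end-to-end example; it is not a config from this thread or from Cisco, and every address and AS number in it is an assumed placeholder (172.11.10.0/24 is site B's LAN as in John's later post, 203.0.113.1 stands in for the cable ISP gateway, 192.168.2.2 and 192.168.1.2 for the ASA inside interfaces at sites B and A, 192.168.1.1 for router A's ASA-facing interface, and 65000-65002 for the provider and site AS numbers). Site B keeps a tracked static default toward its own ASA, site A originates 0.0.0.0/0 into eBGP with `network 0.0.0.0`, and site A's ASA (8.2-style syntax, as used in the thread) NATs and routes site B's subnet.

```cisco
! ===== Site B 2821 (CE, eBGP to the MPLS provider) =====
! Probe the cable ISP gateway (203.0.113.1, placeholder) through ASA B rather
! than ASA B itself, so the track only stays up while the internet path works.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 20
!
! Primary default: AD 1, present only while track 1 is up.
! 192.168.2.2 (placeholder) is ASA B's inside interface.
ip route 0.0.0.0 0.0.0.0 192.168.2.2 track 1
!
! No floating static is needed here: once the tracked route is withdrawn,
! the 0.0.0.0/0 learned from the provider via eBGP (AD 20) becomes the default.
router bgp 65002
 neighbor 172.12.0.2 remote-as 65000
 network 172.11.10.0 mask 255.255.255.0
!
! ===== Site A 2821 (CE that provides the backup internet path) =====
! A default must exist in the RIB for "network 0.0.0.0" to inject it into BGP.
! 192.168.1.2 (placeholder) is ASA A's inside interface.
ip route 0.0.0.0 0.0.0.0 192.168.1.2
router bgp 65001
 neighbor 172.13.0.2 remote-as 65000
 network 0.0.0.0
!
! ===== Site A ASA 5510 (8.2-style NAT syntax) =====
! Translate site B's LAN on the way out and route return traffic to router A.
nat (inside) 1 172.11.10.0 255.255.255.0
global (outside) 1 interface
route inside 172.11.10.0 255.255.255.0 192.168.1.1
```

Verify on router B with `show track 1`, `show ip bgp 0.0.0.0` (the provider may filter a default inside an L3 VPN, so confirm it actually arrives) and `show ip route 0.0.0.0`, which should switch from the static entry at distance 1 to the BGP entry at distance 20 when the probe fails.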

I apologize for my ignorance on the topic, but I cannot find in my router config where it defines what networks are being let back in. Any help, again, is greatly appreciated.

This would be in your routing table. On your router A, do a "show ip route ". You should get back something if you're advertising these networks from router B.

Suppose I was on router A and was interested in seeing my internal subnet at site B:

My internal subnet is 172.11.10.0/24, so on router A I would type "sh ip route 172.11.10.0/24"

Routing entry for 172.11.10.0/24
  Known via "bgp 2", distance 20, metric 0
  Tag 1, type external
  Last update from 172.12.0.1 12:17:59 ago
  Routing Descriptor Blocks:
  * 172.12.0.1, from 172.12.0.1, 12:17:59 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 1

On this router, I show I learned it from 172.12.0.1 (site B's IP address) and my next hop to get to 172.11.10.0/24 is 172.12.0.1.

If your site A router has site B's internal address, then you'll need to add a route on the ASA so that traffic to site B goes to router A:

ASA(config)# route inside 172.11.10.0 255.255.255.0 192.168.1.1

I'm assuming that router A's interface that connects to the ASA is 192.168.1.1 and the ASA is addressed at 192.168.1.2 (just a huge assumption).

Then when your natted traffic comes back in, the ASA will send to 192.168.1.1 for 172.11.10.0 and router A will send to 172.12.0.1 to get to the 172.11.10.0/24.

Oh, and to see what addresses bgp knows on any of your routers, you can do a "sho ip bgp". The *> means that the route is selected and put in the routing table. * means valid and > means the best route. By default, BGP will only put 1 route in the routing table even if you have multiple destinations out.

John
