
IP SLA FAILOVER OVER IPSEC VPN

johnlloyd_13
Level 9

hi all,

I've been trying to make this work for a few days now but can't seem to get IP SLA to work and route over the backup IPsec VPN tunnel.

Not sure if my EEM (not from me) is correct.

ip route 0.0.0.0 0.0.0.0 172.27.5.188 name Default track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 250 name Tunnel805
ip route 53.123.45.14 255.255.255.255 GigabitEthernet0/1 name Tunnel805
ip route 53.123.45.199 255.255.255.255 GigabitEthernet0/1 name Tunnel805


interface Loopback0
 ip address 172.29.208.2 255.255.255.255
 

interface Tunnel805
 ip vrf forwarding CUST1
 ip address 172.17.208.222 255.255.255.252
 tunnel source 172.29.208.2
 tunnel destination 53.123.45.19


interface Serial0/0/0   <<< LINK1/MAIN
 ip address 172.27.5.189 255.255.255.254


interface GigabitEthernet0/1   <<< LINK2
 ip address dhcp   <<< PUBLIC IP (SINGLE IP AS PER PLAN; EVEN W/ SHUT/NO SHUT)
 duplex full
 speed 100
 no cdp enable
 crypto map CMAP


ip sla 1
 icmp-echo 172.27.5.188 source-interface Serial0/0/0
 frequency 15
ip sla schedule 1 life forever start-time now

 

ip access-list extended TUNNEL805
 permit ip host 172.29.208.2 host 53.123.45.199


crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp key cisco address 53.123.45.14

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 53.123.45.14
 set transform-set TSET
 match address TUNNEL805


event manager applet LINK1_DOWN
 event track 1 state down
 action 1.0 syslog msg "Reply timed out; LINK1 is down"
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command "int g0/1"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
 action 7.0 syslog msg "Interface Gi0/1 Up"
event manager applet LINK1_UP
 event track 1 state up
 action 1.0 syslog msg "Ping received; LINK1 Link is up"
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command "int g0/1"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
 action 7.0 syslog msg "Interface Gi0/1 Down"

 

----

 

*Sep 29 07:41:41 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
*Sep 29 07:41:41.658 UTC: %HA_EM-6-LOG: LINK1_DOWN: Reply timed out; LINK1 Link is down


*Sep 29 07:57:53 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up
*Sep 29 07:57:53.106 UTC: %HA_EM-6-LOG: LINK1_UP: Ping received; LINK1 Link is up
*Sep 29 07:57:54.870 UTC: %HA_EM-6-LOG: LINK1_UP: Interface Gi0/1 Down

 

#sh track
Track 1
IP SLA 1 reachability
Reachability is Down
39 changes, last change 00:11:00
Delay up 60 secs, down 30 secs
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0
EEM applet LINK1_UP
EEM applet LINK1_DOWN

 

#show ip route track-table
ip route 0.0.0.0 0.0.0.0 172.27.5.188 name Default track 1 state is [down]

 

#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/1

<SNIP>

 

#sh ip ro vrf CUST1

Routing Table: CUST1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 172.27.5.190 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.27.5.190

<SNIP>

 

#ping vrf CUST1 172.17.208.221

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.208.221, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

#sh crypto is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
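As an added check on the syslog lines above (this is not part of the original post), this Python script parses the %TRACKING-5-STATE and %HA_EM-6-LOG messages, pairs each track transition with the applet that should react to it (LINK1_DOWN / LINK1_UP, the names from the EEM config above), and totals the time spent on the backup path; on this sample it also shows that no "Interface Gi0/1 Up" line follows the first transition. The sample log and the 30-second pairing window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the TRACKING / HA_EM syslog lines in the post.
SAMPLE_LOG = """\
*Sep 29 07:41:41 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
*Sep 29 07:41:41.658 UTC: %HA_EM-6-LOG: LINK1_DOWN: Reply timed out; LINK1 Link is down
*Sep 29 07:57:53 UTC: %TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up
*Sep 29 07:57:53.106 UTC: %HA_EM-6-LOG: LINK1_UP: Ping received; LINK1 Link is up
*Sep 29 07:57:54.870 UTC: %HA_EM-6-LOG: LINK1_UP: Interface Gi0/1 Down
"""

STAMP = r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)? \w+: "  # IOS timestamp, no year
TRACK_RE = re.compile(STAMP + r"%TRACKING-5-STATE: \d+ .*?(?:Up|Down)->(Up|Down)$")
EEM_RE = re.compile(STAMP + r"%HA_EM-6-LOG: (\w+): (.*)$")
FMT = "%b %d %H:%M:%S"  # year defaults to 1900; only deltas within a capture matter

def parse_events(text):
    """Return track transitions and EEM applet messages as dicts, in log order."""
    events = []
    for line in text.splitlines():
        if m := TRACK_RE.match(line):
            events.append({"kind": "track", "time": datetime.strptime(m[1], FMT), "to": m[2]})
        elif m := EEM_RE.match(line):
            events.append({"kind": "eem", "time": datetime.strptime(m[1], FMT),
                           "applet": m[2], "msg": m[3]})
    return events

def failover_report(text, applet_prefix="LINK1_", window=30):
    """Pair each track transition with the applet expected to react to it.
    LINK1_DOWN / LINK1_UP and their final "Interface Gi0/1 ..." syslog action are
    the applet names from the post; the 30 s 'window' is an assumption."""
    events = parse_events(text)
    eem = [e for e in events if e["kind"] == "eem"]
    report = {"transitions": [], "backup_seconds": 0.0}
    down_at = None
    for t in (e for e in events if e["kind"] == "track"):
        fired = [e for e in eem if e["applet"] == applet_prefix + t["to"].upper()
                 and 0 <= (e["time"] - t["time"]).total_seconds() <= window]
        report["transitions"].append({
            "time": t["time"].strftime("%H:%M:%S"), "to": t["to"], "applet_fired": bool(fired),
            "applet_completed": any(e["msg"].startswith("Interface") for e in fired)})
        if t["to"] == "Down":             # primary lost: traffic now on the backup path
            down_at = t["time"]
        elif down_at is not None:         # primary restored: accumulate time spent on backup
            report["backup_seconds"] += (t["time"] - down_at).total_seconds()
            down_at = None
    report["flaps"] = len(report["transitions"])
    return report
```

Feed it the output of show logging captured during a failover test; a transition whose applet never logs its closing "Interface Gi0/1 ..." message means the CLI actions did not complete, and a high flap count with short stretches on backup matches the instability that the change counter in show track already hints at.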

 

Richard Burts
Hall of Fame

John

 

I notice a couple of things in what you have posted.

- First I notice that while your configuration suggests that your default route should use the Serial interface, it is not for some reason, and your current default is using Gig0/1:

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/1

- Then I notice that the static routes that you configured using Gig0/1 just specify the interface and not a next hop. This is a potential problem since it can only work if the next hop supports proxy ARP, and if it does work then it makes the router work harder. I recognize that since the interface is set to learn its IP via DHCP, configuring routes is more of a challenge, but you might look for some alternatives. For example, even if your router interface address may change, it is likely that the upstream IP is stable and you might be able to use that in route statements. Also it is likely that the DHCP may advertise a default route that you might use.

- I did not look closely at the EEM but notice that it seems to be dependent on ping through the serial interface. If there is some issue with the serial interface (which would explain my point about which default route is being used) it could also explain issues with EEM.

 

HTH

 

Rick


hi rick,

should my static default route look like below?

ip route 0.0.0.0 0.0.0.0 dhcp 250 name Tunnel805

EEM and IP SLA look like they're working, as it shows the TRACKING and HA syslogs (I felt like they're redundant though). I remember my routing table changed and IP SLA kicked in as I was playing around with the static routes. I'm still finding a way to put it back though.

John

 

I believe that this is much better for the backup default route. Can you do something for these static routes?

ip route 53.123.45.14 255.255.255.255 GigabitEthernet0/1 name Tunnel805
ip route 53.123.45.199 255.255.255.255 GigabitEthernet0/1 name Tunnel805

 

I am still curious about the primary static route and the serial interface. Is that working? Do you see it in the output of show ip route? What do you get in show ip interface brief?

 

HTH

 

Rick


hi rick,

What change do you want me to do with the 2 static routes? I tried putting them as floating static routes with an AD of 250 and also put track 1 at the end, but nothing.

The primary route and serial interface are working fine. And yes, I can see it in the normal routing table. I'll try to lab this later and see how it goes.

John

 

I do not see any benefit in making those static routes floating. The real issue is that you have static routes that specify an Ethernet interface as the outbound interface without specifying any next hop information. As I tried to explain before, this depends on the next hop device supporting proxy ARP, and even if the next hop device does support proxy ARP it makes the router work harder. What I suggest is that you specify a next hop (show arp and look for the IP associated with Gig0/1 that is not your address) rather than just the outbound interface.

 

HTH

 

Rick


hi rick,

I managed to make the IPsec VPN work by forcing the route to hop via the dhcp IP.

ip route 53.123.45.14 255.255.255.255 dhcp

ip route 53.123.45.199 255.255.255.255 dhcp

I saw the ISP GW IP via show arp, but this might change in the future, so I stick with the dhcp keyword.

#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
53.123.45.14   126.75.357.91   QM_IDLE           1001 ACTIVE

John

 

Thanks for posting back and letting us know that you got it to work and how you worked out the static routes. I agree that if it works with the dhcp parameter then it is better than discovering the provider IP address and using that. I have used the dhcp parameter with default routes before but not with network/subnet routes. So I learned something from this :)  And thanks for the rating.

 

HTH

 

Rick
