route IF primary connection fails 1

[nelifecare]

OK. Here it goes. I'm writing this since I am still waiting from a vendor on this setup and want to see if anyone here can assist.

2 sites.

Each site's gateway is a 3560G.

Each site has as ASA for Internet

Site A has a 2811 with WIC-T1

Site B has a 1841 with WIC-T1

Site A and B are currently defaulted to use a VPN between the 2 for their primary connection. (Greater bandwidth)

Site A and B also are connected via the 1841 and 2811 with a private circuit. (Secondary)

What I would like to happen is IF the primary connection fails traffic is routed over the secondary connection automatically then faiback once the primary link is back up.

The vendor is playing around with IP SLA icmp-echo commands along with the track command.

This isn't working. Does anyone have any good examples of a similar setup that I may reference.

Thanks

 

[nelifecare]

I'm a bit confused. Site A and Site B primarily communicate over a VPN. I also have a PtP from Site A to Site B.

Currently I don't see any configuration taking this into account.

 

[unclerico]

If you look at the SiteA and SiteB snippets you'll see that each have a tracked static route configured to route over the VPN as primary. The PtP circuits are directly connected so if you do a show ip route you'll see them listed; however, you won't see the LAN segment in SiteB using the PtP for the next hop in SwitchA and you won't see the LAN segment in SiteA using the PtP for the next hop in SwitchB. If the VPN tunnel were to come down due to an interface failure on either side the static route will be removed from each routing table and the OSPF route will be added to use the PtP link to reach each LAN segment.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

OK. Does this change since the PtP are not directly connected to the Switch for either site? Will each sites router update the routing tables when the VPN fails?

 

[unclerico]

i apologize, they will be directly connected at your CE devices not at your core switches. as long as you have OSPF running across all of your PtP circuits and into your core then, yes, it will work flawlessly.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

OK. As soon as add in OSPF info on my routers, the PtP takes over.

router ospf 100
network 10.0.40.0 0.0.0.255 area 0

10.0.40.0 is Site A to Site B PtP subnet.

Is there an ospf cost I need to add?

 

[unclerico]

do you have the static routes in??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Yes.

Site A:

ip route 192.168.40.0 255.255.255.0 192.168.1.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.11
ip route 172.16.20.0 255.255.255.0 10.0.20.2
ip route 172.16.30.0 255.255.255.0 10.0.30.2
ip route 192.168.2.0 255.255.255.0 192.168.1.11
ip route 192.168.40.0 255.255.255.0 192.168.1.2 254
ip route 192.168.60.0 255.255.255.0 192.168.1.11
ip route 192.168.70.0 255.255.255.0 192.168.1.11
ip route 192.168.80.0 255.255.255.0 192.168.1.11


Site B:

ip route 192.168.1.0 255.255.255.0 192.168.40.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.40.11
ip route 192.168.1.0 255.255.255.0 192.168.40.2 254

 

[unclerico]

ok, post the output from sh ip sla monitor operational-state from both devices

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Seems like one side is up and the other is not.

Site A:

Round Trip Time (RTT) for Index 1
Latest RTT: 50 ms
Latest operation start time: 13:14:22.032 EST Thu Jan 21 2010
Latest operation return code: OK
Number of successes: 946
Number of failures: 0
Operation time to live: Forever


Site B:

Round Trip Time (RTT) for Index 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 13:12:53.378 EST Thu Jan 21 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 935
Operation time to live: Forever

 

[nelifecare]

Forget my previous posts. I found an issue that was causing the SLA to be down.

 

[unclerico]

so now you should be routing back over the L2L VPN correct??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Unfortunately I have to make these changes at night and not during the day time.

I will let you know what happens this evening.

Thanks for all you assistance, by the way.

 

[nelifecare]

OK. Now that the SLAs are working, communicating, when I add the PtP subnet to my router's OSPF, the VPN goes down and the PtP is down.

I did see OSPF updates when I added the below network on all devices BUT no traffic would pass.

router ospf 100
network 10.0.40.0 0.0.0.255 area 0

10.0.40.0 is Site A to Site B PtP subnet.


Any ideas?

 

[unclerico]

post the configs of the two routers and the core switches from site A and B. i'd also like to see the output of sh ip route from both routers when you have everything configured.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Update...

I've figured out what's going on BUT I'm not sure how to fix.

The SLA between the Switch A and Switch B is working when the VPN link is up and my router at Switch A isn't advertising the PtP network, 10.0.40.0 0.0.0.255 area 0.

When I add the 10.0.40.0 0.0.0.255 area 0 to the router at Site A, no one can get to Site B because the Default Gateway @ Site A has a static entry to Site B over the VPN but the router and firewall have OSPF routes to route over the PtP which is causing packets to drop.

If I add the 10.0.40.0 0.0.0.255 area 0 network to my router AND shut down the ethernet interface for one of my VPNs, all traffic routes correctly over the PtP.

So, How do I tell my router and firewall on each side to route traffic over the VPN when it's up BUT to route traffic over the PtP?

Make sense?

 

[unclerico]

i need to see scrubbed configs from each device at both site A and B:
- Firewall
- Core switch
- WAN router

upload them as .txt files if you can

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

I really appreciate the time you've spent on this.

 

[unclerico]

do you have an account at box.net or something similar where you can upload them??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

You can pickup all configs here: ftp://anonymous@71.173.77.129
:2121

Let me know if you are able to download them.

Again, much appreciated.

 

[nelifecare]

Try this link instead ftp://anonymous@71.173.77.129:2121