route IF primary connection fails 1

[nelifecare]

OK. Here it goes. I'm writing this since I am still waiting from a vendor on this setup and want to see if anyone here can assist.

2 sites.

Each site's gateway is a 3560G.

Each site has as ASA for Internet

Site A has a 2811 with WIC-T1

Site B has a 1841 with WIC-T1

Site A and B are currently defaulted to use a VPN between the 2 for their primary connection. (Greater bandwidth)

Site A and B also are connected via the 1841 and 2811 with a private circuit. (Secondary)

What I would like to happen is IF the primary connection fails traffic is routed over the secondary connection automatically then faiback once the primary link is back up.

The vendor is playing around with IP SLA icmp-echo commands along with the track command.

This isn't working. Does anyone have any good examples of a similar setup that I may reference.

Thanks

 

[unclerico]

i cannot get to them from here due to non standard port for ftp. i'll have to wait until i get home tonight to take a look.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

OK.

Set to standard ftp port.

ftp://anonymous@71.173.77.129

Thanks

 

[unclerico]

i got 'em and am looking them over

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[unclerico]

i was able to glance at the configs and right off the top i see two things i would do:
1) on both ASA's remove the ospf neighbor configuration as well as remove the ospf traffic from your crypto acl.
2) add crypto map Outside_map 80 set reverse-route to site A ASA and crypto map outside_map 20 set reverse-route to site B ASA
3) when you add the 10.0.40/24 network into the OSPF process you can remove the static routes from each core switch using .2 as the next hop

i labbed this up in GNS3 and had it working without issue. here's a link to all of my config files and a topology:

http://www.box.net/shared/t9yfsbuqrr

i'll take a closer look at your configs later.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Nice! I'll check it out tonight and let you know.

Thanks again!

 

[nelifecare]

Works like a charm!

 

[unclerico]

good to hear. post back if you have other questions or issues.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Two more question...

Lets say my VPN is bouncing due to carrier/general internet issues and I want to change all traffic to traverse the PtP until the situation is stable.

I know I could shutdown either Site A or Site B ethernet's interface to the Internet BUT is there another easier option?

Is it possible to route some traffic over the VPN and everything else over the PtP?

Thanks,

Jeremy

 

[unclerico]

sure. are you familiar with policy-based routing (PBR)??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

I am not familiar with PBR but am reading up on it now.

Thanks again!