11-20-2020 07:55 AM
Hi All,
I have just been looking into redundant VPNs between ASA & IOS, which has been successful with the exception of being able to get the floating static route to work correctly.
The setup is an ASA at the head end with a single IP/ISP, but at the far end I have an 887 router with 2 ISP connections.
ISP 1 (ADSL) is connected to Di1 (6.6.6.6).
ISP 2 is another ADSL (7.7.7.7) connected to a BT Business Hub which has 5 IPs; one of these is provided to SVI 62 on the same 887 router.
ISP 2 is the primary link, and IP SLA is used to track reachability over this link to a public address at the far end.
The problem is that when both ISP 1 & 2 are up all works fine, with traffic going over ISP 2, which is the primary. When I shut down int vlan 62, or there is a break in the path across ISP 2, the tracked default route is pulled from the routing table correctly and we fail over to ISP 1. The problem is that if ISP 1 is down and ISP 2 comes back up, the tracked default route for ISP 2 does not get added back to the routing table, and the only thing I can reach is the ISP 2 router, which is the next hop. If ISP 1 comes back up, the tracked default route gets populated into the routing table and tunnel 2 comes back up and is used again as the primary. It's almost like Di1/ISP 2 has to be up to route any traffic?
Here is the configuration:
interface Dialer1
 description External IP:
 ip address negotiated
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1380
 dialer pool 1
 dialer-group 1
 no cdp enable
 hold-queue 224 in
!
interface Vlan62
 description 4G Assure
 ip address 7.7.7.7 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1380
 hold-queue 224 in
!
RTR#sh run | s ip sla
track 1 ip sla 1 reachability
ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8 source-ip 7.7.7.7
 threshold 2000
 timeout 2000
 frequency 2
ip sla schedule 1 life forever start-time now
!
RTR#sh run | s ip route
ip route 0.0.0.0 0.0.0.0 Vlan62 7.7.7.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10
Test_ADSL_VPN_RTR#sh run | s track
!
track 1 ip sla 1 reachability
!
Example of both ISPs being up:
S* 0.0.0.0/0 is directly connected, Vlan62
RTR#sh ip sla sum
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
ID Type Destination Stats Return Last
(ms) Code Run
-----------------------------------------------------------------------
*1 icmp-echo 8.8.8.8 RTT=19 OK 0 seconds ago
=================================================================
Shut down the primary link to simulate a failure of ISP 2, which works correctly:
RTR(config)#int vlan 62
RTR(config-if)#shut
RTR(config-if)#
*Nov 20 15:34:37.356: %LINK-5-CHANGED: Interface Vlan62, changed state to administratively down
*Nov 20 15:34:38.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan62, changed state to down
RTR(config-if)#
*Nov 20 15:34:39.079: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
RTR(config-if)#
*Nov 20 15:34:39.551: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
RTR(config-if)#
*Nov 20 15:34:42.491: %BGP-5-ADJCHANGE: neighbor 15.0.0.1 Up
RTR(config-if)#
*Nov 20 15:34:49.523: %BGP-3-NOTIFICATION: sent to neighbor 15.0.0.5 4/0 (hold time expired) 0 bytes
RTR(config-if)#
*Nov 20 15:34:49.527: %BGP-5-NBR_RESET: Neighbor 15.0.0.5 reset (BGP Notification sent)
*Nov 20 15:34:49.527: %BGP-5-ADJCHANGE: neighbor 15.0.0.5 Down BGP Notification sent
*Nov 20 15:34:49.527: %BGP_SESSION-5-ADJCHANGE: neighbor 15.0.0.5 IPv4 Unicast topology base removed from session BGP Notification sent
RTR(config-if)#end
RTR#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1
RTR#sh ip sla sum
------------------------------------------------------
*1 icmp-echo 8.8.8.8 - Timeout 4 seconds ago
===============================================
ISP 2 comes back online, which also works OK:
RTR(config)#int vlan 62
RTR(config-if)#shut
RTR(config-if)#no shut
RTR(config-if)#
*Nov 20 15:37:17.385: %LINK-3-UPDOWN: Interface Vlan62, changed state to up
*Nov 20 15:37:18.384: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan62, changed state to up
Test_ADSL_VPN_RTR(config-if)#
*Nov 20 15:37:24.068: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
Test_ADSL_VPN_RTR(config-if)#
*Nov 20 15:37:38.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
Test_ADSL_VPN_RTR(config-if)#
*Nov 20 15:37:40.923: %BGP-3-NOTIFICATION: received from neighbor 15.0.0.1 4/0 (hold time expired) 84 bytes 00000000 00000000 00000000 00000000 00
Test_ADSL_VPN_RTR(config-if)#
*Nov 20 15:37:40.923: %BGP-5-NBR_RESET: Neighbor 15.0.0.1 reset (BGP Notification received)
*Nov 20 15:37:40.927: %BGP-5-ADJCHANGE: neighbor 15.0.0.1 Down BGP Notification received
*Nov 20 15:37:40.927: %BGP_SESSION-5-ADJCHANGE: neighbor 15.0.0.1 IPv4 Unicast topology base removed from session BGP Notification received
RTR(config-if)#
*Nov 20 15:37:47.822: %BGP-5-ADJCHANGE: neighbor 15.0.0.5 Up
RTR(config-if)#end
RTR#sh ip
*Nov 20 15:39:42.179: %SYS-5-CONFIG_I: Configured from console by console
RTR#sh ip route
Gateway of last resort is 7.7.7.1 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Vlan62
RTR#sh ip sla sum
--------------------------------------------------
*1 icmp-echo 8.8.8.8 RTT=20 OK 0 seconds ago
==================================================================
Now I shut down Di1 to simulate a failure of ISP 1 and then shut down Vlan 62 to simulate a failure of ISP 2 at the same time. If I then bring ISP 2 back online, the tracked IP 8.8.8.8 is not reachable and the default route for ISP 2 is not added to the routing table until ISP 1 is also back online, as the output below shows:
RTR(config)#int di1
RTR(config-if)#shut
RTR(config-if)#
*Nov 20 15:42:52.930: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Nov 20 15:42:52.930: Di1 DDR: dialer shutdown complete
*Nov 20 15:42:52.930: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Nov 20 15:42:52.934: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
RTR(config-if)#
*Nov 20 15:42:52.938: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
RTR(config-if)#
*Nov 20 15:42:54.929: %LINK-5-CHANGED: Interface Dialer1, changed state to administratively down
RTR(config)#int vlan 62
RTR(config-if)#shut
RTR(config-if)#
*Nov 20 15:43:16.552: %LINK-5-CHANGED: Interface Vlan62, changed state to administratively down
RTR(config-if)#
*Nov 20 15:43:17.552: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan62, changed state to down
RTR(config-if)#
*Nov 20 15:43:19.044: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
RTR(config-if)#
*Nov 20 15:43:19.520: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
RTR(config-if)#do sh ip route
*Nov 20 15:43:26.807: %BGP-3-NOTIFICATION: sent to neighbor 15.0.0.5 4/0 (hold time expired) 0 bytes
RTR(config-if)#do sh ip route
Gateway of last resort is not set
RTR(config-if)#do sh ip sla sum
--------------------------------------------------
*1 icmp-echo 8.8.8.8 - Timeout 4 seconds ago
RTR(config-if)#no shut
RTR(config-if)#
*Nov 20 15:43:52.301: %LINK-3-UPDOWN: Interface Vlan62, changed state to up
*Nov 20 15:43:53.301: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan62, changed state to up
RTR(config-if)#
RTR(config-if)#do sh ip route
Gateway of last resort is not set
RTR(config-if)#do sh ip sla sum
-----------------------------------------------------------------------
*1 icmp-echo 8.8.8.8 - Timeout 2 seconds ago
RTR(config-if)#int di1
RTR(config-if)#no shut
RTR(config-if)#
*Nov 20 15:44:24.483: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
RTR(config-if)#
*Nov 20 15:44:36.302: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Nov 20 15:44:36.306: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
RTR(config-if)#
*Nov 20 15:44:36.886: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Nov 20 15:44:37.222: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
RTR(config-if)#
*Nov 20 15:44:39.686: %BGP-5-ADJCHANGE: neighbor 15.0.0.1 Up
RTR(config-if)#
*Nov 20 15:44:44.038: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
RTR(config-if)#
*Nov 20 15:44:45.090: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
RTR(config-if)#
*Nov 20 15:44:48.886: %BGP-5-ADJCHANGE: neighbor 15.0.0.5 Up
RTR(config-if)#end
RTR#
*Nov 20 15:44:57.201: %SYS-5-CONFIG_I: Configured from console by console
RTR#
*Nov 20 15:45:05.484: %BGP-3-NOTIFICATION: received from neighbor 15.0.0.1 4/0 (hold time expired) 84 bytes 00000000 00000000 00000000 00000000 00
RTR#
*Nov 20 15:45:05.484: %BGP-5-NBR_RESET: Neighbor 15.0.0.1 reset (BGP Notification received)
*Nov 20 15:45:05.484: %BGP-5-ADJCHANGE: neighbor 15.0.0.1 Down BGP Notification received
*Nov 20 15:45:05.484: %BGP_SESSION-5-ADJCHANGE: neighbor 15.0.0.1 IPv4 Unicast topology base removed from session BGP Notification received
RTR#sh ip route
Gateway of last resort is 7.7.7.1 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Vlan62
RTR#sh ip sla sum
IPSLAs Latest Operation Summary
-----------------------------------------------------------------------
*1 icmp-echo 8.8.8.8 RTT=20 OK 1 second ago
Any help would be much appreciated.
11-20-2020 02:36 PM
Can I see the config of the tunnel?
11-20-2020 02:53 PM
Hi MHM,
Here are the tunnel configurations, with the public IP address of the ASA replaced with 8.8.8.8:
interface Tunnel1
 ip address 15.0.0.2 255.255.255.252
 ip tcp adjust-mss 1380
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 8.8.8.8
 tunnel protection ipsec profile IPSEC_PROFILE_BACKUP
end
RTR#sh run int tu2
Building configuration...
Current configuration : 213 bytes
!
interface Tunnel2
 ip address 15.0.0.6 255.255.255.252
 ip tcp adjust-mss 1380
 tunnel source Vlan62
 tunnel mode ipsec ipv4
 tunnel destination 8.8.8.8
 tunnel protection ipsec profile IPSEC_PROFILE
end
Thanks,
11-21-2020 12:06 AM - edited 11-21-2020 12:10 AM
Hello,
post the full running config (sh run) in one piece...
What if you add:
ip route 8.8.8.8 255.255.255.255 Vlan62 7.7.7.1
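As an added illustration (not part of the thread or of any Cisco output), a small Python model of how the tracked default, the floating static and the SLA probe depend on each other; it assumes the probe succeeds whenever any route to 8.8.8.8 exists, uses 1.1.1.1 only as an arbitrary non-local destination, and replays the third test above with and without the suggested host route.

```python
import ipaddress

# Constructed model of the 887's RIB/track 1 interaction (added example, not from the thread).
# Assumption: the icmp-echo succeeds whenever a route to its target is installed.
PROBE_TARGET = "8.8.8.8"                          # destination of ip sla 1
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
HOST = ipaddress.ip_network(PROBE_TARGET + "/32")


def installed_routes(vlan62_up, dialer1_up, track_up, host_route=False):
    """Routes present in the RIB as (prefix, egress interface, admin distance)."""
    routes = []
    if vlan62_up and track_up:                    # ip route 0/0 Vlan62 7.7.7.1 track 1
        routes.append((DEFAULT, "Vlan62", 1))
    if dialer1_up:                                # ip route 0/0 Dialer1 10 (floating)
        routes.append((DEFAULT, "Dialer1", 10))
    if host_route and vlan62_up:                  # ip route 8.8.8.8/32 Vlan62 7.7.7.1 (suggested fix)
        routes.append((HOST, "Vlan62", 1))
    return routes


def egress(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest AD wins. None means no route."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def step(track_up, vlan62_up, dialer1_up, host_route=False):
    """Re-evaluate track 1 from its previous state; return (track_up, default-route egress)."""
    for _ in range(2):  # the track result feeds back into the RIB, so settle twice
        routes = installed_routes(vlan62_up, dialer1_up, track_up, host_route)
        track_up = egress(routes, PROBE_TARGET) is not None
    routes = installed_routes(vlan62_up, dialer1_up, track_up, host_route)
    return track_up, egress(routes, "1.1.1.1")    # 1.1.1.1: any non-local destination


def scenario(host_route=False):
    """Replay the thread's third test: Di1 down, then Vlan62 down, then Vlan62 back up."""
    events = [("both up", True, True), ("di1 down", True, False),
              ("vlan62 down", False, False), ("vlan62 up", True, False)]
    track, log = True, []
    for name, v62, di1 in events:
        track, gw = step(track, v62, di1, host_route)
        log.append((name, track, gw))             # gw None == "Gateway of last resort is not set"
    return log
```

Without the host route, bringing Vlan62 back leaves the probe with no route at all, so track 1 can never return to Up on its own. The host route also pins the probe to Vlan62, so the track reflects ISP 2's path rather than whichever default route happens to be installed.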