Solved

Cisco Router Object Tracking

Posted on 2006-07-08
Last Modified: 2008-01-09
Hi
I have configured a Cisco 1721 for reliable static routing using object tracking. The primary route is to a leased line connection on another router, and the secondary route is out through an ADSL interface card on the 1721.

When all the equipment is plugged in, the track table shows as up and the primary route is to the leased line router. After unplugging the leased line router the track table shows down and the default route points to the dialer interface - great! The problem that I am having is that after plugging the leased line router back in the default route will not change back and sticks as the dialer interface.

If I change the secondary route to another device and specify a next hop as opposed to the dialer interface, the primary route comes back fine.

Do you know what could be causing this problem?

Thanks
Question by:willwetherman
LVL 79

Expert Comment

by:lrmoore
Did you follow the guidelines here:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html
Where only the primary route is monitored and using a floating static default with higher metric?

0
 

Author Comment

by:willwetherman
I did yes. Here is a copy of my config

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Failover
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
no ip cef
no ip domain lookup
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600

ip sla monitor 1
 type echo protocol ipIcmpEcho (Removed)
 timeout 1000
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
!
!
track 123 rtr 1 reachability
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip redirects
 ip virtual-reassembly
 speed auto
!
interface Dialer0
 ip address (Removed)
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname (Removed)
 ppp chap password 0 (Removed)
!
ip local policy route-map MY_LOCAL_POLICY
ip route 0.0.0.0 0.0.0.0 192.168.1.101 track 123
ip route 0.0.0.0 0.0.0.0 Dialer0 254
no ip http server
no ip http secure-server
!
ip nat pool branch (Removed) netmask 255.255.255.248
ip nat inside source list 102 pool branch overload
!
!
access-list 101 permit icmp any host (Removed)
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map MY_LOCAL_POLICY permit 10
 match ip address 101
 set interface Null0
 set ip next-hop 192.168.1.101
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4

!
end
0
 
LVL 79

Expert Comment

by:lrmoore
I don't see a threshold setting under your sla monitor

ip sla monitor 1
 type echo protocol ipIcmpEcho (Removed)
 timeout 1000
 frequency 5
 threshold 2 <==



0
 

Author Comment

by:willwetherman
I did try that to start with and have since changed the config to try and get it to work. I will try it again tomorrow though and let you know. Thanks
0
 

Author Comment

by:willwetherman
No, this didn't work. I did notice that I can ping the tracked IP address before I unplug the main router; when unplugged, the track is down and the default route points to 0.0.0.0 0.0.0.0 dialer0. When I plug the main router back in I can no longer ping the tracked IP address. If I remove the local policy statement and then put it back in and remove 'ip route 0.0.0.0 0.0.0.0 dialer 0 254' it will start working again. I have double checked the route-map to ensure that the next hop is pointing to the main router.

Any more Ideas? Thanks
0
 

Author Comment

by:willwetherman
Just looked again and all I have to do is delete 'ip route 0.0.0.0 0.0.0.0 dialer 0 254' for the track and primary route to come back up.
0
 
LVL 79

Expert Comment

by:lrmoore
How long do you wait? It might take a couple of minutes which can seem like a very long time in Internet time where we expect stuff to happen almost instantaneously.
Else I would open a TAC case and get Cisco on the hook to help out. I just don't see anything else at all...
0
 

Author Comment

by:willwetherman
I have stripped down my config and it seems as if the problem could be with the route map.

Interface fa0
ip address 192.168.1.1 255.255.255.0

ip local policy route-map MY_LOCAL_POLICY

access-list 101 permit icmp any host 82.0.0.1

route-map MY_LOCAL_POLICY permit 10
match ip address 101
set interface null0
set ip next-hop 192.168.1.101

If I enter the above basic config I can ping 82.0.0.1 without any problems. If I add a default route of 'ip route 0.0.0.0 0.0.0.0 192.168.1.110' I can still ping 82.0.0.1.

If I delete the above default route and add 'ip route 0.0.0.0 0.0.0.0 dialer0' I can no longer ping 82.0.0.1.

Is this expected behavior?

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
What the route-map is doing is making sure that the ping to the host identified in the sla monitor configuration only goes out the designated interface and all other traffic takes the proper route. The whole idea is that only if the primary route is available will you be able to ping that host.
If dialer0 is the preferred default route then the route-map will prevent icmp to that host from going out that way. It wouldn't do any good if you could ping that host no matter which way is the default route.

You might be able to refine acl 101:
 access-list 101 permit icmp host 192.168.1.1 host 82.0.0.1
This acl uses the router's own interface IP as the source and will not affect any other hosts' icmp traffic.
One issue may be the next hop router @.101.
This router looks like a 'router on a stick' so to speak.
If this is the LAN default gateway and it redirects hosts to another router on the same LAN, then it's not really routing but rather sending those hosts icmp redirects to use the other gateway. It's just not quite the same.
0
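A small lint for the design described in the accepted answer, as an added example that is not part of the original thread: it checks that the tracked default, the floating backup and the local policy route-map that pins the SLA probe agree with each other, and flags the "any" source in ACL 101 that the answer suggests tightening. The function name lint and the sample config (assembled from the configs posted above) are constructed for illustration.

```python
import re
# Constructed sample assembled from the configs posted in this thread (added example).
SAMPLE = """\
ip sla monitor 1
 type echo protocol ipIcmpEcho 82.0.0.1
track 123 rtr 1 reachability
ip local policy route-map MY_LOCAL_POLICY
ip route 0.0.0.0 0.0.0.0 192.168.1.101 track 123
ip route 0.0.0.0 0.0.0.0 Dialer0 254
access-list 101 permit icmp any host 82.0.0.1
route-map MY_LOCAL_POLICY permit 10
 match ip address 101
 set interface Null0
 set ip next-hop 192.168.1.101
"""

def lint(config):
    """Return a list of findings about the tracked-default-route design."""
    probe = re.search(r"ipIcmpEcho (\S+)", config)
    track = re.search(r"^track (\d+) rtr \d+ reachability", config, re.M)
    if not (probe and track):
        return ["no ICMP echo probe bound to a track object"]
    target, tid, out = probe.group(1), track.group(1), []
    primary, backup_ok = None, False
    for hop, rest in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(.*)$", config, re.M):
        if re.search(rf"\btrack {tid}\b", rest):
            primary = hop
        elif (m := re.match(r"\s*(\d+)", rest)) and int(m.group(1)) > 1:
            backup_ok = True
    if primary is None:
        out.append("no default route is tied to the track object")
    if not backup_ok:
        out.append("backup default has no higher administrative distance")
    # Probes must be pinned to the primary path, or they follow the active default.
    rmap = re.search(r"^ip local policy route-map (\S+)", config, re.M)
    body = re.search(rf"^route-map {re.escape(rmap.group(1))} permit \d+\n((?: .*\n?)+)",
                     config, re.M) if rmap else None
    acl = re.search(r"match ip address (\d+)", body.group(1)) if body else None
    nh = re.search(r"set ip next-hop (\S+)", body.group(1)) if body else None
    if not (acl and nh):
        out.append("probe traffic is not pinned by a local policy route-map")
        return out
    if nh.group(1) != primary:
        out.append("route-map next hop differs from the tracked default's next hop")
    for src in re.findall(rf"^access-list {acl.group(1)} permit icmp (any|host \S+) host "
                          rf"{re.escape(target)}", config, re.M):
        if src == "any":
            out.append("ACL matches ICMP from any source; use the router's own address")
    return out
```

Running lint(SAMPLE) reports only the broad ACL source; swapping in the refined ACL line from the answer clears it.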
 

Author Comment

by:willwetherman
I understand that I don't want the ICMP packets generated by the router to go out any other interface other than to the next hop 192.168.1.101. What I was saying is that the pings stop even though the route specified in the route-map is still up.

I have just set up a lab where a PC is 82.0.0.1 with ethereal installed. With the basic config above I am receiving packets but as soon as I add the default route to the dialer interface they stop??

I think I am getting myself confused now but it's kinda trying to simulate the situation that when the track goes down and the dialer interface becomes the primary route, that ICMP packets from the router completely stop to the next hop of 192.168.1.101 even though it is still up. It's like it takes over as the default route for everything on the router.

I think the only workaround to doing this is to install a basic ADSL modem with an IP address within the 192.168.1.0 subnet and use that as the backup route.

Thanks for your help. Definitely got me pulling my hair out :)
0
