Solved

Router gets hung up when switching back over from backup connection - Cisco

Posted on 2008-10-02
Last Modified: 2012-05-05
Here is the deal: we have a remote site that has a full T1 running BGP from our T1 provider (Verizon) as a primary connection back to our headquarters, and a cable connection with a VPN back to our headquarters as a backup connection.

The backup works fine, but not the switch back over when the T1 comes back up.

We run the default BGP cost on the T1 routes. When they are lost, we have higher-cost routes that then take over. Once the BGP routes come back into the routing table, most traffic switches over; however, sometimes we have to bounce the interface that is connected to the cable modem to stop the backup connection from working, and then finally all routes go back to using the BGP routes.

Thanks for any help, I will post the config below.

Richie
Question by:rtrice81

Expert Comment

by:lrmoore
ID: 22629886
Waiting on your config..

Author Comment

by:rtrice81
ID: 22630263
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.10.02 21:11:50 =~=~=~=~=~=~=~=~=~=~=~=

MO#show run
Building configuration...



Current configuration : 8557 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MO
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip tcp synwait-time 10
ip telnet source-interface GigabitEthernet0/0
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup

ip name-server 10.5.0.191

!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2381424600
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2381424600
 revocation-check none
 rsakeypair TP-self-signed-2381424600
!
!
crypto pki certificate chain TP-self-signed-2381424600
 certificate self-signed 01
  quit
!
!
username admin privilege 15 secret 5 $1$dbQ/$/CRI1Op8S0WC4P7ih6/mi.
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ITSPASSWORD address XX.XXX.XX.XXX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
dlsw local-peer peer-id 10.255.85.1
dlsw remote-peer 0 tcp 10.255.0.252
!
!
!
interface Loopback0
 ip address 10.255.85.1 255.255.255.255
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.0.55 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 192.168.0.1 65.162.26.248
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.0.1
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel destination 65.162.26.248
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface GigabitEthernet0/0
 description Connection to LAN
 ip address 10.86.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 192.168.1.55 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 ip access-group damascus in
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 ip route-cache flow
!
interface Serial0/0/0.100 point-to-point
 
 ip address XX.XX.XX.XX subnet here
 no ip proxy-arp
 frame-relay interface-dlci 100 IETF  
!
interface Serial0/2/0
 mtu 1600
 no ip address
 encapsulation sdlc
 half-duplex
 no keepalive
 clock rate 9600
 sdlc role primary
 sdlc vmac 4000.7000.7300
 sdlc address C2
 sdlc xid C2 017154C2
 sdlc partner 4000.1703.2354 C2
 sdlc dlsw default
!
interface Serial0/2/1
 no ip address
 shutdown
 clock rate 125000
!
interface Async0/1/0
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation slip
 ip route-cache flow
!
router eigrp 100
 redistribute connected
 network 10.86.0.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor XX.XXX.XX.X remote-as 65000
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
ip route 65.162.26.248 255.255.255.255 192.168.1.1
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip access-list extended damascus
 permit ip 10.6.0.0 0.0.255.255 any
 permit ip 10.5.0.0 0.0.255.255 any
 permit ip 10.4.0.0 0.0.255.255 any
 permit ip host 10.255.0.253 any
 permit ip 10.86.0.0 0.0.255.255 any
 permit ip 10.146.0.0 0.0.255.255 any
 permit ip 10.90.0.0 0.0.255.255 any
 permit ip 10.88.0.0 0.0.255.255 any
 permit ip 10.140.0.0 0.0.255.255 any
 permit ip host 10.45.105.1 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 permit ip any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.86.0.0 0.0.0.255

!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^CC
 ***************************************************************************
 *                        DELMARVA DATA CTR NETWORK                        *
 * WARNING:                                                                *
 *          THIS SYSTEM IS FOR THE USE OF AUTHORIZED CLIENTS ONLY!         *
 *          INDIVIDUALS USING THE COMPUTER NETWORK SYSTEM WITHOUT          *
 *          AUTHORIZATION, OR IN EXCESS OF THEIR AUTHORIZATION, ARE        *
 *          SUBJECT TO HAVING ALL THEIR ACTIVITY ON THIS COMPUTER          *
 *          NETWORK SYSTEM MONITORED AND RECORDED BY SYSTEM                *
 *          PERSONNEL.   TO PROTECT THE COMPUTER NETWORK SYSTEM            *
 *          FROM UNAUTHORIZED USE AND TO ENSURE THE COMPUTER NETWORK       *
 *          SYSTEMS IS FUNCTIONING PROPERLY, SYSTEM ADMINISTRATORS         *
 *          MONITOR THIS SYSTEM.   ANYONE USING THIS COMPUTER NETWORK      *
 *          SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING AND IS ADVISED    *
 *          THAT IF SUCH MONITORING REVEALS POSSIBLE CONDUCT OF            *
 *          CRIMINAL ACTIVITY, SYSTEM PERSONNEL MAY PROVIDE THE            *
 *          EVIDENCE OF SUCH ACTIVITY TO LAW ENFORCEMENT OFFICERS.         *
 *                                                                         *
 *          ACCESS IS RESTRICTED TO AUTHORIZED USERS ONLY!                 *
 *          UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,       *
 *          CIVIL AND CRIMINAL LAWS.                                       *
 ***************************************************************************
^C
banner motd ^CC
****************************************************************************
*                                 WARNING!!                                *
*                                                                          *
*  STATE AND FEDERAL STATUTES MAKE IT A CRIME TO GAIN UNAUTHORIZED ACCESS  *
*  INTO THIS SYSTEM. VIOLATORS WILL BE PROSECUTED. SYSTEM USE IS FOR       *
*  AUTHORIZED BUSINESS PURPOSES ONLY.                                      *
****************************************************************************
^C
!
line con 0
 login local
line aux 0
line 0/1/0
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.0.6.101 source GigabitEthernet0/0 prefer
!
end

# exit

Accepted Solution

by:
Pugglewuggle earned 250 total points
ID: 22631137
Hi Richie,
Usually this is used in a failover environment between two devices in either an A/A or A/S failover configuration, or with HSRP (Hot Standby Router Protocol), so I don't know if it will work for your exact situation (although it IS what is used on ASA firewalls that aren't in failover mode to make a backup interface come to life and then go back to normal when the other comes back online).
You need to track the interfaces on the router for failover with the track command.
I know this document has nothing to do with the 2800 series (it's related to the 880 series - still current generation) but you might be able to get a bit of insight as to how this should be accomplished since both the 880 and 2821 run the same IOS 12.4 software and should have for the most part the same commands.
Regardless of whether that document helps, if you want a backup interface on a router, you need some form of interface tracking, as I mentioned.
I'll keep searching...
Let me know if this helps! :)

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 22635037
You're doing BGP over the Serial and EIGRP over the Tunnel?
Is your main site advertising a default through BGP?
BGP learned routes should have a lower cost (20) than EIGRP (90) and it should be almost instant.
I've never seen an encrypted tunnel going through a natted interface.

interface Serial0/0/0
 no ip address
 ip access-group damascus in <==

I don't see BGP being allowed from your neighbor X.X.X.X in the damascus ACL, unless it is one of those IPs that you mask one place and not in the other just to confuse us.


0
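The ACL question raised in the answer above depends on which source address the masked BGP neighbor really has. As an added example (not code from the thread), this Python script evaluates the posted damascus ACL with IOS first-match and wildcard-mask semantics. The addresses used to exercise it are constructed placeholders, because the real neighbor address is masked on the page.

```python
import ipaddress

# The "damascus" ACL as posted in the thread. Every entry is
# "ip <source> any", so only the source address decides the match.
DAMASCUS = """\
permit ip 10.6.0.0 0.0.255.255 any
permit ip 10.5.0.0 0.0.255.255 any
permit ip 10.4.0.0 0.0.255.255 any
permit ip host 10.255.0.253 any
permit ip 10.86.0.0 0.0.255.255 any
permit ip 10.146.0.0 0.0.255.255 any
permit ip 10.90.0.0 0.0.255.255 any
permit ip 10.88.0.0 0.0.255.255 any
permit ip 10.140.0.0 0.0.255.255 any
permit ip host 10.45.105.1 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
permit ip any any
"""

def parse_acl(text):
    """Return a list of (action, base_int, wildcard_int, normalized_line)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        action, src = tok[0], tok[2:]
        if src[0] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wild = src[1], "0.0.0.0"
        else:
            base, wild = src[0], src[1]
        entries.append((action, int(ipaddress.IPv4Address(base)),
                        int(ipaddress.IPv4Address(wild)), " ".join(tok)))
    return entries

def evaluate(entries, source):
    """First-match evaluation; IOS ends every ACL with an implicit deny."""
    addr = int(ipaddress.IPv4Address(source))
    for action, base, wild, line in entries:
        # Wildcard bits set to 1 are "don't care"; the rest must match.
        if (addr | wild) == (base | wild):
            return action, line
    return "deny", "(implicit deny)"
```

Calling evaluate(parse_acl(DAMASCUS), "<neighbor address>") with the real peer address shows which line decides: an RFC 1918 source outside the listed permits hits one of the three deny lines, while any other source falls through to "permit ip any any".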
