Solved

BGP Failover issues

Posted on 2011-02-15
Last Modified: 2012-05-11
Hello,

I am having some BGP issues within my network and was wondering if anyone can suggest a better design for this. I currently have dual paths to the internet, with a very basic BGP and iBGP configuration to always prefer the router with the highest weight. One link is 100 Mbps and the other is 10 Mbps. I am running HSRP on the LAN interfaces on these routers, and the 100 Mbps router is the primary HSRP router.

However, I keep having a problem with failover: anytime there is an outage on the primary internet connection, it takes almost 10 minutes to fail over. I will try to VPN in to check what is going on. By the time I do, it has already failed over. How can I tune this for better failover?

Thank you,

Question by:hermanazefor
13 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 34902650
A network diagram and configs would be nice; this will allow us to assist you much better. Please remove any usernames and passwords from the configs.

Billy
0
 

Author Comment

by:hermanazefor
ID: 34909209
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
no service dhcp
!
hostname router-primary
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 64000 notifications
logging rate-limit 4 except errors

!
aaa new-model
!
!
aaa authentication login default group tacacs+ line enable
aaa authentication login CONSOLE enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
!
dot11 syslog
no ip source-route
ip icmp rate-limit unreachable 750
ip cef
!
!
!
!
no ip domain lookup
ip domain name fnbm.corp
no ipv6 cef
ntp server 71.110.4.4
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
object-group network HOST-ALLOWING-VTY-ACCESS
 71.110.4.0 255.255.255.0
!
object-group network VTY-AUTHORIZED-USERS
 192.168.2.0 255.255.255.0
 192.168.6.0 255.255.255.0

!
archive
 log config
  hidekeys

ip ssh logging events
ip ssh version 2
buffers small permanent 239
buffers small max-free 342
buffers small min-free 71
buffers middle permanent 192
buffers middle max-free 275
buffers middle min-free 57
buffers big permanent 111
buffers big max-free 159
buffers big min-free 33
buffers verybig permanent 19
buffers verybig max-free 27
buffers verybig min-free 5
buffers large permanent 7
buffers large max-free 11
buffers large min-free 2
buffers huge permanent 5
buffers huge max-free 7
buffers huge min-free 1
!
!
!
!
interface Loopback0
 ip address 127.61.122.67 255.255.255.255
!
interface Loopback10
 description Loopback for NAT pool
 ip address 62.105.19.21 255.255.255.224
!
interface GigabitEthernet0/0
 description Internet Segment (71.110.4.0/24 - HSRP .2)
 ip address 192.168.250.3 255.255.255.0 secondary
 ip address 71.110.4.0 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip ospf authentication message-digest
 ip ospf message-digest-key
 ip ospf cost 100
 duplex full
 speed 100
 media-type rj45
 standby 1 ip 71.110.2
 standby 1 priority 115
 standby 1 preempt
 standby 2 ip 192.168.241.2
 standby 2 priority 115
 standby 2 preempt
 hold-queue 300 in
 hold-queue 300 out
!
interface GigabitEthernet0/1
 description  100MBPS INTERNET
 ip address 61.46.x.21 255.255.255.252
 ip access-group ACL-FROM-XO-V2008-09-22 in
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 ntp disable
 standby 1 preempt
 hold-queue 300 in
 hold-queue 300 out
!
interface FastEthernet0/0/0
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/2
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/3
 switchport access vlan 10
 duplex full
 speed 100
!
interface Serial0/1/0
 description IBGP Connection
 bandwidth 1536
 no ip address
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan10
 description IBGP Connection
 ip address 10.1.21.1 255.255.255.252
 no ip proxy-arp
 ip flow ingress
!
router ospf 100
 router-id 64
 no compatible rfc1583
 log-adjacency-changes
 redistribute bgp 40202 metric 100 metric-type 1 subnets route-map BGP2OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface Vlan10
 no passive-interface Loopback0
 network 10.1.21.0 0.0.0.255 area 0
 network 71.110.4.0 0.0.0.255 area 0
 network 127.x.12.0 0.0.0.255 area 0
 default-information originate
!
router bgp 40202
 synchronization
 bgp log-neighbor-changes
 network 71.110.4.0 mask 255.255.255.0
 neighbor 61.46.x.21 remote-as 1021
 neighbor 61.46.x.21 filter-list 10 out
 neighbor 127.x.12.69 remote-as 40202
 neighbor 127.x.12.69 update-source Loopback0
 neighbor 127.x.12.69 next-hop-self
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.46.x.21
ip route 167.x.x.0 255.255.255.0 65.46.24.221
ip route 172.x.x.0 255.255.255.0 10.1.1.2
ip route 192.x.x.0 255.255.255.0 71.110.4.1
ip route 192.x.x.0 255.255.255.0 71.110.4.1
ip route 192.5.33.0 255.255.255.0 71.110.4.1
ip route 192.5.34.0 255.255.255.0 71.110.4.1
ip route 192.168.0.0 255.255.0.0 71.110.4.1

no ip http server
no ip http secure-server
!
ip as-path access-list 10 permit ^$
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet1/4
ip flow-export version 5
ip flow-export destination 192.168.x.x 2055
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 600000

!
ip access-list standard AUTHORIZED-VTY-FROM

 deny   any log
ip access-list standard
 permit 192.x.x.0 0.0.255.255
ip access-list standard

!

!
!
!
r
!
route-map BGP2OSPF permit 10
 match ip address prefix-list DEFAULT-ONLY
!
!
s
!
!
!
!
!


!
line con 0
 exec-timeout 30 0
 logging synchronous
 login authentication CONSOLE
line aux 0
line vty 0 4
 access-class AUTHORIZED-VTY-FROM in
 exec-timeout 30 0
 logging synchronous
 transport input ssh
line vty 5 15
 access-class AUTHORIZED-VTY-FROM in
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
end
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 34909581
For a solid solution to be provided for "BGP Failover issues" and BGP tuning, all configurations and network diagrams should be provided. What you are asking for does not have a simple answer; this could be a very complex issue/config, etc. So please provide a network diagram so that we can visualize your network, the connections that exist and the configurations that have been applied.

Billy
0
 

Author Comment

by:hermanazefor
ID: 34910135
Hello Billy-

I just added a diagram.

Thank you
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 34910235
Great, so tell me a bit about what is going on. You state "However i keep having a problem of failover anytime there is an outage on the primary internet connection it takes almost 10minutes to failover. " But what type of troubleshooting have you completed thus far? Are you able to send the configs of all devices in the network (minus the ASAs for now), just the switches and routers?

Billy
0
 

Author Comment

by:hermanazefor
ID: 34910449
The switches are just layer two devices that handle VLAN traffic. The configuration you see is identical to the other router but for IP addresses. Anytime this has happened I have had to log in remotely, and before I do the problem is already resolved.

I guess my problem is seeking a BGP failover solution which is more efficient and quick.

Thank you
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 34910864
I am sure it is identical, but having both configs will allow us to look for misconfigurations.

Billy
0
 
LVL 17

Accepted Solution

by:
Marius Gunnerud earned 2000 total points
ID: 34936698
Are you tracking the default route on the other router? I agree with Billy that seeing both configs would help.

A couple of thoughts without seeing all the configurations:

It could be that the routers are not configured to actively check for connectivity, and that this is the reason for the long failover.

Also you have set the priority group 1 and 2 with the same priority number. This sets this interface as active for both ip addresses in the standby groups. Default priority for standby is 100 so remove the priority configuration for the failover route from the primary router's interface. On the secondary router you can configure a lower priority than what is on group 1 but default will be fine.

In my adjustments below I am assuming that standby 1 is the primary ip address and standby 2 has the failover.

Try adding this to the primary router:

Primary router

track 5 ip route 0.0.0.0 0.0.0.0 reachability

interface GigabitEthernet0/0
standby 1 ip 71.110.2
standby 1 priority 115
standby 1 preempt
standby 1 track 5 decrement 20
standby 2 ip 192.168.241.2
standby 2 preempt

Secondary router

interface <interface number>
standby 2 ip 192.168.241.2
standby 2 preempt
standby 2 priority 105
standby 1 ip 71.110.2
standby 1 preempt

The decrement command on the track will lower the priority of standby 1 by 20 (so essentially to 95). The track ip route 0.0.0.0 0.0.0.0 tells the router to keep an eye on the default route to the internet and, when it is down, lower the priority of group 1, and then group two will take over.



0
 
LVL 24

Expert Comment

by:rfc1180
ID: 34939019
That is assuming the link upstream is down; no doubt I agree that adding a track will benefit, however, at that point if the link is down, OSPF should reconverge (the default route would not be available and would no longer be redistributed into OSPF) and routing via OSPF should occur, meaning the default would not be via the upstream gi0/1 interface, but rather the OSPF neighbor via the 10Mbps upstream link. So basically, traffic from would ingress gi0/0, a route table lookup would be performed and traffic would egress back out gi0/0 then via vlan 50 to the other router (ideally). If convergence is taking 10 minutes, there are other issues. I see that you are not filtering inbound, so you are either taking a full route or your upstream is filtering outbound to you (default only); is this the case? If there is an issue with the RIB/FIB upstream, routing would ultimately be non-existent; as the BGP session is directly connected, the session ultimately remains up (traffic would be black-holed); IP SLA would benefit from this scenario.

What do you think MAG?

Billy
0
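One way to cover the black-hole case raised above, where the directly connected BGP session stays up but traffic beyond the ISP is lost, is to drive HSRP from an IP SLA probe instead of from the presence of the default route. This is an added example, not configuration from the thread; the probe target 198.51.100.1, the `<primary-ISP-next-hop>` placeholder and the object numbers are assumptions.

```cisco
! Added example for the primary router. Placeholders: 198.51.100.1 stands
! for a stable address beyond the ISP edge; <primary-ISP-next-hop> is the
! far end of the 100 Mbps link. Object number 10 is arbitrary.
!
! Pin the probe to the primary link so it cannot succeed via the other
! router once the default route moves to the 10 Mbps path.
ip route 198.51.100.1 255.255.255.255 <primary-ISP-next-hop>
!
! Syntax below is 12.4(20)T and later. On 12.4 mainline the equivalents are
! "ip sla monitor 10" with "type echo protocol ipIcmpEcho ..." and
! "track 10 rtr 10 reachability".
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Damp flapping: wait 10 s of failed probes before going down and
! 30 s of successful probes before coming back up.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! 115 - 20 = 95, below the peer's default priority of 100, so the peer
! takes over group 1 provided it has "standby 1 preempt" configured.
interface GigabitEthernet0/0
 standby 1 priority 115
 standby 1 preempt
 standby 1 track 10 decrement 20
```

The state of the probe and the resulting HSRP priority can be checked with `show track 10` and `show standby brief`.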
 

Author Comment

by:hermanazefor
ID: 34944066
Ok Billy how do I perform IP SLA in this situation
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 34945982
0
 

Author Comment

by:hermanazefor
ID: 35288484
Thanks for your help.
0
