Solved

BGP Failover issues

Posted on 2011-02-15
Last Modified: 2012-05-11
Hello,

I am having some BGP issues within my network and was wondering if anyone can suggest a better design for this. I currently have dual paths to the internet. Very basic BGP and iBGP configuration to always prefer the router with the highest weight. One link is 100 Mbps and the other is 10 Mbps. I am running HSRP on the LAN interfaces on these routers, and the 100 Mbps router is the primary HSRP router.

However, I keep having a problem with failover: anytime there is an outage on the primary internet connection, it takes almost 10 minutes to fail over. I will try to VPN in to check what is going on. By the time I do, it has already failed over. How can I tune this for better failover?

Thank you,

Question by:hermanazefor

14 Comments
 
LVL 24

Expert Comment

by:rfc1180
A network diagram and configs would be nice; this will allow us to assist you much better. Please remove any usernames and passwords from the configs.

Billy
0
 

Author Comment

by:hermanazefor
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
no service dhcp
!
hostname router-primary
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 64000 notifications
logging rate-limit 4 except errors

!
aaa new-model
!
!
aaa authentication login default group tacacs+ line enable
aaa authentication login CONSOLE enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
!
dot11 syslog
no ip source-route
ip icmp rate-limit unreachable 750
ip cef
!
!
!
!
no ip domain lookup
ip domain name fnbm.corp
no ipv6 cef
ntp server 71.110.4.4
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
object-group network HOST-ALLOWING-VTY-ACCESS
 71.110.4.0 255.255.255.0
!
object-group network VTY-AUTHORIZED-USERS
 192.168.2.0 255.255.255.0
 192.168.6.0 255.255.255.0

!
archive
 log config
  hidekeys

ip ssh logging events
ip ssh version 2
buffers small permanent 239
buffers small max-free 342
buffers small min-free 71
buffers middle permanent 192
buffers middle max-free 275
buffers middle min-free 57
buffers big permanent 111
buffers big max-free 159
buffers big min-free 33
buffers verybig permanent 19
buffers verybig max-free 27
buffers verybig min-free 5
buffers large permanent 7
buffers large max-free 11
buffers large min-free 2
buffers huge permanent 5
buffers huge max-free 7
buffers huge min-free 1
!
!
!
!
interface Loopback0
 ip address 127.61.122.67 255.255.255.255
!
interface Loopback10
 description Loopback for NAT pool
 ip address 62.105.19.21 255.255.255.224
!
interface GigabitEthernet0/0
 description Internet Segment (71.110.4.0/24 - HSRP .2)
 ip address 192.168.250.3 255.255.255.0 secondary
 ip address 71.110.4.0 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip ospf authentication message-digest
 ip ospf message-digest-key
 ip ospf cost 100
 duplex full
 speed 100
 media-type rj45
 standby 1 ip 71.110.2
 standby 1 priority 115
 standby 1 preempt
 standby 2 ip 192.168.241.2
 standby 2 priority 115
 standby 2 preempt
 hold-queue 300 in
 hold-queue 300 out
!
interface GigabitEthernet0/1
 description  100MBPS INTERNET
 ip address 61.46.x.21 255.255.255.252
 ip access-group ACL-FROM-XO-V2008-09-22 in
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 ntp disable
 standby 1 preempt
 hold-queue 300 in
 hold-queue 300 out
!
interface FastEthernet0/0/0
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/1
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/2
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet0/0/3
 switchport access vlan 10
 duplex full
 speed 100
!
interface Serial0/1/0
 description IBGP Connection
 bandwidth 1536
 no ip address
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan10
 description IBGP Connection
 ip address 10.1.21.1 255.255.255.252
 no ip proxy-arp
 ip flow ingress
!
router ospf 100
 router-id 64
 no compatible rfc1583
 log-adjacency-changes
 redistribute bgp 40202 metric 100 metric-type 1 subnets route-map BGP2OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface Vlan10
 no passive-interface Loopback0
 network 10.1.21.0 0.0.0.255 area 0
 network 71.110.4.0 0.0.0.255 area 0
 network 127.x.12.0 0.0.0.255 area 0
 default-information originate
!
router bgp 40202
 synchronization
 bgp log-neighbor-changes
 network 71.110.4.0 mask 255.255.255.0
 neighbor 61.46.x.21 remote-as 1021
 neighbor 61.46.x.21 filter-list 10 out
 neighbor 127.x.12.69 remote-as 40202
 neighbor 127.x.12.69 update-source Loopback0
 neighbor 127.x.12.69 next-hop-self
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 61.46.x.21
ip route 167.x.x.0 255.255.255.0 65.46.24.221
ip route 172.x.x.0 255.255.255.0 10.1.1.2
ip route 192.x.x.0 255.255.255.0 71.110.4.1
ip route 192.x.x.0 255.255.255.0 71.110.4.1
ip route 192.5.33.0 255.255.255.0 71.110.4.1
ip route 192.5.34.0 255.255.255.0 71.110.4.1
ip route 192.168.0.0 255.255.0.0 71.110.4.1

no ip http server
no ip http secure-server
!
ip as-path access-list 10 permit ^$
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet1/4
ip flow-export version 5
ip flow-export destination 192.168.x.x 2055
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 600000

!
ip access-list standard AUTHORIZED-VTY-FROM

 deny   any log
ip access-list standard
 permit 192.x.x.0 0.0.255.255
ip access-list standard

!

!
!
!
r
!
route-map BGP2OSPF permit 10
 match ip address prefix-list DEFAULT-ONLY
!
!
s
!
!
!
!
!


!
line con 0
 exec-timeout 30 0
 logging synchronous
 login authentication CONSOLE
line aux 0
line vty 0 4
 access-class AUTHORIZED-VTY-FROM in
 exec-timeout 30 0
 logging synchronous
 transport input ssh
line vty 5 15
 access-class AUTHORIZED-VTY-FROM in
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
end
0
 
LVL 24

Expert Comment

by:rfc1180
For a solid solution to be provided for "BGP Failover issues" and BGP tuning, all configurations and network diagrams should be provided. What you are asking for is not just a simple answer; this could be a very complex issue/config, etc. So please provide a network diagram so that we can visualize your network, the connections that exist and the configurations that have been applied.

Billy
0
 


Author Comment

by:hermanazefor
Hello Billy,

I just added a diagram.

Thank you
0
 
LVL 24

Expert Comment

by:rfc1180
Great, so tell me a bit about what is going on. You state "However i keep having a problem of failover anytime there is an outage on the primary internet connection it takes almost 10minutes to failover." But what type of troubleshooting have you completed thus far? Are you able to send the configs of all devices in the network (minus the ASAs for now), just the switches and routers?

Billy
0

Author Comment

by:hermanazefor
The switches are just layer two devices that handle VLAN traffic. The configuration you see is identical to the other router's except for IP addresses. Anytime this has happened, I have had to log in remotely, and before I do, the problem is already resolved.

I guess my problem is seeking a BGP failover solution which is more efficient and quick.

Thank you
0
 
LVL 24

Expert Comment

by:rfc1180
I am sure it is identical, but having both configs will allow us to look for misconfigurations.

Billy
0
 
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
Are you tracking the default route on the other router? I agree with Billy that seeing both configs would help.

A couple of thoughts without seeing all the configurations:

It could be that the routers are not configured to actively check for connectivity, and that is the reason for the long failover.

Also, you have set the priority for groups 1 and 2 to the same number. This sets this interface as active for both IP addresses in the standby groups. The default priority for standby is 100, so remove the priority configuration for the failover route from the primary router's interface. On the secondary router you can configure a lower priority than what is on group 1, but the default will be fine.

In my adjustments below I am assuming that standby 1 is the primary ip address and standby 2 has the failover.

Try adding this to the primary router:

Primary router

track 5 ip route 0.0.0.0 0.0.0.0 reachability

interface GigabitEthernet0/0
 standby 1 ip 71.110.2
 standby 1 priority 115
 standby 1 preempt
 standby 1 track 5 decrement 20
 standby 2 ip 192.168.241.2
 standby 2 preempt

Secondary router

interface <interface number>
 standby 2 ip 192.168.241.2
 standby 2 preempt
 standby 2 priority 105
 standby 1 ip 71.110.2
 standby 1 preempt

The decrement command on the track will lower the priority of standby 1 by 20 (so essentially to 95). The track ip route 0.0.0.0 0.0.0.0 tells the router to keep an eye on the default route to the internet and, when it is down, lower the priority of group 1, and then group two will take over.



0
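The priority arithmetic in the accepted answer above, as an added example that is not part of the original thread: a small Python model that parses `standby` lines and reports which router is active for a group once tracked objects on the primary go down. The two sample configs and the 192.0.2.2 address are constructed; the model assumes the primary is active beforehand, the IOS defaults of priority 100 and track decrement 10, and treats equal priorities as no takeover.

```python
import re

DEFAULT_PRIORITY = 100   # IOS default HSRP priority
DEFAULT_DECREMENT = 10   # IOS default when "decrement" is omitted

def parse_standby(config):
    """Return {group: {"priority", "preempt", "tracks": {object: decrement}}}."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"\s*standby\s+(\d+)\s+(\S+)(.*)", line)
        if not m:
            continue
        g = groups.setdefault(int(m.group(1)), {
            "priority": DEFAULT_PRIORITY, "preempt": False, "tracks": {}})
        keyword, args = m.group(2), m.group(3).split()
        if keyword == "priority":
            g["priority"] = int(args[0])
        elif keyword == "preempt":
            g["preempt"] = True
        elif keyword == "track":
            explicit = len(args) > 2 and args[1] == "decrement"
            g["tracks"][int(args[0])] = int(args[2]) if explicit else DEFAULT_DECREMENT
    return groups

def effective_priority(group, down):
    """Configured priority minus the decrement of every tracked object that is down."""
    return group["priority"] - sum(d for obj, d in group["tracks"].items() if obj in down)

def active_after_failure(primary_cfg, secondary_cfg, group, down_on_primary):
    """Which router is active for `group` after the primary's tracked objects fail."""
    p = parse_standby(primary_cfg)[group]
    s = parse_standby(secondary_cfg)[group]
    # The standby only takes over if it has preempt AND now outranks the primary.
    takeover = s["preempt"] and s["priority"] > effective_priority(p, down_on_primary)
    return "secondary" if takeover else "primary"

# Constructed sample configs modelled on the answer's group 1 settings.
PRIMARY = """interface GigabitEthernet0/0
 standby 1 ip 192.0.2.2
 standby 1 priority 115
 standby 1 preempt
 standby 1 track 5 decrement 20
"""
SECONDARY = """interface GigabitEthernet0/0
 standby 1 ip 192.0.2.2
 standby 1 preempt
"""

if __name__ == "__main__":
    print(active_after_failure(PRIMARY, SECONDARY, 1, {5}))
```

With the default decrement of 10 the primary only drops to 105 and stays active, and the same happens if the secondary lacks `preempt`; both are worth checking when failover does not occur as expected.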
 
LVL 24

Expert Comment

by:rfc1180
That is assuming the link upstream is down; no doubt I agree that adding a track will benefit. However, at that point, if the link is down, OSPF should reconverge (the default route would not be available and will no longer be redistributed into OSPF) and routing via OSPF should occur, meaning the default would not be via the upstream gi0/1 interface, but rather the OSPF neighbor via the 10Mbps upstream link. So basically, traffic from would ingress gi0/0, a route table lookup would be performed and traffic would egress back out gi0/0, then via vlan 50 to the other router (ideally). If convergence is taking 10 minutes, there are other issues. I see that you are not filtering inbound, so you are either taking a full route or your upstream is filtering outbound to you (default only); is this the case? If there is an issue with the RIB/FIB upstream, routing would ultimately be non-existent; as the BGP session is directly connected, the session ultimately remains up (traffic would be black-holed). IP SLA would benefit from this scenario.

What do you think, MAG?

Billy
0
 

Author Comment

by:hermanazefor
OK Billy, how do I perform IP SLA in this situation?
0
 

Author Comment

by:hermanazefor
Thanks for your help.
0
