[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Dynamic routing using static routes

Posted on 2011-09-30
9
Medium Priority
?
260 Views
Last Modified: 2012-05-12
hi,

this may seem like a strange question, but i am trying to achieve some kind of dynamic route failover using static routes. The reason I need to do this is because some of our remote sites use Cisco 850 series routers, and don't support EIGRP.

We are the central data centre in a hub and spoke topology. All remoote sites route via the hub. Each site has a single Cisco router and connects back to the core data centre via a secure VPN tunnel over GRE. Actually, we use 2 dedicated routers at the data centre for terminating the remote site VPN tunnels. 1 router routes out over 1 provider cloud, and the other goes out over another. This gives us some redundancy for the remote sites - although they only have 1 router they have 2 VPN tunnels back to the core, if 1 router at the core went down then the other VPN tunnel would take care of the routing. This works well for sites that have EIGRP running on the router.

On sites that don't support EIGRP, i have tried to work around this by configuring a static route pointing back to the data server  network with AD of 1, and a 2nd static route pointing down the 2nd IPSEC GRE tunnel with an AD of 2. It was my understanding that, if there was a problem with the 1st tunnel, then the packets would route out of the 2nd tunnel via the static route with AD of 2.

However, it seems that when using IPSEC GRE tunnels, even if i manually shutdown the tunnel interface on the remote sites, the core site router still sees the GRE tunnel to the remote site as being up, and so does not failover to the 2nd VPN router. Therefore, the remote site sees the local tunnel interface as down, routes via the 2nd tunnel as per the higher AD, but the return packets will not arrive because the routers at the core site do not see a problem on the GRE tunnel and don't failover accordingly.

Has anybody got any suggestions on how this could be improved? Or do we simply need to use a routing protocol to achieve anything dynamic in this situation?

thanks in advance
0
Comment
Question by:L-Plate
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 36891120
The only way your static routes will fail over now is if it is a detectable failure of the physical interface.  Which is but one of many possible failures.

To accomplish what you want without dynamic routes, you'll need to use static routes with SLA.

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36893425
Hi,

Have you enabled keepalives on the GRE tunnel?

e.g.

Router(config)#interface tunnel0
Router(config-if)#keepalive 5 4          

!--- The syntax of this command is keepalive [seconds [retries]].
!--- Keepalives are sent every 5 seconds and 4 retries.
!--- Keepalives must be missed before the tunnel is shut down.
!--- The default values are 10 seconds for the interval and 3 retries.
0
 

Author Comment

by:L-Plate
ID: 36902483
thank you both for your responses. Both options look very good, but i am trying to with the option of GRE tunnel keepalive at the moment.

i have set the keepalives at both ends of the tunnel. however, the router on the remote side of the tunnel sees the tunnel as being down when keepalives are enabled, even though it is not.

my config on the remote tunnel is as follows...

interface Tunnel179
 description ## ENCRYPT GRE TUNNEL TO UK BILSTON ##
 bandwidth 2048
 ip unnumbered Vlan1
 no ip redirects
 no ip proxy-arp
 ip mtu 1440
 ip virtual-reassembly
 keepalive 5 4
 tunnel source Dialer1
 tunnel destination 213.86.84.36
 crypto map PORTUGALWH

and for the hub site my tunnel config is as follows...

interface Tunnel178
 description ## ENCRYPT GRE TUNNEL TO PORTUGAL WH ##
 bandwidth 2048
 ip unnumbered GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 ip mtu 1440
 ip virtual-reassembly
 keepalive 5 4
 tunnel source 213.86.84.36
 tunnel destination 62.28.21.152
!

With the above configuration, the remote site sees it's own tunnel interface 179 as being down (up/down), but the hub site still sees it's own tunnel interface 178 as being up and up. if i manually shutdown the gre tunnel interface on the remote site (int t179), then the hub site does correctly notice this and puts it own interface (t178) in to a down/down state.

so the tunnel keepalive mechanism does seem to be working from the hub, but seems to be some issue on the spoke.

any ideas what this could be?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 17

Expert Comment

by:rochey2009
ID: 36905250

You have a crypto map at one end but not at the other.

what is the tunnel source address for Dialer 1 - Does it match the tunnel destination at the remote end?

try "debug tunnel keepalive".
0
 

Author Comment

by:L-Plate
ID: 36908911
dialer 1 IP address is 62.28.21.152. don't get me wrong, these ARE fully functional IPSEC GRE tunnels. The reason you don't see the crypto map applied to the tunnel interface at the hub router is because i was told we no longer had to apply the crypto map on each tunnel interface in later IOS versions, that is - we have just applied the crypto map on the physical (outside) interface, and this seems to take care of all the IPSEC GRE tunnels.

i will take some outputs from your debug suggestion and post them back.
0
 

Author Comment

by:L-Plate
ID: 36908949
I have enabled 2 debugs - debug tunnel, and debug tunnel keepalive

these are the outputs i see relevant to the tunnel in question (tunnel is still in up / down state since keepalives enabled on the tunnel)...

277303: Oct  4 11:37:11.473 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.
28.21.152 (len=24 ttl=255), counter=18840

277304: Oct  4 11:37:11.473 GMT: Tunnel179: GRE/IP encapsulated 62.28.21.152->21
3.86.84.36 (linktype=7, len=48)



277337: Oct  4 11:37:16.472 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.
28.21.152 (len=24 ttl=255), counter=18841

277338: Oct  4 11:37:16.472 GMT: Tunnel179: GRE/IP encapsulated 62.28.21.152->21
3.86.84.36 (linktype=7, len=48)


277345: Oct  4 11:37:21.471 GMT: Tunnel179: sending keepalive, 213.86.84.36->62.
28.21.152 (len=24 ttl=255), counter=18842

277346: Oct  4 11:37:21.471 GMT: Tunnel179: GRE/IP encapsulated 62.28.21.152->21
3.86.84.36 (linktype=7, len=48)

0
 
LVL 17

Accepted Solution

by:
rochey2009 earned 2000 total points
ID: 36912476
Have you done the debug at the other end?
0
 

Author Comment

by:L-Plate
ID: 36915337
if i enable the debug from the hub router, the replys are received...

UK-VPN-RTR-3825-01#
Oct  5 07:56:50.456: Tunnel178: sending keepalive, 62.28.21.152->213.86.84.36 (l
en=24 ttl=255), counter=1
Oct  5 07:56:50.520: Tunnel178: keepalive received, 62.28.21.152->213.86.84.36 (
len=24 ttl=245), resetting counter

but for some reason, when same test from the remote side, the replys are not received and the tunnel interface on the remote router is in up/down state
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36947903

try to ping 213.86.84.36 source 62.28.21.152..
traceroute with source IP

do above test from HUB

and paste it

U have to block the reachability from HUB to spoke ie source to destination IP.
As remote location IP is rechable via secondary link it creates a problem.

0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question