Solved

failover questions

Posted on 2012-08-31
Last Modified: 2012-09-03
Good morning everyone. I have a client that has a Cisco router with a T1 connection and a secondary connection through the fast ethernet 0/1. Last week, the T1 line was "down" although it was not really down. A call to the ISP showed that they were in an up/up state and they could loop to the customer. It turned out to be an issue at the CO. This was resolved and the client was back online again. The issue is that they were not able to pass any traffic through Fa0/1.

In looking at the configuration, there were two routes in place, and it was using the one weighted at 100 and not the other weighted at 150, as the line was theoretically up. I am looking at making a change on the configuration to try to get it to pass traffic should this ever happen again. Basically, a setting that will maybe have a keep-alive set for the serial and if it does not pass traffic in a set amount of time, it will route to the Fa0/1. I have attached the config below:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname
!
boot-start-marker
boot-end-marker
!
logging snmp-authfail
logging buffered 4096 notifications
logging console critical
logging monitor notifications
!
aaa new-model
!
!
aaa group server tacacs+ invision_tacacs
  server 69.18.
  server 69.18.
!
aaa authentication banner  
!!!-----------------------------!!!
!!!   AAA User Authentication   !!!
!!!-----------------------------!!!
 
aaa authentication login default local-case group tacacs+ enable
aaa authentication enable default enable
aaa authentication ppp default local
aaa authentication ppp direct_serial none
aaa authorization exec default local group tacacs+
aaa authorization commands 1 default if-authenticated none
aaa authorization network default local
aaa accounting send stop-record authentication failure
aaa accounting nested
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 10 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip telnet source-interface Serial0/0/0
no ip dhcp use vrf connected
!
!
ip ftp source-interface Serial0/0/0
ip ftp username
ip ftp password 7 05030B2C7641473C4D0A4319082F37323D29
ip tftp source-interface Serial0/0/0
no ip bootp server
ip domain name invision.net
ip name-server
ip name-server
ip rcmd source-interface Serial0/0/0
!
username
!
!
interface Null0
  no ip unreachables
!
interface FastEthernet0/0
  description
  ip address 69.18.xxx.xxx
  no ip redirects
  no ip unreachables
  ip accounting access-violations
  ip nat inside
  duplex auto
  speed auto
  no cdp enable
!
interface FastEthernet0/1
  description connection to Cable_Modem
  ip address dhcp
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip accounting access-violations
  ip nat outside
  duplex auto
  speed auto
  no cdp enable
!
interface Serial0/0/0
  description
  bandwidth 1536
  ip unnumbered FastEthernet0/0
  ip access-group int_s0_out out
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip accounting access-violations
  no fair-queue
  down-when-looped
  service-module t1 fdl ansi
!
router eigrp 17
  redistribute connected
  redistribute static
  network 69.18 0.0.0.3
  network 69.18 0.0.127.255
  distribute-list prefix int_e17_distrib out
  no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 100
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 150
no ip http server
ip http access-class 10
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 50 interface FastEthernet0/1 overload
!
ip access-list extended int_s0_out
  remark ----------------------------------------
  remark At
  remark outgoing
  remark allow only assigned ip addresses outbound
  remark ---------------------------------------
  remark ---- allow our netblocks
  permit ip 69. any
  remark ---- allow pings
  deny   icmp any any redirect
  permit icmp any any echo
  permit icmp any any echo-reply
  permit icmp any any traceroute
  permit icmp any any source-quench
  permit icmp any any administratively-prohibited
  permit icmp any any unreachable
  permit icmp any any parameter-problem
  permit icmp any any time-exceeded
  deny   icmp any any
  remark ---- block spoofed addresses
  deny   ip any any log-input
!
!
!
control-plane
!
banner exec  
Welcome - Authorized use only.

Do a 'show users' to make sure you
are not making conflicting changes.

Remeber to 'write' and copy start
tftp 'cst' after all changes.

For assistance call InVision's
NOC at (631) 543-1000 x404
 
banner login  
InVision.com, Inc.

This is an InVision system, restricted to authorized persons and for official InVision business only. Anyone using this system, network or data is subject to being monitored at any time for system administration and for identifying unauthorized users or system misuse. Anyone using this system expressly consents to such monitoring and that any evidence of criminal activity revealed through such monitoring may be provided to law enforcement officials for prosecution. Violators will be prosecuted to the fullest extent of both civil and criminal law.
 
alias configure rb router bgp 12251
alias configure re router eigrp 17
 
  logout-warning 30
  absolute-timeout 720
  history size 128
line aux 0
  modem InOut
  flowcontrol hardware
line vty 0 4
  session-timeout 10  output
  access-class 10 in
  exec-timeout 0 0
  privilege level 15
  logout-warning 30
  absolute-timeout 180
  history size 128
  transport preferred none
  transport input telnet
line vty 5 15
  privilege level 15
  transport input telnet
!
exception protocol ftp
exception dump
end
Question by:INV_support

Accepted Solution

by:
Garry Glendown earned 2000 total points
ID: 38354525
KeepAlive (if supported by the provider) is a good thing, though it will not protect you all the way ... there may still be situations in which the interface (and keepalive) are up, but you can't pass traffic. Only "real" solution would be to have your provider enable some routing protocol on both links, with higher cost on the backup link, and go through that ... that way, you wouldn't need/use static routes and manual admin distances, but just rely on receiving the correct routes through the two links.

Another solution would be to have some remote station with static route via the serial link, set up IP SLA, and track that state ... use the tracking for the primary route, and if it goes down, so does the route, with the backup route becoming active ...

Author Comment

by:INV_support
ID: 38354811
Thanks. The provider is running with no keepalive which I have matched. What if we were to call the cable modem provider and pay for the static IP address and then weight each route the same, allowing traffic to pass through both routes almost like a load balancer in a sense? I am sure it couldn't be that simple though as I know they are also using a VPN connection that does pass through the router to the ASA behind it and that is set up as a L2L with the static on serial subnet or could we just append the crypto map to include the new static from the cable modem since they would be allocated a block of five usables?

Assisted Solution

by:Garry Glendown
Garry Glendown earned 2000 total points
ID: 38355178
Easiest thing is probably running IP SLA to an IP after the serial-link provider or inside their network ... set up tracking with a combination of that IP SLA and interface ser0 routing state, and you should be fine ...
0
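
The tracked primary route that both answers describe, as an added example that is not part of the original thread. It assumes a placeholder probe target of 192.0.2.1 (substitute an address beyond the T1 provider's edge) and the `ip sla` / `track ... ip sla` syntax of later 12.4T and 15.x releases; older 12.4 images use `ip sla monitor 1`, `type echo protocol ipIcmpEcho`, and `track 1 rtr 1 reachability` instead.

```cisco
! Added example. 192.0.2.1 is a constructed placeholder, not an address from the thread.
!
! Pin the probe target to the T1 so probes can never succeed over the cable modem.
ip route 192.0.2.1 255.255.255.255 Serial0/0/0
!
! ICMP echo probe through the serial link every 10 seconds.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Object 1: end-to-end reachability through the T1.
! This is what catches the "up/up but passing no traffic" case from the question.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Object 2: serial interface is up and able to route IP.
track 2 interface Serial0/0/0 ip routing
!
! Object 10: the primary path is usable only while both objects are up.
track 10 list boolean and
 object 1
 object 2
!
! Swap the untracked primary default for a tracked one.
no ip route 0.0.0.0 0.0.0.0 Serial0/0/0 100
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 100 track 10
!
! The backup default from the posted config stays as it is and takes over
! whenever track 10 goes down and the primary route is withdrawn.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 150
```

`show track 10` and `show ip sla statistics 1` confirm the probe and track state; `show ip route 0.0.0.0` shows which default is installed.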
