Solved

ISP Failover on cisco 891

Posted on 2014-09-12
Last Modified: 2014-10-10
I am trying to set up a backup WAN connection on a Cisco 891 router with IOS 15.2.

I think I have the tracking set up correctly; sh track says reachability is down when I unplug the primary connection.

I can ping out from the secondary interface.

When I unplug the primary connection, I lose Internet access, and it also does not revert back to the primary when I plug it back in.

Here is my setup; let me know what I am missing:

track timer interface 5
!
track 1 ip sla 1 reachability

interface FastEthernet8
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet8
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description $ETH-WAN$
 ip address X.X.X.X 255.255.255.0
 ip access-group 104 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 service-policy output wan-qos

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet8 overload
ip nat inside source static tcp 10.3.99.230 21 71.251.18.90 21 extendable
ip nat inside source static tcp 10.3.99.143 3389 X.X.X.X 3389 extendable
ip nat inside source static tcp 10.3.99.230 15000 X.X.X.X 15000 extendable
ip nat inside source static tcp 10.3.99.230 15001 X.X.X.X 15001 extendable
ip nat inside source static tcp 10.3.99.143 16000 X.X.X.X 16000 extendable
ip nat inside source static tcp 10.3.99.143 16001 X.X.X.X 16001 extendable
ip nat inside source static tcp 10.3.99.143 16002 X.X.X.X 16002 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 Y.Y.Y.Y track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet8 10

ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now

access-list 199 deny   tcp host 10.3.99.143 eq 16002 any
access-list 199 deny   ip 10.5.99.0 0.0.0.255 10.86.0.0 0.0.15.255
access-list 199 remark IPSec Rule
access-list 199 deny   ip 10.5.99.0 0.0.0.255 10.86.20.0 0.0.0.255
access-list 199 remark IPSec Rule
access-list 199 deny   ip 10.3.99.0 0.0.0.255 10.86.20.0 0.0.0.255
access-list 199 deny   ip 10.3.99.0 0.0.0.255 10.86.0.0 0.0.15.255
access-list 199 remark IPSec Rule
access-list 199 deny   icmp 10.3.99.0 0.0.0.255 10.86.20.0 0.0.0.255
access-list 199 permit ip any any
!
route-map SDM_RMAP_1 permit 1
 match ip address 199
!
route-map SDM_RMAP_2 permit 1
 match ip address 199
Question by:bts86
5 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
First, your default routes should never point to the interface on Ethernet. They must point to the upstream gateway IP address. In your case it should be learned via DHCP; assuming that it won't change often, use that IP as a static gateway.
Second, you need to specify a static route to 8.8.8.8 that will force it out one gateway or the other, i.e.
ip route 8.8.8.8 255.255.255.255 y.y.y.y
LVL 42

Expert Comment

by:kevinhsieh
I was thinking about it, trying to figure out what was wrong, and lrmoore beat me to it. You need a static route to 8.8.8.8 to go out interface g0 towards y.y.y.y. I think the floating static to interface f8 is correct. That is exactly how I have it set up with my cellular interfaces, if memory serves.

FYI, I do IP SLA tracking of the Google public DNS resolvers and I get a lot of up/down notifications, so I wouldn't depend on them for picking your route if you want to minimize route flapping. I track multiple IPs and set multiple routes to 0.0.0.0 based upon the status of those tracked IPs.
LVL 12

Expert Comment

by:Henk van Achterberg
When you fail over you should use an EEM applet to clear ip nat tran * :)
LVL 1

Author Comment

by:bts86
I put in the static gateway on the DHCP interface as well as the static route to 8.8.8.8.

Now the connection will revert back to the primary connection when I plug it back in.

I still cannot connect to the internet from inside when the connection fails over.

I believe it is a NAT issue.

When I unplugged the primary connection I ran: clear ip nat trans *
sh ip nat stat shows 0 dynamic translations.

After that, no new translations are created.

I can still ping out of that interface without issue.
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 250 total points
In your route map you need to match your interface:

route-map SDM_RMAP_1 permit 1
 match ip address 199
 match interface GigabitEthernet0
!
route-map SDM_RMAP_2 permit 1
 match ip address 199
 match interface FastEthernet8
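The fixes from the thread (lrmoore: next-hop default routes and a host route for the probe target; kevinhsieh: track more than one target to avoid flapping; Henk van Achterberg: match interface in the NAT route-maps and clear translations from EEM on failover) pulled together into one failover configuration. This is an added example, not the poster's running config or any expert's posted answer. Y.Y.Y.Y is the primary gateway from the question; Z.Z.Z.Z (the DHCP-learned gateway on FastEthernet8), B.B.B.B (a second probe target), the track list number 10, the applet name and the delay timers are assumptions, as is the idea that ACL 104 is the right inbound filter for the backup WAN.

```cisco
! Added example, not the poster's running config. Placeholders:
!   Y.Y.Y.Y = primary ISP gateway on GigabitEthernet0 (from the thread)
!   Z.Z.Z.Z = backup ISP gateway learned by DHCP on FastEthernet8 (assumed)
!   B.B.B.B = a second probe target (assumed; use a host you are allowed to ping)
!
! --- probes: one per target, each sourced from the primary WAN interface
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo B.B.B.B source-interface GigabitEthernet0
 frequency 10
ip sla schedule 2 life forever start-time now
!
! --- host routes pin probe traffic to the primary link, so a probe cannot
!     "succeed" over the backup path and mask a primary outage
ip route 8.8.8.8 255.255.255.255 Y.Y.Y.Y
ip route B.B.B.B 255.255.255.255 Y.Y.Y.Y
!
! --- track each probe, then OR them in a list so one flapping target does
!     not fail the primary; delay dampens the up/down transitions
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 10 list boolean or
 object 1
 object 2
 delay down 15 up 60
!
! --- default routes use next-hop IPs, not bare Ethernet interfaces; the
!     primary is withdrawn when track 10 is down, the AD-10 floating route
!     to the backup gateway takes over, and it is removed again on recovery
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.Y track 10
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.Z 10
!
! --- NAT: each route-map matches its egress interface, so translations are
!     built with the outside address of whichever link is currently in use
route-map SDM_RMAP_1 permit 1
 match ip address 199
 match interface GigabitEthernet0
!
route-map SDM_RMAP_2 permit 1
 match ip address 199
 match interface FastEthernet8
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet8 overload
!
! --- EEM: flush translations whenever the tracked state changes, otherwise
!     existing flows keep the old outside address and hang (applet name assumed)
event manager applet NAT-FAILOVER
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Track 10 changed state, NAT translations cleared"
!
! --- caveat: the backup WAN in the original config has no inbound filter;
!     assuming ACL 104 is the Internet-facing policy, apply it here as well
interface FastEthernet8
 ip access-group 104 in
```

Two things this does not fix, because they are tied to the primary address in the original config: the static port forwards (3389, 15000, 15001, 16000-16002) are translated to X.X.X.X only, and the crypto map is applied to GigabitEthernet0 only, so neither inbound services nor the IPsec tunnel will follow a failover without additional configuration on FastEthernet8. Verify the result with sh track 10, sh ip route 0.0.0.0 and sh ip nat translations before and after pulling the primary cable.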