Solved

ISP Failover on Cisco 891

Posted on 2014-09-12
Last Modified: 2014-10-10
I am trying to set up a backup WAN connection on a Cisco 891 router with IOS 15.2.

I think I have the tracking set up correctly; sh track says reachability down when I unplug the primary connection.

I can ping out from the secondary interface.

When I unplug the primary connection, I lose internet access and it also does not revert back to the primary when I plug it back in.

Here is my setup; let me know what I am missing:

track timer interface 5
!
track 1 ip sla 1 reachability

interface FastEthernet8
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet8
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description $ETH-WAN$
 ip address X.X.X.X 255.255.255.0
 ip access-group 104 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 service-policy output wan-qos

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet8 overload
ip nat inside source static tcp 10.3.99.230 21 71.251.18.90 21 extendable
ip nat inside source static tcp 10.3.99.143 3389 X.X.X.X 3389 extendable
ip nat inside source static tcp 10.3.99.230 15000 X.X.X.X 15000 extendable
ip nat inside source static tcp 10.3.99.230 15001 X.X.X.X 15001 extendable
ip nat inside source static tcp 10.3.99.143 16000 X.X.X.X 16000 extendable
ip nat inside source static tcp 10.3.99.143 16001 X.X.X.X 16001 extendable
ip nat inside source static tcp 10.3.99.143 16002 X.X.X.X 16002 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 Y.Y.Y.Y track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet8 10

ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now

access-list 199 deny   tcp host 10.3.99.143 eq 16002 any
access-list 199 deny   ip 10.5.99.0 0.0.0.255 10.86.0.0 0.0.15.255
access-list 199 remark IPSec Rule
access-list 199 deny   ip 10.5.99.0 0.0.0.255 10.86.20.0 0.0.0.255
access-list 199 remark IPSec Rule
access-list 199 deny   ip 10.3.99.0 0.0.0.255 10.86.20.0 0.0.0.255
access-list 199 deny   ip 10.3.99.0 0.0.0.255 10.86.0.0 0.0.15.255
access-list 199 remark IPSec Rule
access-list 199 deny   icmp 10.3.99.0 0.0.0.255 10.86.20.0 0.0.0.255
access-list 199 permit ip any any
!
route-map SDM_RMAP_1 permit 1
 match ip address 199
!
route-map SDM_RMAP_2 permit 1
 match ip address 199
Question by:bts86

Accepted Solution

by:
lrmoore earned 250 total points
ID: 40320824
First, your default routes should never be the interface on Ethernet. It must be the upstream gateway IP address. In your case it should be learned via DHCP; assuming that it won't change often, use that IP as a static gateway.
Second, you need to specify a static route to 8.8.8.8 that will force it out one gateway or the other, i.e.
ip route 8.8.8.8 255.255.255.255 y.y.y.y

Expert Comment

by:kevinhsieh
ID: 40320998
I was thinking about it, trying to figure out what was wrong, and lrmoore beat me to it. You need a static route to 8.8.8.8 to go out interface g0 towards y.y.y.y. I think the floating static to interface f8 is correct. That is exactly how I have it set up with my cellular interfaces, if memory serves.

FYI, I do IP SLA tracking of the Google public DNS resolvers and I get a lot of up/down notifications, so I wouldn't depend on them for picking your route if you want to minimize route flapping. I track multiple IPs and set multiple routes to 0.0.0.0 based upon the status of those tracked IPs.

Expert Comment

by:Henk van Achterberg
ID: 40321548
When you fail over, you should use an EEM applet to clear ip nat trans * :)

Author Comment

by:bts86
ID: 40350774
I put in the static gateway on the DHCP interface as well as the static route to 8.8.8.8.

Now the connection will revert back to the primary connection when I plug it back in.

I still cannot connect to the internet from inside when the connection fails over.

I believe it is a NAT issue.

When I unplugged the primary connection I ran: clear ip nat trans *
sh ip nat stat shows 0 dynamic translations

After that, no new translations are created.

I can still ping out of that interface without issue.

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 250 total points
ID: 40358741
In your route map you need to match your interface:

route-map SDM_RMAP_1 permit 1
 match ip address 199
 match interface GigabitEthernet0
!
route-map SDM_RMAP_2 permit 1
 match ip address 199
 match interface FastEthernet8
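The three fixes the accepted and assisted solutions converge on (a next-hop IP rather than a bare interface on the backup default route, a host route pinning the SLA target to the primary gateway, and match interface in each NAT route-map) can be checked mechanically. The following Python lint is an added example, not code from the thread or from Cisco: it parses a reduced copy of the questioner's config and reports each pitfall. The two sample configs are constructed, and Z.Z.Z.Z is a placeholder for the gateway learned via DHCP on FastEthernet8.

```python
import re

# Constructed sample: the questioner's config cut down to the failover-relevant
# lines (X/Y/Z placeholders stand in for the thread's real addresses).
ORIGINAL_CFG = """\
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 Y.Y.Y.Y track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet8 10
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0
route-map SDM_RMAP_1 permit 1
 match ip address 199
route-map SDM_RMAP_2 permit 1
 match ip address 199
"""
# Same config with the thread's three fixes applied (Z.Z.Z.Z = placeholder for
# the DHCP-learned gateway on FastEthernet8, entered as a static next hop).
FIXED_CFG = (ORIGINAL_CFG
    .replace("FastEthernet8 10", "FastEthernet8 Z.Z.Z.Z 10")
    .replace("ip sla 1", "ip route 8.8.8.8 255.255.255.255 Y.Y.Y.Y\nip sla 1")
    .replace("199\nroute-map", "199\n match interface GigabitEthernet0\nroute-map")
    + " match interface FastEthernet8\n")

def parse_route_maps(cfg):  # route-map name -> list of its indented clauses
    maps, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"route-map (\S+) permit", line)
        cur = m.group(1) if m else (cur if line.startswith(" ") else None)
        if m:
            maps.setdefault(cur, [])
        elif cur:
            maps[cur].append(line.strip())
    return maps

def check_failover(cfg):  # one finding string per pitfall the thread identifies
    findings = []
    for l in cfg.splitlines():  # default route whose first two tokens hold no IP
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (.*)", l)
        if m and not any("." in t for t in m.group(1).split()[:2]):
            findings.append(f"default route via {m.group(1).split()[0]} has no next-hop IP")
    for target in re.findall(r"icmp-echo (\S+)", cfg):  # SLA probe target
        if not re.search(rf"^ip route {re.escape(target)} 255\.255\.255\.255 ", cfg, re.M):
            findings.append(f"SLA target {target} has no host route pinning it to one gateway")
    maps = parse_route_maps(cfg)
    for name, iface in re.findall(r"route-map (\S+) interface (\S+) overload", cfg):
        if f"match interface {iface}" not in maps.get(name, []):
            findings.append(f"route-map {name} lacks 'match interface {iface}'")
    return findings

if __name__ == "__main__":
    for f in check_failover(ORIGINAL_CFG): print("original:", f)
    print("fixed:", check_failover(FIXED_CFG) or "no findings")
```

Run against the original config it reports four findings; against the fixed config it reports none.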