I have an adtran 3448, I've got it set up, but I'm unable to comprehend the guide to create a failover.
2 DHCP connections through eth 0/1 and 0/2
Eth 0/1 is primary, eth 0/2 is backup
I would need to ping 8.8.8.8 to show that it's up
Here's my complete config, I need a complete config I can just copy and paste (I know how to do that lol) Contact me and let me know what you would charge? Thanks!
!
!
! ADTRAN, Inc. OS version R10.9.0
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number **************
!
!
hostname "ADM"
enable password password
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
domain-proxy
name-server 8.8.8.8 4.2.2.2
!
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "password"
!
banner motd #
Authorized access only. #
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
!
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
ip dhcp pool "LANPool"
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2 3.3.3.3 5.5.5.5
default-router 10.10.10.1
ntp-server 199.36.250.70
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
name "Default"
!
!
!
no ethernet cfm
!
interface eth 0/1
description Primary
ip address dhcp
ip mtu 1500
ip access-policy Public
media-gateway ip primary
no awcp
no shutdown
!
!
interface eth 0/2
description Backup
ip address dhcp
ip mtu 1500
ip access-policy Public
no shutdown
!
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
interface switchport 0/5
no shutdown
!
interface switchport 0/6
no shutdown
!
interface switchport 0/7
no shutdown
!
interface switchport 0/8
no shutdown
!
!
!
interface vlan 1
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
no shutdown
!
!
!
!
!
!
!
ip access-list standard NAT
permit any
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended acleth0/1QosWizSignal21
permit udp any any eq 5060
permit tcp any any eq 5060
!
ip access-list extended DstAdptRTP
permit udp any any range 19560 24560 log
!
ip access-list extended DstAdptSIP
permit udp any any range 8933 8950 log
!
ip access-list extended PrivateSelf
permit ip any any log
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended SrcAdptRTP
permit udp any range 19560 24560 any log
!
ip access-list extended SrcAdptSIP
permit udp any range 8933 8950 any log
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host 192.168.0.43 eq www log
!
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
nat destination list wizard-pfwd-1 address 10.10.10.201
!
!
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip rtp firewall-traversal
!
line con 0
login
!
line telnet 0 4
login
no shutdown
line ssh 0 4
login local-userlist
line-timeout 120
no shutdown
!
sntp server north-america.pool.ntp.org
!
!
!
!
!
!
end
This is a tough one, primarily because your primary connection is DHCP.
In trying to construct a probe that will succeed if 8.8.8.8 is reachable from the primary WAN but NOT succeed if it is reachable from the secondary, I ran into what seems to be an inconsistency in the way AOS handles self-sourced packets.
The first problem is in constructing the probe.
probe primary-probe icmp-echo
destination 8.8.8.8
period 3
timeout 500
tolerance consecutive fail 3 pass 3
no shutdown
With "Brand C" I would add the configuration
source-interface eth 0/1
which would source the pings from the source interface. That option isn't available in AOS, only source-address. But because it's DHCP we don't know a source address at configuration time.
So then I tried an access policy on the secondary to block pings to 8.8.8.8 so that the probe would only succeed from the primary.
ip access-list extended no-primary-list
deny icmp host 8.8.8.8 any
deny icmp any host 8.8.8.8
permit ip any any
Then I applied this to the backup interface policy.
ip policy-class Public-bkup
allow list no-primary-list self
interface eth 0/2
ip address dhcp 100
ip access-policy Public-bkup
no shutdown
But, the probe still succeeded when the primary went down.
Then I tried a route-map.
ip access-list extended local-test-list
permit icmp any host 8.8.8.8
!
route-map local-primary-map permit 10
match ip address local-test-list
set interface eth 0/1
!
ip local policy route-map local-primary-map
Traffic STILL went out the backup interface and caused the probe to succeed when the primary was down.
This would be a trivial problem if any of the following were possible:
I am very curious if anyone has solved this specific problem - detect reachability failure of a DHCP primary connection where the physical interface stays up and the gateway isn't known.
Another issue, once this one is solved - continue to probe a remote host via the primary even if the default route flips to the secondary. A route-map should solve this but a local route map should also fix the other issue.
My tests were on a TA900e running R10.5.3 but the same logic should apply to other devices.
We can definitely make the primary a static. In fact, done. The static is 192.168.0.2
Try this - may need some tweaks as I haven't tested it.
Assumption is that your gateway on the primary side is 192.168.0.1 with a /24 (255.255.255.0) mask. If not change the 0.0.0.0/0 default route.
Changes to your config in bold italics.
Note that you are doing NAT behind a device that is already behind a NAT. This isn't generally recommended, particularly with SIP involved. You might want to redesign to avoid this.
! ADTRAN, Inc. OS version R10.9.0
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number **************
!
!
hostname "ADM"
enable password password
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
domain-proxy
name-server 8.8.8.8 4.2.2.2
!
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "password"
!
banner motd #
Authorized access only. #
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
no ip firewall alg sip
!
probe primary-probe icmp-echo
destination 8.8.8.8
period 3
timeout 500
source-address 192.168.0.2
tolerance consecutive fail 3 pass 40
no shutdown
!
!
track primary-track
test if primary-probe
no shutdown
!
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
ip dhcp pool "LANPool"
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2 3.3.3.3 5.5.5.5
default-router 10.10.10.1
ntp-server 199.36.250.70
!
!
!
!
!
!
!
!
!
!
!
!
vlan 1
name "Default"
!
!
!
no ethernet cfm
!
interface eth 0/1
description Primary
ip address 192.168.0.2 255.255.255.0
ip mtu 1500
ip access-policy Public-primary
media-gateway ip primary
no awcp
no shutdown
!
!
interface eth 0/2
description Backup
ip address dhcp 100
ip mtu 1500
ip access-policy Public-backup
media-gateway ip primary
no shutdown
!
!
!
interface switchport 0/1
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
interface switchport 0/5
no shutdown
!
interface switchport 0/6
no shutdown
!
interface switchport 0/7
no shutdown
!
interface switchport 0/8
no shutdown
!
!
!
interface vlan 1
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
no shutdown
!
!
!
!
!
!
!
ip access-list extended NAT-primary
permit ip any any track primary-track
!
ip access-list standard NAT-backup
permit any
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended acleth0/1QosWizSignal21
permit udp any any eq 5060
permit tcp any any eq 5060
!
ip access-list extended DstAdptRTP
permit udp any any range 19560 24560 log
!
ip access-list extended DstAdptSIP
permit udp any any range 8933 8950 log
!
ip access-list extended PrivateSelf
permit ip any any log
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended SrcAdptRTP
permit udp any range 19560 24560 any log
!
ip access-list extended SrcAdptSIP
permit udp any range 8933 8950 any log
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host 192.168.0.43 eq www log
!
!
!
!
ip policy-class Private
allow list self self
nat source list NAT-primary interface eth 0/1 overload
nat source list NAT-backup interface eth 0/2 overload
!
ip policy-class Public-primary
nat destination list wizard-pfwd-1 address 10.10.10.201
!
ip policy-class Public-backup
nat destination list wizard-pfwd-1 address 10.10.10.201
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip firewall fast-nat-failover
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1 track primary-track
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip rtp firewall-traversal
!
line con 0
login
!
line telnet 0 4
login
no shutdown
line ssh 0 4
login local-userlist
line-timeout 120
no shutdown
!
sntp server north-america.pool.ntp.org
!
!
!
!
!
!
end
Hmm, doesn't seem to work.
What's interesting is when I unplug ETH0/1 the eth 0/2 light turns yellow.
I was reading a few points in the guide they gave:
Page 3 made mention of the route settings and having an administrative distance of 10 seconds
Then there was the segment of "Force the traffic out the correct interface"
thoughts?
Hmm, doesn't seem to work.
What's interesting is when I unplug ETH0/1 the eth 0/2 light turns yellow.
I was reading a few points in the AOS Guide: "configure multiple wan connections is aos"
(I can't share the link, it drops my response in moderation status)
Page 3 made mention of the route settings and having an administrative distance of 10 seconds
Then there was the segment of "Force the traffic out the correct interface"
thoughts?
listed1st wrote:
Hmm, doesn't seem to work.
What's interesting is when I unplug ETH0/1 the eth 0/2 light turns yellow.
Page 3 made mention of the route settings and having an administrative distance of 10 seconds
Then there was the segment of "Force the traffic out the correct interface"
thoughts?
Connect both circuits, wait two minutes, and capture the output of the following:
sh track
sh probe
sh ip route
sh int eth 0/1
sh int eth 0/2
Try, from a machine on the LAN, to ping 4.2.2.2 and then capture "sh ip policy-session"
Then unplug or shut down the primary connection, wait 30 seconds, and run all of the same tests.
Post results.
As to the guide setting administrative distance to 10 (it is just a number with no units), my configuration was similar except I specified 100. Anything greater than 1 up to 254 is fine. The idea is to make the backup route less favored (farther away, with a greater distance...)
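How the probe tolerance, the track and the two administrative distances combine into failover and failback timing, as an added example that is not part of the original posts and is not AOS code. It assumes the track simply mirrors the probe state, that the probe starts in PASS, and it ignores the track's dampening interval; the routes, period and tolerance values are the ones in the thread.

```python
from dataclasses import dataclass


@dataclass
class Probe:
    """Tolerance logic for 'tolerance consecutive fail N pass M' (assumed semantics)."""
    fail_needed: int
    pass_needed: int
    state: str = "PASS"   # assumption: the probe starts out passing
    streak: int = 0       # consecutive results that contradict the current state

    def feed(self, reply_received: bool) -> str:
        """Record one echo result and return the resulting probe state."""
        agrees = reply_received == (self.state == "PASS")
        if agrees:
            self.streak = 0          # any agreeing result resets the count
            return self.state
        self.streak += 1
        needed = self.fail_needed if self.state == "PASS" else self.pass_needed
        if self.streak >= needed:
            self.state = "FAIL" if self.state == "PASS" else "PASS"
            self.streak = 0
        return self.state


@dataclass(frozen=True)
class Route:
    gateway: str
    interface: str
    distance: int
    tracked: bool = False   # True for a route carrying "track primary-track"


# The two default routes from the thread: the tracked static route on the
# primary and the DHCP-learned default installed with distance 100.
ROUTES = [
    Route("192.168.0.1", "eth 0/1", 1, tracked=True),
    Route("192.168.11.2", "eth 0/2", 100),
]


def best_default(routes, track_state):
    """A tracked route is only usable while the track passes; lowest distance wins."""
    usable = [r for r in routes if not r.tracked or track_state == "PASS"]
    return min(usable, key=lambda r: r.distance) if usable else None


def simulate(replies, period=3, fail_needed=3, pass_needed=40):
    """Return [(seconds, interface)] for every change of the active default route."""
    probe = Probe(fail_needed, pass_needed)
    timeline, current = [], None
    for i, ok in enumerate(replies):
        best = best_default(ROUTES, probe.feed(ok))
        iface = best.interface if best else None
        if iface != current:
            timeline.append((i * period, iface))
            current = iface
    return timeline


def outage_demo():
    """Constructed input: 5 good replies, a 10-probe outage, then recovery."""
    replies = [True] * 5 + [False] * 10 + [True] * 45
    return simulate(replies)


if __name__ == "__main__":
    for t, iface in outage_demo():
        print(f"t={t:>3}s default route via {iface}")
```

With "fail 3 pass 40" and a 3-second period, the route moves to the backup on the third consecutive miss and returns only after 40 consecutive replies, which is why the suggested config fails over quickly but fails back slowly.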
Okay here it is (Also, clicking through I see that both eth 0/1 and 0/2 have the "primary" as the address type in the Media Gateway section, don't know if that makes a difference)
A side note for anyone using this guide in the future, I tried some of the commands, and they said invalid command. I have to run the "enable" command to enable those commands
ADM>sh track
Track primary-track:
Current State: PASS (Admin: UP)
Testing:
(NO TESTS)
Dampening Interval: 1 seconds
Time in current state: 4 days, 0 hours, 4 minutes, 16 seconds
Track State Changes: 0
Tracking:
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip access-list extended NAT-primary
permit ip any any
ADM>sh probe
Probe primary-probe:
Current State: FAIL Admin. Status: UP
Type: ICMP Echo Period: 3 sec Timeout: 5 msec
Source: 192.168.0.2 Destination: 8.8.8.8
Data size: 0
Tracked by: Nothing
Tests Run: 972273 Failed: 972271
Tolerance: 0 consecutive successes currently, 40 needed to PASS
Time in current state: 4 days, 0 hours, 4 minutes, 41 seconds
ADM>sh ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
E1 - OSPF external type 1, E2 - OSPF external type 2
IA - OSPF inter area
Gateway of last resort is 192.168.0.1 eth 0/1
S 0.0.0.0/0 [1/1/0] via 192.168.0.1, eth 0/1
C 10.10.10.0/24 is directly connected, vlan 1
C 192.168.0.0/24 is directly connected, eth 0/1
C 192.168.11.0/24 is directly connected, eth 0/2
ADM>sh int eth 0/1
eth 0/1 is UP, line protocol is UP
Description: Primary
Hardware address is 00:A0:C8:48:94:0F
Ip address is 192.168.0.2, netmask is 255.255.255.0
IP MTU is 1500 bytes
BW is 100000 Kbit
100Mb/s, negotiated full-duplex, configured full-duplex
ARP type: ARPA; ARP timeout is 20 minutes
Last clearing of "show interface" counters: never
5 minute input rate 3344 bits/sec, 4 packets/sec
5 minute output rate 864 bits/sec, 2 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
1677939 packets input, 288828936 bytes
1270783 unicasts, 307240 broadcasts, 99916 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
1 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 1 crc errors
1337074 packets output, 98321443 bytes
1324603 unicasts, 834 broadcasts, 11637 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
ADM>sh int eth 0/2
eth 0/2 is UP, line protocol is UP
Description: Backup
Hardware address is 00:A0:C8:48:94:10
Internet address is 192.168.11.32, netmask is 255.255.255.0 (via DHCP)
IP MTU is 1500 bytes
BW is 100000 Kbit
100Mb/s, negotiated full-duplex, configured full-duplex
ARP type: ARPA; ARP timeout is 20 minutes
Last clearing of "show interface" counters: never
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 64 bits/sec, 0 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
9 packets input, 2130 bytes
6 unicasts, 3 broadcasts, 0 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
0 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 0 crc errors
42916 packets output, 1949121 bytes
42799 unicasts, 7 broadcasts, 110 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
ADM#sh ip policy-session
Src Vrf (if not default), Src policy class:
Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class
Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port
--------------- -------- --------------- -------- ----------------- --------
Policy class "Private":
icmp (53) -> Public-primary
10.10.10.4 25759 8.8.4.4 25759 s 192.168.0.2 25759
udp (46) -> Public-primary
10.10.10.4 53931 8.8.8.8 53 s 192.168.0.2 53931
udp (53) -> Public-primary
10.10.10.4 56609 8.8.8.8 53 s 192.168.0.2 56609
udp (39) -> Public-primary
10.10.10.4 63978 8.8.8.8 53 s 192.168.0.2 63978
tcp (600) -> self
10.10.10.4 59089 10.10.10.1 23
udp (53) -> self
10.10.10.4 5353 10.10.10.1 5351
udp (53) -> self
10.10.10.4 61697 10.10.10.1 1900
tcp (474) -> Public-primary
10.10.10.4 59342 17.149.36.104 5223 s 192.168.0.2 1038
tcp (544) -> Public-primary
10.10.10.4 59380 37.221.194.97 9911 s 192.168.0.2 1066
tcp (593) -> Public-primary
10.10.10.4 59476 46.37.22.20 8333 s 192.168.0.2 1135
tcp (544) -> Public-primary
10.10.10.4 59423 50.57.128.122 9911 s 192.168.0.2 1095
tcp (13) -> Public-primary
10.10.10.4 59455 54.227.107.222 9911 s 192.168.0.2 1172
tcp (586) -> Public-primary
10.10.10.4 59400 64.74.103.177 443 s 192.168.0.2 1077
tcp (544) -> Public-primary
10.10.10.4 59471 64.206.181.54 9911 s 192.168.0.2 1131
tcp (579) -> Public-primary
10.10.10.4 59460 74.125.193.189 443 s 192.168.0.2 1123
tcp (502) -> Public-primary
10.10.10.4 59417 74.125.225.169 80 s 192.168.0.2 1092
tcp (572) -> Public-primary
10.10.10.4 59433 74.125.225.189 443 s 192.168.0.2 1104
tcp (502) -> Public-primary
10.10.10.4 59416 74.125.225.206 80 s 192.168.0.2 1091
tcp (551) -> Public-primary
10.10.10.4 59405 74.125.225.207 443 s 192.168.0.2 1082
tcp (593) -> Public-primary
10.10.10.4 59431 74.125.225.213 443 s 192.168.0.2 1102
tcp (6) -> Public-primary
10.10.10.4 59440 78.31.106.19 9911 s 192.168.0.2 1162
tcp (544) -> Public-primary
10.10.10.4 59379 91.156.102.128 9911 s 192.168.0.2 1065
tcp (537) -> Public-primary
10.10.10.4 59478 91.190.218.54 12350 s 192.168.0.2 1136
tcp (572) -> Public-primary
10.10.10.4 59438 106.187.48.6 9911 s 192.168.0.2 1107
tcp (565) -> Public-primary
10.10.10.4 59340 108.160.162.116 80 s 192.168.0.2 1036
tcp (572) -> Public-primary
10.10.10.4 59341 108.160.163.46 80 s 192.168.0.2 1037
tcp (586) -> Public-primary
10.10.10.4 59437 111.93.187.74 9911 s 192.168.0.2 1105
tcp (586) -> Public-primary
10.10.10.4 59352 134.170.24.158 443 s 192.168.0.2 1048
tcp (593) -> Public-primary
10.10.10.4 59368 144.76.60.229 80 s 192.168.0.2 1060
tcp (572) -> Public-primary
10.10.10.4 59344 157.55.130.154 40028 s 192.168.0.2 1040
tcp (572) -> Public-primary
10.10.10.4 59378 173.230.155.65 9911 s 192.168.0.2 1064
tcp (544) -> Public-primary
10.10.10.4 59421 184.106.170.17 9911 s 192.168.0.2 1093
tcp (6) -> Public-primary
10.10.10.4 59497 192.168.1.39 6690 s 192.168.0.2 1163
tcp (6) -> Public-primary
10.10.10.4 59445 192.168.50.1 443 s 192.168.0.2 1165
tcp (6) -> Public-primary
10.10.10.4 59446 192.168.50.1 443 s 192.168.0.2 1164
tcp (6) -> Public-primary
10.10.10.4 59447 192.168.50.1 443 s 192.168.0.2 1167
tcp (6) -> Public-primary
10.10.10.4 59448 192.168.50.1 443 s 192.168.0.2 1166
tcp (6) -> Public-primary
10.10.10.4 59450 192.168.50.1 443 s 192.168.0.2 1169
tcp (6) -> Public-primary
10.10.10.4 59451 192.168.50.1 443 s 192.168.0.2 1168
tcp (6) -> Public-primary
10.10.10.4 59452 192.168.50.1 443 s 192.168.0.2 1171
tcp (6) -> Public-primary
10.10.10.4 59453 192.168.50.1 443 s 192.168.0.2 1170
tcp (13) -> Public-primary
10.10.10.4 59462 192.168.50.1 443 s 192.168.0.2 1179
tcp (13) -> Public-primary
10.10.10.4 59463 192.168.50.1 443 s 192.168.0.2 1180
tcp (13) -> Public-primary
10.10.10.4 59466 192.168.50.1 443 s 192.168.0.2 1181
tcp (20) -> Public-primary
10.10.10.4 59469 192.168.50.1 443 s 192.168.0.2 1184
tcp (13) -> Public-primary
10.10.10.4 59516 192.168.50.1 443 s 192.168.0.2 1175
tcp (13) -> Public-primary
10.10.10.4 59517 192.168.50.1 443 s 192.168.0.2 1176
tcp (13) -> Public-primary
10.10.10.4 59518 192.168.50.1 443 s 192.168.0.2 1177
tcp (13) -> Public-primary
10.10.10.4 59519 192.168.50.1 443 s 192.168.0.2 1178
tcp (13) -> Public-primary
10.10.10.4 59523 192.168.50.1 443 s 192.168.0.2 1182
tcp (13) -> Public-primary
10.10.10.4 59524 192.168.50.1 443 s 192.168.0.2 1183
tcp (20) -> Public-primary
10.10.10.4 59525 192.168.50.1 443 s 192.168.0.2 1185
tcp (20) -> Public-primary
10.10.10.4 59526 192.168.50.1 443 s 192.168.0.2 1186
tcp (600) -> Public-primary
10.10.10.4 59454 201.8.193.233 8333 s 192.168.0.2 1120
tcp (13) -> Public-primary
10.10.10.4 59515 223.21.223.107 8333 s 192.168.0.2 1174
Policy class "self":
icmp (60) -> Public-primary
192.168.0.2 1 8.8.8.8 1
ADM#
2013.09.09 15:00:02 FIREWALL id=firewall time="2013-09-09 15:00:02" fw=ADM pri=1 rule=4 proto=https src=10.10.10.4 dst=192.168.50.1 msg="Zero bytes transferred for connection Src 59516 Dst 443 from Private policy-class on interface vlan 1" agent=AdFirewall
Okay, primary unplugged, rerun of tests:
ADM#sh track
Track primary-track:
Current State: PASS (Admin: UP)
Testing:
(NO TESTS)
Dampening Interval: 1 seconds
Time in current state: 4 days, 0 hours, 17 minutes, 47 seconds
Track State Changes: 0
Tracking:
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip access-list extended NAT-primary
permit ip any any
ADM#sh probe
Probe primary-probe:
Current State: FAIL Admin. Status: UP
Type: ICMP Echo Period: 3 sec Timeout: 5 msec
Source: 192.168.0.2 Destination: 8.8.8.8
Data size: 0
Tracked by: Nothing
Tests Run: 1067791 Failed: 1067789
Tolerance: 0 consecutive successes currently, 40 needed to PASS
Time in current state: 4 days, 0 hours, 18 minutes, 28 seconds
ADM#sh ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
E1 - OSPF external type 1, E2 - OSPF external type 2
IA - OSPF inter area
Gateway of last resort is 192.168.11.2 eth 0/2
S 0.0.0.0/0 [100/1/0] via 192.168.11.2, eth 0/2
C 10.10.10.0/24 is directly connected, vlan 1
C 192.168.11.0/24 is directly connected, eth 0/2
ADM#sh int eth 0/1
eth 0/1 is DOWN, line protocol is DOWN
Description: Primary
Hardware address is 00:A0:C8:48:94:0F
Ip address is 192.168.0.2, netmask is 255.255.255.0
IP MTU is 1500 bytes
BW is 0 Kbit
?b/s, negotiated ? duplex, configured full-duplex
ARP type: ARPA; ARP timeout is 20 minutes
Last clearing of "show interface" counters: never
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
1681894 packets input, 290714006 bytes
1274286 unicasts, 307573 broadcasts, 100035 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
1 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 1 crc errors
1341219 packets output, 98894081 bytes
1328683 unicasts, 890 broadcasts, 11646 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
ADM#sh int eth 0/2
eth 0/2 is UP, line protocol is UP
Description: Backup
Hardware address is 00:A0:C8:48:94:10
Internet address is 192.168.11.32, netmask is 255.255.255.0 (via DHCP)
IP MTU is 1500 bytes
BW is 100000 Kbit
100Mb/s, negotiated full-duplex, configured full-duplex
ARP type: ARPA; ARP timeout is 20 minutes
Last clearing of "show interface" counters: never
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 82976 bits/sec, 226 packets/sec
Queueing method: fifo
Output queue: 0/256/0 (size/max total/drops)
Interface Shaper: NOT ENABLED
10 packets input, 2190 bytes
7 unicasts, 3 broadcasts, 0 multicasts input
0 unknown protocol, 0 symbol errors, 0 discards
0 input errors, 0 runts, 0 giants
0 no buffer, 0 overruns, 0 internal receive errors
0 alignment errors, 0 crc errors
164403 packets output, 7444314 bytes
164258 unicasts, 8 broadcasts, 137 multicasts output
0 output errors, 0 deferred, 0 discards
0 single, 0 multiple, 0 late collisions
0 excessive collisions, 0 underruns
0 internal transmit errors, 0 carrier sense errors
0 resets, 0 throttles
ADM#sh ip policy-session
Src Vrf (if not default), Src policy class:
Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class
Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port
--------------- -------- --------------- -------- ----------------- --------
Policy class "Private":
icmp (60) -> Public-backup
10.10.10.4 43167 8.8.4.4 43167 s 192.168.0.2 43167
udp (60) -> Public-backup
10.10.10.4 51595 8.8.4.4 53 s 192.168.0.2 1311
udp (60) -> Public-backup
10.10.10.4 51614 8.8.4.4 53 s 192.168.0.2 1313
udp (11) -> Public-backup
10.10.10.4 51807 8.8.4.4 53 s 192.168.0.2 51807
udp (39) -> Public-backup
10.10.10.4 53365 8.8.4.4 53 s 192.168.0.2 53365
udp (18) -> Public-backup
10.10.10.4 54709 8.8.4.4 53 s 192.168.0.2 1308
udp (60) -> Public-backup
10.10.10.4 57962 8.8.4.4 53 s 192.168.0.2 57962
udp (11) -> Public-backup
10.10.10.4 63070 8.8.4.4 53 s 192.168.0.2 63070
udp (46) -> Public-backup
10.10.10.4 63451 8.8.4.4 53 s 192.168.0.2 63451
udp (60) -> Public-backup
10.10.10.4 63993 8.8.4.4 53 s 192.168.0.2 1312
udp (53) -> Public-backup
10.10.10.4 51595 8.8.8.8 53 s 192.168.0.2 51595
udp (53) -> Public-backup
10.10.10.4 51614 8.8.8.8 53 s 192.168.0.2 51614
udp (39) -> Public-backup
10.10.10.4 51807 8.8.8.8 53 s 192.168.0.2 1307
udp (32) -> Public-backup
10.10.10.4 53365 8.8.8.8 53 s 192.168.0.2 1309
udp (32) -> Public-backup
10.10.10.4 63451 8.8.8.8 53 s 192.168.0.2 1310
udp (53) -> Public-backup
10.10.10.4 63993 8.8.8.8 53 s 192.168.0.2 63993
tcp (600) -> self
10.10.10.4 59089 10.10.10.1 23
tcp (6) -> Public-backup
10.10.10.4 60803 23.20.77.213 9911 s 192.168.0.2 60803
tcp (19) -> Public-primary
10.10.10.4 59380 37.221.194.97 9911 s 192.168.0.2 1066
tcp (593) -> Public-primary
10.10.10.4 59476 46.37.22.20 8333 s 192.168.0.2 1135
tcp (13) -> Public-backup
10.10.10.4 61024 54.200.18.186 9911 s 192.168.0.2 61024
tcp (13) -> Public-backup
10.10.10.4 60816 58.69.101.41 9911 s 192.168.0.2 60816
tcp (6) -> Public-backup
10.10.10.4 60993 64.4.23.165 80 s 192.168.0.2 60993
tcp (544) -> Public-primary
10.10.10.4 59544 67.9.89.138 8333 s 192.168.0.2 1198
tcp (6) -> Public-backup
10.10.10.4 60995 79.233.140.67 8333 s 192.168.0.2 60995
tcp (20) -> Public-backup
10.10.10.4 60937 81.169.167.53 9911 s 192.168.0.2 60937
tcp (13) -> Public-backup
10.10.10.4 61011 84.255.204.25 9911 s 192.168.0.2 61011
tcp (20) -> Public-backup
10.10.10.4 60983 89.235.159.62 9911 s 192.168.0.2 60983
tcp (13) -> Public-backup
10.10.10.4 60840 91.190.218.54 12350 s 192.168.0.2 60840
tcp (20) -> Public-backup
10.10.10.4 60845 91.190.218.54 443 s 192.168.0.2 60845
tcp (20) -> Public-backup
10.10.10.4 60850 91.190.218.54 80 s 192.168.0.2 60850
tcp (6) -> Public-backup
10.10.10.4 60994 91.210.235.78 9911 s 192.168.0.2 60994
tcp (6) -> Public-backup
10.10.10.4 61007 111.221.74.18 33033 s 192.168.0.2 61007
tcp (13) -> Public-backup
10.10.10.4 61013 111.221.74.18 443 s 192.168.0.2 61013
tcp (13) -> Public-backup
10.10.10.4 61019 111.221.74.18 80 s 192.168.0.2 61019
tcp (13) -> Public-backup
10.10.10.4 61012 128.175.89.92 8333 s 192.168.0.2 61012
tcp (6) -> Public-backup
10.10.10.4 60992 157.55.130.146 40018 s 192.168.0.2 60992
tcp (6) -> Public-backup
10.10.10.4 60996 157.55.130.146 443 s 192.168.0.2 60996
tcp (6) -> Public-backup
10.10.10.4 60999 157.55.130.146 80 s 192.168.0.2 60999
tcp (13) -> Public-backup
10.10.10.4 60835 183.64.239.21 9911 s 192.168.0.2 60835
udp (46) -> Public-backup
10.10.10.4 53709 192.168.0.12 161 s 192.168.0.2 53709
tcp (13) -> Public-backup
10.10.10.4 61014 192.168.50.1 443 s 192.168.0.2 61014
tcp (13) -> Public-backup
10.10.10.4 61015 192.168.50.1 443 s 192.168.0.2 61015
tcp (6) -> Public-backup
10.10.10.4 60947 192.241.186.111 9911 s 192.168.0.2 60947
tcp (13) -> Public-backup
10.10.10.4 61025 199.71.213.209 8333 s 192.168.0.2 61025
tcp (6) -> Public-backup
10.10.10.4 60811 204.93.75.136 443 s 192.168.0.2 60811
tcp (6) -> Public-backup
10.10.10.4 60812 204.93.75.136 443 s 192.168.0.2 60812
tcp (6) -> Public-backup
10.10.10.4 60813 204.93.75.136 443 s 192.168.0.2 60813
tcp (6) -> Public-backup
10.10.10.4 60814 204.93.75.136 443 s 192.168.0.2 60814
tcp (13) -> Public-backup
10.10.10.4 60817 204.93.75.136 443 s 192.168.0.2 60817
tcp (13) -> Public-backup
10.10.10.4 60818 204.93.75.136 443 s 192.168.0.2 60818
tcp (13) -> Public-backup
10.10.10.4 60829 204.93.75.136 443 s 192.168.0.2 60829
tcp (13) -> Public-backup
10.10.10.4 60830 204.93.75.136 443 s 192.168.0.2 60830
tcp (13) -> Public-backup
10.10.10.4 60831 204.93.75.136 443 s 192.168.0.2 60831
tcp (13) -> Public-backup
10.10.10.4 60832 204.93.75.136 443 s 192.168.0.2 60832
tcp (20) -> Public-backup
10.10.10.4 60847 204.93.75.136 443 s 192.168.0.2 60847
tcp (20) -> Public-backup
10.10.10.4 60848 204.93.75.136 443 s 192.168.0.2 60848
tcp (6) -> Public-backup
10.10.10.4 60942 204.93.75.136 443 s 192.168.0.2 60942
tcp (6) -> Public-backup
10.10.10.4 60943 204.93.75.136 443 s 192.168.0.2 60943
tcp (6) -> Public-backup
10.10.10.4 60944 204.93.75.136 443 s 192.168.0.2 60944
tcp (6) -> Public-backup
10.10.10.4 60945 204.93.75.136 443 s 192.168.0.2 60945
tcp (13) -> Public-backup
10.10.10.4 60952 204.93.75.136 443 s 192.168.0.2 60952
tcp (13) -> Public-backup
10.10.10.4 60953 204.93.75.136 443 s 192.168.0.2 60953
tcp (13) -> Public-backup
10.10.10.4 60960 204.93.75.136 443 s 192.168.0.2 60960
tcp (13) -> Public-backup
10.10.10.4 60961 204.93.75.136 443 s 192.168.0.2 60961
tcp (13) -> Public-backup
10.10.10.4 60962 204.93.75.136 443 s 192.168.0.2 60962
tcp (13) -> Public-backup
10.10.10.4 60963 204.93.75.136 443 s 192.168.0.2 60963
tcp (13) -> Public-backup
10.10.10.4 60970 204.93.75.136 443 s 192.168.0.2 60970
tcp (13) -> Public-backup
10.10.10.4 60971 204.93.75.136 443 s 192.168.0.2 60971
tcp (20) -> Public-backup
10.10.10.4 60979 204.93.75.136 443 s 192.168.0.2 60979
tcp (20) -> Public-backup
10.10.10.4 60980 204.93.75.136 443 s 192.168.0.2 60980
tcp (6) -> Public-backup
10.10.10.4 60997 204.93.75.136 443 s 192.168.0.2 60997
tcp (6) -> Public-backup
10.10.10.4 60998 204.93.75.136 443 s 192.168.0.2 60998
tcp (6) -> Public-backup
10.10.10.4 61000 204.93.75.136 443 s 192.168.0.2 61000
tcp (6) -> Public-backup
10.10.10.4 61001 204.93.75.136 443 s 192.168.0.2 61001
tcp (6) -> Public-backup
10.10.10.4 61020 204.93.75.136 443 s 192.168.0.2 61020
tcp (6) -> Public-backup
10.10.10.4 61021 204.93.75.136 443 s 192.168.0.2 61021
tcp (6) -> Public-backup
10.10.10.4 61022 204.93.75.136 443 s 192.168.0.2 61022
tcp (6) -> Public-backup
10.10.10.4 61023 204.93.75.136 443 s 192.168.0.2 61023
tcp (13) -> Public-backup
10.10.10.4 61026 204.93.75.136 443 s 192.168.0.2 61026
tcp (13) -> Public-backup
10.10.10.4 61027 204.93.75.136 443 s 192.168.0.2 61027
tcp (13) -> Public-backup
10.10.10.4 61031 204.93.75.136 443 s 192.168.0.2 61031
tcp (13) -> Public-backup
10.10.10.4 61032 204.93.75.136 443 s 192.168.0.2 61032
tcp (13) -> Public-backup
10.10.10.4 61033 204.93.75.136 443 s 192.168.0.2 61033
tcp (13) -> Public-backup
10.10.10.4 61034 204.93.75.136 443 s 192.168.0.2 61034
tcp (20) -> Public-backup
10.10.10.4 61037 204.93.75.136 443 s 192.168.0.2 61037
tcp (20) -> Public-backup
10.10.10.4 61038 204.93.75.136 443 s 192.168.0.2 61038
tcp (6) -> Public-backup
10.10.10.4 60965 210.45.121.32 9911 s 192.168.0.2 60965
tcp (6) -> Public-backup
10.10.10.4 61008 213.199.179.145 443 s 192.168.0.2 61008
tcp (6) -> Public-backup
10.10.10.4 61016 213.199.179.145 80 s 192.168.0.2 61016
tcp (6) -> Public-backup
10.10.10.4 61010 213.199.179.149 443 s 192.168.0.2 61010
tcp (6) -> Public-backup
10.10.10.4 61018 213.199.179.149 80 s 192.168.0.2 61018
tcp (6) -> Public-backup
10.10.10.4 61009 213.199.179.154 443 s 192.168.0.2 61009
tcp (6) -> Public-backup
10.10.10.4 61017 213.199.179.154 80 s 192.168.0.2 61017
Policy class "self":
icmp (60) -> Public-backup
192.168.0.2 1 8.8.8.8 1
And it keeps echoing this
ADM#
2013.09.09 15:10:53 FIREWALL id=firewall time="2013-09-09 15:10:53" fw=ADM pri=1 rule=4 proto=https src=10.10.10.4 dst=204.93.75.136 msg="Zero bytes transferred for connection Src 60856 Dst 443 from Private policy-class on interface vlan 1" agent=AdFirewall
2013.09.09 15:11:21 FIREWALL id=firewall time="2013-09-09 15:11:21" fw=ADM pri=1 rule=4 proto=9911/tcp src=10.10.10.4 dst=202.99.230.232 msg="Zero bytes transferred for connection Src 60915 Dst 9911 from Private policy-class on interface vlan 1" agent=AdFirewall
OK, on your first set of data with the eth 0/1 link connected, your Internet connection is broken or misconfigured. Note where you have:
ADM>sh probe
Probe primary-probe:
Current State: FAIL Admin. Status: UP
Type: ICMP Echo Period: 3 sec Timeout: 5 msec
Source: 192.168.0.2 Destination: 8.8.8.8
Data size: 0
Tracked by: Nothing
Tests Run: 972273 Failed: 972271
Your pings from the primary interface are failing. You indicated that this was a static IP. In your configs you are using 192.168.0.2 with a gateway of 192.168.0.1. These are private IPs not found directly on the Internet. They're used for private networks or behind a NAT. So the first thing to do is to fix the primary connection. If you're getting a true static IP from your ISP, it won't begin with any of the following:
So you'll need to fix that and get the probe to succeed with eth 0/1 connected. Everywhere in the config where you have 192.168.0.2 replace it with the static IP from your ISP. Everywhere you have 192.168.0.1 substitute the gateway from your ISP.
Second, your track isn't tracking the probe. You have:
ADM>sh track
Track primary-track:
Current State: PASS (Admin: UP)
Testing:
(NO TESTS)
Dampening Interval: 1 seconds
See the "(NO TESTS)"? Your track should be testing the probe. Does your configuration look like:
!
track primary-track
test if primary-probe
no shutdown
Let us know when you get the probe to succeed and the track to track it. At this point you should be able to get to the Internet with the primary connection and you can then unplug it and continue testing the backup.
Doing a NAT (to 10.10.10.x) from behind another NAT (192.168.0.2 is a NAT or private address) is something you really want to avoid, especially if there are SIP devices involved.
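Added example, not part of any post in this thread and not Adtran tooling: a Python sketch that runs the checks from the reply above over pasted "sh probe" / "sh track" output, flagging a failing probe, a private source address, a probe nothing tracks, and a track with no tests. The function names and finding labels are made up for illustration, and the output layout is assumed to match what is quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: the first "sh probe" / "sh track" output quoted in the thread.
SAMPLE = """\
Probe primary-probe:
Current State: FAIL Admin. Status: UP
Type: ICMP Echo Period: 3 sec Timeout: 5 msec
Source: 192.168.0.2 Destination: 8.8.8.8
Tracked by: Nothing
Track primary-track:
Current State: PASS (Admin: UP)
Testing:
(NO TESTS)
"""

HEADER = re.compile(r"\s*(Probe|Track) (\S+):\s*$")

def parse_blocks(text):
    """Group lines under each 'Probe <name>:' / 'Track <name>:' header."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = blocks.setdefault((m.group(1).lower(), m.group(2)), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def is_private(addr):
    """True for private (NAT-side) addresses; False if the text is not an IP."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def audit(text):
    """Return (name, issue) pairs; the issue labels are illustrative only."""
    findings = []
    for (kind, name), lines in parse_blocks(text).items():
        body = "\n".join(lines)
        if kind == "probe":
            if re.search(r"Current State: FAIL\b", body):
                findings.append((name, "probe-failing"))
            src = re.search(r"Source: (\S+)", body)
            if src and is_private(src.group(1)):
                findings.append((name, "private-source"))
            if "Tracked by: Nothing" in body:
                findings.append((name, "probe-untracked"))
        elif "(NO TESTS)" in lines:
            # A track with no tests still shows PASS, so it never reacts to the probe.
            findings.append((name, "track-no-tests"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```
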
Okay!
Got the static IP up, running beautifully, sh probe is working wonderfully:
sh probe
Probe primary-probe:
Current State: PASS Admin. Status: UP
Type: ICMP Echo Period: 3 sec Timeout: 500 msec
Source: 50.198.18.173 Destination: 8.8.8.8
Data size: 0
Tracked by: Nothing
Tests Run: 543 Failed: 226
Tolerance: 0 consecutive failures currently, 2 needed to FAIL
Time in current state: 0 days, 0 hours, 9 minutes, 23 seconds
(The fails are when I unplugged it)
The problem is the sh track, not working still
ADM#sh track
Track primary-track:
Current State: PASS (Admin: UP)
Testing:
(NO TESTS)
Dampening Interval: 1 seconds
Time in current state: 0 days, 0 hours, 18 minutes, 32 seconds
Track State Changes: 0
Tracking:
ip route 0.0.0.0 0.0.0.0 50.198.18.173
ip access-list extended NAT-primary
permit ip any any
It's currently in my system as:
!
probe primary-probe icmp-echo
destination 8.8.8.8
period 3
timeout 500
source-address 50.198.18.173
tolerance consecutive fail 2 pass 40
no shutdown
!
track primary-track
test if primary-probe
no shutdown
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
(I also tried it with an extra ! added above and another below. I don't know what the ! do)
Getting so close! Thank you!
Strange. According to the configuration, the track should be monitoring the probe.
See if a reboot fixes it. Write mem, then reload from the enabled mode. If that doesn't fix it, try shutting down the track and re-enabling it.
enable
config t
track primary-track
shutdown
no shutdown
Then do a "show track" and see if it is now testing the probe.
If this doesn't fix it, try removing the track completely and then re-add it. If you do this you might need to redo the other statements that reference the track.
enable
config t
no track primary-track
track primary-track
test if primary-probe
no shutdown
end
With the Adtran CLI it is normal that most commands will fail unless you are in the enable mode. You can tell what mode you are in by the prompt:
prompt> initial (disabled) mode - limited show commands and non-intrusive tests.
prompt# enable mode, allows rebooting, saving, all commands, entry to configuration.
prompt(config)# global configuration mode - allows commands to configure system-wide parameters
prompt(config-foo)# subsection configuration mode - allows commands to configure item "foo" (interface, track, etc.)
An exclamation point "!" indicates a comment. Anything on that line beyond it is ignored, including the "!" itself. Written configurations generated by the device often have multiple blank lines with just a "!" to separate sections for human reading.
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor