listed1st
New Contributor II

Need to commission someone to configure Adtran 3448 for failover

I have an adtran 3448, I've got it set up, but I'm unable to comprehend the guide to create a failover.

2 DHCP connections through eth 0/1 and 0/2

Eth 0/1 is primary, eth 0/2 is backup

I would need to ping 8.8.8.8 to show that it's up

Here's my complete config, I need a complete config I can just copy and paste (I know how to do that lol) Contact me and let me know what you would charge? Thanks!

!

!

! ADTRAN, Inc. OS version R10.9.0

! Boot ROM version 13.03.00.SB

! Platform: NetVanta 3448, part number 1200821E1

! Serial number **************

!

!

hostname "ADM"

enable password password

!

clock timezone -6-Central-Time

!

ip subnet-zero

ip classless

ip routing

ipv6 unicast-routing

!

!

domain-proxy

name-server 8.8.8.8 4.2.2.2

!

!

no auto-config

!

event-history on

no logging forwarding

no logging email

!

no service password-encryption

!

username "admin" password "password"

!

banner motd #

Authorized access only. #

!

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

no ip firewall alg sip

!

!

!

!

!

!

!

!

!

!

!

no dot11ap access-point-control

!

!

!

!

!

!

!

!

ip dhcp pool "LANPool"

  network 10.10.10.0 255.255.255.0

  dns-server 8.8.8.8 4.2.2.2 3.3.3.3 5.5.5.5

  default-router 10.10.10.1

  ntp-server 199.36.250.70

!

!

!

!

!

!

!

!

!

!

!

!

vlan 1

  name "Default"

!

!

!

no ethernet cfm

!

interface eth 0/1

  description Primary

  ip address dhcp

  ip mtu 1500

  ip access-policy Public

  media-gateway ip primary

  no awcp

  no shutdown

!

!

interface eth 0/2

  description Backup

  ip address dhcp

  ip mtu 1500

  ip access-policy Public

  no shutdown

!

!

!

interface switchport 0/1

  no shutdown

!

interface switchport 0/2

  no shutdown

!

interface switchport 0/3

  no shutdown

!

interface switchport 0/4

  no shutdown

!

interface switchport 0/5

  no shutdown

!

interface switchport 0/6

  no shutdown

!

interface switchport 0/7

  no shutdown

!

interface switchport 0/8

  no shutdown

!

!

!

interface vlan 1

  ip address  10.10.10.1  255.255.255.0

  ip access-policy Private

  no shutdown

!

!

!

!

!

!

!

ip access-list standard NAT

  permit any

!

ip access-list standard wizard-ics

  remark Internet Connection Sharing

  permit any

!

!

ip access-list extended acleth0/1QosWizSignal21

  permit udp any  any eq 5060  

  permit tcp any  any eq 5060 

!

ip access-list extended DstAdptRTP

  permit udp any  any range 19560 24560    log

!

ip access-list extended DstAdptSIP

  permit udp any  any range 8933 8950    log

!

ip access-list extended PrivateSelf

  permit ip any  any     log

!

ip access-list extended self

  remark Traffic to NetVanta

  permit ip any  any     log

!

ip access-list extended SrcAdptRTP

  permit udp any range 19560 24560 any     log

!

ip access-list extended SrcAdptSIP

  permit udp any range 8933 8950 any     log

!

ip access-list extended wizard-pfwd-1

  remark Port Forward 1

  permit tcp any  host 192.168.0.43 eq www   log

!

!

!

!

ip policy-class Private

  allow list self self

  nat source list wizard-ics interface eth 0/2 overload

!

ip policy-class Public

  nat destination list wizard-pfwd-1 address 10.10.10.201

!

!

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

!

!

!

!

!

!

!

!

sip udp 5060

sip tcp 5060

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

no ip rtp firewall-traversal

!

line con 0

  login

!

line telnet 0 4

  login

  no shutdown

line ssh 0 4

  login local-userlist

  line-timeout 120

  no shutdown

!

sntp server north-america.pool.ntp.org

!

!

!

!

!

!

end

12 Replies
jayh
Honored Contributor

Re: Need to commission someone to configure Adtran 3448 for failover

This is a tough one, primarily because your primary connection is DHCP.

In trying to construct a probe that will succeed if 8.8.8.8 is reachable from the primary WAN but NOT succeed if it is reachable from the secondary, I ran into what seems to be an inconsistency in the way AOS handles self-sourced packets.

The first problem is in constructing the probe.

probe primary-probe icmp-echo
  destination 8.8.8.8
  period 3
  timeout 500
  tolerance consecutive fail 3 pass 3
  no shutdown


With "Brand C" I would add the configuration

  source-interface eth 0/1

which would source the pings from the source interface.  That option isn't available in AOS, only source-address. But because it's DHCP we don't know a source address at configuration time.

So then I tried an access policy on the secondary to block pings to 8.8.8.8 so that the probe would only succeed from the primary.

ip access-list extended no-primary-list
  deny   icmp host 8.8.8.8  any
  deny   icmp any host 8.8.8.8
  permit ip any any

Then I applied this to the backup interface policy.

ip policy-class Public-bkup
  allow list no-primary-list self

interface eth 0/2
  ip address dhcp 100
  ip access-policy Public-bkup
  no shutdown

But, the probe still succeeded when the primary went down.

Then I tried a route-map.

ip access-list extended local-test-list
  permit icmp any  host 8.8.8.8
!
route-map local-primary-map permit 10
  match ip address local-test-list
  set interface eth 0/1
!
ip local policy route-map local-primary-map


Traffic STILL went out the backup interface and caused the probe to succeed when the primary was down.


This would be a trivial problem if any of the following were possible:

  • The primary connection is a static IP and not DHCP
  • The primary is DHCP within a known pool with a known gateway - in which case we would probe the gateway and not 8.8.8.8
  • Adtran gave us the source-interface command on probes
  • route-maps and ACLs were applied to self-generated probes
  • I stop doing something stupid and there's another way to make this work.

I am very curious if anyone has solved this specific problem - detect reachability failure of a DHCP primary connection where the physical interface stays up and the gateway isn't known.

Another issue, once this one is solved - continue to probe a remote host via the primary even if the default route flips to the secondary.  A route-map should solve this but a local route map should also fix the other issue.

My tests were on a TA900e running R10.5.3 but the same logic should apply to other devices.


listed1st
New Contributor II

Re: Need to commission someone to configure Adtran 3448 for failover

We can definitely make the primary a static. In fact, done. The static is 192.168.0.2

jayh
Honored Contributor

Re: Need to commission someone to configure Adtran 3448 for failover

Try this - may need some tweaks as I haven't tested it.

Assumption is that your gateway on the primary side is 192.168.0.1 with a /24 (255.255.255.0) mask. If not, change the 0.0.0.0/0 default route.

Changes to your config in bold italics.

Note that you are doing NAT behind a device that is already behind a NAT.  This isn't generally recommended, particularly with SIP involved.  You might want to redesign to avoid this. 

! ADTRAN, Inc. OS version R10.9.0

! Boot ROM version 13.03.00.SB

! Platform: NetVanta 3448, part number 1200821E1

! Serial number **************

!

!

hostname "ADM"

enable password password

!

clock timezone -6-Central-Time

!

ip subnet-zero

ip classless

ip routing

ipv6 unicast-routing

!

!

domain-proxy

name-server 8.8.8.8 4.2.2.2

!

!

no auto-config

!

event-history on

no logging forwarding

no logging email

!

no service password-encryption

!

username "admin" password "password"

!

banner motd #

Authorized access only. #

!

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

no ip firewall alg sip

!

probe primary-probe icmp-echo

  destination 8.8.8.8

  period 3

  timeout 500

  source-address 192.168.0.2

  tolerance consecutive fail 3 pass 40

  no shutdown

!

track primary-track

  test if primary-probe

  no shutdown

!

!

!

!

!

!

!

!

!

no dot11ap access-point-control

!

!

!

!

!

!

!

!

ip dhcp pool "LANPool"

  network 10.10.10.0 255.255.255.0

  dns-server 8.8.8.8 4.2.2.2 3.3.3.3 5.5.5.5

  default-router 10.10.10.1

  ntp-server 199.36.250.70

!

!

!

!

!

!

!

!

!

!

!

!

vlan 1

  name "Default"

!

!

!

no ethernet cfm

!

interface eth 0/1

  description Primary

  ip address 192.168.0.2 255.255.255.0

  ip mtu 1500

  ip access-policy Public-primary

  media-gateway ip primary

  no awcp

  no shutdown

!

!

interface eth 0/2

  description Backup

  ip address dhcp 100

  ip mtu 1500

  ip access-policy Public-backup

  media-gateway ip primary

  no shutdown

!

!

!

interface switchport 0/1

  no shutdown

!

interface switchport 0/2

  no shutdown

!

interface switchport 0/3

  no shutdown

!

interface switchport 0/4

  no shutdown

!

interface switchport 0/5

  no shutdown

!

interface switchport 0/6

  no shutdown

!

interface switchport 0/7

  no shutdown

!

interface switchport 0/8

  no shutdown

!

!

!

interface vlan 1

  ip address  10.10.10.1  255.255.255.0

  ip access-policy Private

  no shutdown

!

!

!

!

!

!

!

ip access-list extended NAT-primary

  permit ip any any track primary-track

!

ip access-list standard NAT-backup

  permit any

!

ip access-list standard wizard-ics

  remark Internet Connection Sharing

  permit any

!

!

ip access-list extended acleth0/1QosWizSignal21

  permit udp any  any eq 5060  

  permit tcp any  any eq 5060 

!

ip access-list extended DstAdptRTP

  permit udp any  any range 19560 24560    log

!

ip access-list extended DstAdptSIP

  permit udp any  any range 8933 8950    log

!

ip access-list extended PrivateSelf

  permit ip any  any     log

!

ip access-list extended self

  remark Traffic to NetVanta

  permit ip any  any     log

!

ip access-list extended SrcAdptRTP

  permit udp any range 19560 24560 any     log

!

ip access-list extended SrcAdptSIP

  permit udp any range 8933 8950 any     log

!

ip access-list extended wizard-pfwd-1

  remark Port Forward 1

  permit tcp any  host 192.168.0.43 eq www   log

!

!

!

!

ip policy-class Private

  allow list self self

  nat source list NAT-primary interface eth 0/1 overload

  nat source list NAT-backup interface eth 0/2 overload

!

ip policy-class Public-primary

  nat destination list wizard-pfwd-1 address 10.10.10.201

!

ip policy-class Public-backup

  nat destination list wizard-pfwd-1 address 10.10.10.201

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

ip firewall fast-nat-failover

!

ip route 0.0.0.0 0.0.0.0 192.168.0.1 track primary-track

!

!

!

!

!

!

sip udp 5060

sip tcp 5060

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

no ip rtp firewall-traversal

!

line con 0

  login

!

line telnet 0 4

  login

  no shutdown

line ssh 0 4

  login local-userlist

  line-timeout 120

  no shutdown

!

sntp server north-america.pool.ntp.org

!

!

!

!

!

!

end

listed1st
New Contributor II

Re: Need to commission someone to configure Adtran 3448 for failover

Hmm, doesn't seem to work.

What's interesting is when I unplug ETH0/1 the eth 0/2 light turns yellow.

I was reading a few points in the guide they gave:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCkQFjAA&url=https%3A%2F%2Fsupp...

Page 3 made mention of the route settings and having an administrative distance of 10 seconds

Then there was the segment of "Force the traffic out the correct interface"

thoughts?

listed1st
New Contributor II

Re: Need to commission someone to configure Adtran 3448 for failover

Hmm, doesn't seem to work.

What's interesting is when I unplug ETH0/1 the eth 0/2 light turns yellow.

I was reading a few points in the AOS Guide: "configure multiple wan connections is aos"

(I can't share the link, it drops my response in moderation status)

Page 3 made mention of the route settings and having an administrative distance of 10 seconds

Then there was the segment of "Force the traffic out the correct interface"

thoughts?

jayh
Honored Contributor

Re: Need to commission someone to configure Adtran 3448 for failover


listed1st wrote:

Hmm, doesn't seem to work.

What's interesting is when I unplug ETH0/1 the eth 0/2 light turns yellow.

Page 3 made mention of the route settings and having an administrative distance of 10 seconds

Then there was the segment of "Force the traffic out the correct interface"

thoughts?


Connect both circuits, wait two minutes, and capture the output of the following:

sh track

sh probe

sh ip route

sh int eth 0/1

sh int eth 0/2

Try, from a machine on the LAN, to ping 4.2.2.2 and then capture "sh ip policy-session"

Then unplug or shut down the primary connection, wait 30 seconds, and run all of the same tests.

Post results.

As to the guide setting administrative distance to 10 (it is just a number with no units), my configuration was similar except I specified 100.  Anything greater than 1 up to 254 is fine.  The idea is to make the backup route less favored (farther away, with a greater distance...)
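
A way to cross-check the "sh track" and "sh probe" captures requested above (an added example, not part of the original thread and not Adtran code): it reports a track that has no test bound, a probe that no track references, and a probe that is failing while an unrelated track still passes. The capture text is constructed for illustration; the "probe <name>" line under "Testing:" and the track name after "Tracked by:" are assumed layouts for the bound case.

```python
import re

# Constructed captures (not from a real device), laid out like AOS
# "show track" / "show probe" output. Names and counters are illustrative.
BROKEN_TRACK = """
Track primary-track:
  Current State: PASS     (Admin: UP)
  Testing:
    (NO TESTS)
  Dampening Interval: 1 seconds
  Track State Changes: 0
  Tracking:
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
"""
BROKEN_PROBE = """
Probe primary-probe:
  Current State: FAIL  Admin. Status: UP
  Type: ICMP Echo  Period: 3 sec  Timeout: 500 msec
  Source: 192.168.0.2  Destination: 8.8.8.8
  Tracked by: Nothing
  Tests Run: 1200  Failed: 1198
"""
# Assumed layout for a correctly bound probe (see lead-in).
BOUND_TRACK = BROKEN_TRACK.replace("(NO TESTS)", "probe primary-probe (PASS)")
BOUND_PROBE = (BROKEN_PROBE.replace("FAIL", "PASS")
               .replace("Nothing", "primary-track")
               .replace("Failed: 1198", "Failed: 2"))

PROBE_FIELDS = {
    "state": r"Current State: (\w+)",
    "tracked_by": r"Tracked by: (.+)$",
    "run": r"Tests Run: (\d+)",
    "failed": r"Failed: (\d+)",
}


def parse_tracks(text):
    """Return {name: {"state", "tests", "tracking"}} from "show track" output."""
    tracks, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # pasted captures often gain blank lines
        m = re.match(r"Track (\S+):$", line)
        if m:
            cur = tracks.setdefault(
                m.group(1), {"state": None, "tests": [], "tracking": []})
            section = None
        elif cur is None:
            continue  # prompt or banner before the first track
        elif line in ("Testing:", "Tracking:"):
            section = "tests" if line == "Testing:" else "tracking"
        elif line.startswith("Current State:"):
            cur["state"] = line.split(":", 1)[1].split()[0]
        elif re.match(r"[A-Z][\w ]*: ", line):
            section = None  # any other "Key: value" field ends a list
        elif section and line != "(NO TESTS)":
            cur[section].append(line)
    return tracks


def parse_probes(text):
    """Return {name: {field: value}} from "show probe" output."""
    probes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Probe (\S+):$", line)
        if m:
            cur = probes.setdefault(m.group(1), {})
        elif cur is not None:
            for key, pattern in PROBE_FIELDS.items():
                found = re.search(pattern, line)
                if found:
                    cur[key] = found.group(1)
    return probes


def check_failover(track_text, probe_text):
    """List inconsistencies between the track and probe captures."""
    tracks, probes = parse_tracks(track_text), parse_probes(probe_text)
    findings = []
    for name, t in tracks.items():
        if not t["tests"]:
            findings.append(f"track {name}: no tests bound (state {t['state']})")
    for name, p in probes.items():
        if p.get("tracked_by", "Nothing") == "Nothing":
            findings.append(f"probe {name}: not referenced by any track")
        if p.get("state") != "FAIL":
            continue
        for tname, t in tracks.items():
            bound = any(name in test for test in t["tests"])
            if t["state"] == "PASS" and not bound:
                findings.append(
                    f"probe {name} is FAIL ({p.get('failed')}/{p.get('run')} "
                    f"failed) but track {tname} is PASS and does not test it")
    return findings


if __name__ == "__main__":
    for finding in check_failover(BROKEN_TRACK, BROKEN_PROBE):
        print(finding)
```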

listed1st
New Contributor II

Re: Need to commission someone to configure Adtran 3448 for failover

Okay here it is (Also, clicking through I see that both eth 0/1 and 0/2 have the "primary" as the address type in the Media Gateway section, don't know if that makes a difference)

A side note for anyone using this guide in the future: I tried some of the commands, and they said invalid command. I have to run the "enable" command to enable those commands

ADM>sh track

Track primary-track:

  Current State: PASS     (Admin: UP)

  Testing:

    (NO TESTS)

  Dampening Interval: 1 seconds

  Time in current state: 4 days, 0 hours, 4 minutes, 16 seconds

  Track State Changes: 0

  Tracking:

    ip route 0.0.0.0 0.0.0.0 192.168.0.1

    ip access-list extended NAT-primary

      permit ip any any

ADM>sh probe

Probe primary-probe:

  Current State: FAIL  Admin. Status: UP

  Type: ICMP Echo  Period: 3 sec  Timeout: 5 msec

  Source: 192.168.0.2  Destination: 8.8.8.8

  Data size: 0

  Tracked by: Nothing

  Tests Run: 972273  Failed: 972271

  Tolerance: 0 consecutive successes currently, 40 needed to PASS

  Time in current state: 4 days, 0 hours, 4 minutes, 41 seconds

ADM>sh ip route

Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP

       E1 - OSPF external type 1, E2 - OSPF external type 2

       IA - OSPF inter area

Gateway of last resort is 192.168.0.1 eth 0/1

S    0.0.0.0/0 [1/1/0] via 192.168.0.1, eth 0/1

C    10.10.10.0/24 is directly connected, vlan 1

C    192.168.0.0/24 is directly connected, eth 0/1

C    192.168.11.0/24 is directly connected, eth 0/2

ADM>sh int eth 0/1

eth 0/1 is UP, line protocol is UP

  Description: Primary

  Hardware address is 00:A0:C8:48:94:0F

  Ip address is 192.168.0.2, netmask is 255.255.255.0

  IP MTU is 1500 bytes

  BW is 100000 Kbit

  100Mb/s, negotiated full-duplex, configured full-duplex

  ARP type: ARPA; ARP timeout is 20 minutes

  Last clearing of "show interface" counters: never

  5 minute input rate 3344 bits/sec, 4 packets/sec

  5 minute output rate 864 bits/sec, 2 packets/sec

    Queueing method: fifo

    Output queue: 0/256/0 (size/max total/drops)

    Interface Shaper: NOT ENABLED

    1677939 packets input, 288828936 bytes

    1270783 unicasts, 307240 broadcasts, 99916 multicasts input

    0 unknown protocol, 0 symbol errors, 0 discards

    1 input errors, 0 runts, 0 giants

    0 no buffer, 0 overruns, 0 internal receive errors

    0 alignment errors, 1 crc errors

    1337074 packets output, 98321443 bytes

    1324603 unicasts, 834 broadcasts, 11637 multicasts output

    0 output errors, 0 deferred, 0 discards

    0 single, 0 multiple, 0 late collisions

    0 excessive collisions, 0 underruns

    0 internal transmit errors, 0 carrier sense errors

    0 resets, 0 throttles

ADM>sh int eth 0/2

eth 0/2 is UP, line protocol is UP

  Description: Backup

  Hardware address is 00:A0:C8:48:94:10

  Internet address is 192.168.11.32, netmask is 255.255.255.0  (via DHCP)

  IP MTU is 1500 bytes

  BW is 100000 Kbit

  100Mb/s, negotiated full-duplex, configured full-duplex

  ARP type: ARPA; ARP timeout is 20 minutes

  Last clearing of "show interface" counters: never

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 64 bits/sec, 0 packets/sec

    Queueing method: fifo

    Output queue: 0/256/0 (size/max total/drops)

    Interface Shaper: NOT ENABLED

    9 packets input, 2130 bytes

    6 unicasts, 3 broadcasts, 0 multicasts input

    0 unknown protocol, 0 symbol errors, 0 discards

    0 input errors, 0 runts, 0 giants

    0 no buffer, 0 overruns, 0 internal receive errors

    0 alignment errors, 0 crc errors

    42916 packets output, 1949121 bytes

    42799 unicasts, 7 broadcasts, 110 multicasts output

    0 output errors, 0 deferred, 0 discards

    0 single, 0 multiple, 0 late collisions

    0 excessive collisions, 0 underruns

    0 internal transmit errors, 0 carrier sense errors

    0 resets, 0 throttles

ADM#sh ip policy-session

Src Vrf (if not default), Src policy class:

Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class

  Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port

  --------------- -------- --------------- -------- ----------------- --------

Policy class "Private":

icmp (53) -> Public-primary

  10.10.10.4      25759    8.8.4.4         25759    s 192.168.0.2     25759  

udp (46) -> Public-primary

  10.10.10.4      53931    8.8.8.8         53       s 192.168.0.2     53931  

udp (53) -> Public-primary

  10.10.10.4      56609    8.8.8.8         53       s 192.168.0.2     56609  

udp (39) -> Public-primary

  10.10.10.4      63978    8.8.8.8         53       s 192.168.0.2     63978  

tcp (600) -> self

  10.10.10.4      59089    10.10.10.1      23                       

udp (53) -> self

  10.10.10.4      5353     10.10.10.1      5351                     

udp (53) -> self

  10.10.10.4      61697    10.10.10.1      1900                     

tcp (474) -> Public-primary

  10.10.10.4      59342    17.149.36.104   5223     s 192.168.0.2     1038   

tcp (544) -> Public-primary

  10.10.10.4      59380    37.221.194.97   9911     s 192.168.0.2     1066   

tcp (593) -> Public-primary

  10.10.10.4      59476    46.37.22.20     8333     s 192.168.0.2     1135   

tcp (544) -> Public-primary

  10.10.10.4      59423    50.57.128.122   9911     s 192.168.0.2     1095   

tcp (13) -> Public-primary

  10.10.10.4      59455    54.227.107.222  9911     s 192.168.0.2     1172   

tcp (586) -> Public-primary

  10.10.10.4      59400    64.74.103.177   443      s 192.168.0.2     1077   

tcp (544) -> Public-primary

  10.10.10.4      59471    64.206.181.54   9911     s 192.168.0.2     1131   

tcp (579) -> Public-primary

  10.10.10.4      59460    74.125.193.189  443      s 192.168.0.2     1123   

tcp (502) -> Public-primary

  10.10.10.4      59417    74.125.225.169  80       s 192.168.0.2     1092   

tcp (572) -> Public-primary

  10.10.10.4      59433    74.125.225.189  443      s 192.168.0.2     1104   

tcp (502) -> Public-primary

  10.10.10.4      59416    74.125.225.206  80       s 192.168.0.2     1091   

tcp (551) -> Public-primary

  10.10.10.4      59405    74.125.225.207  443      s 192.168.0.2     1082   

tcp (593) -> Public-primary

  10.10.10.4      59431    74.125.225.213  443      s 192.168.0.2     1102   

tcp (6) -> Public-primary

  10.10.10.4      59440    78.31.106.19    9911     s 192.168.0.2     1162   

tcp (544) -> Public-primary

  10.10.10.4      59379    91.156.102.128  9911     s 192.168.0.2     1065   

tcp (537) -> Public-primary

  10.10.10.4      59478    91.190.218.54   12350    s 192.168.0.2     1136   

tcp (572) -> Public-primary

  10.10.10.4      59438    106.187.48.6    9911     s 192.168.0.2     1107   

tcp (565) -> Public-primary

  10.10.10.4      59340    108.160.162.116 80       s 192.168.0.2     1036   

tcp (572) -> Public-primary

  10.10.10.4      59341    108.160.163.46  80       s 192.168.0.2     1037   

tcp (586) -> Public-primary

  10.10.10.4      59437    111.93.187.74   9911     s 192.168.0.2     1105   

tcp (586) -> Public-primary

  10.10.10.4      59352    134.170.24.158  443      s 192.168.0.2     1048   

tcp (593) -> Public-primary

  10.10.10.4      59368    144.76.60.229   80       s 192.168.0.2     1060   

tcp (572) -> Public-primary

  10.10.10.4      59344    157.55.130.154  40028    s 192.168.0.2     1040   

tcp (572) -> Public-primary

  10.10.10.4      59378    173.230.155.65  9911     s 192.168.0.2     1064   

tcp (544) -> Public-primary

  10.10.10.4      59421    184.106.170.17  9911     s 192.168.0.2     1093   

tcp (6) -> Public-primary

  10.10.10.4      59497    192.168.1.39    6690     s 192.168.0.2     1163   

tcp (6) -> Public-primary

  10.10.10.4      59445    192.168.50.1    443      s 192.168.0.2     1165   

tcp (6) -> Public-primary

  10.10.10.4      59446    192.168.50.1    443      s 192.168.0.2     1164   

tcp (6) -> Public-primary

  10.10.10.4      59447    192.168.50.1    443      s 192.168.0.2     1167   

tcp (6) -> Public-primary

  10.10.10.4      59448    192.168.50.1    443      s 192.168.0.2     1166   

tcp (6) -> Public-primary

  10.10.10.4      59450    192.168.50.1    443      s 192.168.0.2     1169   

tcp (6) -> Public-primary

  10.10.10.4      59451    192.168.50.1    443      s 192.168.0.2     1168   

tcp (6) -> Public-primary

  10.10.10.4      59452    192.168.50.1    443      s 192.168.0.2     1171   

tcp (6) -> Public-primary

  10.10.10.4      59453    192.168.50.1    443      s 192.168.0.2     1170   

tcp (13) -> Public-primary

  10.10.10.4      59462    192.168.50.1    443      s 192.168.0.2     1179   

tcp (13) -> Public-primary

  10.10.10.4      59463    192.168.50.1    443      s 192.168.0.2     1180   

tcp (13) -> Public-primary

  10.10.10.4      59466    192.168.50.1    443      s 192.168.0.2     1181   

tcp (20) -> Public-primary

  10.10.10.4      59469    192.168.50.1    443      s 192.168.0.2     1184   

tcp (13) -> Public-primary

  10.10.10.4      59516    192.168.50.1    443      s 192.168.0.2     1175   

tcp (13) -> Public-primary

  10.10.10.4      59517    192.168.50.1    443      s 192.168.0.2     1176   

tcp (13) -> Public-primary

  10.10.10.4      59518    192.168.50.1    443      s 192.168.0.2     1177   

tcp (13) -> Public-primary

  10.10.10.4      59519    192.168.50.1    443      s 192.168.0.2     1178   

tcp (13) -> Public-primary

  10.10.10.4      59523    192.168.50.1    443      s 192.168.0.2     1182   

tcp (13) -> Public-primary

  10.10.10.4      59524    192.168.50.1    443      s 192.168.0.2     1183   

tcp (20) -> Public-primary

  10.10.10.4      59525    192.168.50.1    443      s 192.168.0.2     1185   

tcp (20) -> Public-primary

  10.10.10.4      59526    192.168.50.1    443      s 192.168.0.2     1186   

tcp (600) -> Public-primary

  10.10.10.4      59454    201.8.193.233   8333     s 192.168.0.2     1120   

tcp (13) -> Public-primary

  10.10.10.4      59515    223.21.223.107  8333     s 192.168.0.2     1174   

Policy class "self":

icmp (60) -> Public-primary

  192.168.0.2     1        8.8.8.8         1                 

ADM#

2013.09.09 15:00:02 FIREWALL id=firewall time="2013-09-09 15:00:02" fw=ADM pri=1 rule=4  proto=https src=10.10.10.4 dst=192.168.50.1 msg="Zero bytes transferred for connection Src 59516 Dst 443 from Private policy-class on interface vlan 1" agent=AdFirewall

Okay, primary unplugged, rerun of tests:




ADM#sh track

Track primary-track:

  Current State: PASS     (Admin: UP)

  Testing:

    (NO TESTS)

  Dampening Interval: 1 seconds

  Time in current state: 4 days, 0 hours, 17 minutes, 47 seconds

  Track State Changes: 0

  Tracking:

    ip route 0.0.0.0 0.0.0.0 192.168.0.1

    ip access-list extended NAT-primary

      permit ip any any

ADM#sh probe

Probe primary-probe:

  Current State: FAIL  Admin. Status: UP

  Type: ICMP Echo  Period: 3 sec  Timeout: 5 msec

  Source: 192.168.0.2  Destination: 8.8.8.8

  Data size: 0

  Tracked by: Nothing

  Tests Run: 1067791  Failed: 1067789

  Tolerance: 0 consecutive successes currently, 40 needed to PASS

  Time in current state: 4 days, 0 hours, 18 minutes, 28 seconds

ADM#sh ip route

Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP

       E1 - OSPF external type 1, E2 - OSPF external type 2

       IA - OSPF inter area

Gateway of last resort is 192.168.11.2 eth 0/2

S    0.0.0.0/0 [100/1/0] via 192.168.11.2, eth 0/2

C    10.10.10.0/24 is directly connected, vlan 1

C    192.168.11.0/24 is directly connected, eth 0/2

ADM#sh ip route

Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP

       E1 - OSPF external type 1, E2 - OSPF external type 2

       IA - OSPF inter area

Gateway of last resort is 192.168.11.2 eth 0/2

S    0.0.0.0/0 [100/1/0] via 192.168.11.2, eth 0/2

C    10.10.10.0/24 is directly connected, vlan 1

C    192.168.11.0/24 is directly connected, eth 0/2

ADM#sh int eth 0/1

eth 0/1 is DOWN, line protocol is DOWN

  Description: Primary

  Hardware address is 00:A0:C8:48:94:0F

  Ip address is 192.168.0.2, netmask is 255.255.255.0

  IP MTU is 1500 bytes

  BW is 0 Kbit

  ?b/s, negotiated ? duplex, configured full-duplex

  ARP type: ARPA; ARP timeout is 20 minutes

  Last clearing of "show interface" counters: never

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

    Queueing method: fifo

    Output queue: 0/256/0 (size/max total/drops)

    Interface Shaper: NOT ENABLED

    1681894 packets input, 290714006 bytes

    1274286 unicasts, 307573 broadcasts, 100035 multicasts input

    0 unknown protocol, 0 symbol errors, 0 discards

    1 input errors, 0 runts, 0 giants

    0 no buffer, 0 overruns, 0 internal receive errors

    0 alignment errors, 1 crc errors

    1341219 packets output, 98894081 bytes

    1328683 unicasts, 890 broadcasts, 11646 multicasts output

    0 output errors, 0 deferred, 0 discards

    0 single, 0 multiple, 0 late collisions

    0 excessive collisions, 0 underruns

    0 internal transmit errors, 0 carrier sense errors

    0 resets, 0 throttles

ADM#sh int eth 0/2

eth 0/2 is UP, line protocol is UP

  Description: Backup

  Hardware address is 00:A0:C8:48:94:10

  Internet address is 192.168.11.32, netmask is 255.255.255.0  (via DHCP)

  IP MTU is 1500 bytes

  BW is 100000 Kbit

  100Mb/s, negotiated full-duplex, configured full-duplex

  ARP type: ARPA; ARP timeout is 20 minutes

  Last clearing of "show interface" counters: never

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 82976 bits/sec, 226 packets/sec

    Queueing method: fifo

    Output queue: 0/256/0 (size/max total/drops)

    Interface Shaper: NOT ENABLED

    10 packets input, 2190 bytes

    7 unicasts, 3 broadcasts, 0 multicasts input

    0 unknown protocol, 0 symbol errors, 0 discards

    0 input errors, 0 runts, 0 giants

    0 no buffer, 0 overruns, 0 internal receive errors

    0 alignment errors, 0 crc errors

    164403 packets output, 7444314 bytes

    164258 unicasts, 8 broadcasts, 137 multicasts output

    0 output errors, 0 deferred, 0 discards

    0 single, 0 multiple, 0 late collisions

    0 excessive collisions, 0 underruns

    0 internal transmit errors, 0 carrier sense errors

    0 resets, 0 throttles

ADM#sh ip policy-session

Src Vrf (if not default), Src policy class:

Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class

  Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port

  --------------- -------- --------------- -------- ----------------- --------

Policy class "Private":

icmp (60) -> Public-backup

  10.10.10.4      43167    8.8.4.4         43167    s 192.168.0.2     43167  

udp (60) -> Public-backup

  10.10.10.4      51595    8.8.4.4         53       s 192.168.0.2     1311   

udp (60) -> Public-backup

  10.10.10.4      51614    8.8.4.4         53       s 192.168.0.2     1313   

udp (11) -> Public-backup

  10.10.10.4      51807    8.8.4.4         53       s 192.168.0.2     51807  

udp (39) -> Public-backup

  10.10.10.4      53365    8.8.4.4         53       s 192.168.0.2     53365  

udp (18) -> Public-backup

  10.10.10.4      54709    8.8.4.4         53       s 192.168.0.2     1308   

udp (60) -> Public-backup

  10.10.10.4      57962    8.8.4.4         53       s 192.168.0.2     57962  

udp (11) -> Public-backup

  10.10.10.4      63070    8.8.4.4         53       s 192.168.0.2     63070  

udp (46) -> Public-backup

  10.10.10.4      63451    8.8.4.4         53       s 192.168.0.2     63451  

udp (60) -> Public-backup

  10.10.10.4      63993    8.8.4.4         53       s 192.168.0.2     1312   

udp (53) -> Public-backup

  10.10.10.4      51595    8.8.8.8         53       s 192.168.0.2     51595  

udp (53) -> Public-backup

  10.10.10.4      51614    8.8.8.8         53       s 192.168.0.2     51614  

udp (39) -> Public-backup

  10.10.10.4      51807    8.8.8.8         53       s 192.168.0.2     1307   

udp (32) -> Public-backup

  10.10.10.4      53365    8.8.8.8         53       s 192.168.0.2     1309   

udp (32) -> Public-backup


And it keeps echoing this

ADM#

2013.09.09 15:10:53 FIREWALL id=firewall time="2013-09-09 15:10:53" fw=ADM pri=1 rule=4  proto=https src=10.10.10.4 dst=204.93.75.136 msg="Zero bytes transferred for connection Src 60856 Dst 443 from Private policy-class on interface vlan 1" agent=AdFirewall

2013.09.09 15:11:21 FIREWALL id=firewall time="2013-09-09 15:11:21" fw=ADM pri=1 rule=4 proto=9911/tcp src=10.10.10.4 dst=202.99.230.232 msg="Zero bytes transferred for connection Src 60915 Dst 9911 from Private policy-class on interface vlan 1" agent=AdFirewall

jayh
Honored Contributor

Re: Need to commission someone to configure Adtran 3448 for failover

OK, on your first set of data with the eth 0/1 link connected, your Internet connection is broken or misconfigured.  Note where you have:

ADM>sh probe

Probe primary-probe:

  Current State: FAIL  Admin. Status: UP

  Type: ICMP Echo  Period: 3 sec  Timeout: 5 msec

  Source: 192.168.0.2  Destination: 8.8.8.8

  Data size: 0

  Tracked by: Nothing

  Tests Run: 972273  Failed: 972271


Your pings from the primary interface are failing.  You indicated that this was a static IP.  In your configs you are using 192.168.0.2 with a gateway of 192.168.0.1.  These are private IPs not found directly on the Internet.  They're used for private networks or behind a NAT.  So the first thing to do is to fix the primary connection.  If you're getting a true static IP from your ISP, it won't begin with any of the following:

  • 10.x.x.x
  • 172.16.x.x through 172.31.x.x
  • 192.168.x.x

So you'll need to fix that and get the probe to succeed with eth 0/1 connected.  Everywhere in the config where you have 192.168.0.2 replace it with the static IP from your ISP.  Everywhere you have 192.168.0.1 substitute the gateway from your ISP.

Second, your track isn't tracking the probe.  You have:

ADM>sh track

Track primary-track:

  Current State: PASS     (Admin: UP)

  Testing:

    (NO TESTS)

  Dampening Interval: 1 seconds


See the "(NO TESTS)" ?  Your track should be testing the probe.  Does your configuration look like: 

track primary-track

  test if primary-probe

  no shutdown

Let us know when you get the probe to succeed and the track to track it.  At this point you should be able to get to the Internet with the primary connection and you can then unplug it and continue testing the backup.

Doing a NAT (to 10.10.10.x) from behind another NAT (192.168.0.2 is a NAT or private address) is something you really want to avoid, especially if there are SIP devices involved.
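
A way to check captured "show probe" / "show track" output for the problems pointed out in the reply above (failing probe, private source address, track with no tests). This is an added example, not part of the original thread or of ADTRAN's tooling; the function names are assumptions and the sample capture is constructed from the output quoted above.

```python
import ipaddress
import re

# Constructed sample: the probe and track output quoted in the reply, joined as one capture.
SAMPLE = """\
Probe primary-probe:
  Current State: FAIL  Admin. Status: UP
  Source: 192.168.0.2  Destination: 8.8.8.8
  Tracked by: Nothing
  Tests Run: 972273  Failed: 972271
Track primary-track:
  Current State: PASS     (Admin: UP)
  Testing:
    (NO TESTS)
"""

# The three private ranges listed in the reply.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_blocks(text):
    """Split output into {(kind, name): [body lines]} keyed on 'Probe x:' / 'Track x:' headers."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(Probe|Track) (\S+):\s*$", line)
        if m:
            current = blocks.setdefault((m.group(1), m.group(2)), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return blocks

def audit(text):
    """Return a list of findings for the failover problems described in the reply."""
    findings = []
    for (kind, name), body in parse_blocks(text).items():
        joined = "\n".join(body)
        state = re.search(r"Current State: (\w+)", joined)
        if kind == "Probe":
            if state and state.group(1) != "PASS":
                findings.append(f"{name}: probe state {state.group(1)}")
            src = re.search(r"Source: (\S+)", joined)
            if src and any(ipaddress.ip_address(src.group(1)) in n for n in RFC1918):
                findings.append(f"{name}: source {src.group(1)} is a private address")
            if re.search(r"Tracked by: Nothing", joined):
                findings.append(f"{name}: not referenced by any track")
        elif "(NO TESTS)" in body:
            findings.append(f"{name}: track has no tests, so it stays {state.group(1) if state else '?'}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A track that reports PASS with no tests attached never fails, so the backup route is never selected by the track; the last finding is the one that matters for failover.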



listed1st
New Contributor II

Re: Need to commission someone to configure Adtran 3448 for failover

Okay!

Got the static IP up, running beautifully, sh probe is working wonderfully:

sh probe

Probe primary-probe:

  Current State: PASS  Admin. Status: UP

  Type: ICMP Echo  Period: 3 sec  Timeout: 500 msec

  Source: 50.198.18.173  Destination: 8.8.8.8

  Data size: 0

  Tracked by: Nothing

  Tests Run: 543  Failed: 226

  Tolerance: 0 consecutive failures currently, 2 needed to FAIL

  Time in current state: 0 days, 0 hours, 9 minutes, 23 seconds

(The fails are when I unplugged it)

The problem is the sh track, not working still

ADM#sh track

Track primary-track:

  Current State: PASS     (Admin: UP)

  Testing:

    (NO TESTS)

  Dampening Interval: 1 seconds

  Time in current state: 0 days, 0 hours, 18 minutes, 32 seconds

  Track State Changes: 0

  Tracking:

    ip route 0.0.0.0 0.0.0.0 50.198.18.173

    ip access-list extended NAT-primary

      permit ip any any

It's currently in my system as:

!

probe primary-probe icmp-echo

  destination 8.8.8.8

  period 3

  timeout 500

  source-address 50.198.18.173

  tolerance consecutive fail 2 pass 40

  no shutdown

!

track primary-track

  test if primary-probe

  no shutdown

!

!

!

!

!

!

!

!

!

no dot11ap access-point-control

(I also tried it with an extra ! added above and another below. I don't know what the ! do)

Getting so close! Thank you!

jayh
Honored Contributor

Re: Need to commission someone to configure Adtran 3448 for failover

Strange.  According to the configuration, the track should be monitoring the probe.

See if a reboot fixes it.  Write mem, then reload from the enabled mode. If that doesn't fix it, try shutting down the track and re-enabling it.

enable

config t

track primary-track

shutdown

no shutdown


Then do a "show track" and see if it is now testing the probe.

If this doesn't fix it, try removing the track completely and then re-add it.  If you do this you might need to redo the other statements that reference the track.

enable

config t

no track primary-track

track primary-track

  test if primary-probe

  no shutdown

end


With the Adtran CLI it is normal that most commands will fail unless you are in the enable mode.  You can tell what mode you are in by the prompt:


prompt> initial (disabled) mode - limited show commands and non-intrusive tests.

prompt#  enable mode, allows rebooting, saving, all commands, entry to configuration.

prompt(config)# global configuration mode - allows commands to configure system-wide parameters

prompt(config-foo)# subsection configuration mode - allows commands to configure item "foo" (interface, track, etc.)


An exclamation point "!" indicates a comment.  Anything on that line beyond it is ignored, including the "!" itself. Written configurations generated by the device often have multiple blank lines with just a "!" to separate sections for human reading.



Anonymous
Not applicable

Re: Need to commission someone to configure Adtran 3448 for failover

Do you need any further assistance regarding this configuration? If so, please do not hesitate to reply to this post and we will be happy to help you.

Thanks,

Noor

Anonymous
Not applicable

Re: Need to commission someone to configure Adtran 3448 for failover


I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor