billflippen
New Contributor

setting up IP fail over.


Greetings from a Newb

So far what I have works from the router but fails from a computer.

Setup:

3448 sitting on my desk

Eth 0/1 is plugged into the Comcast modem and is using one of our static public IPs.

Eth 0/2 is plugged into our local network, is using a static private IP, and is routed out a DSL connection.

I do a traceroute from the router to 8.8.8.8; it routes out the Comcast modem as expected.

I unplug eth 0/1.

I see the state go to fail.

I do a traceroute from the router to 8.8.8.8; it routes out the DSL modem as expected.

I plug eth 0/1 back in.

I do a traceroute from the router to 8.8.8.8; it routes out the Comcast modem as expected.

I do a traceroute from the laptop to 8.8.8.8; it routes out the Comcast modem as expected.

I unplug eth 0/1.

I see the state go to fail.

I do a traceroute from the laptop to 8.8.8.8; it gets to the VLAN interface 192.168.1.1 and then times out.

I think it has something to do with the firewall or NAT, but I can't see it for the life of me.

Here is some relevant info:

ip local policy route-map LOCAL
!
ip firewall
ip firewall fast-nat-failover
!
probe Charter icmp-echo
  destination 173.X.X.94
  source-address   173.X.X.91
  period 3
  tolerance consecutive fail 3 pass 3
  no shutdown
!
track Charter
  snmp trap state-change
  test if probe Charter
  no shutdown
!
interface eth 0/1
  description Charter Connection
  ip address  173.X.X.91  255.255.255.248
  ip access-policy Public
  ip flow egress
  media-gateway ip primary
  no awcp
  no shutdown
!
!
interface eth 0/2
  description Backup
  ip address  192.168.99.99  255.255.255.0   (this is a test IP that is on my existing network; it would be changed to a public one in the real world)
  ip mtu 1500
  ip access-policy Public_Backup
  no shutdown
!
!
!
interface vlan 1
  ip address  192.168.1.1  255.255.255.0
  ip access-policy Private
  ip flow egress
  no awcp
  no shutdown
!
!
!
route-map LOCAL permit 10
  match ip address Charter
  set ip next-hop 192.168.99.249
  set interface eth 0/2
!
!
!
!
ip access-list standard Backup_ICS
  permit any
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended Audio_ACL
  permit udp any  any     log
!
ip access-list extended Charter
  permit icmp host 192.168.1.1  host X.X.X.X
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended Signal_ACL
  permit udp any  any eq 5060    log
  permit tcp any  any eq 5061   log
!
ip access-list extended web-acl-10
  remark TCP_UDP_5060_5061
  permit tcp 208.X.X.0 0.0.0.255  any range 5060 5061   log
  permit udp 208.X.X.0 0.0.0.255  any range 5060 5061    log
!
ip access-list extended web-acl-11
  remark RTP fwd
  permit udp X.X.62.0 0.0.0.255  any range X X    log
!
ip access-list extended web-acl-12
  remark XXX
  permit tcp any  any eq XXXX   log
!
ip access-list extended web-acl-13
  remark XXX
  permit tcp any  any eq XXXX   log
!
ip access-list extended web-acl-14
  remark DIM
  permit tcp any  any eq XXXX   log
!
ip access-list extended web-acl-15
  remark Admin
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
ip access-list extended web-acl-16
  remark To_NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-17
  remark NAT_Backup
  permit ip any  any
!
ip access-list extended web-acl-3
  remark Admin Access
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
!
!
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  nat source list Backup_ICS interface eth 0/2 overload
!
ip policy-class Public
  allow list web-acl-3 self
  nat destination list web-acl-12 address 192.168.1.250 port XX
  nat destination list web-acl-10 address 192.168.1.250
  nat destination list web-acl-11 address 192.168.1.251
  nat destination list web-acl-13 address 192.168.1.250
  nat destination list web-acl-14 address 192.168.1.250
!
ip policy-class Public_Backup
  allow list web-acl-15 self
!
!
!
ip route 0.0.0.0 0.0.0.0 173.X.X.94 track Charter
ip route 0.0.0.0 0.0.0.0 192.168.99.1 10
!

jayh
Honored Contributor
Honored Contributor

Re: setting up IP fail over.


Your NAT is still trying to go out Charter.  Change your wizard-ics access list to:

!
ip access-list extended wizard-ics
  remark Internet Connection Sharing
  permit ip any any track Charter
!


Also, to avoid a lot of flapping and churn, I usually require the primary link to be stable for a while before cutting back over.  With 3-second pings the following requires the cable to be down for 15 seconds to trigger backup and up-stable for 2 minutes before cutting back.

probe Charter icmp-echo
  destination 173.X.X.94
  source-address   173.X.X.91
  period 3
  tolerance consecutive fail 5 pass 40
  no shutdown

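Added example (mine, not code from the thread or from ADTRAN): a small Python model of the two things the reply above relies on, the probe's consecutive fail/pass tolerance and first-match NAT source rule selection when the primary rule's ACL carries `track Charter`. The tolerance semantics are my assumption, reconstructed from the 15 second / 2 minute figures in the reply, and the rule-selection behaviour is a model, not verified AOS code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Track:
    """'tolerance consecutive fail F pass P' as two counters. Assumed semantics
    (not verified against AOS): F consecutive failures take the track down,
    P consecutive passes bring it back; the opposite result resets a counter."""
    fail_threshold: int
    pass_threshold: int
    period: int            # seconds between probes
    up: bool = True
    fails: int = 0
    passes: int = 0

    def observe(self, ok: bool) -> bool:
        """Feed one probe result and return the resulting track state."""
        if ok:
            self.passes, self.fails = self.passes + 1, 0
            if not self.up and self.passes >= self.pass_threshold:
                self.up = True
        else:
            self.fails, self.passes = self.fails + 1, 0
            if self.up and self.fails >= self.fail_threshold:
                self.up = False
        return self.up

def seconds_to_flip(track: Track, ok: bool) -> int:
    """Seconds of steady probe results until the track changes state."""
    if track.up == ok:
        raise ValueError("track is already in the state these results lead to")
    start, probes = track.up, 1
    while track.observe(ok) == start:
        probes += 1
    return probes * track.period

@dataclass
class NatRule:
    """One 'nat source list <acl> interface <egress> overload' line."""
    acl: str
    egress: str
    track: Optional[str] = None   # set when the ACL entry carries 'track <name>'

def select_egress(rules: List[NatRule], tracks: Dict[str, Track]) -> Optional[str]:
    """First match wins; an ACL with 'track X' is treated as not matching
    while X is down, so the next rule (the backup) gets a chance."""
    for rule in rules:
        if rule.track is None or tracks[rule.track].up:
            return rule.egress
    return None
```

With the original untracked `permit any` list, `select_egress` keeps returning eth 0/1 after the track has failed, which is the behaviour the original post describes; with the tracked list it falls through to eth 0/2.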

Re: setting up IP fail over.


@jayh I didn't get a chance to see your reply before I started over from scratch and went on site.

I like the idea of the higher threshold for the cutover. Will have to implement.

Below is most of the config I ended up with (copied from an Adtran white paper I found).

It seems to work very nicely. One problem though....

When it switches from one to the other and we do a remote in, a few things work and a few things don't:

1) We port forward 8001 to a device port 80 (WebPro). That fails to connect when on backup, works fine when on primary.

2) HTTPS to the 3448 works fine on both interfaces.

3) SSH to the 3448 fails when on backup.

4) Telnet to the device on port 8002 works fine in primary and backup mode.

I tried setting up a 2nd ACL just for WebPro backup (ACL 14) just to test to see if that was needed. Did not fix it.

interface eth 0/1
  description Charter Connection
  ip address  97.X.X.78  255.255.255.252
  ip access-policy WAN1
  no awcp
  no shutdown

interface eth 0/2
  description Backup
  ip address  199.1X.X.22  255.255.255.252
  ip access-policy WAN2
  no shutdown

interface vlan 1
  ip address  192.168.1.1  255.255.255.0
  ip access-policy Private
  ip flow egress
  no awcp
  no shutdown

route-map LOCAL permit 10
  match ip address WAN1
  set ip next-hop 97.X.X.77
  set interface null 0

ip access-list extended AdminAccess
  remark Admin Access
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
ip access-list extended AFP
  remark AFP Backup
  permit tcp any  any eq 548   log
!
ip access-list extended DIM
  remark DIM Backup
  permit tcp any  any eq 8002   log
!
ip access-list extended FTP
  remark FTP Backup
  permit tcp any  any eq ftp   log
!
ip access-list extended NAT-Backup
  permit ip any  any
!
ip access-list extended NAT-Primary
  permit ip any  any
!
ip access-list extended PCPro
  remark PC Pro Backup
  permit tcp any  any eq 8000   log
!
ip access-list extended self
  permit ip any  any
!
ip access-list extended SIP_RTP
  permit udp 208.X.X.0 0.0.0.255  any range 20000 20031    log
!
ip access-list extended SIP_Signal
  remark NAT list SIP_Signal
  permit tcp 208.X.X.0 0.0.0.255  any range 5060 5061   log
  permit udp 208.X.X.0 0.0.0.255  any range 5060 5061    log
!
ip access-list extended TIMBUKTU
  remark Timbuktu Backup
  permit tcp any  any eq 407   log
  permit udp any  any eq 407    log
!
ip access-list extended WAN1
  permit icmp host 97.X.X9.78  host 97.X.X.77
!
ip access-list extended web-acl-14
  remark WebProBackup
  permit tcp any  any eq 8001   log
!
ip access-list extended WebPro
  permit tcp any  any eq 8001   log

ip policy-class Private
  nat source list NAT-Primary interface eth 0/1 overload policy WAN1
  nat source list NAT-Backup interface eth 0/2 overload policy WAN2
  allow list self self
!
ip policy-class WAN1
  allow list AdminAccess self
  nat destination list SIP_RTP address 192.168.1.251
  nat destination list SIP_Signal address 192.168.1.250
  nat destination list AFP address 192.168.1.10
  nat destination list TIMBUKTU address 192.168.1.10
  nat destination list WebPro address 192.168.1.250 port 80
  nat destination list PCPro address 192.168.1.250
  nat destination list DIM address 192.168.1.250
  nat destination list FTP address 192.168.1.10
!
ip policy-class WAN2
  allow list AdminAccess self
  nat destination list SIP_RTP address 192.168.1.251
  nat destination list SIP_Signal address 192.168.1.250
  nat destination list TIMBUKTU address 192.168.1.10
  nat destination list AFP address 192.168.1.10
  nat destination list web-acl-14 address 192.168.1.250 port 80
  nat destination list PCPro address 192.168.1.250
  nat destination list DIM address 192.168.1.250
  nat destination list FTP address 192.168.1.10

ip route 0.0.0.0 0.0.0.0 97.X.X.77 track Charter
ip route 0.0.0.0 0.0.0.0 199.X.X.21 10

Anonymous
Not applicable

Re: setting up IP fail over.


- Are you attempting to test these connections while the primary circuit is up? Or are you attempting the backup connections when the backup route is active?

Thanks,

Noor

Re: setting up IP fail over.


I was trying to test with the main connection physically disconnected from eth 0/1 and the backup connection still connected to eth 0/2.

I have not had a chance to go back out on site to troubleshoot.

My main concern was that the SIP trunks would encounter the same scenario, but I was able to confirm that they do indeed work in failover. I can live with not being able to connect to the phone system for admin purposes when in failover. I can't foresee but a very small chance that I would need to access it in that condition. My other concern was that their remote applications (Timbuktu and Apple File Share) wouldn't work... this I have not had a chance to confirm.

jayh
Honored Contributor
Honored Contributor

Re: setting up IP fail over.


Change your NAT-Primary to a tracked ACL.

!
ip access-list extended NAT-Primary
  permit ip any any track Charter
!