10 Replies Latest reply on Sep 6, 2013 12:40 PM by noor

    Failover on NV3120

    vmirinav New Member

      I am trying to implement fail-over on NV3120. Unfortunately, fail-over does not work; I think I am doing everything correctly here. Eth 0/1 plugs into ISP1, Sw0/1 plugs into ISP2.

       

      ! ADTRAN OS version 18.03.01.00.E

      ! Boot ROM version 14.04.00

      ! Platform: NetVanta 3120, part number 1700600L2

      ! Serial number LBADTN0639AC502

      !

      !

      hostname "NetVanta3120"

      enable password xxxxxxx

      !

      !

      ip subnet-zero

      ip classless

      ip routing

      domain-proxy

      name-server 24.29.99.35 24.29.99.36

      !

      !

      no auto-config

      !

      event-history on

      no logging forwarding

      logging forwarding priority-level info

      no logging email

      !

      no service password-encryption

      !

      username "admin" password "xxxxxxxxx"

      !

      !

      ip firewall

      no ip firewall alg msn

      no ip firewall alg mszone

      no ip firewall alg h323

      !

      !

      !

      !

      !

      !

      !

      no dot11ap access-point-control

      !

      !

      !

      probe "TimeWarner Failover" icmp-echo

        destination 8.8.8.8

        timeout 10000

        tolerance consecutive fail 1 pass 1

        no shutdown

      !

      track "WAN1"

        snmp trap state-change

        test if probe TimeWarner Failover

        no shutdown

      !

      !

      !

      !

      ip dhcp pool "Private"

        network 10.10.10.0 255.255.255.0

        dns-server 10.10.10.1

        netbios-node-type h-node

        default-router 10.10.10.1

      !

      !

      !

      ip crypto

      !

      crypto ike policy 100

        initiate main

        respond anymode

        local-id fqdn AIP1

        peer xx.212.173.10

        attribute 1

          encryption 3des

          hash md5

          authentication pre-share

      !

      crypto ike remote-id fqdn AIP2 preshared-key xxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

      crypto ike remote-id address xx.212.173.10 preshared-key xxxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

      !

      crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

        mode tunnel

      !

      crypto map VPN 10 ipsec-ike

        description AIP Site-to-Site VPN test

        match address VPN-10-vpn-selectors

        set peer xx.212.173.10

        set transform-set esp-3des-esp-md5-hmac

        ike-policy 100

      !

      !

      !

      !

      vlan 1

        name "Default"

      !

      vlan 301

        name "WAN Failover"

      !

      !

      interface eth 0/1

        description Time Warner

        ip address xx.74.62.200  255.255.255.224

        ip access-policy Public

        crypto map VPN

        media-gateway ip primary

        no shutdown

        no lldp send-and-receive

      !

      !

      interface switchport 0/1

        no shutdown

        switchport access vlan 301

      !

      interface switchport 0/2

        no shutdown

      !

      interface switchport 0/3

        no shutdown

      !

      interface switchport 0/4

        no shutdown

      !

      !

      !

      interface vlan 1

        ip address xx.10.10.1  255.255.255.0

        ip access-policy Private

        no shutdown

      !

      interface vlan 301

        ip address xx.212.173.11  255.255.255.192

        ip mtu 1500

        media-gateway ip primary

        no awcp

        shutdown

      !

      interface modem 0/1

        shutdown

      !

      !

      !

      !

      ip access-list standard wizard-ics

        remark Internet Connection Sharing

        permit any

      !

      !

      ip access-list extended self

        remark Traffic to NetVanta

        permit ip any any     log

      !

      ip access-list extended VPN-10-vpn-selectors

        permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255   

      !

      ip access-list extended web-acl-3

        remark Public Allow

        permit ip any any   

      !

      !

      !

      ip policy-class Private

        allow list VPN-10-vpn-selectors

        allow list self self

        nat source list wizard-ics interface eth 0/1 overload

      !

      ip policy-class Public

        allow reverse list VPN-10-vpn-selectors

        allow list web-acl-3

      !

      !

      ip route 0.0.0.0 0.0.0.0 xx.74.62.193

      ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1

      !

      no tftp server

      no tftp server overwrite

      http server

      http secure-server

      no snmp agent

      no ip ftp server

      ip ftp server default-filesystem flash

      no ip scp server

      no ip sntp server

      !

      !

      !

      !

      !

      !

      !

      !

      !

      ip sip udp 5060

      ip sip tcp 5060

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      !

      ip rtp quality-monitoring

      ip rtp quality-monitoring udp

      ip rtp quality-monitoring sip

      !

      line con 0

        login

      !

      line telnet 0 4

        login local-userlist

        password xxxxx

        shutdown

      line ssh 0 4

        login local-userlist

        no shutdown

      !

      !

      !

      !

      !

      !

      !

      end

        • Re: Failover on NV3120
          vmaxdawg05 Past_Featured_Member

          Have you tested the track? In my initial scan of the configuration, I notice the probe name has a space in it, so it is identified between quotation marks ( "TimeWarner Failover" ).

          Your track is configured to test if the probe TimeWarner Failover is true.  In the configuration text, it is not enclosed in quotation marks.  It is possible that it is not testing that probe because of the space.

          See below:

          ==================================

          track "WAN1"

            snmp trap state-change

            test if probe TimeWarner Failover

            no shutdown

          ==============================


          Also, in the probe, you have a destination of 8.8.8.8.  That is fine, I use google's DNS server address for my probes as well.  You should add a static route to 8.8.8.8 using your default gateway, and add a secondary route to 8.8.8.8 using NULL.  That forces the router to only use the primary WAN interface gateway to probe 8.8.8.8.  If you do not do this, then the probe will eventually reach 8.8.8.8 via the secondary WAN interface and falsely bring the probe and track back to a PASS state.  It will bounce back and forth between pass and fail.  I've been there. 


          Try this (minus the notes in parentheses, of course):


          ip route 8.8.8.8 255.255.255.255 xx.74.62.193

          ip route 8.8.8.8 255.255.255.255 null 0

          ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1   (ETH 0/1 is the primary ISP WAN interface, but we don't want this route if the track fails)

          ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10  (VLAN 301 is the secondary ISP WAN interface.  With a cost of 10, it will only be considered when the probe/track is in a FAILED state.)


          Also make sure you have the following in your config.

          ip firewall fast-nat-failover  (Clear NAT policy-sessions which would be reworked on route table change).


          I hope this helps.


          • Re: Failover on NV3120
            vmaxdawg05 Past_Featured_Member

            I also found this document very helpful: 

            Configuring Multiple WAN Connection Failover in AOS

            • Re: Failover on NV3120
              vmirinav New Member

              Thank you very much for your reply. I made the following changes:

               

              !

              !

              ! ADTRAN OS version 18.03.01.00.E

              ! Boot ROM version 14.04.00

              ! Platform: NetVanta 3120, part number 1700600L2

              ! Serial number LBADTN0639AC502

              !

              !

              hostname "NetVanta3120"

              enable password xxxxxxx

              !

              !

              ip subnet-zero

              ip classless

              ip routing

              domain-proxy

              name-server 24.29.99.35 24.29.99.36

              !

              !

              no auto-config

              !

              event-history on

              no logging forwarding

              logging forwarding priority-level info

              no logging email

              !

              no service password-encryption

              !

              username "admin" password "xxxxxxx"

              !

              !

              ip firewall

              ip firewall fast-nat-failover

              no ip firewall alg msn

              no ip firewall alg mszone

              no ip firewall alg h323

              !

              !

              !

              !

              !

              !

              !

              no dot11ap access-point-control

              !

              !

              !

              probe TimeWarner icmp-echo

                destination 8.8.8.8

                timeout 10000

                tolerance consecutive fail 1 pass 1

                no shutdown

              !

              track "WAN1"

                snmp trap state-change

                test if probe TimeWarner

                no shutdown

              !

              !

              !

              !

              ip dhcp pool "Private"

                network 10.10.10.0 255.255.255.0

                dns-server 10.10.10.1

                netbios-node-type h-node

                default-router 10.10.10.1

              !

              !

              !

              ip crypto

              !

              crypto ike policy 100

                initiate main

                respond anymode

                local-id fqdn AIP1

                peer xx.212.173.10

                attribute 1

                  encryption 3des

                  hash md5

                  authentication pre-share

              !

              crypto ike remote-id fqdn AIP2 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

              crypto ike remote-id address xx.212.173.10 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

              !

              crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

                mode tunnel

              !

              crypto map VPN 10 ipsec-ike

                description AIP Site-to-Site VPN test

                match address VPN-10-vpn-selectors

                set peer xx.212.173.10

                set transform-set esp-3des-esp-md5-hmac

                ike-policy 100

              !

              !

              !

              !

              vlan 1

                name "Default"

              !

              vlan 301

                name "WAN Failover"

              !

              !

              interface eth 0/1

                description Time Warner

                ip address  xx.74.62.200  255.255.255.224

                ip access-policy Public

                crypto map VPN

                media-gateway ip primary

                no shutdown

                no lldp send-and-receive

              !

              !

              interface switchport 0/1

                no shutdown

                switchport access vlan 301

              !

              interface switchport 0/2

                no shutdown

              !

              interface switchport 0/3

                no shutdown

              !

              interface switchport 0/4

                no shutdown

              !

              !

              !

              interface vlan 1

                ip address  10.10.10.1  255.255.255.0

                ip access-policy Private

                no shutdown

              !

              interface vlan 301

                ip address  xx.212.173.11  255.255.255.192

                ip mtu 1500

                ip access-policy Public

                media-gateway ip primary

                no awcp

                no shutdown

              !

              interface modem 0/1

                shutdown

              !

              !

              !

              !

              ip access-list standard wizard-ics

                remark Internet Connection Sharing

                permit any

              !

              !

              ip access-list extended self

                remark Traffic to NetVanta

                permit ip any  any     log

              !

              ip access-list extended VPN-10-vpn-selectors

                permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255   

              !

              ip access-list extended web-acl-3

                remark Public Allow

                permit ip any  any   

              !

              !

              !

              ip policy-class Private

                allow list VPN-10-vpn-selectors

                allow list self self

                nat source list wizard-ics interface eth 0/1 overload

              !

              ip policy-class Public

                allow reverse list VPN-10-vpn-selectors

                allow list web-acl-3

              !

              !

              ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1

              ip route 0.0.0.0 0.0.0.0 xx.74.62.193 10

              ip route 8.8.8.8 255.255.255.255 xx.74.62.193

              ip route 8.8.8.8 255.255.255.255 null 0

              !

              no tftp server

              no tftp server overwrite

              http server

              http secure-server

              no snmp agent

              no ip ftp server

              ip ftp server default-filesystem flash

              no ip scp server

              no ip sntp server

              !

              !

              !

              !

              !

              !

              !

              !

              !

              ip sip udp 5060

              ip sip tcp 5060

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              !

              ip rtp quality-monitoring

              ip rtp quality-monitoring udp

              ip rtp quality-monitoring sip

              !

              line con 0

                login

              !

              line telnet 0 4

                login local-userlist

                password xxxxxx

                shutdown

              line ssh 0 4

                login local-userlist

                no shutdown

              !

              !

              !

              !

              !

              !

              !

              end

               

              When I unplug the primary, I see that the probe fails now; however, even from the router I can't ping the failover gateway (xx.212.173.1). Also, I get this error:

              1. NETMON.TRACK WAN1 WAN1 changed from pass to fail.
                2008.10.01 19:23:25 FIREWALL id=firewall time="2008-10-01 19:23:25" fw=NetVanta3120 pri=1  proto=https src=10.10.10.2 dst=xx.78.56.105 msg="Unable to determine route to destination, dropping packet Src 51066 Dst 443 from Private policy-class on interface vlan 1" agent=AdFirewall NetVanta3120#
                NetVanta3120#



              Maybe this has something to do with the firewall rules. Somehow the traffic does not seem to want to reach xx.212.173.1 over that sw interface.

               

              Thank you so much for your input; I am making amazing progress.

                • Re: Failover on NV3120
                  vmaxdawg05 Past_Featured_Member

                  My mistake. I thought xx.212.173.1 was the gateway for your primary WAN?

                  This is how your route table entries should be entered:

                   

                  ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1

                  ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10

                  ip route 8.8.8.8 255.255.255.255 xx.74.62.193

                  ip route 8.8.8.8 255.255.255.255 null 0 10


                  ALSO:

                  I totally skipped over your policy classes.

                   

                  You should have a third policy-class, similar to your Public policy class, like this:

                  ============================================

                  ip policy-class Public2

                    allow reverse list VPN-10-vpn-selectors

                    allow list web-acl-3  ( <--  you should not have this in either public policy.  only allow ports required for secure admin access.  web-acl-3 allows any -> any.)

                  =======================================

                  You should then add a new statement in your Private policy class:

                  =======================================

                  ip policy-class Private

                    allow list VPN-10-vpn-selectors

                    allow list self self

                    nat source list wizard-ics interface eth 0/1 overload policy Public

                    nat source list wizard-ics interface vlan 301 overload policy Public2

                  =======================================

                   

                  Assign interface VLAN 301 to access-policy Public2

                   

                  Interface config should look like this:

                   

                  interface vlan 301

                    ip address  xx.212.173.11  255.255.255.192

                    ip mtu 1500

                    ip access-policy Public2

                    media-gateway ip primary

                    no awcp

                    no shutdown

                  !

                  • Re: Failover on NV3120
                    vmaxdawg05 Past_Featured_Member

                    Here is the config as it should be (minus what goes in the xx). It might be easier to follow than my broken-up notes:

                     

                    !

                    !

                    ! ADTRAN OS version 18.03.01.00.E

                    ! Boot ROM version 14.04.00

                    ! Platform: NetVanta 3120, part number 1700600L2

                    ! Serial number LBADTN0639AC502

                    !

                    !

                    hostname "NetVanta3120"

                    enable password xxxxxxx

                    !

                    !

                    ip subnet-zero

                    ip classless

                    ip routing

                    domain-proxy

                    name-server 24.29.99.35 24.29.99.36

                    !

                    !

                    no auto-config

                    !

                    event-history on

                    no logging forwarding

                    logging forwarding priority-level info

                    no logging email

                    !

                    no service password-encryption

                    !

                    username "admin" password "xxxxxxx"

                    !

                    !

                    ip firewall

                    ip firewall fast-nat-failover

                    no ip firewall alg msn

                    no ip firewall alg mszone

                    no ip firewall alg h323

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    no dot11ap access-point-control

                    !

                    !

                    !

                    probe TimeWarner icmp-echo

                      destination 8.8.8.8

                      timeout 10000

                      tolerance consecutive fail 1 pass 1

                      no shutdown

                    !

                    track "WAN1"

                      snmp trap state-change

                      test if probe TimeWarner

                      no shutdown

                    !

                    !

                    !

                    !

                    ip dhcp pool "Private"

                      network 10.10.10.0 255.255.255.0

                      dns-server 10.10.10.1

                      netbios-node-type h-node

                      default-router 10.10.10.1

                    !

                    !

                    !

                    ip crypto

                    !

                    crypto ike policy 100

                      initiate main

                      respond anymode

                      local-id fqdn AIP1

                      peer xx.212.173.10

                      attribute 1

                        encryption 3des

                        hash md5

                        authentication pre-share

                    !

                    crypto ike remote-id fqdn AIP2 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

                    crypto ike remote-id address xx.212.173.10 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

                    !

                    crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

                      mode tunnel

                    !

                    crypto map VPN 10 ipsec-ike

                      description AIP Site-to-Site VPN test

                      match address VPN-10-vpn-selectors

                      set peer xx.212.173.10

                      set transform-set esp-3des-esp-md5-hmac

                      ike-policy 100

                    !

                    !

                    !

                    !

                    vlan 1

                      name "Default"

                    !

                    vlan 301

                      name "WAN Failover"

                    !

                    !

                    interface eth 0/1

                      description Time Warner

                      ip address  xx.74.62.200  255.255.255.224

                      ip access-policy Public

                      crypto map VPN

                      media-gateway ip primary

                      no shutdown

                      no lldp send-and-receive

                    !

                    !

                    interface switchport 0/1

                      no shutdown

                      switchport access vlan 301

                    !

                    interface switchport 0/2

                      no shutdown

                    !

                    interface switchport 0/3

                      no shutdown

                    !

                    interface switchport 0/4

                      no shutdown

                    !

                    !

                    !

                    interface vlan 1

                      ip address  10.10.10.1  255.255.255.0

                      ip access-policy Private

                      no shutdown

                    !

                    interface vlan 301

                      ip address  xx.212.173.11  255.255.255.192

                      ip mtu 1500

                      ip access-policy Public2

                      media-gateway ip primary

                      no awcp

                      no shutdown

                    !

                    interface modem 0/1

                      shutdown

                    !

                    !

                    !

                    !

                    ip access-list standard wizard-ics

                      remark Internet Connection Sharing

                      permit any

                    !

                    !

                    ip access-list extended self

                      remark Traffic to NetVanta

                      permit ip any  any     log

                    !

                    ip access-list extended VPN-10-vpn-selectors

                      permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255  

                    !

                    ip access-list extended web-acl-3

                      remark Public Allow (this allows public access to anything.  Should not use).

                      permit ip any  any  

                    !

                    !

                    !

                    ip policy-class Private

                      allow list VPN-10-vpn-selectors

                      allow list self self

                      nat source list wizard-ics interface eth 0/1 overload policy Public

                      nat source list wizard-ics interface vlan 301 overload policy Public2

                    !

                    ip policy-class Public

                      allow reverse list VPN-10-vpn-selectors

                      allow list web-acl-3

                    !

                    ip policy-class Public2

                      allow reverse list VPN-10-vpn-selectors

                    !

                    ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1

                    ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10

                    ip route 8.8.8.8 255.255.255.255 xx.74.62.193

                    ip route 8.8.8.8 255.255.255.255 null 0 10

                    !

                    no tftp server

                    no tftp server overwrite

                    http server

                    http secure-server

                    no snmp agent

                    no ip ftp server

                    ip ftp server default-filesystem flash

                    no ip scp server

                    no ip sntp server

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    ip sip udp 5060

                    ip sip tcp 5060

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    ip rtp quality-monitoring

                    ip rtp quality-monitoring udp

                    ip rtp quality-monitoring sip

                    !

                    line con 0

                      login

                    !

                    line telnet 0 4

                      login local-userlist

                      password xxxxxx

                      shutdown

                    line ssh 0 4

                      login local-userlist

                      no shutdown

                    !

                    !

                    !

                    !

                    !

                    !

                    !

                    end
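The probe/track quoting point from the first reply and the route and policy-class recipe in the final config above, as an added audit script (example code, not ADTRAN's or the poster's): it parses an AOS config and reports where the recipe is missing. SAMPLE is a constructed cut-down of the poster's second config, so the script reproduces the findings the later replies address; the "xx." gateways are the thread's own redactions, treated as opaque strings.

```python
# Added example, not ADTRAN's own code: audit an AOS config for the WAN-failover invariants this thread settles on.
# SAMPLE is a constructed cut-down of the poster's second config; 'xx.' gateways are the thread's redactions (opaque strings).
import shlex
SAMPLE = """\
probe TimeWarner icmp-echo
  destination 8.8.8.8
track "WAN1"
  test if probe TimeWarner
interface eth 0/1
  ip access-policy Public
interface vlan 301
  ip access-policy Public
ip access-list extended web-acl-3
  permit ip any any
ip policy-class Private
  nat source list wizard-ics interface eth 0/1 overload
ip policy-class Public
  allow list web-acl-3
ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1
ip route 0.0.0.0 0.0.0.0 xx.74.62.193 10
ip route 8.8.8.8 255.255.255.255 xx.74.62.193
ip route 8.8.8.8 255.255.255.255 null 0
"""

def parse_route(tok):
    # 'ip route DEST MASK (GATEWAY | null 0) [DISTANCE] [track NAME]'; distance assumed to default to 1
    via, rest = ("null", tok[4:]) if tok[2] == "null" else (tok[2], tok[3:])
    route = {"dest": tok[0], "mask": tok[1], "via": via, "distance": 1, "track": None}
    while rest:
        key, val, rest = ("track", rest[1], rest[2:]) if rest[0] == "track" else ("distance", int(rest[0]), rest[1:])
        route[key] = val
    return route

def parse(text):
    cfg, cur = {"probes": {}, "tracks": {}, "ifaces": {}, "acls": {}, "policies": {}, "routes": []}, None
    for raw in text.splitlines():
        tok = shlex.split(raw)                        # honours AOS quoted names such as "WAN Failover"
        if not tok or tok == ["!"]:
            cur = None
        elif raw[0] == " " and cur is not None:       # child line of the open section
            if isinstance(cur, list):
                cur.append(tok)                       # ACL entry or policy-class statement
            elif tok[0] == "destination":
                cur["dest"] = tok[1]
            elif tok[:3] == ["test", "if", "probe"]:
                cur["probe"] = tok[3]                 # an unquoted name ends at the first space
            elif tok[:2] == ["ip", "access-policy"]:
                cur["policy"] = tok[2]
        elif tok[0] in ("probe", "track"):
            cur = cfg[tok[0] + "s"].setdefault(tok[1], {})
        elif tok[0] == "interface":
            cur = cfg["ifaces"].setdefault(" ".join(tok[1:]), {})
        elif tok[:2] == ["ip", "access-list"]:
            cur = cfg["acls"].setdefault(tok[3], [])
        elif tok[:2] == ["ip", "policy-class"]:
            cur = cfg["policies"].setdefault(tok[2], [])
        elif tok[:2] == ["ip", "route"]:
            cfg["routes"].append(parse_route(tok[2:]))
    return cfg

def audit(text):
    cfg, out = parse(text), []                        # findings; an empty list means the recipe is in place
    for name, t in cfg["tracks"].items():             # 1. a track must name a probe that exists
        if t.get("probe") not in cfg["probes"]:
            out.append(f"track {name}: probe '{t.get('probe')}' undefined (quote names with spaces)")
    defaults = [r for r in cfg["routes"] if r["dest"] == "0.0.0.0"]
    primary, backup = [r for r in defaults if r["track"]], [r for r in defaults if not r["track"]]
    if len(primary) != 1 or not backup or min(b["distance"] for b in backup) <= primary[0]["distance"]:
        out.append("default routes: need one tracked primary and an untracked backup at a higher distance")
    for name, p in cfg["probes"].items():             # 2. pin the probe target to the primary WAN only
        host = [r for r in cfg["routes"] if (r["dest"], r["mask"]) == (p.get("dest"), "255.255.255.255")]
        gw, null = [r for r in host if r["via"] != "null"], [r for r in host if r["via"] == "null"]
        if not gw or not null:
            out.append(f"probe {name}: {p.get('dest')} needs a host route via the primary gateway plus a null route")
            continue
        if len(primary) == 1 and gw[0]["via"] != primary[0]["via"]:
            out.append(f"probe {name}: host route via {gw[0]['via']} but tracked default via {primary[0]['via']}")
        if null[0]["distance"] <= gw[0]["distance"]:
            out.append(f"probe {name}: null route needs a higher distance than the host route")
    nat = {pc: [s for s in st if s[:2] == ["nat", "source"]] for pc, st in cfg["policies"].items()}
    egress = {" ".join(s[s.index("interface") + 1:][:2]) for st in nat.values() for s in st if "interface" in s}
    wans = {n: i["policy"] for n, i in cfg["ifaces"].items() if i.get("policy") and not nat.get(i["policy"])}
    for name, pc in wans.items():                     # 3. each WAN: its own NAT egress, no any->any inbound
        if name not in egress:
            out.append(f"{name}: no 'nat source ... interface {name} overload policy ...' statement for failover egress")
        for s in cfg["policies"].get(pc, []):
            if s[:2] == ["allow", "list"] and ["permit", "ip", "any", "any"] in cfg["acls"].get(s[2], []):
                out.append(f"policy-class {pc} on {name}: {s[2]} admits any->any inbound")
    return out
```

Run `audit(SAMPLE)` to see the five findings the replies above fix (swapped tracked gateway, null route without a higher distance, no NAT egress on vlan 301, and any->any inbound on both WANs); a config with the final recipe applied and web-acl-3 removed from the public classes returns an empty list.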

                      • Re: Failover on NV3120
                        vmirinav New Member

                        Thank you.

                         

                        Failover seems to work but I think there is still some issue with nat. I am doing various tests now to see why the PC pinging google does not resume pinging it after I take out Eth0/1.

                         

                        I can get in over wan (sw0/1) via failover interface to the router and I can ping various other IP's from the router.

                         

                        Thank you for reminding me about that insecure firewall rule; I will correct that later, after this setup is done.

                          • Re: Failover on NV3120
                            vmaxdawg05 Past_Featured_Member

                            I can answer that.  The route table entry dictates that the only way to get to 8.8.8.8 is through the primary WAN interface.  If you are actually using google DNS for your LAN computers, then you may want to replace 8.8.8.8 with something different (I often use 4.2.2.2).  The fact that users can’t ping 8.8.8.8 when the primary is down, proves that the programming is working correctly.

                      • Re: Failover on NV3120
                        vmirinav New Member

                        One more minor thing. When I call in from the cell and hang up before I pick up from the ports line, it rings at least twice until it acknowledges my hangup. Is there a way to fix that?

                        • Re: Failover on NV3120
                          Employee

                          vmirinav -

                          I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                           

                          Thanks,

                          Noor