5 Replies Latest reply on Sep 16, 2013 3:46 PM by jayh

    setting up IP fail over.

    billflippen New Member

      Greetings from a Newb

      So far what I have works from the router but fails from the computer.

      Setup:

      3448 sitting on my desk

      Eth 0/1 is plugged into comcast modem and using 1 of our static public IPs

      Eth 0/2 is plugged into our local network, using a static private IP, and is routed out a DSL connection.

      I do a traceroute from the router to 8.8.8.8; it routes out the Comcast modem as expected.

      I unplug eth 0/1

      I see the state go to fail

      I do a traceroute from the router to 8.8.8.8; it routes out the DSL modem as expected.

      I plug eth 0/1 back in

      I do a traceroute from the router to 8.8.8.8; it routes out the Comcast modem as expected.

       

      I do a traceroute from the laptop to 8.8.8.8; it routes out the Comcast modem as expected.

      I unplug eth 0/1

      I see the state go to fail

      I do a traceroute from the laptop to 8.8.8.8; it gets to the VLAN interface 192.168.1.1, then times out.

       

      I think it has something to do with the firewall or NAT, but I can't see it for the life of me.

      Here is some relevant info:

       

      ip local policy route-map LOCAL

      !

      ip firewall

      ip firewall fast-nat-failover

      !

      probe Charter icmp-echo

        destination 173.X.X.94

        source-address   173.X.X.91

        period 3

        tolerance consecutive fail 3 pass 3

        no shutdown

      !

      track Charter

        snmp trap state-change

        test if probe Charter

        no shutdown

      !

      interface eth 0/1

        description Charter Connection

        ip address  173.X.X.91  255.255.255.248

        ip access-policy Public

        ip flow egress

        media-gateway ip primary

        no awcp

        no shutdown

      !

      !

      interface eth 0/2

        description Backup

        ip address  192.168.99.99  255.255.255.0   (this is a test IP on my existing network; it would be changed to a public IP in the real world)

        ip mtu 1500

        ip access-policy Public_Backup

        no shutdown

      !

      !

      !

      interface vlan 1

        ip address  192.168.1.1  255.255.255.0

        ip access-policy Private

        ip flow egress

        no awcp

        no shutdown

      !

      !

      !

      route-map LOCAL permit 10

        match ip address Charter

        set ip next-hop 192.168.99.249

        set interface eth 0/2

      !

      !

      !

      !

      ip access-list standard Backup_ICS

        permit any

      !

      ip access-list standard wizard-ics

        remark Internet Connection Sharing

        permit any

      !

      !

      ip access-list extended Audio_ACL

        permit udp any  any     log

      !

      ip access-list extended Charter

        permit icmp host 192.168.1.1  host X.X.X.X   

      !

      ip access-list extended self

        remark Traffic to NetVanta

        permit ip any  any     log

      !

      ip access-list extended Signal_ACL

        permit udp any  any eq 5060    log

        permit tcp any  any eq 5061   log

      !

      ip access-list extended web-acl-10

        remark TCP_UDP_5060_5061

        permit tcp 208.X.X.0 0.0.0.255  any range 5060 5061   log

        permit udp 208.X.X.0 0.0.0.255  any range 5060 5061    log

      !

      ip access-list extended web-acl-11

        remark RTP fwd

        permit udp X.X.62.0 0.0.0.255  any range X X    log

      !

      ip access-list extended web-acl-12

        remark XXX

        permit tcp any  any eq XXXX   log

      !

      ip access-list extended web-acl-13

        remark XXX

        permit tcp any  any eq XXXX   log

      !

      ip access-list extended web-acl-14

        remark DIM

        permit tcp any  any eq XXXX   log

      !

      ip access-list extended web-acl-15

        remark Admin

        permit tcp any  any eq https   log

        permit tcp any  any eq ssh   log

        permit icmp any  any  echo   log

      !

      ip access-list extended web-acl-16

        remark To_NetVanta

        permit ip any  any     log

      !

      ip access-list extended web-acl-17

        remark NAT_Backup

        permit ip any  any   

      !

      ip access-list extended web-acl-3

        remark Admin Access

        permit tcp any  any eq https   log

        permit tcp any  any eq ssh   log

        permit icmp any  any  echo   log

      !

      !

      !

      !

      ip policy-class Private

        allow list self self

        nat source list wizard-ics interface eth 0/1 overload

        nat source list Backup_ICS interface eth 0/2 overload

      !

      ip policy-class Public

        allow list web-acl-3 self

        nat destination list web-acl-12 address 192.168.1.250 port XX

        nat destination list web-acl-10 address 192.168.1.250

        nat destination list web-acl-11 address 192.168.1.251

        nat destination list web-acl-13 address 192.168.1.250

        nat destination list web-acl-14 address 192.168.1.250

      !

      ip policy-class Public_Backup

        allow list web-acl-15 self

      !

      !

      !

      ip route 0.0.0.0 0.0.0.0 173.X.X.94 track Charter

      ip route 0.0.0.0 0.0.0.0 192.168.99.1 10

      !

        • Re: setting up IP fail over.
          jayh Hall_of_Fame

          Your NAT is still trying to go out Charter.  Change your wizard-ics access list to:

           

          !

          ip access-list extended wizard-ics

            remark Internet Connection Sharing

            permit ip any any track Charter

          !


          Also, to avoid a lot of flapping and churn, I usually require the primary link to be stable for a while before cutting back over.  With 3-second pings the following requires the cable to be down for 15 seconds to trigger backup and up-stable for 2 minutes before cutting back.

           

          probe Charter icmp-echo

            destination 173.X.X.94

            source-address   173.X.X.91

            period 3

            tolerance consecutive fail 5 pass 40

            no shutdown

            • Re: setting up IP fail over.
              billflippen New Member

              @jayh I didn't get a chance to see your reply before I started over from scratch and went on site.

               

              I like the idea of the higher threshold for the cutover. Will have to implement.

               

               

              Below is most of the config I ended up with (copied from an Adtran white paper I found).

               

              It seems to work very nicely. One problem though....

               

              When it switches from one to the other and we remote in, a few things work and a few things don't:

               

              1) We port forward 8001 to a device's port 80 (WebPro). That fails to connect when on backup, works fine when on primary.

              2) HTTPS to the 3448 works fine on both interfaces.

              3) SSH to the 3448 fails when on backup.

              4) Telnet to the device on port 8002 works fine in primary and backup mode.

               

              I tried setting up a 2nd ACL just for WebPro backup (web-acl-14) to test whether that was needed. It did not fix it.

               

               

              interface eth 0/1

                description Charter Connection

                ip address  97.X.X.78  255.255.255.252

                ip access-policy WAN1

                no awcp

                no shutdown

               

              interface eth 0/2

                description Backup

                ip address  199.1X.X.22  255.255.255.252

                ip access-policy WAN2

                no shutdown

               

              interface vlan 1

                ip address  192.168.1.1  255.255.255.0

                ip access-policy Private

                ip flow egress

                no awcp

                no shutdown

               

              route-map LOCAL permit 10

                match ip address WAN1

                set ip next-hop 97.X.X.77

                set interface null 0

               

              ip access-list extended AdminAccess

                remark Admin Access

                permit tcp any  any eq https   log

                permit tcp any  any eq ssh   log

                permit icmp any  any  echo   log

              !

              ip access-list extended AFP

                remark AFP Backup

                permit tcp any  any eq 548   log

              !

              ip access-list extended DIM

                remark DIM Backup

                permit tcp any  any eq 8002   log

              !

              ip access-list extended FTP

                remark FTP Backup

                permit tcp any  any eq ftp   log

              !

              ip access-list extended NAT-Backup

                permit ip any  any   

              !

              ip access-list extended NAT-Primary

                permit ip any  any   

              !

              ip access-list extended PCPro

                remark PC Pro Backup

                permit tcp any  any eq 8000   log

              !

              ip access-list extended self

                permit ip any  any   

              !

              ip access-list extended SIP_RTP

                permit udp 208.X.X.0 0.0.0.255  any range 20000 20031    log

              !

              ip access-list extended SIP_Signal

                remark NAT list SIP_Signal

                permit tcp 208.X.X.0 0.0.0.255  any range 5060 5061   log

                permit udp 208.X.X.0 0.0.0.255  any range 5060 5061    log

              !

              ip access-list extended TIMBUKTU

                remark Timbuktu Backup

                permit tcp any  any eq 407   log

                permit udp any  any eq 407    log

              !

              ip access-list extended WAN1

                permit icmp host 97.X.X9.78  host 97.X.X.77   

              !

              ip access-list extended web-acl-14

                remark WebProBackup

                permit tcp any  any eq 8001   log

              !

              ip access-list extended WebPro

                permit tcp any  any eq 8001   log

               

              ip policy-class Private

                nat source list NAT-Primary interface eth 0/1 overload policy WAN1

                nat source list NAT-Backup interface eth 0/2 overload policy WAN2

                allow list self self

              !

              ip policy-class WAN1

                allow list AdminAccess self

                nat destination list SIP_RTP address 192.168.1.251

                nat destination list SIP_Signal address 192.168.1.250

                nat destination list AFP address 192.168.1.10

                nat destination list TIMBUKTU address 192.168.1.10

                nat destination list WebPro address 192.168.1.250 port 80

                nat destination list PCPro address 192.168.1.250

                nat destination list DIM address 192.168.1.250

                nat destination list FTP address 192.168.1.10

              !

              ip policy-class WAN2

                allow list AdminAccess self

                nat destination list SIP_RTP address 192.168.1.251

                nat destination list SIP_Signal address 192.168.1.250

                nat destination list TIMBUKTU address 192.168.1.10

                nat destination list AFP address 192.168.1.10

                nat destination list web-acl-14 address 192.168.1.250 port 80

                nat destination list PCPro address 192.168.1.250

                nat destination list DIM address 192.168.1.250

                nat destination list FTP address 192.168.1.10

               

               

              ip route 0.0.0.0 0.0.0.0 97.X.X.77 track Charter

              ip route 0.0.0.0 0.0.0.0 199.X.X.21 10

                • Re: setting up IP fail over.
                  Employee

                  billflippen - Are you attempting to test these connections while the primary circuit is up? Or are you attempting the backup connections when the backup route is active?

                   

                  Thanks,

                  Noor

                    • Re: setting up IP fail over.
                      billflippen New Member

                      I was trying to test with the main connection physically disconnected from Eth 0/1 and the backup connection still connected to Eth 0/2.

                       

                      I have not had a chance to go back out on site to troubleshoot.

                       

                      My main concern was that the SIP trunks would encounter the same scenario, but I was able to confirm that they do indeed work in failover. I can live with not being able to connect to the phone system for admin purposes when in failover. I can't foresee but a very small chance that I would need to access it in that condition. My other concern was that their remote applications (Timbuktu and Apple File Share) wouldn't work; this I have not had a chance to confirm.

                • Re: setting up IP fail over.
                  jayh Hall_of_Fame

                  Change your NAT-Primary to a tracked ACL.

                   

                  !

                  ip access-list extended NAT-Primary

                    permit ip any any track Charter

                  !
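                  The two fixes jayh gives in this thread (a tracked `wizard-ics` ACL in the first reply, a tracked `NAT-Primary` ACL in the last) and his `tolerance consecutive fail 5 pass 40` suggestion both come down to the same mechanics: the `nat source` entries in the Private policy-class are matched in order, and an untracked `permit ip any any` on the eth 0/1 entry keeps matching even after the track object has gone to FAIL, so LAN traffic keeps being NATed out the dead primary while the router's own traffic (which follows the route table) fails over cleanly. The Python model below is an added example, not Adtran code and not anything the thread's posters wrote: it simulates a probe-driven track with consecutive fail/pass tolerance and a first-match NAT source list, and shows the untracked ordering never leaving eth 0/1 while the tracked ordering fails over after the fifth lost ping and returns after 40 consecutive good ones. The class and function names and the first-match, skip-if-track-failed semantics are assumptions of this model, and the probe result sequences are constructed.

```python
"""Added example (not Adtran's code, not from the thread's posters): a small
model of an AOS-style ICMP probe -> track -> NAT-source-list chain, showing why
an untracked primary NAT entry keeps matching after the primary WAN fails and
how the consecutive fail/pass tolerances add hysteresis.

Names (Track, NatSource, select_egress, simulate) and the first-match,
skip-if-track-failed semantics are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Track:
    """Track object driven by a periodic probe with consecutive-result tolerance."""
    name: str
    period: int        # seconds between probes
    fail_after: int    # consecutive failed probes before the track goes to FAIL
    pass_after: int    # consecutive passed probes before the track returns to PASS
    state: str = "PASS"
    consecutive_fail: int = 0
    consecutive_pass: int = 0

    def observe(self, probe_ok: bool) -> str:
        """Feed one probe result; a result of the other kind resets the other counter."""
        if probe_ok:
            self.consecutive_pass += 1
            self.consecutive_fail = 0
            if self.state == "FAIL" and self.consecutive_pass >= self.pass_after:
                self.state = "PASS"
        else:
            self.consecutive_fail += 1
            self.consecutive_pass = 0
            if self.state == "PASS" and self.consecutive_fail >= self.fail_after:
                self.state = "FAIL"
        return self.state

    def seconds_to_fail(self) -> int:
        """Worst-case time from the link going dead to the track reporting FAIL."""
        return self.period * self.fail_after

    def seconds_to_recover(self) -> int:
        """Time the primary must stay clean before the track returns to PASS."""
        return self.period * self.pass_after


@dataclass
class NatSource:
    """One 'nat source list ... interface X overload' entry in a policy-class."""
    interface: str
    track: Optional[str] = None   # ACL is tracked: entry matches only while track is PASS


def select_egress(entries: List[NatSource], tracks: Dict[str, Track]) -> Optional[str]:
    """First-match in configured order; an entry whose tracked ACL is FAIL is skipped."""
    for entry in entries:
        if entry.track is None or tracks[entry.track].state == "PASS":
            return entry.interface
    return None


def simulate(entries: List[NatSource], track: Track, probe_results: List[bool]) -> List[Optional[str]]:
    """Feed probe results in order and record the NAT egress chosen after each one."""
    chosen = []
    for ok in probe_results:
        track.observe(ok)
        chosen.append(select_egress(entries, {track.name: track}))
    return chosen


# The two NAT orderings from the thread: primary entry untracked vs. tracked.
UNTRACKED = [NatSource("eth 0/1"), NatSource("eth 0/2")]
TRACKED = [NatSource("eth 0/1", track="Charter"), NatSource("eth 0/2")]


if __name__ == "__main__":
    outage = [False] * 5 + [True] * 40   # constructed: 5 lost pings, then 40 good ones
    t = Track("Charter", period=3, fail_after=5, pass_after=40)
    print("fail after %ds, recover after %ds" % (t.seconds_to_fail(), t.seconds_to_recover()))
    print("untracked after 5th lost ping:", simulate(UNTRACKED, Track("Charter", 3, 5, 40), outage)[4])
    print("tracked after 5th lost ping:  ", simulate(TRACKED, Track("Charter", 3, 5, 40), outage)[4])
```

                  Two things worth checking against your own box rather than this model: the policy-class on the backup interface needs its own `nat destination` entries for anything that must be reachable inbound during failover (the second config in this thread does that in WAN2; the first config's Public_Backup has none), and the hysteresis only works if the probe destination is the far end of the primary link rather than something reachable over either path.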