6 Replies Latest reply on Jan 7, 2014 10:00 AM by noor

    WAN failover setup

    telarin New Member

      I have setup my NetVanta 1335P in a WAN Fail-Over configuration using the AdTran "Configuring WAN Fail-Over in AOS" white paper. However, something is not working quite right.

      When I disconnect my primary WAN connection for testing, both probes I have configured correctly change to a FAIL status.

      The track connected to the probes also correctly changes to a fail status.

      When viewing the Route Table in the web interface, the primary route for WAN1 which is configured with an Admin Distance of 1 drops from the first position to the second position, below the WAN2 route with Admin Distance 10. I assume this means that the WAN2 route should then take precedence.

      However, no traffic is routed.

      In the Private security zone, I have 2 separate NAT policies setup. One using the WAN1 VLAN interface, and one using the WAN2 VLAN interface.

      I did use the AOS interface to put the NetVanta in fast NAT failover mode, but my AOS skills are not particularly complete, so it is possible I missed a step in there somewhere.


      Just to be sure I'm doing it right:

      telnet to netvanta
      password: <enter access password>
      NetVanta>enable
      Password: <enter admin password>
      NetVanta#config
      Configure from terminal
      NetVanta(config)#ip firewall
      NetVanta(config)#ip firewall fast-nat-failover
      NetVanta(config)#exit
      NetVanta#write
      NetVanta#exit


      Am I missing a step in the use of AOS to commit the configuration, or is there something else I should look at? Like I said, I RARELY use AOS, so please be specific in answers involving AOS rather than the web interface.

        • Re: WAN failover setup
          telarin New Member

          One addition, I did check the WAN2 connection using another router just to make sure there were no configuration issues on the ISPs side and that the connection actually worked as expected.

            • Re: WAN failover setup
              Employee

              telarin - Thanks for posting your question on the forum!

               

              You mentioned you had two probes configured. What are those probes testing and is the track setup for both probes to fail for the track to change state? Everything else you specified sounds correct, including your AOS CLI implementation. Could you post your configuration to this thread? Please remember to remove any information that may be sensitive to your network. It may help in determining what may be going wrong.

               

              Thanks,

              Noor

            • Re: WAN failover setup
              telarin New Member

              The two probes are hitting the 2 DNS servers for the WAN1 ISP (68.94.156.1, 68.94.157.1). The reason being that we have had the first hop to the gateway stay up and the connection on their side go down in the past, so this gets us a little deeper into their network to ensure that there is really connectivity. As I said, when I unplug WAN1, these both go into a FAIL state, and the configured track, which uses logical OR, also changes state to FAIL as expected.

               

              Note that you can ignore all the VLAN 6 configuration. I was trying to setup a separate network that only used the secondary WAN, but found that it was going to be more complicated than expected. Since the only purpose was to make sure I had connectivity on WAN2, I just verified connectivity using a little home router to make sure everything was configured correctly on the ISP side.

               

              The unit configuration is below. I BELIEVE I have removed everything overly sensitive, but if you notice anything that I missed, let me know and I'll edit it out.

              !
              ! ADTRAN, Inc. OS version 18.02.01.00.E
              ! Boot ROM version 15.01.B1
              ! Platform: NetVanta 1335 PoE, part number 1700525E2
              ! Serial number LBADTN1042AM374
              !
              hostname "NetVanta"
              enable password [removed]
              !
              clock timezone -6-Central-Time
              !
              ip subnet-zero
              ip classless
              ip routing
              !
              ip name-server 192.168.100.1 192.168.100.2
              !
              no ip route-cache express
              !
              no auto-config
              !
              event-history on
              event-history priority notice
              no logging forwarding
              no logging email
              !
              no service password-encryption
              !
              username "admin" password [removed]
              !
              #
              !
              ip firewall
              ip firewall fast-nat-failover
              no ip firewall alg msn
              no ip firewall alg mszone
              no ip firewall alg h323
              !
              no dot11ap access-point-control
              !
              probe "ATT WAN" icmp-echo
                destination 68.94.156.1
                source-address 1.2.51.130
                period 5
                tolerance consecutive fail 1 pass 1
                no shutdown
              !
              probe "ATT DNS2" icmp-echo
                destination 68.94.157.1
                source-address 1.2.157.1
                period 5
                tolerance consecutive fail 1 pass 1
                no shutdown
              !
              track "ATT Track"
                snmp trap state-change
                test list or
                  if probe ATT WAN
                  if probe ATT DNS2
                no shutdown
              !
              ip dhcp-server excluded-address 172.16.0.0 172.16.0.100
              ip dhcp-server excluded-address 172.16.1.0 172.16.1.100
              ip dhcp-server excluded-address 172.16.2.0 172.16.2.100
              !
              ip dhcp-server pool "NCCER Lab"
                network 172.16.0.0 255.255.255.0
                dns-server 192.168.100.1 192.168.100.2
                default-router 172.16.0.1
              !
              ip dhcp-server pool "Public Wireless"
                network 172.16.1.0 255.255.255.0
                dns-server 8.8.8.8 8.8.4.4
                default-router 172.16.1.1
              !
              ip dhcp-server pool "Comcast LAN"
                network 172.16.2.0 255.255.255.0
                dns-server 75.75.75.75 75.75.76.76
                default-router 172.16.2.1
              !
              ip crypto
              !
              crypto ike policy 100
                initiate main
                respond anymode
                local-id address 1.2.51.130
                peer 72.15.231.244
                attribute 3
                  encryption 3des
                  hash md5
                  authentication pre-share
                  group 5
              !
              crypto ike remote-id any preshared-key [removed] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
              crypto ike remote-id address 72.15.231.244 preshared-key [removed] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
              !
              crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
                mode tunnel
              !
              crypto map VPN 10 ipsec-ike
                description Peak-10
                match address VPN-10-vpn-selectors1
                set peer 72.15.231.244
                set transform-set esp-3des-esp-md5-hmac
                set pfs group5
                ike-policy 100
              !
              vlan 1
                name "Default"
              !
              vlan 2
                name "AT&T WAN"
              !
              vlan 3
                name "NCCER Lab"
              !
              vlan 4
                name "Public Wireless"
              !
              vlan 5
                name "Comcast WAN"
              !
              vlan 6
                name "Comcast LAN"
              !
              interface switchport 0/1
                speed 100
                spanning-tree edgeport
                no shutdown
                switchport access vlan 2
              !
              interface switchport 0/2
                no shutdown
              !
              interface switchport 0/3
                no shutdown
                switchport access vlan 3
              !
              interface switchport 0/4
                no shutdown
                switchport access vlan 3
              !
              interface switchport 0/5
                no shutdown
                switchport access vlan 3
              !
              interface switchport 0/6
                no shutdown
                switchport access vlan 3
              !
              interface switchport 0/7
                no shutdown
                switchport access vlan 3
              !
              interface switchport 0/8
                no shutdown
                switchport access vlan 4
              !
              interface switchport 0/9
                no shutdown
                switchport access vlan 4
              !
              interface switchport 0/10
                no shutdown
                switchport access vlan 5
              !
              interface switchport 0/11
                no shutdown
                switchport access vlan 6
              !
              interface switchport 0/12
                no shutdown
                switchport access vlan 4
              !
              interface switchport 0/13
                no shutdown
                switchport access vlan 4
              !
              interface switchport 0/14
                no shutdown
              !
              interface switchport 0/15
                no shutdown
              !
              interface switchport 0/16
                no shutdown
              !
              interface switchport 0/17
                no shutdown
              !
              interface switchport 0/18
                no shutdown
              !
              interface switchport 0/19
                no shutdown
              !
              interface switchport 0/20
                no shutdown
              !
              interface switchport 0/21
                no shutdown
              !
              interface switchport 0/22
                no shutdown
              !
              interface switchport 0/23
                no shutdown
              !
              interface switchport 0/24
                no shutdown
              !
              interface gigabit-switchport 0/1
                no shutdown
              !
              interface gigabit-switchport 0/2
                no shutdown
              !
              interface vlan 1
                ip address  192.168.150.2  255.255.0.0
                ip access-policy Private
                no ip route-cache express
                no shutdown
              !
              interface vlan 2
                ip address  1.2.51.130  255.255.255.192
                ip address  1.2.51.132  255.255.255.192  secondary
                ip address  1.2.51.135  255.255.255.192  secondary
                ip address range  1.2.51.161  1.2.51.162  255.255.255.192  secondary
                ip address range  1.2.51.189  1.2.51.190  255.255.255.192  secondary
                ip access-policy "AT&T WAN"
                crypto map VPN
                no awcp
                no ip route-cache express
                no shutdown
              !
              interface vlan 3
                description NCCER Lab
                ip address  172.16.0.1  255.255.255.0
                ip mtu 1500
                ip access-policy "NCCER Lab"
                no ip route-cache express
                no shutdown
              !
              interface vlan 4
                description Public Wireless
                ip address  172.16.1.1  255.255.255.0
                ip mtu 1500
                ip access-policy "Public Wireless"
                no rtp quality-monitoring
                no awcp
                no ip route-cache express
                no shutdown
              !
              interface vlan 5
                description Comcast WAN
                ip address  3.4.200.73  255.255.255.248
                ip mtu 1500
                ip access-policy "Comcast WAN"
                no rtp quality-monitoring
                no awcp
                no ip route-cache express
                no shutdown
              !
              interface vlan 6
                description Comcast LAN
                ip address  172.16.2.1  255.255.255.0
                ip mtu 1500
                ip access-policy "Comcast LAN"
                no rtp quality-monitoring
                no awcp
                no ip route-cache express
                no shutdown
              !
              ip access-list standard wizard-ics
                remark AT&T NAT
                permit any
              !
              ip access-list extended self
                remark Traffic to NetVanta
                permit ip any  any     log
              !
              ip access-list extended VPN-10-vpn-selectors1
                permit ip 192.168.0.0 0.0.255.255  10.20.30.0 0.0.0.255
              !
              ip access-list extended web-acl-11
                remark SCTC-SQL RDP
                permit tcp any  host 1.2.51.135 eq 3390   log
              !
              ip access-list extended web-acl-12
                remark SCTC-SQL RDP
                permit tcp any  host 1.2.51.135 eq 3390   log
              !
              ip access-list extended web-acl-13
                remark NAT
                permit ip any  any
              !
              ip access-list extended web-acl-14
                permit ip any  any
              !
              ip access-list extended web-acl-15
                remark NCCER Lab
                permit ip any  any
              !
              ip access-list extended web-acl-17
                remark Wireless NAT
                permit ip any  any
              !
              ip access-list extended web-acl-22
                remark Traffic to Netvanta
                permit ip any  any     log
              !
              ip access-list extended web-acl-23
                remark Comcast NAT
                permit ip any  any     log
              !
              ip access-list extended web-acl-24
                remark Comcast NAT
                permit ip any  any     log
              !
              ip access-list extended web-acl-4
                remark CSCTCWEB
                permit tcp any  host 1.2.51.130 eq www   log
                permit tcp any  host 1.2.51.130 eq https   log
              !
              ip access-list extended web-acl-5
                remark Voicemail
                permit tcp any  host 1.2.51.162 eq https   log
                permit tcp any  host 1.2.51.162 eq 8080   log
              !
              ip access-list extended web-acl-7
                remark Phone System
                permit tcp any  host 1.2.51.161 eq www   log
              !
              ip access-list extended web-acl-8
                remark SCTC-VSC
                permit tcp any  host 1.2.51.135 eq www   log
                permit tcp any  host 1.2.51.135 eq https   log
              !
              ip access-list extended web-acl-9
                remark DVR
                permit tcp any  host 1.2.51.189 eq 85   log
                permit tcp any  host 1.2.51.189 eq 9000   log
                permit tcp any  host 1.2.51.189 eq 37777   log
                permit tcp any  host 1.2.51.189 eq www   log
              !
              ip access-list extended wizard-pfwd-1
                remark CSCTC-SRVS
                permit tcp any  host 1.2.51.132 eq www   log
              !
              ip policy-class "AT&T WAN"
                allow reverse list VPN-10-vpn-selectors1 stateless
                nat destination list wizard-pfwd-1 address 192.168.100.30
                nat destination list web-acl-4 address 192.168.150.20
                nat destination list web-acl-5 address 192.168.150.9
                nat destination list web-acl-7 address 192.168.150.12
                nat destination list web-acl-8 address 192.168.100.40
                nat destination list web-acl-9 address 192.168.100.70
                nat destination list web-acl-12 address 192.168.100.20 port 3389
              !
              ip policy-class "Comcast LAN"
                allow list web-acl-22 self
                nat source list web-acl-23 interface vlan 5 overload
              !
              ip policy-class "Comcast WAN"
                ! Implicit discard
              !
              ip policy-class "NCCER Lab"
                nat source list web-acl-13 interface vlan 2 overload
                allow list web-acl-14 policy Private
              !
              ip policy-class Private
                allow list VPN-10-vpn-selectors1 stateless
                allow list self self
                nat source list wizard-ics interface vlan 2 overload
                allow list web-acl-15 policy "NCCER Lab"
                nat source list web-acl-24 interface vlan 5 overload
              !
              ip policy-class "Public Wireless"
                nat source list web-acl-17 interface vlan 2 overload
              !
              ip route 0.0.0.0 0.0.0.0 1.2.51.129 track ATT Track
              ip route 0.0.0.0 0.0.0.0 3.4.200.78 10
              ip route 68.94.156.1 255.255.255.255 1.2.51.129
              ip route 68.94.156.1 255.255.255.255 null 0 10
              ip route 68.94.157.1 255.255.255.255 1.2.51.129
              ip route 68.94.157.1 255.255.255.255 null 0 10
              !
              no tftp server
              no tftp server overwrite
              ip http server
              no ip http secure-server
              no snmp agent
              no ip ftp server
              ip ftp server default-filesystem flash
              no ip scp server
              no ip sntp server
              !
              ip sip udp 5060
              ip sip tcp 5060
              !
              line con 0
                no login
              !
              line telnet 0 4
                login
                password password
                no shutdown
              line ssh 0 4
                login local-userlist
                no shutdown
              !
              end
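
The probe, track and static-route pieces of the posted configuration can be followed with a small model. The Python below is an added example, not code from this thread or from AdTran. It assumes the behaviour the fail-over design relies on: a probe flips state after `tolerance consecutive fail N pass M` results, a track with `test list or` fails only when every listed probe has failed, a static route carrying `track` is withdrawn while its track is failed, and among the usable routes the lowest administrative distance wins. The routes, probe targets and interface names are copied from the posted configuration; the link-state and echo-reply events fed to `simulate` are constructed. The `null 0` backup routes for the two probe targets are modelled as black holes, so that once vlan 2 is down a probe cannot succeed over the Comcast link and flip the track back. That is the model's reading of why those routes are there, not something the thread states.

```python
# Added example (not code from the AdTran thread): a small model of the
# probe -> track -> route chain in the posted configuration.  Assumptions:
# a probe flips after `tolerance consecutive fail N pass M` results, a
# track with `test list or` fails only when every probe has failed, a
# static route carrying `track` is withdrawn while its track is failed,
# and the lowest administrative distance wins among the usable routes.
from collections import namedtuple

Route = namedtuple("Route", "prefix next_hop iface distance track")

# Static routes as posted: tracked default via AT&T, AD-10 default via Comcast,
# and each probe target pinned to AT&T with a null 0 backup (a black hole).
ROUTES = [
    Route("0.0.0.0/0", "1.2.51.129", "vlan 2", 1, "ATT Track"),
    Route("0.0.0.0/0", "3.4.200.78", "vlan 5", 10, None),
    Route("68.94.156.1/32", "1.2.51.129", "vlan 2", 1, None),
    Route("68.94.156.1/32", "null 0", "null 0", 10, None),
    Route("68.94.157.1/32", "1.2.51.129", "vlan 2", 1, None),
    Route("68.94.157.1/32", "null 0", "null 0", 10, None),
]
TARGET = {"ATT WAN": "68.94.156.1/32", "ATT DNS2": "68.94.157.1/32"}


class Probe:
    """icmp-echo probe with `tolerance consecutive fail N pass M` (1/1 as posted)."""

    def __init__(self, name, fail_tol=1, pass_tol=1):
        self.name, self.fail_tol, self.pass_tol = name, fail_tol, pass_tol
        self.state, self._run = "PASS", 0      # _run: consecutive opposite results

    def result(self, ok):
        """Feed one echo result and return the probe state after it."""
        if ok == (self.state == "PASS"):
            self._run = 0                      # result agrees with current state
        else:
            self._run += 1
            if self._run >= (self.pass_tol if ok else self.fail_tol):
                self.state, self._run = ("PASS" if ok else "FAIL"), 0
        return self.state


class Track:
    """`test list or`: PASS while any probe passes; `and`: only while all pass."""

    def __init__(self, probes, mode="or"):
        self.probes, self.mode = probes, mode

    @property
    def state(self):
        passing = [p.state == "PASS" for p in self.probes]
        return "PASS" if (any if self.mode == "or" else all)(passing) else "FAIL"


def best_route(prefix, tracks, link_up, routes=ROUTES):
    """Lowest-AD route for prefix whose egress link is up and whose track passes."""
    usable = [r for r in routes if r.prefix == prefix and link_up.get(r.iface, True)
              and (r.track is None or tracks[r.track].state == "PASS")]
    return min(usable, key=lambda r: r.distance, default=None)


def simulate(events, mode="or"):
    """events: one (vlan 2 link up?, 68.94.156.1 answers?, 68.94.157.1 answers?)
    per probe period.  Returns the default route's next hop after each period."""
    probes = {name: Probe(name) for name in TARGET}
    tracks = {"ATT Track": Track(list(probes.values()), mode)}
    hops = []
    for link, *answers in events:
        link_up = {"vlan 2": link, "vlan 5": True, "null 0": True}
        for probe, answered in zip(probes.values(), answers):
            # The echo only gets out if the target's /32 resolves to a real link;
            # with vlan 2 down the null 0 backup black-holes it, so the probe
            # cannot pass over the Comcast link and flip the track back.
            via = best_route(TARGET[probe.name], tracks, link_up)
            probe.result(answered and via.iface != "null 0")
        default = best_route("0.0.0.0/0", tracks, link_up)
        hops.append(default.next_hop if default else None)
    return hops


if __name__ == "__main__":
    # Constructed scenario: WAN1 unplugged for two periods, then restored.
    print(simulate([(True, True, True), (False, True, True),
                    (False, True, True), (True, True, True)]))
```

Two scenarios are worth running besides the unplug test: link up but neither DNS server answering (the upstream failure described earlier in the thread) moves the default route to 3.4.200.78 even though vlan 2 is up, and a single probe failing leaves the default route on 1.2.51.129 under `test list or` but moves it under `and`.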

                • Re: WAN failover setup
                  telarin New Member

                  And just as a side-note, if you see any gaping security holes in my configuration, please feel FREE to suggest changes, I promise it won't hurt my feelings.

                    • Re: WAN failover setup
                      petersjncv Visitor

                      I would recommend a couple of things.

                       

                      I believe the biggest issue is that the private policy match statements are out of order.  The allow list "web-acl-15" is a permit any any statement and it is likely matching the traffic before it can hit the second NAT policy. 

                      Try it in this order.

                       

                       ip policy-class Private
                         allow list VPN-10-vpn-selectors1 stateless
                         allow list self self
                         nat source list wizard-ics interface vlan 2 overload policy AT&T WAN
                         nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN

                       

                       Add the WAN policy to the respective NAT statements as well.  This helps match the destination policy call with the packet's egress interface (says so right in the command help).  It looks like you used this on the statement to get to the NCCER Lab network.

                       

                      If the purpose of the web-acl-15 is to allow traffic to the NCCER Lab interface, I would tune that list to be a more specific match of destination network traffic so it doesn't try to forward just any traffic there.  I think this is the way you should do it, matching the traffic to a list before it hits the NAT statement.

                       

                       ip access-list extended web-acl-15
                         remark NCCER Lab
                         permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.0.255

                       ip policy-class Private
                         allow list VPN-10-vpn-selectors1 stateless
                         allow list self self
                         allow list web-acl-15 policy "NCCER Lab"
                         nat source list wizard-ics interface vlan 2 overload policy AT&T WAN
                         nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN
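
The ordering argument in the reply above can be checked mechanically. The Python below is an added example, not code from this thread or from AdTran. It models an `ip policy-class` as a top-down, first-match list and reports entries that an earlier catch-all prevents from ever matching, under two assumptions: an entry whose ACL permits everything (`permit any` or `permit ip any any`) and that carries no `policy <egress>` qualifier matches all traffic regardless of egress interface, and an entry qualified with `policy <name>` (or `allow ... self`, which is scoped to traffic for the unit itself) only swallows traffic bound for that egress. The `BEFORE` excerpt is constructed to mirror the posted `Private` policy-class; `AFTER` applies the reordering and `policy` qualifiers suggested above, with the policy names quoted here because they contain spaces, as elsewhere in the posted configuration. Under this model the unqualified `permit any` NAT to vlan 2 already swallows everything after it, so both later entries are reported, and the qualified version leaves every entry reachable. A second function flags the cleartext management settings that also appear in the posted configuration (`ip http server`, `no ip http secure-server`, `no service password-encryption`, a telnet line with `no shutdown`); those lines are from the post, the finding messages are the example's own.

```python
# Added example (not code from the AdTran thread): a first-match model of
# AOS 'ip policy-class' ordering.  Assumption: an entry whose ACL permits
# everything and that carries no 'policy <egress>' qualifier matches all
# traffic, whatever interface the packet would leave through.  The config
# excerpts below are constructed to mirror the posted configuration.
import shlex
SHARED_ACLS = """\
ip access-list standard wizard-ics
  permit any
ip access-list extended self
  permit ip any  any     log
ip access-list extended web-acl-24
  permit ip any  any     log
"""
BEFORE = SHARED_ACLS + """\
ip access-list extended web-acl-15
  permit ip any  any
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface vlan 2 overload
  allow list web-acl-15 policy "NCCER Lab"
  nat source list web-acl-24 interface vlan 5 overload
"""
AFTER = SHARED_ACLS + """\
ip access-list extended web-acl-15
  permit ip 192.168.0.0 0.0.255.255  172.16.0.0 0.0.0.255
ip policy-class Private
  allow list self self
  allow list web-acl-15 policy "NCCER Lab"
  nat source list wizard-ics interface vlan 2 overload policy "AT&T WAN"
  nat source list web-acl-24 interface vlan 5 overload policy "Comcast WAN"
"""
MANAGEMENT = """\
ip http server
no ip http secure-server
no service password-encryption
line telnet 0 4
  login
  no shutdown
"""

def parse(text):
    """Return ({acl: (kind, entries)}, {policy: entries}); unindented lines end blocks."""
    acls, policies, current = {}, {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):                 # indented: belongs to the open block
            if current is not None and not raw.lstrip().startswith("!"):
                current.append(raw.strip())
            continue
        toks, current = (shlex.split(raw) if raw.strip() and raw[0] != "!" else []), None
        if toks[:2] == ["ip", "access-list"]:
            current = []
            acls[toks[3]] = (toks[2], current)
        elif toks[:2] == ["ip", "policy-class"]:
            policies[toks[2]] = current = []
    return acls, policies

def acl_matches_all(kind, entries):
    """True when some entry permits every packet ('permit any' / 'permit ip any any')."""
    wanted = ["permit", "any"] if kind == "standard" else ["permit", "ip", "any", "any"]
    return any([t for t in e.split() if t != "log"] == wanted for e in entries)

def unreachable_entries(policy, acls):
    """First-match walk; returns the entries an earlier catch-all entry swallows."""
    covered, dead = set(), []                  # '*' in covered: every egress swallowed
    for line in policy:
        toks = shlex.split(line)
        acl = toks[toks.index("list") + 1]
        egress = toks[toks.index("policy") + 1] if "policy" in toks else (
            "self" if toks[0] == "allow" and toks[-1] == "self" else "*")  # '*' = any
        if "*" in covered or egress in covered:
            dead.append(line)
        elif acl in acls and acl_matches_all(*acls[acl]):
            covered.add(egress)
    return dead

def check(text):
    acls, policies = parse(text)
    return {name: unreachable_entries(lines, acls) for name, lines in policies.items()}

CLEARTEXT = {"ip http server": "plaintext HTTP management enabled",
             "no ip http secure-server": "HTTPS management disabled",
             "no service password-encryption": "passwords kept unencrypted in the config"}

def management_findings(text):
    """Cleartext management settings that appear verbatim in the config."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    found = [msg for needle, msg in CLEARTEXT.items() if needle in lines]
    in_telnet = False
    for line in lines:
        if not line.startswith(" "):
            in_telnet = line.startswith("line telnet")
        elif in_telnet and line.strip() == "no shutdown":
            found.append("telnet (cleartext) management enabled")
    return found

if __name__ == "__main__":
    print("before:", check(BEFORE))   # the two entries after the catch-all NAT
    print("after: ", check(AFTER))    # nothing unreachable
    print(management_findings(MANAGEMENT))
```

Running `check` over a full `show running-config` paste works the same way, since unindented lines close each block; the only first-match semantics it knows are the two assumptions stated above, so treat a reported entry as a prompt to read the policy-class by hand rather than as a verdict.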

                        • Re: WAN failover setup
                          Employee

                          telarin -

                          I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                           

                          Thanks,

                          Noor