Dual WAN connections

fid500 Member Posts: 71
I have two sites A and B. These sites are connected through MPLS and a site-to-site VPN with one dynamic and one static IP. I am using static routes and IP SLA to track the default route. I have the MPLS link as the preferred route when both links are up. When the MPLS comes up first, the traffic is routed through the MPLS link. When the MPLS link fails, the traffic is routed through the VPN, so far so good. However, when I bring the MPLS link up, the traffic stays on the VPN link. I checked the routing table and it's showing that the MPLS link is the preferred path. When I clear the SA association, the traffic switches to MPLS and stays on the MPLS.
I am trying to figure out why the traffic doesn't switch to the MPLS when the link comes up, since the routing table shows the MPLS as the preferred route.

Thanks

Comments

  • keenon Member Posts: 1,922
    What routing protocol are you using? How is your IP SLA tuned? Are you tracking a route or pinging an IP address, etc.?
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • fid500 Member Posts: 71
    Keenon
    Thanks for your response

    I have OSPF running inside and static routes on both firewalls. As for IP SLA tracking, I am pinging two IP addresses. When I check the routing table, it has the correct route; just the traffic stays on the VPN tunnel. I don't want to run a routing protocol and prefer to keep it to static routes. I could write a TCL script to terminate the SA association, but the ASAs don't support TCL, I believe.
  • Forsaken_GA Member Posts: 4,024
    Clarify something: is the tracking and routing being done on the ASAs, or on an IOS router?
  • fid500 Member Posts: 71
    Here are the configs and diagram. The IP SLA tracking is done on the ASAs.


    hostname Central
    domain-name Central

    names
    name 10.213.1.0 Remote
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 192.168.1.51 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.81.1.1 255.255.255.0
    !
    interface Ethernet2
    nameif mpls
    security-level 50
    ip address 172.16.1.1 255.255.255.0

    access-list inside_access_in extended permit ip 10.81.1.0 255.255.255.0 any
    access-list mpls_access_in extended permit ip Remote 255.255.255.0 10.81.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.81.1.0 255.255.255.0 Remote 255.255.255.0
    access-list outside_cryptomap_65535.1 extended permit ip 10.81.1.0 255.255.255.0 Remote 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 Remote 255.255.255.0
    access-group inside_access_in in interface inside
    access-group mpls_access_in in interface mpls
    route mpls Remote 255.255.255.0 172.16.1.2 1 track 124
    route outside Remote 255.255.255.0 192.168.1.52 200 track 125
    route outside 0.0.0.0 0.0.0.0 192.168.1.52 1
    route mpls 172.17.1.0 255.255.255.0 172.16.1.2 1
    timeout xlate 3:00:00

    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy

    sla monitor 2
    type echo protocol ipIcmpEcho 172.17.1.1 interface mpls
    num-packets 3
    frequency 10
    sla monitor schedule 2 life forever start-time now
    sla monitor 3
    type echo protocol ipIcmpEcho 172.18.1.2 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 3 life forever start-time now
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
    crypto dynamic-map outside_dyn_map 1 set pfs
    crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    !
    track 124 rtr 2 reachability
    !
    track 125 rtr 3 reachability

    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *




    hostname Remote
    name 10.81.1.0 Central

    interface Ethernet0
    nameif outside
    security-level 0
    ip address 192.168.1.50 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.213.1.1 255.255.255.0
    !
    interface Ethernet2
    nameif mpls
    security-level 50
    ip address 172.17.1.1 255.255.255.0
    !
    interface Ethernet3
    nameif satelite
    security-level 30
    ip address 172.18.1.1 255.255.255.0

    access-list inside_access_in extended permit ip 10.213.1.0 255.255.255.0 any
    access-list mpls_access_in extended permit ip Central 255.255.255.0 10.213.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.213.1.0 255.255.255.0 Central 255.255.255.0
    access-list satelite_1_cryptomap extended permit ip 10.213.1.0 255.255.255.0 Central 255.255.255.0
    access-list satelite_access_in extended permit ip Central 255.255.255.0 10.213.1.0 255.255.255.0

    nat (inside) 0 access-list inside_nat0_outbound
    access-group inside_access_in in interface inside
    access-group mpls_access_in in interface mpls
    access-group satelite_access_in in interface satelite
    route mpls Central 255.255.255.0 172.17.1.2 1 track 124
    route satelite Central 255.255.255.0 172.18.1.2 200 track 125
    route outside 0.0.0.0 0.0.0.0 192.168.1.52 1
    route mpls 172.16.1.0 255.255.255.0 172.17.1.2 1
    route satelite 192.168.1.51 255.255.255.255 172.18.1.1 1
    timeout xlate 3:00:00

    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy

    sla monitor 2
    type echo protocol ipIcmpEcho 172.16.1.1 interface mpls
    num-packets 3
    frequency 10
    sla monitor schedule 2 life forever start-time now
    sla monitor 3
    type echo protocol ipIcmpEcho 172.18.1.2 interface satelite
    num-packets 3
    frequency 10
    sla monitor schedule 3 life forever start-time now
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map satelite_map 1 match address satelite_1_cryptomap
    crypto map satelite_map 1 set pfs
    crypto map satelite_map 1 set peer 192.168.1.51
    crypto map satelite_map 1 set transform-set ESP-3DES-SHA
    crypto map satelite_map interface satelite
    crypto isakmp enable satelite
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    !
    track 124 rtr 2 reachability
    !
    track 125 rtr 3 reachability
    telnet timeout 5

    tunnel-group 192.168.1.51 type ipsec-l2l
    tunnel-group 192.168.1.51 ipsec-attributes
    pre-shared-key *
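To make the symptom concrete, here is an added Python model (not from the thread, and not Cisco's code) that parses the Central ASA's tracked static routes above (with the name Remote expanded to 10.213.1.0) and replays the sequence described in the first post. Its one assumption, stated in the class docstring, is that an established flow keeps the egress interface it was built on until that egress becomes unusable or the connection/SA is cleared; the routing table itself is recomputed on every track change.

```python
import ipaddress
from collections import namedtuple

# Constructed excerpt of the Central ASA's routes from the thread (name Remote = 10.213.1.0).
CENTRAL_ROUTES = """
route mpls 10.213.1.0 255.255.255.0 172.16.1.2 1 track 124
route outside 10.213.1.0 255.255.255.0 192.168.1.52 200 track 125
route outside 0.0.0.0 0.0.0.0 192.168.1.52 1
"""
Route = namedtuple("Route", "iface prefix nexthop ad track")

def parse_routes(text):
    """Parse 'route <iface> <net> <mask> <nexthop> <ad> [track <n>]' lines."""
    routes = []
    for f in (line.split() for line in text.strip().splitlines()):
        if f and f[0] == "route":
            track = int(f[7]) if len(f) > 7 and f[6] == "track" else None
            routes.append(Route(f[1], ipaddress.IPv4Network(f"{f[2]}/{f[3]}"), f[4], int(f[5]), track))
    return routes

def route_ok(r, dst, track_up):
    """A route is usable if it covers dst and its track object (if any) is up."""
    return ipaddress.IPv4Address(dst) in r.prefix and (r.track is None or track_up.get(r.track, False))

def best_route(routes, dst, track_up):
    """What the routing table prefers: longest prefix, then lowest AD, among usable routes."""
    cands = [r for r in routes if route_ok(r, dst, track_up)]
    return min(cands, key=lambda r: (-r.prefix.prefixlen, r.ad), default=None)

class StickyForwarder:
    """Assumption modelling the symptom: a flow keeps the egress chosen when it
    was built until that egress becomes unusable or the connection/SA is cleared."""
    def __init__(self, routes):
        self.routes, self.track_up, self.conns = routes, {}, {}
    def forward(self, src, dst):
        egress = self.conns.get((src, dst))
        if not any(r.iface == egress and route_ok(r, dst, self.track_up) for r in self.routes):
            r = best_route(self.routes, dst, self.track_up)   # re-route only when pinned egress failed
            egress = self.conns[(src, dst)] = r.iface if r else None
        return egress

def simulate(src="10.81.1.10", dst="10.213.1.10"):
    """Replay the thread's sequence; each step gives (label, table choice, actual egress)."""
    fw, steps = StickyForwarder(parse_routes(CENTRAL_ROUTES)), []
    events = [("both up", {124: True, 125: True}), ("mpls down", {124: False}),
              ("mpls back", {124: True}), ("clear sa", None)]
    for label, tracks in events:
        fw.conns.clear() if tracks is None else fw.track_up.update(tracks)
        steps.append((label, best_route(fw.routes, dst, fw.track_up).iface, fw.forward(src, dst)))
    return steps
```

At the "mpls back" step the table choice is mpls while the flow is still forwarded via outside; only the "clear sa" step brings the two back into agreement, which is the behaviour the thread reports.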
  • Panzer919 Member Posts: 462
    Found this link that might help. I did a quick read of it and it looks like you may only need to track 1 route instead of both.
    Cisco Brat Blog

    I think “very senior” gets stuck in there because the last six yahoos that applied for the position couldn’t tell a packet from a Snickers bar.

    Luck is where opportunity and proper planning meet

    I have not failed. I've just found 10,000 ways that won't work.
    Thomas A. Edison