I have set up my NetVanta 1335P in a WAN Fail-Over configuration using the AdTran "Configuring WAN Fail-Over in AOS" white paper. However, something is not working quite right.
When I disconnect my primary WAN connection for testing, both probes I have configured correctly change to a FAIL status.
The track connected to the probes also correctly changes to a fail status.
When viewing the Route Table in the web interface, the primary route for WAN1 which is configured with an Admin Distance of 1 drops from the first position to the second position, below the WAN2 route with Admin Distance 10. I assume this means that the WAN2 route should then take precedence.
However, no traffic is routed.
In the Private security zone, I have 2 separate NAT policies set up. One using the WAN1 VLAN interface, and one using the WAN2 VLAN interface.
I did use the AOS interface to put the NetVanta in fast NAT failover mode, but my AOS skills are not particularly complete, so it is possible I missed a step in there somewhere.
Just to be sure I'm doing it right:
telnet to netvanta
password: <enter access password>
NetVanta>enable
Password: <enter admin password>
NetVanta#config
Configure from terminal
NetVanta(config)#ip firewall
NetVanta(config)#ip firewall fast-nat-failover
NetVanta(config)#exit
NetVanta#write
NetVanta#exit
Am I missing a step in the use of AOS to commit the configuration, or is there something else I should look at? Like I said, I RARELY use AOS, so please be specific in answers involving AOS rather than the web interface.
I would recommend a couple of things.
I believe the biggest issue is that the private policy match statements are out of order. The allow list "web-acl-15" is a permit any any statement and it is likely matching the traffic before it can hit the second NAT policy.
Try it in this order.
ip policy-class Private
allow list VPN-10-vpn-selectors1 stateless
allow list self self
nat source list wizard-ics interface vlan 2 overload policy AT&T WAN
nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN
Add the WAN policy to the respective NAT statements as well. This helps match the destination policy call with the packet's egress interface (says so right in the command help). It looks like you used this on the statement to get to the NCCER Lab network.
If the purpose of the web-acl-15 is to allow traffic to the NCCER Lab interface, I would tune that list to be a more specific match of destination network traffic so it doesn't try to forward just any traffic there. I think this is the way you should do it, matching the traffic to a list before it hits the NAT statement.
ip access-list extended web-acl-15
remark NCCER Lab
permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.0.255
ip policy-class Private
allow list VPN-10-vpn-selectors1 stateless
allow list self self
allow list web-acl-15 policy "NCCER Lab"
nat source list wizard-ics interface vlan 2 overload policy AT&T WAN
nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN
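A simplified first-match model of that policy-class evaluation, added here as an illustration (it is not code from the thread or from AOS; the match semantics, in particular how the policy keyword pins a nat entry to an egress policy-class, are an assumption), showing why an any/any web-acl-15 placed ahead of the Comcast NAT entry captures the failover traffic:

```python
import ipaddress

# Simplified model of first-match evaluation in an AOS policy-class (an
# assumption for illustration, not AOS code): entries are tried top-down and
# the first whose list permits the packet wins. A "policy <name>" keyword on a
# nat source entry restricts it to packets leaving via that policy-class.
# The "allow list self self" entry is left out: it only covers traffic
# addressed to the router itself.
ACLS = {
    "wizard-ics": [("0.0.0.0/0", "0.0.0.0/0")],
    "web-acl-24": [("0.0.0.0/0", "0.0.0.0/0")],
    "web-acl-15-posted": [("0.0.0.0/0", "0.0.0.0/0")],          # permit ip any any
    "web-acl-15-tuned": [("192.168.0.0/16", "172.16.0.0/24")],  # as suggested above
    "VPN-10-vpn-selectors1": [("192.168.0.0/16", "10.20.30.0/24")],
}
# egress interface -> policy-class applied on it (from the posted config)
EGRESS = {"vlan 2": "AT&T WAN", "vlan 3": "NCCER Lab", "vlan 5": "Comcast WAN"}

def acl_permits(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in ACLS[acl])

def evaluate(entries, src, dst, egress_vlan):
    """entries: (kind, acl, target, policy). Returns the winning action."""
    for kind, acl, target, policy in entries:
        if policy is not None and policy != EGRESS.get(egress_vlan):
            continue  # nat entry pinned to a different egress policy-class
        if acl_permits(acl, src, dst):
            return f"{kind} {target}"
    return "discard"  # implicit discard at the end of a policy-class

POSTED = [  # order from the posted "ip policy-class Private"
    ("allow", "VPN-10-vpn-selectors1", "stateless", None),
    ("nat", "wizard-ics", "vlan 2", None),
    ("allow", "web-acl-15-posted", "NCCER Lab", None),
    ("nat", "web-acl-24", "vlan 5", None),
]
SUGGESTED = [  # tuned lab list first, NAT entries pinned to their WAN policy
    ("allow", "VPN-10-vpn-selectors1", "stateless", None),
    ("allow", "web-acl-15-tuned", "NCCER Lab", None),
    ("nat", "wizard-ics", "vlan 2", "AT&T WAN"),
    ("nat", "web-acl-24", "vlan 5", "Comcast WAN"),
]

if __name__ == "__main__":
    # WAN1 down: the default route now points out vlan 5 (Comcast)
    for name, entries in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, evaluate(entries, "192.168.150.50", "8.8.8.8", "vlan 5"))
```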
One addition: I did check the WAN2 connection using another router just to make sure there were no configuration issues on the ISP's side and that the connection actually worked as expected.
Thanks for posting your question on the forum!
You mentioned you had two probes configured. What are those probes testing and is the track setup for both probes to fail for the track to change state? Everything else you specified sounds correct, including your AOS CLI implementation. Could you post your configuration to this thread? Please remember to remove any information that may be sensitive to your network. It may help in determining what may be going wrong.
Thanks,
Noor
The two probes are hitting the 2 DNS servers for the WAN1 ISP (68.94.156.1, 68.94.157.1). The reason being that we have had the first hop to the gateway stay up and the connection on their side go down in the past, so this gets us a little deeper into their network to ensure that there is really connectivity. As I said, when I unplug WAN1, these both go into a FAIL state, and the configured track, which uses logical OR, also changes state to FAIL as expected.
Note that you can ignore all the VLAN 6 configuration. I was trying to set up a separate network that only used the secondary WAN, but found that it was going to be more complicated than expected. Since the only purpose was to make sure I had connectivity on WAN2, I just verified connectivity using a little home router to make sure everything was configured correctly on the ISP side.
The unit configuration is below. I BELIEVE I have removed everything overly sensitive, but if you notice anything that I missed, let me know and I'll edit it out.
!
!
! ADTRAN, Inc. OS version 18.02.01.00.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335 PoE, part number 1700525E2
! Serial number LBADTN1042AM374
!
!
hostname "NetVanta"
enable password [removed]
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
!
!
ip name-server 192.168.100.1 192.168.100.2
!
!
no ip route-cache express
!
no auto-config
!
event-history on
event-history priority notice
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password [removed]
!
#
!
!
ip firewall
ip firewall fast-nat-failover
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
probe "ATT WAN" icmp-echo
destination 68.94.156.1
source-address 1.2.51.130
period 5
tolerance consecutive fail 1 pass 1
no shutdown
!
probe "ATT DNS2" icmp-echo
destination 68.94.157.1
source-address 1.2.157.1
period 5
tolerance consecutive fail 1 pass 1
no shutdown
!
track "ATT Track"
snmp trap state-change
test list or
if probe ATT WAN
if probe ATT DNS2
no shutdown
!
!
!
ip dhcp-server excluded-address 172.16.0.0 172.16.0.100
ip dhcp-server excluded-address 172.16.1.0 172.16.1.100
ip dhcp-server excluded-address 172.16.2.0 172.16.2.100
!
ip dhcp-server pool "NCCER Lab"
network 172.16.0.0 255.255.255.0
dns-server 192.168.100.1 192.168.100.2
default-router 172.16.0.1
!
ip dhcp-server pool "Public Wireless"
network 172.16.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 172.16.1.1
!
ip dhcp-server pool "Comcast LAN"
network 172.16.2.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
default-router 172.16.2.1
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address 1.2.51.130
peer 72.15.231.244
attribute 3
encryption 3des
hash md5
authentication pre-share
group 5
!
crypto ike remote-id any preshared-key [removed] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address 72.15.231.244 preshared-key [removed] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description Peak-10
match address VPN-10-vpn-selectors1
set peer 72.15.231.244
set transform-set esp-3des-esp-md5-hmac
set pfs group5
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
vlan 2
name "AT&T WAN"
!
vlan 3
name "NCCER Lab"
!
vlan 4
name "Public Wireless"
!
vlan 5
name "Comcast WAN"
!
vlan 6
name "Comcast LAN"
!
!
interface switchport 0/1
speed 100
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
switchport access vlan 3
!
interface switchport 0/4
no shutdown
switchport access vlan 3
!
interface switchport 0/5
no shutdown
switchport access vlan 3
!
interface switchport 0/6
no shutdown
switchport access vlan 3
!
interface switchport 0/7
no shutdown
switchport access vlan 3
!
interface switchport 0/8
no shutdown
switchport access vlan 4
!
interface switchport 0/9
no shutdown
switchport access vlan 4
!
interface switchport 0/10
no shutdown
switchport access vlan 5
!
interface switchport 0/11
no shutdown
switchport access vlan 6
!
interface switchport 0/12
no shutdown
switchport access vlan 4
!
interface switchport 0/13
no shutdown
switchport access vlan 4
!
interface switchport 0/14
no shutdown
!
interface switchport 0/15
no shutdown
!
interface switchport 0/16
no shutdown
!
interface switchport 0/17
no shutdown
!
interface switchport 0/18
no shutdown
!
interface switchport 0/19
no shutdown
!
interface switchport 0/20
no shutdown
!
interface switchport 0/21
no shutdown
!
interface switchport 0/22
no shutdown
!
interface switchport 0/23
no shutdown
!
interface switchport 0/24
no shutdown
!
!
interface gigabit-switchport 0/1
no shutdown
!
interface gigabit-switchport 0/2
no shutdown
!
!
!
interface vlan 1
ip address 192.168.150.2 255.255.0.0
ip access-policy Private
no ip route-cache express
no shutdown
!
interface vlan 2
ip address 1.2.51.130 255.255.255.192
ip address 1.2.51.132 255.255.255.192 secondary
ip address 1.2.51.135 255.255.255.192 secondary
ip address range 1.2.51.161 1.2.51.162 255.255.255.192 secondary
ip address range 1.2.51.189 1.2.51.190 255.255.255.192 secondary
ip access-policy "AT&T WAN"
crypto map VPN
no awcp
no ip route-cache express
no shutdown
!
interface vlan 3
description NCCER Lab
ip address 172.16.0.1 255.255.255.0
ip mtu 1500
ip access-policy "NCCER Lab"
no ip route-cache express
no shutdown
!
interface vlan 4
description Public Wireless
ip address 172.16.1.1 255.255.255.0
ip mtu 1500
ip access-policy "Public Wireless"
no rtp quality-monitoring
no awcp
no ip route-cache express
no shutdown
!
interface vlan 5
description Comcast WAN
ip address 3.4.200.73 255.255.255.248
ip mtu 1500
ip access-policy "Comcast WAN"
no rtp quality-monitoring
no awcp
no ip route-cache express
no shutdown
!
interface vlan 6
description Comcast LAN
ip address 172.16.2.1 255.255.255.0
ip mtu 1500
ip access-policy "Comcast LAN"
no rtp quality-monitoring
no awcp
no ip route-cache express
no shutdown
!
!
!
!
!
!
!
ip access-list standard wizard-ics
remark AT&T NAT
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors1
permit ip 192.168.0.0 0.0.255.255 10.20.30.0 0.0.0.255
!
ip access-list extended web-acl-11
remark SCTC-SQL RDP
permit tcp any host 1.2.51.135 eq 3390 log
!
ip access-list extended web-acl-12
remark SCTC-SQL RDP
permit tcp any host 1.2.51.135 eq 3390 log
!
ip access-list extended web-acl-13
remark NAT
permit ip any any
!
ip access-list extended web-acl-14
permit ip any any
!
ip access-list extended web-acl-15
remark NCCER Lab
permit ip any any
!
ip access-list extended web-acl-17
remark Wireless NAT
permit ip any any
!
ip access-list extended web-acl-22
remark Traffic to Netvanta
permit ip any any log
!
ip access-list extended web-acl-23
remark Comcast NAT
permit ip any any log
!
ip access-list extended web-acl-24
remark Comcast NAT
permit ip any any log
!
ip access-list extended web-acl-4
remark CSCTCWEB
permit tcp any host 1.2.51.130 eq www log
permit tcp any host 1.2.51.130 eq https log
!
ip access-list extended web-acl-5
remark Voicemail
permit tcp any host 1.2.51.162 eq https log
permit tcp any host 1.2.51.162 eq 8080 log
!
ip access-list extended web-acl-7
remark Phone System
permit tcp any host 1.2.51.161 eq www log
!
ip access-list extended web-acl-8
remark SCTC-VSC
permit tcp any host 1.2.51.135 eq www log
permit tcp any host 1.2.51.135 eq https log
!
ip access-list extended web-acl-9
remark DVR
permit tcp any host 1.2.51.189 eq 85 log
permit tcp any host 1.2.51.189 eq 9000 log
permit tcp any host 1.2.51.189 eq 37777 log
permit tcp any host 1.2.51.189 eq www log
!
ip access-list extended wizard-pfwd-1
remark CSCTC-SRVS
permit tcp any host 1.2.51.132 eq www log
!
!
!
ip policy-class "AT&T WAN"
allow reverse list VPN-10-vpn-selectors1 stateless
nat destination list wizard-pfwd-1 address 192.168.100.30
nat destination list web-acl-4 address 192.168.150.20
nat destination list web-acl-5 address 192.168.150.9
nat destination list web-acl-7 address 192.168.150.12
nat destination list web-acl-8 address 192.168.100.40
nat destination list web-acl-9 address 192.168.100.70
nat destination list web-acl-12 address 192.168.100.20 port 3389
!
ip policy-class "Comcast LAN"
allow list web-acl-22 self
nat source list web-acl-23 interface vlan 5 overload
!
ip policy-class "Comcast WAN"
! Implicit discard
!
ip policy-class "NCCER Lab"
nat source list web-acl-13 interface vlan 2 overload
allow list web-acl-14 policy Private
!
ip policy-class Private
allow list VPN-10-vpn-selectors1 stateless
allow list self self
nat source list wizard-ics interface vlan 2 overload
allow list web-acl-15 policy "NCCER Lab"
nat source list web-acl-24 interface vlan 5 overload
!
ip policy-class "Public Wireless"
nat source list web-acl-17 interface vlan 2 overload
!
!
ip route 0.0.0.0 0.0.0.0 1.2.51.129 track ATT Track
ip route 0.0.0.0 0.0.0.0 3.4.200.78 10
ip route 68.94.156.1 255.255.255.255 1.2.51.129
ip route 68.94.156.1 255.255.255.255 null 0 10
ip route 68.94.157.1 255.255.255.255 1.2.51.129
ip route 68.94.157.1 255.255.255.255 null 0 10
!
no tftp server
no tftp server overwrite
ip http server
no ip http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
no login
!
line telnet 0 4
login
password password
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
!
!
end
And just as a side-note, if you see any gaping security holes in my configuration, please feel FREE to suggest changes, I promise it won't hurt my feelings.
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor