Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
telarin
New Contributor
‎12-17-2013 08:19 AM

WAN failover setup

Jump to solution

I have setup my NetVanta 1335P in a WAN Fail-Over configuration using the AdTran "Configuring WAN Fail-Over in AOS" white paper. However, something is not working quite right.

When I disconnect my primary WAN connection for testing, both probes I have configured correctly change to a FAIL status.

The track connected to the probes also correctly changes to a fail status.

When viewing the Route Table in the web interface, the primary route for WAN1 which is configured with an Admin Distance of 1 drops from the first position to the second position, below the WAN2 route with Admin Distance 10. I assume this means that the WAN2 route should then take precedence.

However, no traffic is routed.

In the Private security zone, I have 2 separate NAT policies setup. One using the WAN1 VLAN interface, and one using the WAN2 VLAN interface.

I did use the AOS interface to put the NetVanta in fast NAT failover mode, but my AOS skills are not particularly complete, so it is possible I missed a step in there somewhere.

Just to be sure I'm doing it right:

telnet to netvanta

password: <enter access password>

NetVanta>enable

Password: <enter admin password>

NetVanta#config

Configure from terminal

NetVanta(config)#ip firewall

NetVanta(config)#ip firewall fast-nat-failover

NetVanta(config)#exit

NetVanta#write

NetVanta#exit

Am I missing a step in the use of AOS to commit the configuration, or is there something else I should look at? Like I said, I RARELY use AOS, so please be specific in answers involving AOS rather than the web interface.

Labels (3)
Tags (2)
0 Kudos
Reply
1 Solution

Accepted Solutions
Anonymous
Not applicable
‎12-19-2013 09:44 AM

Re: WAN failover setup

Jump to solution

I would recommend a couple of things.

I believe the biggest issue is that the private policy match statements are out of order.  The allow list "web-acl-15" is a permit any any statement and it is likely matching the traffic before it can hit the second NAT policy. 

Try it in this order.

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list self self

  nat source list wizard-ics interface vlan 2 overload policy AT&T WAN

  nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN

Add the WAN policy to the respective NAT Statements as well.  This helps match the destination policy call with the packet's egress interface (says so right in the command help ).  It looks like you used this on the statement to get to the NCCER Lab network.

If the purpose of the web-acl-15 is to allow traffic to the NCCER Lab interface, I would tune that list to be a more specific match of destination network traffic so it doesn't try to forward just any traffic there.  I think this is the way you should do it, matching the traffic to a list before it hits the NAT statement.

ip access-list extended web-acl-15

  remark NCCER Lab

  permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.0.255

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list self self

  allow list web-acl-15 policy "NCCER Lab"

  nat source list wizard-ics interface vlan 2 overload policy AT&T WAN

  nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN

View solution in original post

0 Kudos
Reply
6 Replies
telarin
New Contributor
‎12-17-2013 08:22 AM

Re: WAN failover setup

Jump to solution

One addition, I did check the WAN2 connection using another router just to make sure there were no configuration issues on the ISPs side and that the connection actually worked as expected.

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎12-18-2013 03:16 PM

Re: WAN failover setup

Jump to solution

- Thanks for posting your question on the forum!

You mentioned you had two probes configured. What are those probes testing and is the track setup for both probes to fail for the track to change state? Everything else you specified sounds correct, including your AOS CLI implementation. Could you post your configuration to this thread? Please remember to remove any information that may be sensitive to your network. It may help in determining what may be going wrong.

Thanks,

Noor

0 Kudos
Accept as Solution Reply
telarin
New Contributor
‎12-18-2013 03:29 PM

Re: WAN failover setup

Jump to solution

The two probes are hitting the 2 DNS servers for the WAN1 ISP (68.94.156.1, 68.94.157.1). The reason being that we have had the first hop to the gateway stay up and the connection on their side go down in the past, so this gets us a little deeper into their network to ensure that there is really connectivity. As I said, when I unplug WAN1, these both go into a FAIL state, and the configured track, which uses logical OR, also changes state to FAIL as expected.

Note that you can ignore all the VLAN 6 configuration. I was trying to setup a separate network that only used the secondary WAN, but found that it was going to be more complicated than expected. Since the only purpose was to make sure I had connectivity on WAN2, I just verified connectivity using a little home router to make sure everything was configured correctly on the ISP side.

The unit configuration is below. I BELIEVE I have removed everything overly sensitive, but if you notice anything that I missed, let me know and I'll edit it out.

!

!

! ADTRAN, Inc. OS version 18.02.01.00.E

! Boot ROM version 15.01.B1

! Platform: NetVanta 1335 PoE, part number 1700525E2

! Serial number LBADTN1042AM374

!

!

hostname "NetVanta"

enable password [removed]

!

clock timezone -6-Central-Time

!

ip subnet-zero

ip classless

ip routing

!

!

ip name-server 192.168.100.1 192.168.100.2

!

!

no ip route-cache express

!

no auto-config

!

event-history on

event-history priority notice

no logging forwarding

no logging email

!

no service password-encryption

!

username "admin" password [removed]

!

#

!

!

ip firewall

ip firewall fast-nat-failover

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

!

!

!

!

!

!

!

no dot11ap access-point-control

!

!

!

probe "ATT WAN" icmp-echo

  destination 68.94.156.1

  source-address 1.2.51.130

  period 5

  tolerance consecutive fail 1 pass 1

  no shutdown

!

probe "ATT DNS2" icmp-echo

  destination 68.94.157.1

  source-address 1.2.157.1

  period 5

  tolerance consecutive fail 1 pass 1

  no shutdown

!

track "ATT Track"

  snmp trap state-change

  test list or

    if probe ATT WAN

    if probe ATT DNS2

  no shutdown

!

!

!

ip dhcp-server excluded-address 172.16.0.0 172.16.0.100

ip dhcp-server excluded-address 172.16.1.0 172.16.1.100

ip dhcp-server excluded-address 172.16.2.0 172.16.2.100

!

ip dhcp-server pool "NCCER Lab"

  network 172.16.0.0 255.255.255.0

  dns-server 192.168.100.1 192.168.100.2

  default-router 172.16.0.1

!

ip dhcp-server pool "Public Wireless"

  network 172.16.1.0 255.255.255.0

  dns-server 8.8.8.8 8.8.4.4

  default-router 172.16.1.1

!

ip dhcp-server pool "Comcast LAN"

  network 172.16.2.0 255.255.255.0

  dns-server 75.75.75.75 75.75.76.76

  default-router 172.16.2.1

!

!

!

ip crypto

!

crypto ike policy 100

  initiate main

  respond anymode

  local-id address 1.2.51.130

  peer 72.15.231.244

  attribute 3

    encryption 3des

    hash md5

    authentication pre-share

    group 5

!

crypto ike remote-id any preshared-key [removed] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address 72.15.231.244 preshared-key [removed] ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

!

crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

  mode tunnel

!

crypto map VPN 10 ipsec-ike

  description Peak-10

  match address VPN-10-vpn-selectors1

  set peer 72.15.231.244

  set transform-set esp-3des-esp-md5-hmac

  set pfs group5

  ike-policy 100

!

!

!

!

vlan 1

  name "Default"

!

vlan 2

  name "AT&T WAN"

!

vlan 3

  name "NCCER Lab"

!

vlan 4

  name "Public Wireless"

!

vlan 5

  name "Comcast WAN"

!

vlan 6

  name "Comcast LAN"

!

!

interface switchport 0/1

  speed 100

  spanning-tree edgeport

  no shutdown

  switchport access vlan 2

!

interface switchport 0/2

  no shutdown

!

interface switchport 0/3

  no shutdown

  switchport access vlan 3

!

interface switchport 0/4

  no shutdown

  switchport access vlan 3

!

interface switchport 0/5

  no shutdown

  switchport access vlan 3

!

interface switchport 0/6

  no shutdown

  switchport access vlan 3

!

interface switchport 0/7

  no shutdown

  switchport access vlan 3

!

interface switchport 0/8

  no shutdown

  switchport access vlan 4

!

interface switchport 0/9

  no shutdown

  switchport access vlan 4

!

interface switchport 0/10

  no shutdown

  switchport access vlan 5

!

interface switchport 0/11

  no shutdown

  switchport access vlan 6

!

interface switchport 0/12

  no shutdown

  switchport access vlan 4

!

interface switchport 0/13

  no shutdown

  switchport access vlan 4

!

interface switchport 0/14

  no shutdown

!

interface switchport 0/15

  no shutdown

!

interface switchport 0/16

  no shutdown

!

interface switchport 0/17

  no shutdown

!

interface switchport 0/18

  no shutdown

!

interface switchport 0/19

  no shutdown

!

interface switchport 0/20

  no shutdown

!

interface switchport 0/21

  no shutdown

!

interface switchport 0/22

  no shutdown

!

interface switchport 0/23

  no shutdown

!

interface switchport 0/24

  no shutdown

!

!

interface gigabit-switchport 0/1

  no shutdown

!

interface gigabit-switchport 0/2

  no shutdown

!

!

!

interface vlan 1

  ip address  192.168.150.2  255.255.0.0

  ip access-policy Private

  no ip route-cache express

  no shutdown

!

interface vlan 2

  ip address  1.2.51.130  255.255.255.192

  ip address  1.2.51.132  255.255.255.192  secondary

  ip address  1.2.51.135  255.255.255.192  secondary

  ip address range  1.2.51.161  1.2.51.162  255.255.255.192  secondary

  ip address range  1.2.51.189  1.2.51.190  255.255.255.192  secondary

  ip access-policy "AT&T WAN"

  crypto map VPN

  no awcp

  no ip route-cache express

  no shutdown

!

interface vlan 3

  description NCCER Lab

  ip address  172.16.0.1  255.255.255.0

  ip mtu 1500

  ip access-policy "NCCER Lab"

  no ip route-cache express

  no shutdown

!

interface vlan 4

  description Public Wireless

  ip address  172.16.1.1  255.255.255.0

  ip mtu 1500

  ip access-policy "Public Wireless"

  no rtp quality-monitoring

  no awcp

  no ip route-cache express

  no shutdown

!

interface vlan 5

  description Comcast WAN

  ip address  3.4.200.73  255.255.255.248

  ip mtu 1500

  ip access-policy "Comcast WAN"

  no rtp quality-monitoring

  no awcp

  no ip route-cache express

  no shutdown

!

interface vlan 6

  description Comcast LAN

  ip address  172.16.2.1  255.255.255.0

  ip mtu 1500

  ip access-policy "Comcast LAN"

  no rtp quality-monitoring

  no awcp

  no ip route-cache express

  no shutdown

!

!

!

!

!

!

!

ip access-list standard wizard-ics

  remark AT&T NAT

  permit any

!

!

ip access-list extended self

  remark Traffic to NetVanta

  permit ip any  any     log

!

ip access-list extended VPN-10-vpn-selectors1

  permit ip 192.168.0.0 0.0.255.255  10.20.30.0 0.0.0.255   

!

ip access-list extended web-acl-11

  remark SCTC-SQL RDP

  permit tcp any  host 1.2.51.135 eq 3390   log

!

ip access-list extended web-acl-12

  remark SCTC-SQL RDP

  permit tcp any  host 1.2.51.135 eq 3390   log

!

ip access-list extended web-acl-13

  remark NAT

  permit ip any  any   

!

ip access-list extended web-acl-14

  permit ip any  any   

!

ip access-list extended web-acl-15

  remark NCCER Lab

  permit ip any  any   

!

ip access-list extended web-acl-17

  remark Wireless NAT

  permit ip any  any   

!

ip access-list extended web-acl-22

  remark Traffic to Netvanta

  permit ip any  any     log

!

ip access-list extended web-acl-23

  remark Comcast NAT

  permit ip any  any     log

!

ip access-list extended web-acl-24

  remark Comcast NAT

  permit ip any  any     log

!

ip access-list extended web-acl-4

  remark CSCTCWEB

  permit tcp any  host 1.2.51.130 eq www   log

  permit tcp any  host 1.2.51.130 eq https   log

!

ip access-list extended web-acl-5

  remark Voicemail

  permit tcp any  host 1.2.51.162 eq https   log

  permit tcp any  host 1.2.51.162 eq 8080   log

!

ip access-list extended web-acl-7

  remark Phone System

  permit tcp any  host 1.2.51.161 eq www   log

!

ip access-list extended web-acl-8

  remark SCTC-VSC

  permit tcp any  host 1.2.51.135 eq www   log

  permit tcp any  host 1.2.51.135 eq https   log

!

ip access-list extended web-acl-9

  remark DVR

  permit tcp any  host 1.2.51.189 eq 85   log

  permit tcp any  host 1.2.51.189 eq 9000   log

  permit tcp any  host 1.2.51.189 eq 37777   log

  permit tcp any  host 1.2.51.189 eq www   log

!

ip access-list extended wizard-pfwd-1

  remark CSCTC-SRVS

  permit tcp any  host 1.2.51.132 eq www   log

!

!

!

ip policy-class "AT&T WAN"

  allow reverse list VPN-10-vpn-selectors1 stateless

  nat destination list wizard-pfwd-1 address 192.168.100.30

  nat destination list web-acl-4 address 192.168.150.20

  nat destination list web-acl-5 address 192.168.150.9

  nat destination list web-acl-7 address 192.168.150.12

  nat destination list web-acl-8 address 192.168.100.40

  nat destination list web-acl-9 address 192.168.100.70

  nat destination list web-acl-12 address 192.168.100.20 port 3389

!

ip policy-class "Comcast LAN"

  allow list web-acl-22 self

  nat source list web-acl-23 interface vlan 5 overload

!

ip policy-class "Comcast WAN"

  ! Implicit discard

!

ip policy-class "NCCER Lab"

  nat source list web-acl-13 interface vlan 2 overload

  allow list web-acl-14 policy Private

!

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list self self

  nat source list wizard-ics interface vlan 2 overload

  allow list web-acl-15 policy "NCCER Lab"

  nat source list web-acl-24 interface vlan 5 overload

!

ip policy-class "Public Wireless"

  nat source list web-acl-17 interface vlan 2 overload

!

!

ip route 0.0.0.0 0.0.0.0 1.2.51.129 track ATT Track

ip route 0.0.0.0 0.0.0.0 3.4.200.78 10

ip route 68.94.156.1 255.255.255.255 1.2.51.129

ip route 68.94.156.1 255.255.255.255 null 0 10

ip route 68.94.157.1 255.255.255.255 1.2.51.129

ip route 68.94.157.1 255.255.255.255 null 0 10

!

no tftp server

no tftp server overwrite

ip http server

no ip http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

!

!

!

!

!

!

!

!

!

ip sip udp 5060

ip sip tcp 5060

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

line con 0

  no login

!

line telnet 0 4

  login

  password password

  no shutdown

line ssh 0 4

  login local-userlist

  no shutdown

!

!

!

!

!

!

!

end

0 Kudos
Accept as Solution Reply
telarin
New Contributor
‎12-18-2013 03:31 PM

Re: WAN failover setup

Jump to solution

And just as a side-note, if you see any gaping security holes in my configuration, please feel FREE to suggest changes, I promise it won't hurt my feelings.

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎12-19-2013 09:44 AM

Re: WAN failover setup

Jump to solution

I would recommend a couple of things.

I believe the biggest issue is that the private policy match statements are out of order.  The allow list "web-acl-15" is a permit any any statement and it is likely matching the traffic before it can hit the second NAT policy. 

Try it in this order.

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list self self

  nat source list wizard-ics interface vlan 2 overload policy AT&T WAN

  nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN

Add the WAN policy to the respective NAT Statements as well.  This helps match the destination policy call with the packet's egress interface (says so right in the command help ).  It looks like you used this on the statement to get to the NCCER Lab network.

If the purpose of the web-acl-15 is to allow traffic to the NCCER Lab interface, I would tune that list to be a more specific match of destination network traffic so it doesn't try to forward just any traffic there.  I think this is the way you should do it, matching the traffic to a list before it hits the NAT statement.

ip access-list extended web-acl-15

  remark NCCER Lab

  permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.0.255

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list self self

  allow list web-acl-15 policy "NCCER Lab"

  nat source list wizard-ics interface vlan 2 overload policy AT&T WAN

  nat source list web-acl-24 interface vlan 5 overload policy Comcast WAN

0 Kudos
Reply
Anonymous
Not applicable
‎01-07-2014 12:00 PM

Re: WAN failover setup

Jump to solution

-

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor

0 Kudos
Accept as Solution Reply