Support
Community

vmirinav · ‎08-15-2013

I am trying to implement fail-over on NV3120. Unfortunately fail-over does not work, I think I am doing everything correct here. Eth 0/1 Plugs in to ISP1 Sw0/1 plugs in to ISP2

! ADTRAN OS version 18.03.01.00.E

! Boot ROM version 14.04.00

! Platform: NetVanta 3120, part number 1700600L2

! Serial number LBADTN0639AC502

!

hostname "NetVanta3120"

enable password xxxxxxx

!

ip subnet-zero

ip classless

ip routing

domain-proxy

name-server 24.29.99.35 24.29.99.36

!

no auto-config

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

no service password-encryption

!

username "admin" password "xxxxxxxxx"

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

no dot11ap access-point-control

!

probe "TimeWarner Failover" icmp-echo

destination 8.8.8.8

timeout 10000

tolerance consecutive fail 1 pass 1

no shutdown

!

track "WAN1"

snmp trap state-change

test if probe TimeWarner Failover

no shutdown

!

ip dhcp pool "Private"

network 10.10.10.0 255.255.255.0

dns-server 10.10.10.1

netbios-node-type h-node

default-router 10.10.10.1

!

ip crypto

!

crypto ike policy 100

initiate main

respond anymode

local-id fqdn AIP1

peer xx.212.173.10

attribute 1

encryption 3des

hash md5

authentication pre-share

!

crypto ike remote-id fqdn AIP2 preshared-key xxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address xx.212.173.10 preshared-key xxxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

!

crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

mode tunnel

!

crypto map VPN 10 ipsec-ike

description AIP Site-to-Site VPN test

match address VPN-10-vpn-selectors

set peer xx.212.173.10

set transform-set esp-3des-esp-md5-hmac

ike-policy 100

!

vlan 1

name "Default"

!

vlan 301

name "WAN Failover"

!

interface eth 0/1

description Time Warner

ip address xx.74.62.200 255.255.255.224

ip access-policy Public

crypto map VPN

media-gateway ip primary

no shutdown

no lldp send-and-receive

!

interface switchport 0/1

no shutdown

switchport access vlan 301

!

interface switchport 0/2

no shutdown

!

interface switchport 0/3

no shutdown

!

interface switchport 0/4

no shutdown

!

interface vlan 1

ip address xx.10.10.1 255.255.255.0

ip access-policy Private

no shutdown

!

interface vlan 301

ip address xx.212.173.11 255.255.255.192

ip mtu 1500

media-gateway ip primary

no awcp

shutdown

!

interface modem 0/1

shutdown

!

ip access-list standard wizard-ics

remark Internet Connection Sharing

permit any

!

ip access-list extended self

remark Traffic to NetVanta

permit ip any any log

!

ip access-list extended VPN-10-vpn-selectors

permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

!

ip access-list extended web-acl-3

remark Public Allow

permit ip any any

!

ip policy-class Private

allow list VPN-10-vpn-selectors

allow list self self

nat source list wizard-ics interface eth 0/1 overload

!

ip policy-class Public

allow reverse list VPN-10-vpn-selectors

allow list web-acl-3

!

ip route 0.0.0.0 0.0.0.0 xx.74.62.193

ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

ip sip udp 5060

ip sip tcp 5060

!

ip rtp quality-monitoring

ip rtp quality-monitoring udp

ip rtp quality-monitoring sip

!

line con 0

login

!

line telnet 0 4

login local-userlist

password xxxxx

shutdown

line ssh 0 4

login local-userlist

no shutdown

!

end

Anonymous · ‎08-15-2013

Here is the config as it should be (minus what goes in the xx) It might be easier to follow than my broken up notes:

!

! ADTRAN OS version 18.03.01.00.E

! Boot ROM version 14.04.00

! Platform: NetVanta 3120, part number 1700600L2

! Serial number LBADTN0639AC502

!

hostname "NetVanta3120"

enable password xxxxxxx

!

ip subnet-zero

ip classless

ip routing

domain-proxy

name-server 24.29.99.35 24.29.99.36

!

no auto-config

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

no service password-encryption

!

username "admin" password "xxxxxxx"

!

ip firewall

ip firewall fast-nat-failover

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

no dot11ap access-point-control

!

probe TimeWarner icmp-echo

destination 8.8.8.8

timeout 10000

tolerance consecutive fail 1 pass 1

no shutdown

!

track "WAN1"

snmp trap state-change

test if probe TimeWarner

no shutdown

!

ip dhcp pool "Private"

network 10.10.10.0 255.255.255.0

dns-server 10.10.10.1

netbios-node-type h-node

default-router 10.10.10.1

!

ip crypto

!

crypto ike policy 100

initiate main

respond anymode

local-id fqdn AIP1

peer xx.212.173.10

attribute 1

encryption 3des

hash md5

authentication pre-share

!

crypto ike remote-id fqdn AIP2 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address xx.212.173.10 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

!

crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

mode tunnel

!

crypto map VPN 10 ipsec-ike

description AIP Site-to-Site VPN test

match address VPN-10-vpn-selectors

set peer xx.212.173.10

set transform-set esp-3des-esp-md5-hmac

ike-policy 100

!

vlan 1

name "Default"

!

vlan 301

name "WAN Failover"

!

interface eth 0/1

description Time Warner

ip address xx.74.62.200 255.255.255.224

ip access-policy Public

crypto map VPN

media-gateway ip primary

no shutdown

no lldp send-and-receive

!

interface switchport 0/1

no shutdown

switchport access vlan 301

!

interface switchport 0/2

no shutdown

!

interface switchport 0/3

no shutdown

!

interface switchport 0/4

no shutdown

!

interface vlan 1

ip address 10.10.10.1 255.255.255.0

ip access-policy Private

no shutdown

!

interface vlan 301

ip address xx.212.173.11 255.255.255.192

ip mtu 1500

ip access-policy Public2

media-gateway ip primary

no awcp

no shutdown

!

interface modem 0/1

shutdown

!

ip access-list standard wizard-ics

remark Internet Connection Sharing

permit any

!

ip access-list extended self

remark Traffic to NetVanta

permit ip any any log

!

ip access-list extended VPN-10-vpn-selectors

permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

!

ip access-list extended web-acl-3

remark Public Allow (this allows public access to anything. Should no use).

permit ip any any

!

ip policy-class Private

allow list VPN-10-vpn-selectors

allow list self self

nat source list wizard-ics interface eth 0/1 overload policy Public

nat source list wizard-ics interface vlan 301 overload policy Public2

!

ip policy-class Public

allow reverse list VPN-10-vpn-selectors

allow list web-acl-3

!

ip policy-class Public2

allow reverse list VPN-10-vpn-selectors

!

ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1

ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10

ip route 8.8.8.8 255.255.255.255 xx.74.62.193

ip route 8.8.8.8 255.255.255.255 null 0 10

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

ip sip udp 5060

ip sip tcp 5060

!

ip rtp quality-monitoring

ip rtp quality-monitoring udp

ip rtp quality-monitoring sip

!

line con 0

login

!

line telnet 0 4

login local-userlist

password xxxxxx

shutdown

line ssh 0 4

login local-userlist

no shutdown

!

end

View solution in original post

Anonymous · ‎08-15-2013

Have you tested the track? In my initial scan of the configuration, I notice the probe name has a space in it so it is identified between quotation marks ( "TimWarner Failover" ).

Your track is configured to test if the probe TimeWarner Failover is true. In the configuration text, it is not enclosed in quotation marks. It is possible that it is not testing that probe because of the space.

See below:

==================================

track "WAN1"

snmp trap state-change

test if probe TimeWarner Failover

no shutdown

==============================

Also, in the probe, you have a destination of 8.8.8.8. That is fine, I use google's DNS server address for my probes as well. You should add a static route to 8.8.8.8 using your default gateway, and add a secondary route to 8.8.8.8 using NULL. That forces the router to only use the primary WAN interface gateway to probe 8.8.8.8. If you do not do this, then the probe will eventually reach 8.8.8.8 via the secondary WAN interface and falsely bring the probe and track back to a PASS state. It will bounce back and forth between pass and fail. I've been there.

Try this (minus the notes in parenthesis of course):

ip route 8.8.8.8 255.255.255.255 xx.74.62.193

ip route 8.8.8.8 2255.255.255.255 null 0

ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1 (ETH 0/1 is the primary ISP WAN interface, but we don't want this route if the track fails)

ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10 (VLAN 301 is the secondary ISP WAN interface. With a cost of 10, it will only be considered when the probe/track is in a FAILED state.)

Also make sure you have the following in your config.

ip firewall fast-nat-failover (Clear NAT policy-sessions which would be reworked on route table change).

I hope this helps.

Anonymous · ‎08-15-2013

I also found this document very helpful:

vmirinav · ‎08-15-2013

Thank you very much for your reply, I did the following changes:

!

! ADTRAN OS version 18.03.01.00.E

! Boot ROM version 14.04.00

! Platform: NetVanta 3120, part number 1700600L2

! Serial number LBADTN0639AC502

!

hostname "NetVanta3120"

enable password xxxxxxx

!

ip subnet-zero

ip classless

ip routing

domain-proxy

name-server 24.29.99.35 24.29.99.36

!

no auto-config

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

no service password-encryption

!

username "admin" password "xxxxxxx"

!

ip firewall

ip firewall fast-nat-failover

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

no dot11ap access-point-control

!

probe TimeWarner icmp-echo

destination 8.8.8.8

timeout 10000

tolerance consecutive fail 1 pass 1

no shutdown

!

track "WAN1"

snmp trap state-change

test if probe TimeWarner

no shutdown

!

ip dhcp pool "Private"

network 10.10.10.0 255.255.255.0

dns-server 10.10.10.1

netbios-node-type h-node

default-router 10.10.10.1

!

ip crypto

!

crypto ike policy 100

initiate main

respond anymode

local-id fqdn AIP1

peer xx.212.173.10

attribute 1

encryption 3des

hash md5

authentication pre-share

!

crypto ike remote-id fqdn AIP2 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address xx.212.173.10 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

!

crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

mode tunnel

!

crypto map VPN 10 ipsec-ike

description AIP Site-to-Site VPN test

match address VPN-10-vpn-selectors

set peer xx.212.173.10

set transform-set esp-3des-esp-md5-hmac

ike-policy 100

!

vlan 1

name "Default"

!

vlan 301

name "WAN Failover"

!

interface eth 0/1

description Time Warner

ip address xx.74.62.200 255.255.255.224

ip access-policy Public

crypto map VPN

media-gateway ip primary

no shutdown

no lldp send-and-receive

!

interface switchport 0/1

no shutdown

switchport access vlan 301

!

interface switchport 0/2

no shutdown

!

interface switchport 0/3

no shutdown

!

interface switchport 0/4

no shutdown

!

interface vlan 1

ip address 10.10.10.1 255.255.255.0

ip access-policy Private

no shutdown

!

interface vlan 301

ip address xx.212.173.11 255.255.255.192

ip mtu 1500

ip access-policy Public

media-gateway ip primary

no awcp

no shutdown

!

interface modem 0/1

shutdown

!

ip access-list standard wizard-ics

remark Internet Connection Sharing

permit any

!

ip access-list extended self

remark Traffic to NetVanta

permit ip any any log

!

ip access-list extended VPN-10-vpn-selectors

permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

!

ip access-list extended web-acl-3

remark Public Allow

permit ip any any

!

ip policy-class Private

allow list VPN-10-vpn-selectors

allow list self self

nat source list wizard-ics interface eth 0/1 overload

!

ip policy-class Public

allow reverse list VPN-10-vpn-selectors

allow list web-acl-3

!

ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1

ip route 0.0.0.0 0.0.0.0 xx.74.62.193 10

ip route 8.8.8.8 255.255.255.255 xx.74.62.193

ip route 8.8.8.8 255.255.255.255 null 0

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

ip sip udp 5060

ip sip tcp 5060

!

ip rtp quality-monitoring

ip rtp quality-monitoring udp

ip rtp quality-monitoring sip

!

line con 0

login

!

line telnet 0 4

login local-userlist

password xxxxxx

shutdown

line ssh 0 4

login local-userlist

no shutdown

!

end

when I unplug the primary I see that the probe fails now however even from the router I cant ping the failover gateway (xx.212.173.1). Also I get this error

NETMON.TRACK WAN1 WAN1 changed from pass to fail.
2008.10.01 19:23:25 FIREWALL id=firewall time="2008-10-01 19:23:25" fw=NetVanta3120 pri=1 proto=https src=10.10.10.2 dst=xx.78.56.105 msg="Unable to determine route to destination, dropping packet Src 51066 Dst 443 from Private policy-class on interface vlan 1" agent=AdFirewall NetVanta3120#
NetVanta3120#

Maybe this has something to do with the firewall rules. Somehow the traffice seems does not want to reach xx.212.173.1 over that sw interface.

Thank you so much for your input I am making amazing progress.

Anonymous · ‎08-15-2013

My mistake. I thought xx.212.173.1 is the gateway for your primary WAN?

This is how your route table entries should be entered:

ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1

ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10

ip route 8.8.8.8 255.255.255.255 xx.74.62.193

ip route 8.8.8.8 255.255.255.255 null 0 10

ALSO:

I totally skipped over your policy classes.

You should have a a third policy-class similar to your Public policy class this:

============================================

ip policy-class Public2

allow reverse list VPN-10-vpn-selectors

allow list web-acl-3 ( <-- you should not have this in either public policy. only allow ports required for secure admin access. web-acl-3 allows any -> any.)

=======================================

You should then add a new statement in your Private policy class:

=======================================

ip policy-class Private

allow list VPN-10-vpn-selectors

allow list self self

nat source list wizard-ics interface eth 0/1 overload policy Public

nat source list wizard-ics interface vlan 301 overload policy Public2

=======================================

Assign interface VLAN 301 to access-policy Public2

Interface config should look like this:

interface vlan 301

ip address xx.212.173.11 255.255.255.192

ip mtu 1500

ip access-policy Public2

media-gateway ip primary

no awcp

no shutdown

!

Anonymous · ‎08-15-2013

Here is the config as it should be (minus what goes in the xx) It might be easier to follow than my broken up notes:

!

! ADTRAN OS version 18.03.01.00.E

! Boot ROM version 14.04.00

! Platform: NetVanta 3120, part number 1700600L2

! Serial number LBADTN0639AC502

!

hostname "NetVanta3120"

enable password xxxxxxx

!

ip subnet-zero

ip classless

ip routing

domain-proxy

name-server 24.29.99.35 24.29.99.36

!

no auto-config

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

no service password-encryption

!

username "admin" password "xxxxxxx"

!

ip firewall

ip firewall fast-nat-failover

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

no dot11ap access-point-control

!

probe TimeWarner icmp-echo

destination 8.8.8.8

timeout 10000

tolerance consecutive fail 1 pass 1

no shutdown

!

track "WAN1"

snmp trap state-change

test if probe TimeWarner

no shutdown

!

ip dhcp pool "Private"

network 10.10.10.0 255.255.255.0

dns-server 10.10.10.1

netbios-node-type h-node

default-router 10.10.10.1

!

ip crypto

!

crypto ike policy 100

initiate main

respond anymode

local-id fqdn AIP1

peer xx.212.173.10

attribute 1

encryption 3des

hash md5

authentication pre-share

!

crypto ike remote-id fqdn AIP2 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

crypto ike remote-id address xx.212.173.10 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

!

crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac

mode tunnel

!

crypto map VPN 10 ipsec-ike

description AIP Site-to-Site VPN test

match address VPN-10-vpn-selectors

set peer xx.212.173.10

set transform-set esp-3des-esp-md5-hmac

ike-policy 100

!

vlan 1

name "Default"

!

vlan 301

name "WAN Failover"

!

interface eth 0/1

description Time Warner

ip address xx.74.62.200 255.255.255.224

ip access-policy Public

crypto map VPN

media-gateway ip primary

no shutdown

no lldp send-and-receive

!

interface switchport 0/1

no shutdown

switchport access vlan 301

!

interface switchport 0/2

no shutdown

!

interface switchport 0/3

no shutdown

!

interface switchport 0/4

no shutdown

!

interface vlan 1

ip address 10.10.10.1 255.255.255.0

ip access-policy Private

no shutdown

!

interface vlan 301

ip address xx.212.173.11 255.255.255.192

ip mtu 1500

ip access-policy Public2

media-gateway ip primary

no awcp

no shutdown

!

interface modem 0/1

shutdown

!

ip access-list standard wizard-ics

remark Internet Connection Sharing

permit any

!

ip access-list extended self

remark Traffic to NetVanta

permit ip any any log

!

ip access-list extended VPN-10-vpn-selectors

permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

!

ip access-list extended web-acl-3

remark Public Allow (this allows public access to anything. Should no use).

permit ip any any

!

ip policy-class Private

allow list VPN-10-vpn-selectors

allow list self self

nat source list wizard-ics interface eth 0/1 overload policy Public

nat source list wizard-ics interface vlan 301 overload policy Public2

!

ip policy-class Public

allow reverse list VPN-10-vpn-selectors

allow list web-acl-3

!

ip policy-class Public2

allow reverse list VPN-10-vpn-selectors

!

ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1

ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10

ip route 8.8.8.8 255.255.255.255 xx.74.62.193

ip route 8.8.8.8 255.255.255.255 null 0 10

!

no tftp server

no tftp server overwrite

http server

http secure-server

no snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

ip sip udp 5060

ip sip tcp 5060

!

ip rtp quality-monitoring

ip rtp quality-monitoring udp

ip rtp quality-monitoring sip

!

line con 0

login

!

line telnet 0 4

login local-userlist

password xxxxxx

shutdown

line ssh 0 4

login local-userlist

no shutdown

!

end

vmirinav · ‎08-15-2013

Thank you.

Failover seems to work but I think there is still some issue with nat. I am doing various tests now to see why the PC pinging google does not resume pinging it after I take out Eth0/1.

I can get in over wan (sw0/1) via failover interface to the router and I can ping various other IP's from the router.

Thank you for reminding me about that insecure firewall rule, I will connect that later after this setup done.

Anonymous · ‎08-15-2013

I can answer that. The route table entry dictates that the only way to get to 8.8.8.8 is through the primary WAN interface. If you are actually using google DNS for your LAN computers, then you may want to replace 8.8.8.8 with something different (I often use 4.2.2.2). The fact that users can’t ping 8.8.8.8 when the primary is down, proves that the programming is working correctly.

vmirinav · ‎08-16-2013

Yep it all works. Thank you very much for help. I hope other people find this useful as well when programming this router.

vmirinav · ‎08-27-2013

On more minor thing. When I call in from the cell and hang up before I pickup from the ports line, it rings at least twice until it acknowledges my hangup. Is there a way to fix that?

Anonymous · ‎09-06-2013

-

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor

Support
Community

Failover on NV3120

Backup & Redundancy

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

SupportCommunity

Failover on NV3120

Backup & Redundancy

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Re: Failover on NV3120

Support
Community