I am trying to implement fail-over on an NV3120. Unfortunately fail-over does not work; I think I am doing everything correctly here. Eth 0/1 plugs into ISP1, Sw0/1 plugs into ISP2.
! ADTRAN OS version 18.03.01.00.E
! Boot ROM version 14.04.00
! Platform: NetVanta 3120, part number 1700600L2
! Serial number LBADTN0639AC502
!
!
hostname "NetVanta3120"
enable password xxxxxxx
!
!
ip subnet-zero
ip classless
ip routing
domain-proxy
name-server 24.29.99.35 24.29.99.36
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "xxxxxxxxx"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
probe "TimeWarner Failover" icmp-echo
destination 8.8.8.8
timeout 10000
tolerance consecutive fail 1 pass 1
no shutdown
!
track "WAN1"
snmp trap state-change
test if probe TimeWarner Failover
no shutdown
!
!
!
!
ip dhcp pool "Private"
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.1
netbios-node-type h-node
default-router 10.10.10.1
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id fqdn AIP1
peer xx.212.173.10
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id fqdn AIP2 preshared-key xxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address xx.212.173.10 preshared-key xxxxxxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description AIP Site-to-Site VPN test
match address VPN-10-vpn-selectors
set peer xx.212.173.10
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
vlan 301
name "WAN Failover"
!
!
interface eth 0/1
description Time Warner
ip address xx.74.62.200 255.255.255.224
ip access-policy Public
crypto map VPN
media-gateway ip primary
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
no shutdown
switchport access vlan 301
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address xx.10.10.1 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 301
ip address xx.212.173.11 255.255.255.192
ip mtu 1500
media-gateway ip primary
no awcp
shutdown
!
interface modem 0/1
shutdown
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip access-list extended web-acl-3
remark Public Allow
permit ip any any
!
!
!
ip policy-class Private
allow list VPN-10-vpn-selectors
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors
allow list web-acl-3
!
!
ip route 0.0.0.0 0.0.0.0 xx.74.62.193
ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip rtp quality-monitoring
ip rtp quality-monitoring udp
ip rtp quality-monitoring sip
!
line con 0
login
!
line telnet 0 4
login local-userlist
password xxxxx
shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
!
!
end
Have you tested the track? In my initial scan of the configuration, I notice the probe name has a space in it, so it is identified between quotation marks ( "TimeWarner Failover" ).
Your track is configured to test if the probe TimeWarner Failover is true. In the configuration text, it is not enclosed in quotation marks. It is possible that it is not testing that probe because of the space.
See below:
==================================
track "WAN1"
snmp trap state-change
test if probe TimeWarner Failover
no shutdown
==============================
Also, in the probe, you have a destination of 8.8.8.8. That is fine, I use Google's DNS server address for my probes as well. You should add a static route to 8.8.8.8 using your default gateway, and add a secondary route to 8.8.8.8 using NULL. That forces the router to only use the primary WAN interface gateway to probe 8.8.8.8. If you do not do this, then the probe will eventually reach 8.8.8.8 via the secondary WAN interface and falsely bring the probe and track back to a PASS state. It will bounce back and forth between pass and fail. I've been there.
Try this (minus the notes in parentheses, of course):
ip route 8.8.8.8 255.255.255.255 xx.74.62.193
ip route 8.8.8.8 255.255.255.255 null 0
ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1 (ETH 0/1 is the primary ISP WAN interface, but we don't want this route if the track fails)
ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10 (VLAN 301 is the secondary ISP WAN interface. With a cost of 10, it will only be considered when the probe/track is in a FAILED state.)
Also make sure you have the following in your config.
ip firewall fast-nat-failover (Clear NAT policy-sessions which would be reworked on route table change).
I hope this helps.
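As an added illustration, not code from the thread or from ADTRAN: a small Python model of static route selection that shows why the reply pins 8.8.8.8 to the primary gateway and adds a higher-cost null route. The gateway addresses are constructed RFC 5737 stand-ins for the masked xx. addresses, and the interface-down and track-failed rules are a simplified model of AOS behaviour, not its code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str                  # destination, e.g. "0.0.0.0/0"
    next_hop: str                # gateway address or "null0"
    distance: int = 1            # the trailing cost on the AOS command (default 1)
    track: Optional[str] = None  # route is withdrawn while this track is FAILED

# Constructed stand-ins (RFC 5737 ranges) for the thread's masked xx. gateways.
PRIMARY_GW, SECONDARY_GW = "203.0.113.193", "198.51.100.1"
GATEWAY_IFACE = {PRIMARY_GW: "eth 0/1", SECONDARY_GW: "vlan 301"}
PROBE_TARGET = "8.8.8.8"

def installed(routes, iface_up, track_pass):
    """Usable routes: the tracked object passes and the next hop's interface
    is up (null0 is always usable)."""
    keep = []
    for r in routes:
        if r.track and not track_pass.get(r.track, False):
            continue
        if r.next_hop != "null0" and not iface_up.get(GATEWAY_IFACE[r.next_hop]):
            continue
        keep.append(r)
    return keep

def lookup(routes, dst, iface_up, track_pass):
    """Longest prefix match, ties broken by lowest distance; None = no route."""
    dst, best = ipaddress.ip_address(dst), None
    for r in installed(routes, iface_up, track_pass):
        net = ipaddress.ip_network(r.prefix)
        if dst in net and (best is None or (net.prefixlen, -r.distance) > best[0]):
            best = ((net.prefixlen, -r.distance), r)
    return best[1].next_hop if best else None

# The four routes from the reply, in the reply's order and with its costs.
WITH_NULL = [
    Route("0.0.0.0/0", PRIMARY_GW, track="WAN1"),
    Route("0.0.0.0/0", SECONDARY_GW, distance=10),
    Route("8.8.8.8/32", PRIMARY_GW),
    Route("8.8.8.8/32", "null0", distance=10),
]
WITHOUT_NULL = WITH_NULL[:3]   # same set minus the null route, for contrast

def paths(routes, primary_up, track_pass):
    """Next hop for the probe and for ordinary LAN traffic in a given state."""
    state = ({"eth 0/1": primary_up, "vlan 301": True}, {"WAN1": track_pass})
    return {"probe": lookup(routes, PROBE_TARGET, *state),
            "lan": lookup(routes, "192.0.2.10", *state)}

if __name__ == "__main__":
    print("primary up, track PASS      :", paths(WITH_NULL, True, True))
    print("primary link down, null rt  :", paths(WITH_NULL, False, False))
    print("primary link down, no null  :", paths(WITHOUT_NULL, False, False))
    print("primary up, upstream broken :", paths(WITH_NULL, True, False))
```

Without the null route, the third case sends the probe out the secondary WAN once the primary link drops, which is exactly the pass/fail bouncing the reply describes.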
Thank you very much for your reply, I did the following changes:
!
!
! ADTRAN OS version 18.03.01.00.E
! Boot ROM version 14.04.00
! Platform: NetVanta 3120, part number 1700600L2
! Serial number LBADTN0639AC502
!
!
hostname "NetVanta3120"
enable password xxxxxxx
!
!
ip subnet-zero
ip classless
ip routing
domain-proxy
name-server 24.29.99.35 24.29.99.36
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "xxxxxxx"
!
!
ip firewall
ip firewall fast-nat-failover
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
probe TimeWarner icmp-echo
destination 8.8.8.8
timeout 10000
tolerance consecutive fail 1 pass 1
no shutdown
!
track "WAN1"
snmp trap state-change
test if probe TimeWarner
no shutdown
!
!
!
!
ip dhcp pool "Private"
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.1
netbios-node-type h-node
default-router 10.10.10.1
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id fqdn AIP1
peer xx.212.173.10
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id fqdn AIP2 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address xx.212.173.10 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description AIP Site-to-Site VPN test
match address VPN-10-vpn-selectors
set peer xx.212.173.10
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
vlan 301
name "WAN Failover"
!
!
interface eth 0/1
description Time Warner
ip address xx.74.62.200 255.255.255.224
ip access-policy Public
crypto map VPN
media-gateway ip primary
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
no shutdown
switchport access vlan 301
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 301
ip address xx.212.173.11 255.255.255.192
ip mtu 1500
ip access-policy Public
media-gateway ip primary
no awcp
no shutdown
!
interface modem 0/1
shutdown
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip access-list extended web-acl-3
remark Public Allow
permit ip any any
!
!
!
ip policy-class Private
allow list VPN-10-vpn-selectors
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors
allow list web-acl-3
!
!
ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1
ip route 0.0.0.0 0.0.0.0 xx.74.62.193 10
ip route 8.8.8.8 255.255.255.255 xx.74.62.193
ip route 8.8.8.8 255.255.255.255 null 0
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip rtp quality-monitoring
ip rtp quality-monitoring udp
ip rtp quality-monitoring sip
!
line con 0
login
!
line telnet 0 4
login local-userlist
password xxxxxx
shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
!
!
end
When I unplug the primary I see that the probe fails now; however, even from the router I can't ping the failover gateway (xx.212.173.1). Also I get this error
Maybe this has something to do with the firewall rules. Somehow the traffic does not seem to want to reach xx.212.173.1 over that sw interface.
Thank you so much for your input I am making amazing progress.
My mistake. I thought xx.212.173.1 is the gateway for your primary WAN?
This is how your route table entries should be entered:
ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1
ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10
ip route 8.8.8.8 255.255.255.255 xx.74.62.193
ip route 8.8.8.8 255.255.255.255 null 0 10
ALSO:
I totally skipped over your policy classes.
You should have a third policy-class similar to your Public policy class, like this:
============================================
ip policy-class Public2
allow reverse list VPN-10-vpn-selectors
allow list web-acl-3 ( <-- you should not have this in either public policy. only allow ports required for secure admin access. web-acl-3 allows any -> any.)
=======================================
You should then add a new statement in your Private policy class:
=======================================
ip policy-class Private
allow list VPN-10-vpn-selectors
allow list self self
nat source list wizard-ics interface eth 0/1 overload policy Public
nat source list wizard-ics interface vlan 301 overload policy Public2
=======================================
Assign interface VLAN 301 to access-policy Public2.
Interface config should look like this:
interface vlan 301
ip address xx.212.173.11 255.255.255.192
ip mtu 1500
ip access-policy Public2
media-gateway ip primary
no awcp
no shutdown
!
Here is the config as it should be (minus what goes in the xx) It might be easier to follow than my broken up notes:
!
!
! ADTRAN OS version 18.03.01.00.E
! Boot ROM version 14.04.00
! Platform: NetVanta 3120, part number 1700600L2
! Serial number LBADTN0639AC502
!
!
hostname "NetVanta3120"
enable password xxxxxxx
!
!
ip subnet-zero
ip classless
ip routing
domain-proxy
name-server 24.29.99.35 24.29.99.36
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "xxxxxxx"
!
!
ip firewall
ip firewall fast-nat-failover
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
probe TimeWarner icmp-echo
destination 8.8.8.8
timeout 10000
tolerance consecutive fail 1 pass 1
no shutdown
!
track "WAN1"
snmp trap state-change
test if probe TimeWarner
no shutdown
!
!
!
!
ip dhcp pool "Private"
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.1
netbios-node-type h-node
default-router 10.10.10.1
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id fqdn AIP1
peer xx.212.173.10
attribute 1
encryption 3des
hash md5
authentication pre-share
!
crypto ike remote-id fqdn AIP2 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
crypto ike remote-id address xx.212.173.10 preshared-key xxxxxx ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
description AIP Site-to-Site VPN test
match address VPN-10-vpn-selectors
set peer xx.212.173.10
set transform-set esp-3des-esp-md5-hmac
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
vlan 301
name "WAN Failover"
!
!
interface eth 0/1
description Time Warner
ip address xx.74.62.200 255.255.255.224
ip access-policy Public
crypto map VPN
media-gateway ip primary
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
no shutdown
switchport access vlan 301
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 301
ip address xx.212.173.11 255.255.255.192
ip mtu 1500
ip access-policy Public2
media-gateway ip primary
no awcp
no shutdown
!
interface modem 0/1
shutdown
!
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
ip access-list extended web-acl-3
remark Public Allow (this allows public access to anything. Should not use).
permit ip any any
!
!
!
ip policy-class Private
allow list VPN-10-vpn-selectors
allow list self self
nat source list wizard-ics interface eth 0/1 overload policy Public
nat source list wizard-ics interface vlan 301 overload policy Public2
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors
allow list web-acl-3
!
ip policy-class Public2
allow reverse list VPN-10-vpn-selectors
!
ip route 0.0.0.0 0.0.0.0 xx.74.62.193 track WAN1
ip route 0.0.0.0 0.0.0.0 xx.212.173.1 10
ip route 8.8.8.8 255.255.255.255 xx.74.62.193
ip route 8.8.8.8 255.255.255.255 null 0 10
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip rtp quality-monitoring
ip rtp quality-monitoring udp
ip rtp quality-monitoring sip
!
line con 0
login
!
line telnet 0 4
login local-userlist
password xxxxxx
shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
!
!
end
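An added check, not code from the thread or from ADTRAN: a Python linter for the points both replies raised (an unquoted probe name in the track, missing fast-nat-failover, an any/any list reaching a policy that sits on a WAN interface, and a backup default route with no cost). The sample is a constructed excerpt of the opening post's configuration, and the parser assumes the indented sub-command layout AOS prints rather than the flattened text above.

```python
import re

# Constructed excerpt of the opening post's config, indented as AOS prints sub-commands.
SAMPLE = """\
ip firewall
probe "TimeWarner Failover" icmp-echo
 destination 8.8.8.8
track "WAN1"
 test if probe TimeWarner Failover
interface eth 0/1
 ip access-policy Public
interface vlan 301
 ip access-policy Public
ip access-list extended web-acl-3
 permit ip any any
ip policy-class Public
 allow list web-acl-3
ip route 0.0.0.0 0.0.0.0 xx.74.62.193
ip route 0.0.0.0 0.0.0.0 xx.212.173.1 track WAN1
"""
HEAD = re.compile(r"^(probe|track|interface|ip access-list|ip policy-class)\b(.*)$")

def parse(text):
    top, sections, body = [], [], None   # (kind, header remainder, body lines)
    for raw in text.splitlines():
        line = raw.strip()
        if raw[:1] == " " and body is not None:      # indented = sub-command
            body.append(line)
        elif m := HEAD.match(line):
            body = []
            sections.append((m.group(1), m.group(2), body))
        elif line not in ("", "!"):
            body = None
            top.append(line)
    return top, sections

def lint(text):
    """Flag the failover and firewall mistakes this thread's replies identified."""
    top, secs = parse(text)
    issues = []
    probes = {r.split('"')[1] if '"' in r else r.split()[0]
              for k, r, _ in secs if k == "probe"}
    refs = [b[len("test if probe "):] for k, _, body in secs if k == "track"
            for b in body if b.startswith("test if probe ")]
    for ref in refs:
        if ref.strip('"') in probes and " " in ref and not ref.startswith('"'):
            issues.append(f"track names probe {ref!r} without quotes; AOS may not match it")
    if "ip firewall" in top and "ip firewall fast-nat-failover" not in top:
        issues.append("ip firewall fast-nat-failover is missing (stale NAT sessions on failover)")
    open_acls = {r.split()[-1] for k, r, body in secs
                 if k == "ip access-list" and "permit ip any any" in body}
    open_policies = {r.split()[0] for k, r, body in secs if k == "ip policy-class"
                     and any(b.split()[-1] in open_acls for b in body if b.startswith("allow list "))}
    issues += [f"interface{r} applies any/any policy {b.split()[-1]}" for k, r, body in secs
               if k == "interface" for b in body
               if b.startswith("ip access-policy ") and b.split()[-1] in open_policies]
    defaults = [t.split() for t in top if t.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if len(defaults) > 1 and not any(d[-1].isdigit() for d in defaults):
        issues.append("no default route carries a cost; the backup route is not deprioritised")
    return issues
```

Running `lint(SAMPLE)` reports all five findings; applying the corrections from the replies (quoted probe name, fast-nat-failover, no any/any list in a WAN policy, cost 10 on the backup default) brings the list to empty.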
Thank you.
Failover seems to work but I think there is still some issue with nat. I am doing various tests now to see why the PC pinging google does not resume pinging it after I take out Eth0/1.
I can get in over WAN (sw0/1) via the failover interface to the router and I can ping various other IPs from the router.
Thank you for reminding me about that insecure firewall rule, I will correct that later after this setup is done.
I can answer that. The route table entry dictates that the only way to get to 8.8.8.8 is through the primary WAN interface. If you are actually using google DNS for your LAN computers, then you may want to replace 8.8.8.8 with something different (I often use 4.2.2.2). The fact that users can’t ping 8.8.8.8 when the primary is down, proves that the programming is working correctly.
Yep it all works. Thank you very much for help. I hope other people find this useful as well when programming this router.
One more minor thing. When I call in from the cell and hang up before I pick up from the ports line, it rings at least twice until it acknowledges my hangup. Is there a way to fix that?
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor