Greetings from a Newb
So far what I have works from the router but fails from a computer.
Setup:
3448 sitting on my desk
Eth 0/1 is plugged into the Comcast modem and using one of our static public IPs
Eth 0/2 is plugged into our local network, using a static private IP, and is routed out a DSL connection.
I do a traceroute from the router to 8.8.8.8; it routes out the Comcast modem as expected.
I unplug eth 0/1
I see the state go to fail
I do a traceroute from the router to 8.8.8.8; it routes out the DSL modem as expected.
I plug eth 0/1 back in
I do a traceroute from the router to 8.8.8.8; it routes out the Comcast modem as expected.
I do a traceroute from the laptop to 8.8.8.8; it routes out the Comcast modem as expected.
I unplug eth 0/1
I see the state go to fail
I do a traceroute from the laptop to 8.8.8.8; it gets to the VLAN interface 192.168.1.1 and then times out.
I think it has something to do with the firewall or NAT but can't see it for the life of me.
Here is some relevant info:
ip local policy route-map LOCAL
!
ip firewall
ip firewall fast-nat-failover
!
probe Charter icmp-echo
destination 173.X.X.94
source-address 173.X.X.91
period 3
tolerance consecutive fail 3 pass 3
no shutdown
!
track Charter
snmp trap state-change
test if probe Charter
no shutdown
!
interface eth 0/1
description Charter Connection
ip address 173.X.X.91 255.255.255.248
ip access-policy Public
ip flow egress
media-gateway ip primary
no awcp
no shutdown
!
!
interface eth 0/2
description Backup
ip address 192.168.99.99 255.255.255.0 (this is a test IP that is on my existing network would be change to a public in real world)
ip mtu 1500
ip access-policy Public_Backup
no shutdown
!
!
!
interface vlan 1
ip address 192.168.1.1 255.255.255.0
ip access-policy Private
ip flow egress
no awcp
no shutdown
!
!
!
route-map LOCAL permit 10
match ip address Charter
set ip next-hop 192.168.99.249
set interface eth 0/2
!
!
!
!
ip access-list standard Backup_ICS
permit any
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended Audio_ACL
permit udp any any log
!
ip access-list extended Charter
permit icmp host 192.168.1.1 host X.X.X.X
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended Signal_ACL
permit udp any any eq 5060 log
permit tcp any any eq 5061 log
!
ip access-list extended web-acl-10
remark TCP_UDP_5060_5061
permit tcp 208.X.X.0 0.0.0.255 any range 5060 5061 log
permit udp 208.X.X.0 0.0.0.255 any range 5060 5061 log
!
ip access-list extended web-acl-11
remark RTP fwd
permit udp X.X.62.0 0.0.0.255 any range X X log
!
ip access-list extended web-acl-12
remark XXX
permit tcp any any eq XXXX log
!
ip access-list extended web-acl-13
remark XXX
permit tcp any any eq XXXX log
!
ip access-list extended web-acl-14
remark DIM
permit tcp any any eq XXXX log
!
ip access-list extended web-acl-15
remark Admin
permit tcp any any eq https log
permit tcp any any eq ssh log
permit icmp any any echo log
!
ip access-list extended web-acl-16
remark To_NetVanta
permit ip any any log
!
ip access-list extended web-acl-17
remark NAT_Backup
permit ip any any
!
ip access-list extended web-acl-3
remark Admin Access
permit tcp any any eq https log
permit tcp any any eq ssh log
permit icmp any any echo log
!
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/1 overload
nat source list Backup_ICS interface eth 0/2 overload
!
ip policy-class Public
allow list web-acl-3 self
nat destination list web-acl-12 address 192.168.1.250 port XX
nat destination list web-acl-10 address 192.168.1.250
nat destination list web-acl-11 address 192.168.1.251
nat destination list web-acl-13 address 192.168.1.250
nat destination list web-acl-14 address 192.168.1.250
!
ip policy-class Public_Backup
allow list web-acl-15 self
!
!
!
ip route 0.0.0.0 0.0.0.0 173.X.X.94 track Charter
ip route 0.0.0.0 0.0.0.0 192.168.99.1 10
!
Your NAT is still trying to go out Charter. Change your wizard-ics access list to:
!
ip access-list extended wizard-ics
remark Internet Connection Sharing
permit ip any any track Charter
!
Also, to avoid a lot of flapping and churn, I usually require the primary link to be stable for a while before cutting back over. With 3-second pings the following requires the cable to be down for 15 seconds to trigger backup and up-stable for 2 minutes before cutting back.
probe Charter icmp-echo
destination 173.X.X.94
source-address 173.X.X.91
period 3
tolerance consecutive fail 5 pass 40
no shutdown
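The "down for 15 seconds / up-stable for 2 minutes" arithmetic above is easier to trust if you can see the track state machine run against a flapping link. The following is an added example, not code from the thread or from Adtran: it models an icmp-echo probe feeding a track object with `tolerance consecutive fail N pass M`. Two things are assumptions of the model, not documented behaviour: one probe result per `period` seconds, and a streak counter that resets whenever a result breaks the run (the "consecutive" part). The probe result sequences are constructed for illustration.

```python
# Added example (not from the thread or Adtran): a model of an AOS icmp-echo
# probe feeding a track object configured with `tolerance consecutive fail N
# pass M`. Assumptions, labelled here: one result per `period` seconds, and the
# streak counter resets whenever a result breaks the run ("consecutive").
# Scenario data below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class TrackedProbe:
    period: int            # seconds between echo requests (probe 'period')
    fail_tol: int          # consecutive failures needed to declare FAIL
    pass_tol: int          # consecutive passes needed to return to PASS
    state: str = "PASS"    # track state as the router would report it
    streak: int = 0        # current run of results that oppose the state
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def feed(self, results: Iterable[bool]) -> List[Tuple[int, str]]:
        """Feed probe results (True = echo reply, False = timeout) and return
        the list of (elapsed_seconds, new_state) transitions."""
        t = 0
        for ok in results:
            t += self.period
            opposes = ok if self.state == "FAIL" else not ok
            if not opposes:
                self.streak = 0          # a result agreeing with the state resets the run
                continue
            self.streak += 1
            needed = self.pass_tol if self.state == "FAIL" else self.fail_tol
            if self.streak >= needed:
                self.state = "PASS" if self.state == "FAIL" else "FAIL"
                self.streak = 0
                self.transitions.append((t, self.state))
        return self.transitions


def settle_times(period: int, fail_tol: int, pass_tol: int) -> Tuple[int, int]:
    """Seconds of continuous failure / continuous success before the track flips."""
    return period * fail_tol, period * pass_tol


def simulate(period: int, fail_tol: int, pass_tol: int, results: Iterable[bool]):
    return TrackedProbe(period, fail_tol, pass_tol).feed(list(results))


# Constructed scenarios (3-second probes)
OUTAGE = [False] * 6 + [True] * 45                    # 18 s cable outage, then steady replies
FLAP = [False] * 4 + [True] + [False] * 4 + [True]    # 12 s down, one reply, 12 s down again

if __name__ == "__main__":
    print("jayh's settings:", settle_times(3, 5, 40))                 # (15, 120)
    print("original 3/3 on a flap:", simulate(3, 3, 3, FLAP))        # [(9, 'FAIL')]
    print("jayh's 5/40 on a flap:", simulate(3, 5, 40, FLAP))        # []
    print("jayh's 5/40 on an outage:", simulate(3, 5, 40, OUTAGE))   # [(15, 'FAIL'), (138, 'PASS')]
```

With the original `fail 3 pass 3` the flap scenario swings the track (and with it the tracked default route and any tracked ACL) to FAIL after 9 seconds and a single stray reply keeps it from coming back; with `fail 5 pass 40` the same flap never moves the track, and a real outage fails over at 15 seconds and only cuts back once the link has answered for a full 2 minutes.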
@jayh I didn't get a chance to see your reply before I started over from scratch and went on site.
I like the idea of the higher threshold for the cutover. Will have to implement.
Below is most of the config I ended up with (copied from an Adtran white paper I found).
It seems to work very nicely. One problem though....
When it switches from one to the other and we do a remote-in, a few things work and a few things don't:
1) We port forward 8001 to a device's port 80 (WebPro). That fails to connect when on backup, works fine when on primary.
2) HTTPS to the 3448 works fine on both interfaces.
3) SSH to the 3448 fails when on backup.
4) Telnet to the device on port 8002 works fine in primary and backup mode.
I tried setting up a 2nd ACL just for WebPro backup (ACL 14) just to test to see if that was needed. Did not fix it.
interface eth 0/1
description Charter Connection
ip address 97.X.X.78 255.255.255.252
ip access-policy WAN1
no awcp
no shutdown
interface eth 0/2
description Backup
ip address 199.1X.X.22 255.255.255.252
ip access-policy WAN2
no shutdown
interface vlan 1
ip address 192.168.1.1 255.255.255.0
ip access-policy Private
ip flow egress
no awcp
no shutdown
route-map LOCAL permit 10
match ip address WAN1
set ip next-hop 97.X.X.77
set interface null 0
ip access-list extended AdminAccess
remark Admin Access
permit tcp any any eq https log
permit tcp any any eq ssh log
permit icmp any any echo log
!
ip access-list extended AFP
remark AFP Backup
permit tcp any any eq 548 log
!
ip access-list extended DIM
remark DIM Backup
permit tcp any any eq 8002 log
!
ip access-list extended FTP
remark FTP Backup
permit tcp any any eq ftp log
!
ip access-list extended NAT-Backup
permit ip any any
!
ip access-list extended NAT-Primary
permit ip any any
!
ip access-list extended PCPro
remark PC Pro Backup
permit tcp any any eq 8000 log
!
ip access-list extended self
permit ip any any
!
ip access-list extended SIP_RTP
permit udp 208.X.X.0 0.0.0.255 any range 20000 20031 log
!
ip access-list extended SIP_Signal
remark NAT list SIP_Signal
permit tcp 208.X.X.0 0.0.0.255 any range 5060 5061 log
permit udp 208.X.X.0 0.0.0.255 any range 5060 5061 log
!
ip access-list extended TIMBUKTU
remark Timbuktu Backup
permit tcp any any eq 407 log
permit udp any any eq 407 log
!
ip access-list extended WAN1
permit icmp host 97.X.X9.78 host 97.X.X.77
!
ip access-list extended web-acl-14
remark WebProBackup
permit tcp any any eq 8001 log
!
ip access-list extended WebPro
permit tcp any any eq 8001 log
ip policy-class Private
nat source list NAT-Primary interface eth 0/1 overload policy WAN1
nat source list NAT-Backup interface eth 0/2 overload policy WAN2
allow list self self
!
ip policy-class WAN1
allow list AdminAccess self
nat destination list SIP_RTP address 192.168.1.251
nat destination list SIP_Signal address 192.168.1.250
nat destination list AFP address 192.168.1.10
nat destination list TIMBUKTU address 192.168.1.10
nat destination list WebPro address 192.168.1.250 port 80
nat destination list PCPro address 192.168.1.250
nat destination list DIM address 192.168.1.250
nat destination list FTP address 192.168.1.10
!
ip policy-class WAN2
allow list AdminAccess self
nat destination list SIP_RTP address 192.168.1.251
nat destination list SIP_Signal address 192.168.1.250
nat destination list TIMBUKTU address 192.168.1.10
nat destination list AFP address 192.168.1.10
nat destination list web-acl-14 address 192.168.1.250 port 80
nat destination list PCPro address 192.168.1.250
nat destination list DIM address 192.168.1.250
nat destination list FTP address 192.168.1.10
ip route 0.0.0.0 0.0.0.0 97.X.X.77 track Charter
ip route 0.0.0.0 0.0.0.0 199.X.X.21 10
I was trying to test with the main connection physically disconnected from Eth 0/1 and the backup connection still connected to Eth 0/2.
I have not had a chance to go back out on site to troubleshoot.
My main concern was that the SIP trunks would encounter the same scenario, but I was able to confirm that they do indeed work in failover. I can live with not being able to connect to the phone system for admin purposes when in failover. I can foresee only a very small chance that I would need to access it in that condition. My other concern was that their remote applications (Timbuktu and Apple file share) wouldn't work... this I have not had a chance to confirm.
Change your NAT-Primary to a tracked ACL.
!
ip access-list extended NAT-Primary
permit ip any any track Charter
!
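Why the tracked ACL matters is easier to see as rule evaluation than as config. The following is an added example, not code from the thread or from Adtran: a small model of how a policy-class chooses a `nat source` rule. The semantics it assumes are stated in the comments (entries evaluated top down, first match wins, an entry carrying `track <name>` is skipped while that track is not PASS); the list and interface names come from the thread, the data structures and evaluation logic are this example's own.

```python
# Added example (not from the thread or Adtran): a model of how an AOS
# policy-class picks a `nat source` rule, showing why an untracked NAT-Primary
# list keeps NATing out eth 0/1 after the Charter track has failed.
# Assumed semantics, labelled here: entries evaluated top down, first match
# wins, and an ACL entry with `track <name>` is skipped while that track is
# not PASS. Rule and interface names follow the thread; the rest is this
# example's own.
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class AclEntry:
    permit: bool                 # permit / deny
    track: Optional[str] = None  # `track <name>` suffix, or None if untracked


@dataclass(frozen=True)
class NatSource:
    name: str                    # ACL name as in `nat source list <name>`
    acl: Sequence[AclEntry]
    egress: str                  # `interface <egress> overload`


def acl_action(acl: Sequence[AclEntry], tracks: Dict[str, str]) -> Optional[bool]:
    """Return True/False for the first live entry that matches, None if none does."""
    for entry in acl:
        if entry.track is not None and tracks.get(entry.track) != "PASS":
            continue                 # tracked entry is inert while its track is FAIL
        return entry.permit
    return None                      # fell off the end: implicit deny


def select_egress(policy: Sequence[NatSource], tracks: Dict[str, str]) -> Optional[str]:
    """The first `nat source` rule whose ACL permits the packet decides the egress."""
    for rule in policy:
        if acl_action(rule.acl, tracks) is True:
            return rule.egress
    return None                      # no NAT rule matched; the session is not translated


# The two versions of the Private policy-class from the thread, as data.
AS_POSTED = (
    NatSource("NAT-Primary", (AclEntry(True),), "eth 0/1"),                    # permit ip any any
    NatSource("NAT-Backup", (AclEntry(True),), "eth 0/2"),
)
AS_FIXED = (
    NatSource("NAT-Primary", (AclEntry(True, track="Charter"),), "eth 0/1"),   # permit ip any any track Charter
    NatSource("NAT-Backup", (AclEntry(True),), "eth 0/2"),
)

if __name__ == "__main__":
    for label, policy in (("as posted", AS_POSTED), ("tracked", AS_FIXED)):
        for state in ("PASS", "FAIL"):
            out = select_egress(policy, {"Charter": state})
            print(f"{label:9s} Charter={state}: NAT out {out}")
```

As posted, `permit ip any any` in NAT-Primary matches every packet whatever the track says, so the first rule wins and LAN traffic is translated to the eth 0/1 address even after the default route has moved to eth 0/2; with `track Charter` on that entry the first rule goes inert during the outage and NAT-Backup takes over, which is the behaviour the tracked default route already has.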