Object tracking - What am I doing wrong?

Hi all,

I have been trying to get an ISDN circuit to dial up and connect two Cisco 1841 routers together if the primary ADSL interface fails.

Background: Main site: 192.168.1.x. Remote site: 192.168.2.x. The VPN between the two ends over ADSL appears to work fine, no reported issues (not sure it's 100% correct, but it works).

Due to an issue with the DSL connection at the remote site, it has been decided to introduce an ISDN circuit at each end, so if the dsl fails, then the sites can connect via ISDN.

ISDN calls must be made from the MAIN site to the remote site.

After asking on this group the other day, it was suggested that the backup-interface doesn't work that well, and some sort of route object tracking was needed to perform the function correctly.

This is what I have tried to do, however it's not working. I'm sure it's only an access list that is stopping the ISDN dialing up, but I'm not seeing my mistake at the moment! Can you?

------------------------------------------------------------------------------------------------------

Configuration from Main site (any boring stuff edited out):

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
ip sla monitor 1
 type echo protocol ipIcmpEcho (ADSL outside interface at remote site)
ip sla monitor schedule 1 life forever start-time now
!
isdn switch-type basic-net3
!
crypto pki trustpoint TP-self-signed-30453xxxxxx
!
crypto pki certificate chain TP-self-signed-30453xxxxxx
!
username admin privilege 15 secret
username backup password 7
!
track 123 rtr 1 reachability
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address (ADSL outside interface at remote site)
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer (ADSL outside interface at remote site)
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 ip address 192.168.1.242 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0/1/0
 no ip address
 encapsulation ppp
 dialer pool-member 2
 isdn switch-type basic-net3
 isdn point-to-point-setup
 ppp authentication chap
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname snipped-for-privacy@isp.com
 ppp chap password 7
 crypto map SDM_CMAP_1
!
interface Dialer2
 ip address 172.16.200.2 255.255.255.0
 encapsulation ppp
 dialer pool 2
 dialer idle-timeout 180
 dialer string (remote site number)
 dialer-group 2
 ppp chap hostname backup
 ppp chap password 7 (same as password defined above)
!
ip local policy route-map MY_Backup_Policy
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Dialer2 100
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp any host 80.229.86.228 echo
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
route-map MY_Backup_Policy permit 10
 match ip address 105
 set interface Null0
 set ip next-hop (outside interface of this router when connected to adsl)
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
end

------------------------------------------------------------------------------------------------------

Remote site (remember this just needs to answer the isdn calls from main site)

aaa new-model
aaa authentication login default local
aaa authentication ppp default local
!
isdn switch-type basic-net3
!
crypto pki trustpoint TP-self-signed-214962xxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-214962xxxx
 revocation-check none
 rsakeypair TP-self-signed-214962xxxx
!
crypto pki certificate chain TP-self-signed-214962xxxx
 certificate self-signed 01
!
username admin privilege 15 xxxxxxxxxxxx
username backup password 7 xxxxxxxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxx address (main site outside interface)
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to80.229.44.16
 set peer (main site outside interface)
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0/1/0
 no ip address
 isdn switch-type basic-net3
 isdn point-to-point-setup
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname snipped-for-privacy@isp.com
 ppp chap password 7
 crypto map SDM_CMAP_1
!
interface Dialer2
 ip address 172.16.200.2 255.255.255.0
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp chap hostname backup
 ppp chap password 7 (same as password defined above)
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer2 100
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
end

------------------------------------------------------------------------------------------------------

To show that tracking is working correctly on the MAIN unit, you can see the following:

#sho track
Track 123
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:00:26
  Latest operation return code: OK
  Latest RTT (millisecs) 52
  Tracked by:
    STATIC-IP-ROUTING 0

#sho ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/32 is subnetted, 1 subnets
C       (outside interface of this router) is directly connected, Dialer0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.200.0 is directly connected, Dialer2
     195.166.128.0/32 is subnetted, 1 subnets
Bob Smith

snip

Bob,

Hi,

I have done something very similar in the past, following a colleague's example. I have included our tracking statements, just for comparison to yours.

The above is the far end of a GRE Tunnel we wanted to track, 172.30.11.1 end being this router

ip sla 1
 icmp-echo 172.30.11.2
ip sla schedule 1 life forever start-time now

track 1 rtr 1 reachability

route-map Critical-Data permit 1
 match ip address Critical-Traffic
 set ip precedence flash-override
 set ip next-hop verify-availability 172.30.11.2 1 track 1

In addition to this we had a crypto map that matched the GRE source and destination WAN IPs. The above access-list reference 'Critical-Traffic' was the tunnelled information for the private IPs within the tunnel.

We ran dynamic routing to prefer the route via another router, however the policy on this router forced the traffic over the GRE tunnel assuming there was a match on the route map. It's different from what you have as there is no ISDN in our design. I have included it so that you could see how we did our object tracking.

Regards

Darren

Darren Green
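Pulling the pieces of both posts together, as an added illustration (not either poster's configuration) with placeholder names PROBE_TARGET, PROBE_ONLY and PIN_PROBE: a probe, a track, a tracked primary route with a floating backup, and a local policy that keeps the probe itself off the backup path.

```cisco
! Added illustration (not either poster's config): the object-tracking
! skeleton both posts rely on, with placeholder names. PROBE_TARGET is an
! address that exists only at the far end of the ADSL path.
!
! 1. Probe the far end every 10 s. Older IOS spells this
!    "ip sla monitor 1" / "type echo protocol ipIcmpEcho PROBE_TARGET".
ip sla 1
 icmp-echo PROBE_TARGET
 frequency 10
ip sla schedule 1 life forever start-time now
!
! 2. Turn the probe into a trackable object (older IOS: "track 123 rtr 1
!    reachability"). The delays keep one lost echo from flapping the
!    routes, and make the return to ADSL deliberately slower than failover.
track 123 ip sla 1 reachability
 delay down 30 up 60
!
! 3. A dialer interface stays "up (spoofing)" even with no PPP session, so
!    a plain static route via Dialer0 never goes away by itself. Tying it
!    to the track withdraws it when the probe fails; the floating static
!    (AD 100) via the ISDN dialer then takes over.
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Dialer2 100
!
! 4. Pin the router's own probe packets to the primary interface. If the
!    probe were allowed to follow the routing table, it would go out the
!    backup as soon as the floating route was installed, succeed, bring
!    the track back up, and the backup would be torn down: a flap loop.
!    "set interface" rather than "set ip next-hop" matters here: a next
!    hop that is also reachable through the default route via Dialer2
!    would still send the probe out the backup.
ip access-list extended PROBE_ONLY
 permit icmp any host PROBE_TARGET echo
!
route-map PIN_PROBE permit 10
 match ip address PROBE_ONLY
 set interface Dialer0
!
ip local policy route-map PIN_PROBE
!
! Check with "show track 123" (expect "Tracked by: STATIC-IP-ROUTING") and
! "show ip route 0.0.0.0" before and after the probe target is unreachable.
```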
