ip ospf demand-circuit vs. ISDN dialers

 
 
Andre Beck
      10-16-2003
Hi,

when I first discovered the "ip ospf demand-circuit" feature, it seemed like
it would solve all my problems in a lab test I'm doing. This includes ISDN
dial backup for a mesh of four tunnels between HSRP-paired routers, two
on each side. As long as there is only one dial backup, it works like
a charm. The problem is, I've got two of them, so the setup would have
to detect not only the failure of all the lower-cost tunnels (which works),
but also the failure of the primary dial backup (which doesn't work).

As demand-circuit only exchanges LSAs when the topology changes, it keeps
the dial link pretty silent. The problem is that a failure of the link is
not detected in any way. If a dialer connection breaks (due to me unplugging
the BRI for instance) or fails to establish a connection to the peer, the
dialer pool in the background is trying to connect repeatedly, but the
failure doesn't reflect in any way into the dialer and thus doesn't trigger
a topology change. After some dense reading I hoped that something like

dialer redial interval 5 attempts 3 re-enable 30

could help here. It will cause the dialer interface to go Down/Down after
three unsuccessful dial attempts and stay down for the next 30 seconds.
But hell, even *that* (an interface that runs OSPF and has an active
adjacency) doesn't in any way reflect in OSPF (I would expect it to
trigger an SPF) or even the routing table (there are now dead routes
there, pointing to a Down/Down Dialer0 - I understand they stay there
when Dialer0 is Up/Up (Spoofing), but not how this could happen if the
interface is actually going down due to a redial disable).

And BTW, after some time without traffic, the boxes in question stop
even dialing when a packet has to be routed to a dialer which is
operative. Ping running, route to Dialer0 is in table, dialer would
work if ever triggered, but it simply stays idle. Debug is endlessly
repeating

Oct 16 16:22:53.173: BR1/0 DDR: rotor dialout [best]
Oct 16 16:22:53.173: BR1/0 DDR: Dialing cause ip (s=172.31.31.31, d=192.168.234.5)
Oct 16 16:22:54.175: BR1/0 DDR: rotor dialout [best] least recent failure is also most recent failure
Oct 16 16:22:54.175: BR1/0 DDR: rotor dialout [best] also has most recent failure

but "sh dialer int d0" just says that the dialer is idle. Neither the
successful nor the unsuccessful calls counter increment. This bad behavior
started only after I introduced the "dialer redial stuff", so that seems
to be broken, too.

Hell, I'm feeling air getting thinner slowly. That's 12.3(3)...

--
Frankie say: Follow the voice that says "Follow Me"!
-----
-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
 
Vincent C Jones
      10-17-2003
In article <(E-Mail Removed)>, Andre Beck <(E-Mail Removed)> wrote:
>Hi,
>
>when I first discovered the "ip ospf demand-circuit" feature, it seemed like
>it would solve all my problems in a lab test I'm doing. This includes ISDN
>dial backup for a mesh of four tunnels between HSRP-paired routers, two
>on each side. As long as there is only one dial backup, it works like
>a charm. The problem is, I've got two of them, so the setup would have
>to detect not only the failure of all the lower-cost tunnels (which works),
>but also the failure of the primary dial backup (which doesn't work).

.. . .
> -----
>-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-


You might find the white paper "Using BGP to Trigger Multiple Levels of
Dial Backup on Cisco Routers" on my web site of interest...

--
Vincent C Jones, Consultant Expert advice and a helping hand
Networking Unlimited, Inc. for those who want to manage and
Tenafly, NJ Phone: 201 568-7810 control their networking destiny
http://www.networkingunlimited.com
 
osbjmg
      10-17-2003
I don't know if this will help but I assume you have tried snapshot routing
and floating static routes?

"Vincent C Jones" <(E-Mail Removed)> wrote in message
news:bmnljs$5to$(E-Mail Removed)...
> In article <(E-Mail Removed)>, Andre Beck <(E-Mail Removed)> wrote:
> >Hi,
> >
> >when I first discovered the "ip ospf demand-circuit" feature, it seemed like
> >it would solve all my problems in a lab test I'm doing. This includes ISDN
> >dial backup for a mesh of four tunnels between HSRP-paired routers, two
> >on each side. As long as there is only one dial backup, it works like
> >a charm. The problem is, I've got two of them, so the setup would have
> >to detect not only the failure of all the lower-cost tunnels (which works),
> >but also the failure of the primary dial backup (which doesn't work).

> . . .
> > -----
> >-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-

>
> You might find the white paper "Using BGP to Trigger Multiple Levels of
> Dial Backup on Cisco Routers" on my web site of interest...
>
> --
> Vincent C Jones, Consultant Expert advice and a helping hand
> Networking Unlimited, Inc. for those who want to manage and
> Tenafly, NJ Phone: 201 568-7810 control their networking destiny
> http://www.networkingunlimited.com



 
Andre Beck
      10-17-2003
(E-Mail Removed) (Vincent C Jones) writes:
> In article <(E-Mail Removed)>, Andre Beck <(E-Mail Removed)> wrote:
> >
> >when I first discovered the "ip ospf demand-circuit" feature, it seemed like
> >it would solve all my problems in a lab test I'm doing. This includes ISDN
> >dial backup for a mesh of four tunnels between HSRP-paired routers, two
> >on each side. As long as there is only one dial backup, it works like
> >a charm. The problem is, I've got two of them, so the setup would have
> >to detect not only the failure of all the lower-cost tunnels (which works),
> >but also the failure of the primary dial backup (which doesn't work).

>
> You might find the white paper "Using BGP to Trigger Multiple Levels of
> Dial Backup on Cisco Routers" on my web site of interest...


It's interesting, however it requires some deeper grokking to see whether
I could use that approach. The boxes in question probably don't have BGP
capable loads and I'm not yet aware of the little deficiencies this setup
will have (you usually find out about them after hours of lab testing).

Another white paper of yours "Redundant Routes in IPSec VPNs" is also
close to my actual problem: I'm trying to provide dial backup for a
VPN solution that is provided by a pair of firewalls (which should
be considered an opaque routed path between the two internal LANs).
That's why I'm establishing an IGP on top of a mesh of GRE/IP tunnels
with keepalive, and that part is working almost spectacularly well
(read: as expected).

The "ip ospf demand-circuit" solution appears to provide all the
remaining glue to get a dial backup operational only when actually
needed. All that is missing is a decent way to detect that a dial
link is failing and the mechanism for that even is there - dialer
redial indeed puts the interface Down/Down when dial attempts fail.
So all I'd need is that this Down/Down condition reflects into OSPF
as one would expect, the fact that it doesn't is a bug IMO. If that
would cause an SPF, all the other pair of routers would establish
their dial link, both the established and the failed link would
try to exchange LSAs and the failed one would drop the adjacency
due to that failing. I'm actually sure it's thought that way...

That redial seems to kill the DDR entirely after some time is likely
another bug. I'm contemplating opening TAC cases for this, the
only problem being that this is pre-sales lab testing and I'm not
aware of how to get support for that...

--
Frankie say: Follow the voice that says "Follow Me"!
-----
-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
 
Andre Beck
      10-17-2003
"osbjmg" <(E-Mail Removed)> writes:
>
> I don't know if this will help but I assume you have tried snapshot routing
> and floating static routes?


Floating statics are insufficient as this is involving four routers,
a HSRP-pair at each location. I don't see a way to get that fully
dynamic with just floating statics. As long as it is just two routers
and one dial link, I have a much cleaner solution anyway, that uses
the tunnel just to suppress the more specific static route to the
dialer. As long as the tunnel is alive, it will suppress that route
and packets bounce forth to the firewall where they are IPseced. Only
when the tunnel drops, the dialer route appears and sends the packets
to the remote side directly. This is pure tunnel keepalive + backup
interface and rock solid (there is never anything routed over the tunnel
so it even is MTU-clean).

If, however, you want to provide backup for the case of one of the routers
failing, you have to go HSRP pair on each side. This will require both
routers on both sides to know the best path, which is IMO only cleanly
established by an IGP. Snapshot IGP has probably the same deficiencies
that OSPF demand-circuit has: It will likely not detect a certain case
of failure that should trigger a recomputation of the IGP.

IMO there's two solutions remaining: drop the second backup altogether,
it is insufficient anyway. The dialers are not fully meshed, so if one
router on each side fails there's a 50% chance that no dialer is available
to back this up. Or, if you can stand the cost, run the primary dial
backup without demand-circuit (probably with increased hello/dead timers),
and run the second one with demand-circuit. That would make sure the SPF
is going to get recomputed whenever the primary dial fails. It's just damn
silly to dial constantly in the normal case, when the VPN is operative...

--
Frankie say: Follow the voice that says "Follow Me"!
-----
-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
 
Andre Beck
      10-19-2003
Andre Beck <(E-Mail Removed)> writes:
>
> IMO there's two solutions remaining: drop the second backup altogether,
> it is insufficient anyway. The dialers are not fully meshed, so if one
> router on each side fails there's a 50% chance that no dialer is available
> to back this up. Or, if you can stand the cost, run the primary dial
> backup without demand-circuit (probably with increased hello/dead timers),
> and run the second one with demand-circuit. That would make sure the SPF
> is going to get recomputed whenever the primary dial fails. It's just damn
> silly to dial constantly in the normal case, when the VPN is operative...


Ha, thanks for pushing me into the right direction. I've got it solved
sufficiently by making the first backup dialer a straight OSPF interface
(no demand-circuit, no increased timers), but making it also a backup
interface of one of the tunnels. The tunnel used is the one leading to
the same router the dialer is going to, so if just that router fails, the
tunnel will drop and release the dialer, but that dialer will not establish
a connection and will thus not increase the cost. If, however, the tunnel
disappears due to the VPN failing, the dialer will be needed anyway. The
only drawback is that it will be up even when there is no traffic - but
that seems to be the price here until Cisco fixes that other strange
behavior.

--
The _S_anta _C_laus _O_peration
or "how to turn a complete illusion into a neverending money source"

-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
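
Added example, not part of the thread and not the poster's configuration: a sketch of the arrangement described in the last post, for one router of an HSRP pair, with the first backup dialer as a plain OSPF interface that is also the backup interface of the tunnel leading to the same remote router. Tunnel numbers, addresses (documentation ranges), OSPF process, area and costs, and the dial string are constructed placeholders. It assumes outgoing calls only and leaves PPP authentication and ISDN switch settings to the existing setup.

```cisco
! Constructed sketch for ONE router of the HSRP pair; not the poster's config.
! Addresses are documentation ranges; the dial string is a placeholder.
interface Tunnel0
 description GRE to the remote router that Dialer0 also calls
 ip address 192.0.2.1 255.255.255.252
 ip ospf cost 10
 keepalive 5 3
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 ! Dialer0 is held in standby for as long as the tunnel keepalive succeeds
 backup interface Dialer0
!
interface Tunnel1
 description GRE to the other remote router (no backup interface here)
 ip address 192.0.2.5 255.255.255.252
 ip ospf cost 10
 keepalive 5 3
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
interface BRI1/0
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
interface Dialer0
 description First dial backup: plain OSPF interface
 ip address 192.0.2.9 255.255.255.252
 encapsulation ppp
 ! No "ip ospf demand-circuit" and no "dialer redial" here: hellos run over
 ! the link, so a peer that cannot be reached never holds an adjacency.
 ip ospf cost 1000
 dialer pool 1
 dialer string <REMOTE-ISDN-NUMBER>
 dialer-group 1
!
! OSPF hellos count as interesting traffic, so the call stays up once released
dialer-list 1 protocol ip permit
!
router ospf 1
 network 192.0.2.0 0.0.0.15 area 0
```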
 