ip ospf demand-circuit vs. ISDN dialers

Discussion in 'Cisco' started by Andre Beck, Oct 16, 2003.

  1. Andre Beck

    Andre Beck Guest

    Hi,

    when I first discovered the "ip ospf demand-circuit" feature, it seemed like
    it would solve all my problems in a lab test I'm doing. This includes ISDN
    dial backup for a mesh of four tunnels between HSRP-paired routers, two
    on each side. As long as there is only one dial backup, it works like
    a charm. The problem is, I've got two of them, so the setup would have
    to detect not only the failure of all the lower-cost tunnels (which works),
    but also the failure of the primary dial backup (which doesn't work).

    As demand-circuit only exchanges LSAs when the topology changes, it keeps
    the dial link pretty silent. The problem is that a failure of the link is
    not detected in any way. If a dialer connection breaks (due to me unplugging
    the BRI for instance) or fails to establish a connection to the peer, the
    dialer pool in the background is trying to connect repeatedly, but the
    failure doesn't reflect in any way into the dialer and thus doesn't trigger
    a topology change. After some dense reading I hoped that something like

    dialer redial interval 5 attempts 3 re-enable 30

    could help here. It will cause the dialer interface to go Down/Down after
    three unsuccessful dial attempts and stay down for the next 30 seconds.
    But hell, even *that* (an interface that runs OSPF and has an active
    adjacency) doesn't in any way reflect in OSPF (I would expect it to
    trigger an SPF) or even the routing table (there are now dead routes
    there, pointing to a Down/Down Dialer0 - I understand they stay there
    when Dialer0 is Up/Up (Spoofing), but not how this could happen if the
    interface is actually going down due to a redial disable).

    And BTW, after some time without traffic, the boxes in question stop
    even dialing when a packet has to be routed to a dialer which is
    operative. Ping running, route to Dialer0 is in table, dialer would
    work if ever triggered, but it simply stays idle. Debug is endlessly
    repeating

    Oct 16 16:22:53.173: BR1/0 DDR: rotor dialout [best]
    Oct 16 16:22:53.173: BR1/0 DDR: Dialing cause ip (s=172.31.31.31, d=192.168.234.5)
    Oct 16 16:22:54.175: BR1/0 DDR: rotor dialout [best] least recent failure is also most recent failure
    Oct 16 16:22:54.175: BR1/0 DDR: rotor dialout [best] also has most recent failure

    but "sh dialer int d0" just says that the dialer is idle. Neither the
    successful nor the unsuccessful calls counter increment. This bad behavior
    started only after I introduced the "dialer redial stuff", so that seems
    to be broken, too.

    Hell, I'm feeling air getting thinner slowly. That's 12.3(3)...

    --
    Frankie say: Follow the voice that says "Follow Me"!
    -----
    -> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
    Andre Beck, Oct 16, 2003
    #1

  2. In article <>, Andre Beck <> wrote:
    >Hi,
    >
    >when I first discovered the "ip ospf demand-circuit" feature, it seemed like
    >it would solve all my problems in a lab test I'm doing. This includes ISDN
    >dial backup for a mesh of four tunnels between HSRP-paired routers, two
    >on each side. As long as there is only one dial backup, it works like
    >a charm. The problem is, I've got two of them, so the setup would have
    >to detect not only the failure of all the lower-cost tunnels (which works),
    >but also the failure of the primary dial backup (which doesn't work).

    .. . .
    > -----
    >-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-


    You might find the white paper "Using BGP to Trigger Multiple Levels of
    Dial Backup on Cisco Routers" on my web site of interest...

    --
    Vincent C Jones, Consultant Expert advice and a helping hand
    Networking Unlimited, Inc. for those who want to manage and
    Tenafly, NJ Phone: 201 568-7810 control their networking destiny
    http://www.networkingunlimited.com
    Vincent C Jones, Oct 17, 2003
    #2

  3. Andre Beck

    osbjmg Guest

    I don't know if this will help but I assume you have tried snapshot routing
    and floating static routes?

    "Vincent C Jones" <> wrote in message
    news:bmnljs$5to$...
    > In article <>, Andre Beck <> wrote:
    > >Hi,
    > >
    > >when I first discovered the "ip ospf demand-circuit" feature, it seemed like
    > >it would solve all my problems in a lab test I'm doing. This includes ISDN
    > >dial backup for a mesh of four tunnels between HSRP-paired routers, two
    > >on each side. As long as there is only one dial backup, it works like
    > >a charm. The problem is, I've got two of them, so the setup would have
    > >to detect not only the failure of all the lower-cost tunnels (which works),
    > >but also the failure of the primary dial backup (which doesn't work).

    > . . .
    > > -----
    > >-> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-

    >
    > You might find the white paper "Using BGP to Trigger Multiple Levels of
    > Dial Backup on Cisco Routers" on my web site of interest...
    >
    > --
    > Vincent C Jones, Consultant Expert advice and a helping hand
    > Networking Unlimited, Inc. for those who want to manage and
    > Tenafly, NJ Phone: 201 568-7810 control their networking destiny
    > http://www.networkingunlimited.com
    osbjmg, Oct 17, 2003
    #3
  4. Andre Beck

    Andre Beck Guest

    l (Vincent C Jones) writes:
    > In article <>, Andre Beck <> wrote:
    > >
    > >when I first discovered the "ip ospf demand-circuit" feature, it seemed like
    > >it would solve all my problems in a lab test I'm doing. This includes ISDN
    > >dial backup for a mesh of four tunnels between HSRP-paired routers, two
    > >on each side. As long as there is only one dial backup, it works like
    > >a charm. The problem is, I've got two of them, so the setup would have
    > >to detect not only the failure of all the lower-cost tunnels (which works),
    > >but also the failure of the primary dial backup (which doesn't work).

    >
    > You might find the white paper "Using BGP to Trigger Multiple Levels of
    > Dial Backup on Cisco Routers" on my web site of interest...


    It's interesting, however it requires some deeper grokking to see whether
    I could use that approach. The boxes in question probably don't have BGP
    capable loads and I'm not yet aware of the little deficiencies this setup
    will have (you usually find out about them after hours of lab testing).

    Another white paper of yours "Redundant Routes in IPSec VPNs" is also
    close to my actual problem: I'm trying to provide dial backup for a
    VPN solution that is provided by a pair of firewalls (which should
    be considered an opaque routed path between the two internal LANs).
    That's why I'm establishing an IGP on top of a mesh of GRE/IP tunnels
    with keepalive, and that part is working almost spectacularly well
    (read: as expected).

    The "ip ospf demand-circuit" solution appears to provide all the
    remaining glue to get a dial backup operational only when actually
    needed. All that is missing is a decent way to detect that a dial
    link is failing and the mechanism for that even is there - dialer
    redial indeed puts the interface Down/Down when dial attempts fail.
    So all I'd need is that this Down/Down condition reflects into OSPF
    as one would expect, the fact that it doesn't is a bug IMO. If that
    would cause an SPF, all the other pair of routers would establish
    their dial link, both the established and the failed link would
    try to exchange LSAs and the failed one would drop the adjacency
    due to that failing. I'm actually sure it's thought that way...

    That redial seems to kill the DDR entirely after some time is likely
    another bug. I'm contemplating about opening TAC cases for this, the
    only problem being that this is pre-sales lab testing and I'm not
    aware of how to get support for that...

    --
    Frankie say: Follow the voice that says "Follow Me"!
    -----
    -> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
    Andre Beck, Oct 17, 2003
    #4
  5. Andre Beck

    Andre Beck Guest

    "osbjmg" <> writes:
    >
    > I don't know if this will help but I assume you have tried snapshot routing
    > and floating static routes?


    Floating statics are insufficient as this is involving four routers,
    a HSRP-pair at each location. I don't see a way to get that fully
    dynamic with just floating statics. As long as it is just two routers
    and one dial link, I have a much cleaner solution anyway, that uses
    the tunnel just to suppress the more specific static route to the
    dialer. As long as the tunnel is alive, it will suppress that route
    and packets bounce forth to the firewall where they are IPseced. Only
    when the tunnel drops, the dialer route appears and sends the packets
    to the remote side directly. This is pure tunnel keepalive + backup
    interface and rock solid (there is never anything routed over the tunnel
    so it even is MTU-clean).

    If, however, you want to provide backup for the case of one of the routers
    failing, you have to go HSRP pair on each side. This will require both
    routers on both sides to know the best path, which is IMO only cleanly
    established by an IGP. Snapshot IGP has probably the same deficiencies
    that OSPF demand-circuit has: It will likely not detect a certain case
    of failure that should trigger a recomputation of the IGP.

    IMO there's two solutions remaining: drop the second backup altogether,
    it is insufficient anyway. The dialers are not fully meshed, so if one
    router on each side fails there's a 50% chance that no dialer is available
    to back this up. Or, if you can stand the cost, run the primary dial
    backup without demand-circuit (probably with increased hello/dead timers),
    and run the second one with demand-circuit. That would make sure the SPF
    is going to get recomputed whenever the primary dial fails. It's just damn
    silly to dial constantly in the normal case, when the VPN is operative...

    --
    Frankie say: Follow the voice that says "Follow Me"!
    -----
    -> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
    Andre Beck, Oct 17, 2003
    #5
  6. Andre Beck

    Andre Beck Guest

    Andre Beck <> writes:
    >
    > IMO there's two solutions remaining: drop the second backup altogether,
    > it is insufficient anyway. The dialers are not fully meshed, so if one
    > router on each side fails there's a 50% chance that no dialer is available
    > to back this up. Or, if you can stand the cost, run the primary dial
    > backup without demand-circuit (probably with increased hello/dead timers),
    > and run the second one with demand-circuit. That would make sure the SPF
    > is going to get recomputed whenever the primary dial fails. It's just damn
    > silly to dial constantly in the normal case, when the VPN is operative...


    Ha, thanks for pushing me into the right direction. I've got it solved
    sufficiently by making the first backup dialer a straight OSPF interface
    (no demand-circuit, no increased timers), but making it also a backup
    interface of one of the tunnels. The tunnel used is the one leading to
    the same router the dialer is going to, so if just that router fails, the
    tunnel will drop and release the dialer, but that dialer will not establish
    a connection and will thus not increase the cost. If, however, the tunnel
    disappears due to the VPN failing, the dialer will be needed anyway. The
    only drawback is that it will be up even when there is no traffic - but
    that seems to be the price here until Cisco fixes that other strange
    behavior.

    --
    The _S_anta _C_laus _O_peration
    or "how to turn a complete illusion into a neverending money source"

    -> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
    Andre Beck, Oct 19, 2003
    #6
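
A configuration sketch of the arrangement described in post #6, added here as an illustration and not taken from the poster's routers. Router roles (A1, A2, B1), interface numbers, addresses, the OSPF cost, the dial-string placeholders and keeping demand-circuit on the second dialer (as proposed in post #5) are all assumptions; ISDN switch type and PPP authentication are left out.

```cisco
! Constructed example, router A1. Addresses and numbers are assumptions.
!
! Tunnel to B1 through the firewall VPN. The GRE keepalive takes the
! tunnel down when the VPN path (or B1 itself) stops answering, and
! "backup interface" holds Dialer0 in standby until that happens.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 keepalive 5 3
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 backup interface Dialer0
!
! First backup: ISDN dialer to the same peer (B1), run as a plain OSPF
! interface without demand-circuit, so a failed or dropped call is seen
! by OSPF. Cost is set above the tunnels.
interface Dialer0
 ip address 10.255.1.1 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer string <B1-ISDN-NUMBER>
 dialer-group 1
 ip ospf cost 1000
!
interface BRI1/0
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
! OSPF hellos are interesting traffic here, which is why the released
! dialer stays connected even when no user traffic flows.
dialer-list 1 protocol ip permit
!
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.255.1.0 0.0.0.3 area 0
!
! Constructed example, router A2 (second backup): the dialer remains a
! demand circuit and is only raised by a topology change.
interface Dialer0
 ip address 10.255.2.1 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer string <B2-ISDN-NUMBER>
 dialer-group 1
 ip ospf cost 2000
 ip ospf demand-circuit
```

`show backup` and `show ip ospf interface Dialer0` on A1 show whether the dialer is still in standby and whether OSPF treats it as a normal or a demand-circuit interface.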