Redundant Routes in IPSec VPNs, ISDN Backup

Discussion in 'Cisco' started by Manfred, Apr 29, 2004.

  1. Manfred

    Manfred Guest

    Hi all,
I looked for a solution to back up my IPSec VPN with ISDN backup like
"Floating Static" and hit on the document "Redundant Routes in IPSec
VPNs" from Vincent C. Jones. I arranged two PIX and two WAN routers in
a real environment for testing, like in the white paper. After
installing the routers and PIX, BGP runs well and distributes the necessary
routing information, routing is OK and I can reach all resources in
both networks. If I break the VPN connection, the ISDN dialup comes up
without problems. The single problem is that no packet will be routed
over the active ISDN backup. I compared my configuration with
Vincent's configuration and made some debugs, but I can't find any
failure and have no idea where the misconfiguration could be. I attached
the "running configurations" and "show version" of both routers.

    So long
    Manfred

    Remote System

    REMOTE#sh run
    version 11.2
    hostname REMOTE
    !
    username CENTRAL password 0 test1
    no ip domain-lookup
    isdn switch-type basic-net3
    !
    interface Ethernet0
     ip address 10.22.1.2 255.255.0.0
     no ip redirects
     ip route-cache same-interface
    !
    interface BRI0
     description ISDN-Einwahl Centrallocation
     no ip address
     no ip directed-broadcast
     encapsulation ppp
     no keepalive
     dialer rotary-group 0
     dialer-group 1
    !
    interface Dialer0
     description Dialer fuer Centrallocation
     ip address 192.168.50.22 255.255.255.0
     no ip mroute-cache
     encapsulation ppp
     no ip route-cache
     dialer in-band
     dialer map ip 192.168.50.50 name CENTRAL 12345678
     dialer-group 1
     ppp authentication chap
    !
    router bgp 65500
     no synchronization
     network 10.22.0.0 mask 255.255.0.0
     timers bgp 5 16
     neighbor 10.13.1.8 remote-as 65500
     neighbor 10.13.1.8 update-source Ethernet0
     neighbor 10.13.1.8 route-map vpn_central in
    !
    no ip classless
    ip route 0.0.0.0 0.0.0.0 10.22.1.1
    ip route 10.13.0.0 255.255.0.0 192.168.50.50 210
    ip route 10.13.1.8 255.255.255.255 10.22.1.1 3
    ip route 192.168.50.50 255.255.255.255 Dialer0
    route-map vpn_central permit 10
     set ip next-hop 10.22.1.1
    !
    dialer-list 1 protocol ip permit
    !
    end

    REMOTE#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 11.2(9), RELEASE SOFTWARE
    (fc1)
    Copyright (c) 1986-1997 by cisco Systems, Inc.
    Compiled Mon 22-Sep-97 21:31 by ckralik
    Image text-base: 0x0302EB70, data-base: 0x00001000

    ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
    BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

    REMOTE uptime is 3 weeks, 1 day, 51 minutes
    System restarted by power-on
    System image file is "flash:c2500-is-l.112-9", booted via flash

    cisco 2500 (68030) processor (revision N) with 2048K/2048K bytes of
    memory.
    Processor board ID 06929956, with hardware revision 00000001
    Bridging software.
    X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
    Basic Rate ISDN software, Version 1.0.
    1 Ethernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    1 ISDN Basic Rate interface(s)
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read ONLY)

    Configuration register is 0x2102

    Central System

    CENTRAL#sh run
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname CENTRAL
    !
    username REMOTE password 0 test1
    !
    ip subnet-zero
    !
    isdn switch-type basic-net3
    !
    interface TokenRing0
     ip address 10.13.1.8 255.255.0.0
     no ip redirects
     ip route-cache same-interface
     ring-speed 16
     multiring all
    !
    interface BRI0
     description ISDN-Einwahl Remotelocation
     no ip address
     encapsulation ppp
     dialer rotary-group 0
     dialer-group 1
     isdn switch-type basic-net3
     no cdp enable
    !
    interface Dialer0
     description Dialer fuer Remotelocation
     ip address 192.168.50.50 255.255.255.0
     encapsulation ppp
     no ip route-cache
     no ip mroute-cache
     dialer in-band
     dialer map ip 192.168.50.22 name REMOTE
     dialer-group 1
     no cdp enable
     ppp authentication chap
    !
    router bgp 65500
     no synchronization
     no bgp log-neighbor-changes
     network 10.13.0.0 mask 255.255.0.0
     timers bgp 5 16
     neighbor 10.22.1.2 remote-as 65500
     neighbor 10.22.1.2 update-source TokenRing0
     neighbor 10.22.1.2 route-map vpn_location in
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.13.25.200
    ip route 10.22.0.0 255.255.0.0 192.168.50.22 210
    ip route 10.22.1.2 255.255.255.255 10.13.25.200 3
    ip route 192.168.50.22 255.255.255.255 Dialer0
    no ip http server
    !
    dialer-list 1 protocol ip permit
    route-map vpn_location permit 10
     set ip next-hop 10.13.25.200
    !
    end

    CENTRAL#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 4000 Software (C4000-IS-M), Version 12.1(17), RELEASE
    SOFTWARE (fc1)
    Copyright (c) 1986-2002 by cisco Systems, Inc.
    Compiled Tue 03-Sep-02 16:32 by kellythw
    Image text-base: 0x00012000, data-base: 0x0097C7F8

    ROM: System Bootstrap, Version 4.14(7), SOFTWARE

    CENTRAL uptime is 3 weeks, 1 day, 2 hours, 57 minutes
    System returned to ROM by power-on
    System image file is "flash:c4000-is-mz.121-17.bin"

    cisco 4000 (68030) processor (revision 0xC0) with 32768K/4096K bytes
    of memory.
    Processor board ID 5054057
    G.703/E1 software, Version 1.0.
    Bridging software.
    X.25 software, Version 3.0.0.
    Basic Rate ISDN software, Version 1.1.
    2 Ethernet/IEEE 802.3 interface(s)
    1 Token Ring/IEEE 802.5 interface(s)
    4 ISDN Basic Rate interface(s)
    128K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102
     
    Manfred, Apr 29, 2004
    #1

  2. In article <>,
    Manfred <> wrote:


    As you can tell from the lack of responses, nothing obvious is wrong
    with your configuration.

    Are you allowing time for the floating static route to float into
    action? (Floating static routes are only updated during per-minute
    processing unless there is a hardware status change.)

    What does "show ip route" say on both routers when the VPN is down
    and ISDN is up?

    Good luck and good hunting!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and control their networking destiny
     
    Vincent C Jones, May 4, 2004
    #2
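The floating static mechanism both posts rely on, as an added example that is not part of the thread: a small Python model of REMOTE's routing table built from the routes in Manfred's configuration. It assumes the IOS default administrative distances (connected 0, static 1, iBGP 200) and shows that 10.13.0.0/16 follows the BGP route via 10.22.1.1 until BGP withdraws it and only then the AD 210 static via Dialer0, while the /32 for the BGP peer stays pinned to the VPN path; it also models the 'no ip classless' drop for destinations inside a known major network.

```python
from ipaddress import ip_address, ip_network

# Constructed model (not from the thread) of how IOS picks a route: longest prefix
# first, then lowest administrative distance (AD). A static route with AD 210
# "floats" below the iBGP route (AD 200) and is used only once BGP withdraws it.

def classful(addr):
    """Classful major network (/8, /16 or /24) of an address."""
    length = 8 if addr.packed[0] < 128 else 16 if addr.packed[0] < 192 else 24
    return ip_network(f"{addr}/{length}", strict=False)

class Rib:
    def __init__(self, classless=True):
        self.classless = classless
        self.routes = []            # (network, AD, next hop IP or interface name)

    def add(self, prefix, ad, via):
        self.routes.append((ip_network(prefix), ad, via))

    def best(self, dst):
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        route = max(matches, key=lambda r: (r[0].prefixlen, -r[1]))
        if not self.classless and route[0].prefixlen == 0:
            # 'no ip classless': inside a known major network there is no fallback to the default
            major = classful(dst)
            if any(r[0].prefixlen and r[0].subnet_of(major) for r in self.routes):
                return None
        return route

    def forward(self, dst, max_depth=8):
        """Egress (interface, next hop) after recursive next-hop resolution, or None."""
        route, next_hop = self.best(dst), None
        while route is not None and not route[2][0].isalpha() and max_depth:
            next_hop, max_depth = next_hop or route[2], max_depth - 1   # 'via' is an IP
            route = self.best(route[2])
        if route is None or not route[2][0].isalpha():
            return None                          # no route, or next hop never resolves
        return (route[2], next_hop or dst)

def remote_rib(bgp_up=True):
    """REMOTE's table as configured in the thread (IOS default ADs for each source)."""
    rib = Rib(classless=False)                             # REMOTE has 'no ip classless'
    rib.add("10.22.0.0/16", 0, "Ethernet0")                # connected
    rib.add("0.0.0.0/0", 1, "10.22.1.1")                   # static default
    rib.add("10.13.0.0/16", 210, "192.168.50.50")          # floating static, AD 210
    rib.add("10.13.1.8/32", 3, "10.22.1.1")                # pins the BGP peer to the VPN path
    rib.add("192.168.50.50/32", 1, "Dialer0")              # next hop of the floating static
    if bgp_up:  # iBGP (AD 200); route-map vpn_central rewrote its next hop to 10.22.1.1
        rib.add("10.13.0.0/16", 200, "10.22.1.1")
    return rib
```

Calling remote_rib(False).forward("10.13.5.5") is the state Vincent asks to confirm with "show ip route": the AD 210 static has taken over and resolves through Dialer0.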
