What I currently have is a Cisco 891W Router as well as two ISP's (both with dynamic IP's) in. I'm currently just running one of my modems into the 891 through the FE8 port and then if for some reason I have an internet failure switching the ISP modems. What I'm wondering is if there is a fairly simple way to configure (and attach) both modems to this router and then set it up to handle this failover automatically?
View 1 RepliesI have a two fiber connection from our Central Office(6513) to Remote office (6509). I have a requirement that on the remote office if one of the fiber goes down, the second fiber should work as a failover. I am planning to use SUP720-3B SFP to connect to the CO.
Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G5/2? or Can I connet one fiber to Sup720-3b G5/1 & another fiber connection to G6/2? I am running EIGRP between sites. Any sample config.
sup-bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin"
Working with wired Cisco equipment for many years, but trying to configure an integrated wireless AP for the first time.
I have a Cisco 891w router with the following software (main and integrated AP801 wireless AP):
1. Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 12.4(22)YB
License Level: advipservices
2. Cisco IOS Software, AP801 Software (AP801-RCVK9W8-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)
Opening a connection to integrated AP801 wireless device for performing wireless configuration tasks, the connection is established OK, authentication is passed OK using credentials from main configuration file, gaining level 15 privileges with enable command, but after that... no way to enter "Global Configuration mode" because there are no "configure" family commands present!!! Simply can't say "Conf t" because there is no such command!
I run 2 RV042 V1 for home and office with Gateway to Gateway VPN connection with single WAN connection in use. Everything works like a charm!
I was even able to create VPN connection with 2 WAN connection on one Router and 1 WAN connection on another with Smart link failover and VPN Tunel Backup.
I got problem though when i tried more complex connection diagram. [URL]
So basically I now have 2 ISP connections on each point with Static IPs and I'd like VPN Connection to be alive for ALL 4 options automatically with failovers (smart links) And tunel backups but i'm not sure if that's ever possible with my equipment.
Below is the config has done on my 881g but the dual NAT failover is not working.I have a easy vpn over NAT (easy vpn firewall: 10.10.10.2 behind the router).
1. After completed the config, I shut down the FastEthernet4, cleared the nat translations, found that nat translations are happening on to Cellular0 with error ( Incomplete ESP translations: 0 esp_conn=0x85A91FF0, hanging off nat entry 0x85A7D1D0)But still the easy vpn is not up as I am not able to ping the remote devices.
2. If I reboot the router then the nat translations are happening with no above error and easy vpn is up and I am able to ping the remote servers. Below is the config, what needs to be done to achieve the NAT failover and easy VPN up.
interface FastEthernet4 bandwidth 2048 ip address 206.206.206.2 255.255.255.240 ip flow ingress ip nat outside ip virtual-reassembly duplex auto speed auto interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer in-band dialer string gsm dialer-group 1 async mode interactive ppp chap hostname. [code]
In my network we have 2 ISPs connections 2mbps from different service providers are terminated in two different routers (Cisco 3845).Now i want to achive if one router fails(ISP down) next router has to up and if both the links is up i need to achive load balance for both the routers(ISPS).i need 100% uptime.
How can I configure the routers, any examples to achieve the HW failover.
I'm trying to see if I can use both ethernet ports on a 2811 to run hsrp for non-stacked dual switch fail over. Then link the the NM-32A ports to L0, so the remote access server trying to use them can use the l0 ip and failover much faster (it's programming is limited). This is on IOS 12.4(25)f, though we are moving to 15 soon.
View 2 Replies View RelatedWe had an interesting situation after an electrical storm moved through where a few of our dual WAN clients didn't have any Internet connectivity. Generally speaking, they are on a wireless broadband and something like DSL/cable/T1. One customer in particular has a cisco 1941 router setup for dual WAN which tested fine during install (pull either connection, external IP changes dynamically and no difference is noticed by user). Well, this storm knocked the wireless broadband out enough that it wasn't usable, but would respond to pings randomly. Because the wireless is the fastest of the two connections it has a higher priority but because it was down but still responded to some pings, the traffic didn't go through the DSL that didn't go down. how to make the dual WAN more reliable in these partial-down situations? I thought about playing with the network service detection (we have a customer on an RV042 who experienced the same problem) but am not real sure what I could change that would make the connection more reliable, especially on the 1941 router.
View 1 Replies View RelatedI am having a hard time getting tunnel fail over working. My setup is illustrated below:
I derive my default route on the border routers. The 6513 peers with the 7206's using BGP to get the default route from each ISP into the core. On the core I use BGP weighting to get my primary default to point to ISP1. So far so good. When I look at my core I see to defaults with ISP1 preferred.
Each ASA has an IP Sec tunnel to the head end site configured (Not shown). The head end site has a crypto map entry with ISP1 and ISP2 defined (in that order) using the "set peer" command.
Fail over works great if an ISP drops the connection or my 7206 or ASA fails, but... While testing fail over I had an issue where both tunnels would be active and there were issues with traffic between sites. I could not determine the root cause. I can only guess that some traffic was going out one tunnel and when trying to come back across the other tunnel was dropped from the firewall because there was no connection built for it. After reading I found that in order to use multiple peers in the "set peer" statement, I needed to configure my head end as "originate-only". I have not done this yet as I have concerns. If the head end site is "originate-only" and the tunnel, for whatever reason drops, I cannot wait for interesting traffic at the head end site bound for this site to bring up the tunnel as most of the traffic originates at this site.
I have been reading about IKE keep alives and DPD but that doesn't sound like it will re-initiate the tunnel. Is this correct? If so I'm looking for a way to make this work.
I have a 1921 router with two wan interface configured, one is primary and the other is standby or backup in case the primary goes down, I was able to configure links to failover from primary to backup once there primary is down, but how do I configure to make sure when primary is up it failbak to to it. [code]
View 3 Replies View RelatedI am putting together a solution for a client. The client has an MPLS circuit and internet as a backup circuit. I understand that we can do WAN failover using ASA5510 appliance.Now, if i am adding dual ASA5510 active/standby mode, How do i automatically failover WAN circuits to standby firewall if both MPLS and Internet circuits are connecting to primary ASA5510. Should i connect MPLS circuit to ASA1 and Internet circuit to ASA2? Ideally, i want both circuits to connect to primary ASA5510 for automatic WAN failover. My concern is , if the primary ASA5510 fails which has WAN and Internet circuits connected , do i need to manually switch connection from primary to standy? The goal is to fully automate wan failover and asa failover .
View 5 Replies View RelatedWe have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
I had a look at ppp multilink but I am unsure our ISP (BT) support this?
!! Last configuration change at 13:18:34 UTC Tue Mar 29 2011!version 15.0service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname xxxxxx
[Code]......
I have a Cisco 2851 (c2800nm-advipservicesk9-mz.124-25d.bin) Router configured with one site-to-site vpn. Is it possible to configure a failover vpn tunnel on this router?
View 8 Replies View RelatedI have 2 PIX 525, which one of them, step and active failover mode the other PIX 525, leaving this off, do not know what happened may have been a power outage, but in any case I can turn it back on? And the other question I have is if I can import a configuration that I have saved on my computer. i have the PIX device manager.
View 11 Replies View RelatedI have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection. We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP 2 in locaiton B We also want to have context B using the ASA in location B with ISP 2 as the primary and failing over to ISP1 in location A Would route tracking provide the desired result? Is there a better option?
View 1 Replies View RelatedI discover an issue with my CISCO ASA 5550 because I'm looking at the vlans that I have configured and some vlans on the Stand by device had not an IP address configured, checking the configuration of the failover
View 2 Replies View Relateddoes cisco 2811 support?if no, can i make it work for BGP?also, i want to know the configuration of bGP for twoo ISPs for link failover.it will be google if u tell me step by step approach for configuring it
View 1 Replies View Relatedsample configuration for internet failover . i have 2 ISPs with one coming in thought a serial cable and another through internet and would wish one take over after the other has failed .The router is Cisco 1921 .
View 4 Replies View RelatedClient has an ASA5505 anchoring an MPLS network. One of their branch offices is experiencing frequent circuit outages due to theft of copper lines. I am looking at an 881G with wireless aircard as a backup solution and creating a VPN tunnel to the ASA but am unsure about how to handle routing on the ASA. There will already be a route for the branch subnet for the MPLS network.
View 2 Replies View RelatedWe have ASA running code 8.0.4 with Active/Standby for quite long time. Today when we gave the command wri standby it started sync the config to standby ASA but waited forever.when we checked the show failover, we got the following result.
This host: Secondary - Active
Active time: 1928633 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface PERIMETER-MGMT (10.12.8.1): Normal (Not-Monitored)
Interface OUTSIDE (86.36.xx.xx): Normal (Waiting)
[code].....
When we console to Standby ASA and tried to save (wri mem), we got the following error and also please note the hostname has become default...?
ciscoasa(config)# wri memory
Building configuration...
Command Ignored, Configuration in progress...
[FAILED]
and when we tried to give following command we got this error:
ciscoasa(config)# copy running-config startup-config
Source filename [running-config]?
%Error reading system:/running-config (Configuration temporarily locked)
ciscoasa(config)#
I see here the standby ASA IPS module is down, but can that issue cause not sync the config backup and writing to nvram (save config)..?
I have 2 ASA 5540s ver 8.3 in Active/Standby state.I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups. Doing so obviously has a major impact on the current primary configuration. My goal would be to minimize or eliminate network downtime during the interface changes.
I am wondering if it is possible to force the secondary ASA from the standby to active state.Then temporarily disable failover on the primary unit.Make the interface changes on the primary unit Then reactivate failover on the primary unit Force the primary unit back to active and secondary unit to standby My new interface configuration would then sync from the primary to the secondary.
I believe this would work but must ensure that the secondary ASA can function as the active unit while the failover is disabled on the primary unit. Is there a set length of time the secondary unit can remain active without a failover peer?
see issues with operating the secondary unit in this manner while making changes to the primary unit?
Our servers are hosted at the Main site, site office A access to the Main site for Internet and servers. We are thinking NextG to take over when the link between sites goes down.
To start with, what is the configuration for 3750 at Site A and the Main site:
1) Trunking for both switches
2) Routing
3) the automatic failover configuration for the switch at Site A.
We have 2 ASA 5510's setup in an active, standby failover configuration. When the primary fails over to standby, the 3rd party cert does not failover to the standby ASA. The users then receive the CERT missing, invalid message and have to select yes, no to move on. This does not occur when the primary is not in failover mode. It is my understanding that failover fails over certs but in our case it does not apper to be working correctly.
View 1 Replies View RelatedI am trying to establish EIGRP neighborships with my inside switches (3750s) over the "Internal" interface, shown in green. The outside interface is g0/0 and don't worry, I've ensured EIGRP is not running there.The problem I'm having is that I need to monitor the "Internal" link so that if it goes down, the ASA triggers the failover to the secondary firewall connected to the other switch. I was told that the "secondary" keyword was what enabled this:
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.10.2.2 255.255.255.0 standby 10.10.2.3
This is fine since I am able to compare this config to the firewalls that are currently in production elsewhere in the environment and this is what's in use there. However, in order to run EIGRP all the way to the firewall and not rely on something else like HSRP for the inbound traffic, I'd like to run the corresponding links (Gi1/0/22) on the inside switches as routed ports (no switchport) so that I don't have to establish neighborships with SVIs or something like that. I want the routing to be done directly to the port, leaving the interfaces for failover and our DMZ set up as switchports, since those can be layer 2.It's saying the Internal interface has failed now, probably because it cannot send hellos through this, since it's a routed port on the switch side. I'm wondering if this simply is an impossible design, unless there's a way to track this interface and trigger a failover if it goes down using another method.a method that allows me to track that internal interface (Gi0/1) and trigger a failover if it goes down.
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
The basic setup Newly installed redundant ISP, thus setting up the 891 with dual WAN Using PFR to load balance between the two. Did initial config through CCP (not express), but I am familiar with the basics of IOS CLI (not used to the new zone based firewall yet, managed aour old Pix for too long, but that is a different subject)
I cannot seem to get anything but Gi0 to be accepted as a WAN interface. I go through the entire setup in CCP, test each connection, etc, and it all looks good until I exit out of CCP and go back in. At that point, I get squat out of Fa8. CCP won't let me test the connection, won't let me edit the connection, wont let me delete the connection. The wizard for a new WAN connection becomes available again (Wanting to set up a "second" WAN on Fa7...)
Again, I have verified connections to each ISP line independently, either one works just fine on Gi0, neither ever works on Fa8. This is my first real foray into PfR.
Building configuration...
Current configuration : 21486 bytes
Last configuration change at 18:59:43 UTC Mon Mar 26 2012 by admin
[URL]....
I have existing Sonic FW in my company we are moving from sonic FW to ASA 5510 Security plus lice. I have two ISP currently connected to sonic Firewall I am planning to implement Dual ISP configuration on ASA5510.
View 12 Replies View RelatedI've a RV082 with 2 internet connections.The idea is to permit external connections to my server and if one Internet line falls, automatically switch to the other.
We have configured the router in Smart Link backup.We try to connect with WAN1 and WAN2 enabled and all works fine.
We try to connect with WAN1 disabled and automatically WAN2 is activated.The problem start here...if WAN1 is activated while there are connections using WAN2, these connections falls!
How I must configure the router to permit that active connections are not disconnected from WAN2 even when WAN1 connection come back?
RV082 configured for Dual WAN [Code]....
(2) identical DSL connections, configured as Static IP (not PPPoE) with modems in bridged mode. Static IP's are /25 subnet and same gateway ** this may be a problem? Dual WAN set for Load Balance, network service detection is OFF
We have a 2003 terminal server running and successfully receiving connections through both WAN connections. Depending on location, half the users are connecting to WAN1 IP and the other half to WAN2 IP. We are getting sporadic disconnects of the remote users when they are idle for a couple minutes and automatic reconnection of the session takes over a minute. If they close the (locked up) session and reconnect manually it will let them in right away.
Could the handling of the Dual-WAN be the culprit? Could the same gateway for both WAN's create this issue upstream (out of my control)?I am going to move everyone to connecting through WAN1 and then change to Smart Link Backup and see if the issues persist.
Another thought is to use a secondary IP on the terminal server and use Protocol Binding to match "All traffic" for IP1 to WAN1 and IP2 to WAN2, which theoretically would stabilize the situation?
I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover. The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device. I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?
View 1 Replies View RelatedI have recently implimented an RV016 device into our network. We have a bonded T1 service with Paetec/Windstream (5 static IPs) and also a cable connection with Comcast (no static IP). The T1 has been our primary connection, and our MX and A records all use this IP address. I have the rules set and using a one-to-one NAT setup with our 5 IPs. Everything is working great with the T1 in place and email is flowing with no problems, however when I connect the cable into the WAN2 port and try to send email, its using that outbound connection, rather then the T1 and our spam filter is blocking it. So the email is rejected and we get this message below.
---------------------------------------------------------------------------
Delivery has failed to these recipients or groups:
xxxx@gmail.com (xxxx@gmail.com)Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.
The following organization rejected your message: (our smtp spam relay)
-------------------------------------------------------------------------
The reason for being rejected is just because it doesn't recongnize the IP address/gateway it is coming from.
My question is, how do I define that all email is sent out through our T1 connections IP address in the router?I see options for Advanced Routing or Bandwidth Management, but not sure what one I need to configure as I am not too familiar with these settings. I have Intelligent Balancer(Auto Mode) enabled as well by default.
The reason for adding the second internet connection is strictly for load balencing and getting some more bandwidth in our location.
I'm trying to configure cisco 1811 with dual isp internet connections. Everything is working fine till i get to setting up port forwards.The port forwards for 2nd ISP do not work while connection to 1st isp is active. If if shutdown the connection to isp1 the port forwards work fine.
here's relevant section of the config
Code:
track 123 ip sla 1 reachability
delay down 15 up 10
!
track 456 ip sla 2 reachability
delay down 15 up 10
[code]....
I can access the 192.168.2.131 web server using the ISP1 ip but not ISP2 ip If i shutdown ISP1 interface the server becomes accessible through ISP2.Also while ISP1 is active I can't remote desktop to 192.168.1.210There are no acls, firewall zones or anything else.
Will 2811 Router with 4 switch port module, How to do dual ISP configuration on this router.
View 10 Replies View Related