Failover of a link

Similar Messages

• Failover ISDN backup link

  I have situation where half of my network is connected with one central location and other half with second central location. Every router is connected with primary frame-relay link and ISDN as backup link (floating static route conf).
  I need to configure that in case backup link can't manage to connect with one central location start connection with second central location. Failover ISDN backup link. Any sugestions? Thanks

  Configure the two numbers under dialer interface. These will be tried in sequence, and in fact if things are configured properly it will be no problem if some branches are connected to primary hub and some to secondary.
  Hope this helps, please rate post if it does!

• Exchange 2010 failover of 2 Links

  Good Afternoon, Evevryone
  I have the following scenario.
  TMG as edge.
  Exchange the internal network as
  CAS, HUB and MailboxServer.
  I do not use Exchange edge.
  I have 2 internet link.
  The external clients access Exchange
  via OWAPP, Activesync,
  Outlook Anywhere through webmail.dominio.com.br
  name that points to one of my internet
  IPs.
  Well I would like to create one
  failover. If the Link that
  p falls webmail be redirected
  to the IP of another internet link.
  Is this possible?
  I did a search and the only
  thing I found was that we put the
  TTL Host pointing (in my case)
  webmail with at most 5 minutes.
  If the link drop I change the
  IP of the host webmail
  for the other link is working.
  There is no way to automate this? Remembering that it is
  for OWAPP, Activesync,
  Outlook Anywhere services.
  To receive e-mail I use good old
  MXs.
  Fazzani - MCP, MCSA, MCTS-ISA,VISTA

  HI 
  YOu need to think of ISP failover in your case  if one line goes down second will  kick in. 
  Or you might need to think of Adding an additional public IP address to the External DNS and pointing it to a cas server but still the load will be distributed equally to 2 ip's
  You can try to accomplish this with TMG 
  Similar thread for your reference
  https://social.technet.microsoft.com/Forums/en-US/b0133ede-b198-4736-9edb-b7b9f82db5e2/how-to-publish-owa-anywhere-active-sync-in-case-of-dr
  Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com Thanks Sathish
  (MVP)

• ASA redundant failover links

  Hi,
  We are setting up a new ASA which is in multi context mode.  I was wondering if it is possible to setup redundant failover and state links?  I know that it is possible to run failover on one link and state on another, or both over the same link, but is it possible to have both failover and state running on 2 links?  For example, failover and state on ten1/0 as well as failover and state on ten1/1.
  Hope I have explained my question well enough.  If not I will try to explain better.
  thanks

  I would suggest to make a redundant logical link and attach two physical links to it. Than during failover link configuration specify your redundant link as a failover link. Not sure if it works but dont see any obstacles for this solution to fail..

• Reroute some vrf traffic between 2 sites over redundant link

  hey guys,
  We have a single client (in vrf) with 2 sites in different states and running over our mpls core.. Our primary link in our core is experiencing degredation of service and want to route this client over our redundant link while keeping all other clients going over our primary link - is this possible?
  The client in question has its own vrf (L3VPN) at both sites and is running over mpls between both sites. We want to re-route this particular client to take our backup path, while keeping everyone else between both sites going over the primary. We are not using TE, instead LDP to build MPLS.
  I don't believe this is possible to only re-route one client, however I thought I would ask the question.
  We cannot failover to secondary link for everyone between both sites because the link doesn't have the capacity.
  Thanks in advance.

  Hi,
  Using MPLS TE would certainly be an option. You would need to setup an MPLS TE LSP over the backup. You would also need to configure a separate lookback interface on each PE and use this loopback interface address as the next hop for the specific VRF
  ip vrf X
  bgp next-hop loopback 999
  ip route 255.255.255.255 Tu1
  This way you would make sure that only the traffic for this specific VRF would travel over the TE tunnel.
  Regards

• IP Failover between nic cards, not servers

  This maybe a very simple question, I just haven't found the answer to it...
  Our Xserve's are running on a Cisco switch and a switch port for the primary NIC card of one AFP server recently failed.
  While the server had both cards connected to the switch and the second NIC card was live, the users lost connectivity to the internal server address (internal DNS) as is was pointing only to the primary IP address of that server.
  This makes sense as there was no mechanism to tell the server to start using the secondary IP address.
  We are now planning to connect all secondary NIC's to a second switch for both the LAN and the DMZ (VLANs) for better redundancy.
  The DMZ uses IP addresses only due to port forwarding.
  My question is now what is the best way to continue services on a secondary NIC if the first NIC fails.
  Add a new DNS entry for the LAN? If so, how? Just enter the secondary NIC IP with the same server name?
  Use FAILOVERBCASTIPS for the DMZ?
  IP Failover works great between machines, but can the server send heartbeat messages to itself (example: FAILOVERBCASTIPS="NIC1-IP NIC2-IP")?
  Is there any way to maintain the mount status of AFP volumes during the switch of IP's (since it's still the same machine)?
  Thanks in advance for your help!
  Xserve G5   Mac OS X (10.4.3)  

  Since you're using Cisco switches and are already familiar with VLANs, your simplest solution would be to use link aggregation to create a trunk between the Mac and the switch using both the NICs, then configure VLANs so that both subnets use the trunk interface rather than the physical interfaces.
  That way traffic for either IP address can traverse either NIC, and you get automatic failover (thanks to link aggregation) should either NIC fail.
  Note that this will only work if you're connecting to the same switch. If you have 'internal' and 'external' switches this won't work without some re-architecting of the network topology.

• Layer 3 redundancy; individual layer 3 links vs Portchannel

  Does anyone have evidence as to which technique is "better" (more reliable, faster)?
  Cat6500, dual SUP720, native IOS mode.
  Partial topology:
  Sw_1 (5/1)----Layer3 link----(5/1) Sw_2
  Sw_1 (5/2)----Layer3 link----(5/2) Sw_2
  In the above scenario, there will be 2 equal cost layer3 path from Sw_1 to Sw_2. So, on any link failure, we rely on IGP protocol (in our case, OSPF) for redundancy.
  If we have something like,
  Sw_1 (5/1)---L3 port-ch----(5/1) Sw_2
  Sw_1 (5/2)---L3 port-ch----(5/2) Sw_2
  Then, we have to rely on channel hashing algorithm for redundancy.

  Hi
  I did something like this this week - we found that both worked well, although the failover between the links wasn't great with port-channels.
  We have two 100Mb Ethernet presented circuits between two sites - we configured as an L3 port-channel (using 3750s at either end in this case). If you hard code them as on (channel-group 1 mode on) and the link went down beyond the NTEs the ethernet link to the switch never dropped, so the Etherchannel never failed the unavailable link.
  If we used PAgP/LACP the switches either end did detect the failure, however it took 2 minutes (presumably 4x the hello time) - this didn't seem to be tunable (at least on that platform).
  We ended up using OSPF to control the links - which failed over in a few seconds and also performs even-cost load balancing.
  With regard to load balancing FEC bases it's choice of path on source MAC, dest IP or some other factor - although this is configurable on some platforms you need to think it through and trial it for your traffic platforms to get near-even load balancing.
  Same applies to routing protocols really - you can per-packet load balance which should be pretty even but it's best avoided if using latency sensitive stuff like voice...
  Regards
  Aaron
  p.s. please rate helpful posts :-)

• Failover option(s) for remote site VPN

  Currently, I have several remote VPN locations, in which most of them of ISDN dial backup in case the primary connection goes down. Can I use DSL/T1 circuit as a failover/dial backup link? If so, please point me to the right direction in finding documentations. Thank you.

  As per your config, I guess you are referring to the VPN connectivity with Peer IP 166.149.125.81.
  If yes than you have missed the other subnets of main site in the ACL outside_cryptomap_1
  which have been mapped in the VPN with this Peer.
  object-group network DM_INLINE_NETWORK_2
  under this statement match the network-object with the subnets at main site that needs communication with the subnet 192.168.90.x/24 at remote site (same as you have done for 192.168.0.0/24 subnet)and vice versa.
  BR
  Please rate if this solve your problem.

• Pix Failover Configuration with 1 Public

  Have 1 PIX 515e (6.3(3)) in production that is currently assigned ip 1.1.1.2 w/ a 255.255.255.248 mask.  All of my remaining publically assigned ips are being used so I don't have a free ip for the standby ip on the outside interface.  Can I just do the standbys on the inside, failover and stateful link and not worry about having the standby for the outside?  I'll be using lan-based failover w/ a few ports vlan'd out on my 3560 for the failover and stateful links.

  Hello David,
  The Pix firewall is getting to end of life this month, on version 6.3 I don't think this is supported or what will be the behavior on this scenario, on version 7.0 and higher you can use the command:
  no monitor-interface if_name
  http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1582411
  And just monitor the other interfaces.
  I hope this helps.
  Regards,
  Felipe.

• Round robin DNS for load balancing between multiple network adapters (Xserve)

  I'm attempting to use 'round robin' DNS to load balance between the two ethernet adapters of an Xserve.
  Both ethernet adapters are connected to the same LAN and have static IP addresses of 192.168.2.250 and 192.168.2.251.
  The DNS zone for the server's local domain/host (macserver.private) has a machine record with both IP addresses (set up in the Lion Server UI).
  Having read up on round robin DNS, I would have expected DNS requests for 'macserver.private' to be answered with the two IP addresses ordered at random, achiving my aim of requests being served at random via each ethernet adapter.
  However this doesn't seem to be the case. Doing a 'nslookup' from any of the network clients results in the two IP addresses being listed in the same order everytime. And pinging 'macserver.private' only ever results in a response from the same address.
  Does anyone know why this is the case? Does Lion Server use a non-standard DNS configuration? Are there any additional settings I need to configure in Lion's DNS server to make adopt a round robin approach to responding to requests?
  Thanks in advance for any help!

  Be careful what you wish for
  Round Robin DNS is rarely the best option for 'load balancing'. At the very least it's subject to caching at various point on the network - even at the client side, once the client looks up the address it will cache that response - this means that subsequent lookups may be served from the client's cache and not refer back to the server. Therfore any given client will always see the same address until the cache expires.
  I suspect this is what you're seeing.
  You can minimize this by setting a lower TTL on the records. This should result in the response being cached for a shorter period, meaning the client will make more requests to the server, with a higher change of using the 'other' address.
  However, you're also going to run into issues with the server having two interfaces/addresses in the same LAN. This isn't recommended.
  As Jonathon mentioned, you may be better off just bonding the two interfaces. This will provide an automatic level of dynamic load balancing without the latency of DNS caches, as well as automatic failover should one link fail (as opposed to round robin DNS which will cause 50% of requests to fail until the client cache expires and a new lookup is performed (and, even then, there's still a chance the client will try to use the failed link).

• ASA 5520: Configuring Active/Standby High Availability

  Hi,
  I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.
  I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).
  I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
  I tried this using a crossover cable to connect the interfaces directly with the same result.
  Any ideas?
  Thanks.
  Dan

  The command Varun is right.
  Since you want to know a little bit more about this stuff, here goes a bit. Every interface will have a secondary IP and a Primary IP where the Active/Standby pair will exchange hello packes. If the hellos are not heard from mate, the the unit is delcare failed.
  In case the primary is the one that gets an interface down, it will failover to the other unit, if it is the standby that has the problem, the active unit will declare the other Unit "standby failed). You will know that everything is alright when you do a show failover and the standby pair shows "Standby Ready".
  For configuring it, just put a secondary IP on every interface to be monitored (If by any chance you dont have an available secondary IP for one of the interfaces you can avoid monitoring the given interface using the command no "monitor-interface nameif" where the nameif is the name of the interface without the secondary IP.
  Then put the commands for failover and stateful link, the stateful link will copy the connections table (among other things) to avoid downtime while passing from One unit to another, This link should have at least the same speed as the regular data interfaces.
  You can configure the failover link and the stateful link in just one interface, by just using the same name for the link, remember that this link will have a totally sepparate subnet from the ones already used in firewall.
  This is the configuration
  failover lan unit primary
  failover lan interface failover gig0/3
  failover link failover gig0/3
  failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
  failover lan unit secondary
  failover lan interface failover gig0/3
  failover link failover gig0/3
  failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
  Make sure that you can ping each other secondary/primary IP and then put the command
  failover first on the primary and then on the secondary.
  That would fine.
  Let me know if you have further doubts.
  Link for reference
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
  Mike

• VFM (Virtual File Manager): End of life and replacement products

  In our organization, we are heavy users of VFM (Virtual File Manager) for DFS management and file replication.  Unfortunately VFM is going end of life in Nov 2012 and we have not been able to find suitable product(s) to replace its functionality.We have looked at many alternate products, including Autovirt and ScriptLogic SecureCopy for DFS management and file migration/replication and have not found a suitable replacement so-far.  The products we have seen so-far do not scale well for larger environments and do not provide the ability to import or batch create tasks.  For the DFS management functionality, it looks like Netapp may be able to create a custom tool for us, but we have not found anything suitable from the replication/migration side of things.  Either way, off the shelf products would be preferable to a custom made tool if available.Here is a breakdown of the VFM features that we use and their importance to our teams:Feature UsedFeature TypeFeature DescriptionImportanceAvailability PoliciesAdmin View, Namespace PoliciesDFS Link replicationHigh, used to replicate DFS namespace between serversBackup PoliciesAdmin View, Namespace PoliciesBackup DFS namespaceHigh, used for contingencyClient Recovery PoliciesAdmin View, Business Continuity PolicyAlllows failover of DFS links from PROD to DRHigh, used for BCP / DRCreation PoliciesAdmin View, Namespace PoliciesFiler recovery policies Admin View, Business Continuity PolicyDFS link managementVery, currently used for contingencyMigration PoliciesAdmin View, Data Movement PolicyData copy/ migrationHigh, many migrationsReplication PoliciesAdmin View, Data Movement PolicyServer recovery policiesAdmin View, Business Continuity PolicyDFS link managementVery, currently used for contingencyVFM GUILogical View, add linksDFS link addition / update / deleteVery, used to manage all links
  We are looking for suggestions for replacement products for the functionality of VFM.  Has anyone identified a successor for VFM that would still work within larger environments?  Any suggestions would be appreciated.

  You can get the same functionality that was provided by this product if you take a slightly different approach by using symlinks or CIFS widelinks.  I've been using a script I wrote which effectively replaced what we were doing in Netapp VFM. I create symlinks in the main share that I consider to be the primary tier of storage. The symlinks are to the folders residing on secondary SATA tiers of storage. This script parses through the secondary tier, then adds said symlink into the main tier. To enable this you basically change the options in your share to allow external shares to be traversed (though, it's on the same storage system itself). Create a hidden clone share for the primary tier and change the option on that share to not follow external links/only allow internal. That share will then show the secondary tier folders as 0 byte files that are the shortcuts, you can literally manage those by deleting those files, or using the remove-nafile command in the PowerShell toolkit. This is 7-mode still, but you could do this approach all the same w/ cifs widelinks. This script itself only parses and creates the symlinks that point to secondary tiers of storage, it isn't doing any data migration. You could very easily integrate it into a data migration workflow where you scanned your main tier for folders that have files that haven't been modified in say a year, then auto move those to the SATA tier, then run this script. You could go one step further and auto move them back to primary if you detect your SATA share were in use again, just delete the symlink shortcut and migrate back to primary by doing a standard copy from the one share to other. In addition, this in my opinion is better than using a DFS shortcut for reach folder on each tier of storage whereever it was (like NetApp/Brocade VFM did). Essentially the client was handling linking the shortcuts. This moves the responsibility to the server building and presenting the share and the client knows no different. On a Mac system, this makes a HUGE difference as it is only seeing one DFS pointer in this approach. You can download it here: https://gallery.technet.microsoft.com/scriptcenter/NetApp-symlink-generator-e1de2185

• Cisco VPN in Cluster

  how to route traffic for Remote end LAN from inside L3 switch to the firewalls in cluster. as firewalls in cluster will have cluster ip only for outside interface & not to inside interface.

  If by firewall in cluster you mean firewalls in failover then following link may help you for configuration
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml

• Througput towards 5555x from 68k for Firewall contexts

  If you were connecting a 5555x to a 6500, would you use a single port channel with 8 uplinks, or two 4 port etherchannels, with one representing the "out" and one representing the "in"
  I intend to use ten or more contexts, and in the past have done this with a FWSM, which had a 6 gig etherchannel on the chassis backplane.  I imagine that using one etherchannel would be similar to the FWSM approach.
  Would there be any benefits in using 2 ether channels with a concept of in and out? If so why.  Any design insight at the physical layer would be appreciated.
  Or further to this - would you use 6 ports and keep 1 or 2 ports dedicated for the failover and state interfaces, rather than run these interfaces as sub-interfaces that traverse the switching infrastructure. - Update - have to use 6 links, not 8:
  •If you use an EtherChannel interface for a failover or state link, then to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used. You cannot alter the EtherChannel configuration while it is in use as a failover link. To alter the configuration, you need to either shut down the EtherChannel while you make changes, or temporarily disable failover; either action prevents failover from occurring for the duration.
  •Although you can configure failover and failover state links on a port channel link, this port channel cannot be shared with other firewall traffic.
  I have attached a small diagram to explain the physical / logical differences. (6 interfaces total - as this would be dedicated failover link scenario)

  Hi Nick
  The Cisco recommendation was always to use an even number of ports in the etherchannel because this worked better with their load balancing algorithm but I'm not sure how relevant this is nowadays.
  So leaving that aside personally I would use just one etherchannel between the firewall and the switch.
  The issues with using two that I see are firstly unless your traffic patterns are 50/50 in terms of traffic going to and coming from the firewall you are not going to utilise the links evenly. For example an FTP request is small but the resulting download could be very large and a fair number of applications work like this.
  Which would mean one etherchannel could be very heavily utilised, if not oversubscribed, while the other one could be just ticking along.
  Secondly if you use two etherchannels a single port failure could have a much more pronounced effect on throughput especially if the etherchannel is the one being utilised more because of traffic direction.
  You don't gain any extra redundancy from having two separate etherchannels so I personally can't see any advantages to it but that doesn't mean there aren't any so happy to discuss if you feel there are.
  Obviously whichever you use spread the ports across modules for maximum redundancy.
  I should say though that I have never done this where I needed that much throughput to a firewall other than using an FWSM which as you say does not have these concerns.
  Edit - I assumed when you referred to in and out you were referring to traffic direction and it was not related to contexts. if I have misunderstood please clarify.
  Jon

• Leased Line Redundancy

  Hi
  I'm just wondering what would be the best way to implement leased line redundancy using serial connections.
  I have Site A (Main) and Site B (Branch). I have two links between both but am currently only using one of these links. If link one failed I want link two to kick in.
  I am currently using static routes on the routers.
  I will attach a network diagram showing the current setup.
  Thanks in advance!

  Hi
  I'm just wondering what would be the best way to implement leased line redundancy using serial connections.
  I
  have Site A (Main) and Site B (Branch). I have two links between both
  but am currently only using one of these links. If link one failed I
  want link two to kick in.
  I am currently using static routes on the routers.
  I will attach a network diagram showing the current setup.
  Thanks in advance!
  Hi,
  If you want to achive only active/standby configuration then configure one router as active and other one as stanby for lan traffic going out using HSRP implementation in lan side of both the routers making gateway as virtual ip of the group for lan subnet and also configure tracking along with IP SLA so in case of failover of the link automatically the standby router will be become active for lan user as tracking will decrement the pirporty of active router.
  http://cisco.biz/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swhsrp.pdf
  Hope to Help !!
  Ganesh.H
  Remember to rate the helpful post