SmokeyMountian_Tech
New Member
July 17, 2020
Question

OSPF VS Static Routes (When IPsec tunnel is active we lose internet access)


60D 6.0.9

The primary internet connection is on a dedicated private fiber line using OSPF, and also has a 0.0.0.0 static route.

A backup internet connection with an IPsec tunnel back to the main office is also configured.

 

What happens is when the IPsec tunnel is active on the backup internet connection, we lose our internet access.

IPsec tunnel has a Static route with higher value Distance and Priority settings than the Static Route for the primary fiber connection.

 

They still have access to the private network, but lose internet access.

 

Sorry, I haven't done much with OSPF so lots of questions:

How do I have OSPF as a primary connection with IPsec backup? (I know you can set a monitor on the IPsec tunnel, but our primary connection to our main office is over Wan port and not another IPsec tunnel)

 

Would I add the IPsec to the interface list under OSPF and set it to a higher cost?

If that's the case, do I still need the static route entry for the IPsec tunnel? 

The IPsec tunnel is linking 192.168.7.x to 10.4.1.x and 10.1.1.x subnets. 

OSPF is currently set up on 10.255.255.x network. 

So if I add the IPsec interface into OSPF, would I need to add the 10.4.1.x and 10.1.1.x into the Networks box on OSPF?

If I add 10.4.1.x and 10.1.1.x to OSPF on my remote side, our main office firewall would also need to have those subnets configured too right?

    1 reply

    live89
    Explorer III
    July 19, 2020

    hey

     

    could you post the output of the active routing table ?

    get router info routing-table all

    If I understood you correctly, your OSPF neighbor is advertising a 0.0.0.0/0 default route to you.

    If that's so, the distance for the OSPF route should be lower than the IPsec static route.

    By default:

    Static routes distance is 10, and OSPF is 110

    So, you should configure the IPsec static route to, let's say, 120 for example.

     

    And you may need to execute "exec router restart" for the new distance config to become effective.

    SmokeyMountian_Tech
    New Member
    July 20, 2020

    That's probably what's needed. 

    I wonder why OSPF routes default to 110, when a default on Static Route is 10?

     

    If you have your networks defined in OSPF, do you need to program Static Routes to reach the same networks?

     

    Routing table for VRF=0
    S* 0.0.0.0/0 [20/0] via 10.255.255.1, wan2
     [20/0] via xxx.xxx.xxx.xxx, dmz, [10/0]
    O E2 10.0.0.0/9 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O 10.1.85.0/24 [110/2] via 10.255.255.3, wan2, 5d19h54m
    O 10.2.85.0/24 [110/2] via 10.255.255.2, wan2, 5d19h54m
    O 10.4.1.0/24 [110/2] via 10.255.255.1, wan2, 4d17h22m
    O E2 10.212.130.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
    C 10.255.255.0/24 is directly connected, wan2
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/32 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/28 [110/10] via 10.255.255.1, wan2, 4d17h22m
    C xxx.xxx.xxx.xxx/30 is directly connected, dmz
    O E2 xxx.xxx.xxx.xxx/27 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 xxx.xxx.xxx.xxx/29 [110/10] via 10.255.255.1, wan2, 2d02h24m
    C xxx.xxx.xxx.xxx/24 is directly connected, wan1
    O E2 172.16.16.0/24 [110/10] via 10.255.255.1, wan2, 4d17h23m
    O E2 172.16.51.69/32 [110/10] via 10.255.255.1, wan2, 00:18:17
    O E2 172.30.254.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 192.168.0.0/16 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O 192.168.1.0/24 [110/2] via 10.255.255.12, wan2, 5d19h54m
    O 192.168.2.0/24 [110/11] via 10.255.255.6, wan2, 5d19h54m
    O 192.168.4.0/24 [110/2] via 10.255.255.4, wan2, 5d19h54m
    O 192.168.5.0/24 [110/2] via 10.255.255.5, wan2, 5d19h54m
    O E2 192.168.6.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
    C 192.168.7.0/24 is directly connected, internal
    O 192.168.8.0/24 [110/2] via 10.255.255.8, wan2, 5d19h54m
    O 192.168.9.0/24 [110/2] via 10.255.255.9, wan2, 5d19h54m
    O E2 192.168.10.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O E2 192.168.11.0/24 [110/10] via 10.255.255.1, wan2, 03:10:22
    O E2 192.168.12.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
    O 192.168.13.0/24 [110/2] via 10.255.255.13, wan2, 4d02h43m
    O 192.168.14.0/24 [110/2] via 10.255.255.11, wan2, 5d19h54m
    O 192.168.15.0/24 [110/2] via 10.255.255.14, wan2, 5d19h54m
    O E2 192.168.16.0/24 [110/10] via 10.255.255.1, wan2, 3d09h38m
    O 192.168.17.0/24 [110/2] via 10.255.255.10, wan2, 5d19h54m
    O E2 192.168.18.0/24 [110/10] via 10.255.255.1, wan2, 4d17h22m
    S xxx.xxx.xxx.xxx/27 [20/0] is directly connected, VPN2Wallingford
    O E2 xxx.xxx.xxx.xxx/30 [110/10] via 10.255.255.1, wan2, 4d17h22m
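
Added example, not part of the original thread: a small Python parser for routing-table output in the format posted above, showing which interface a destination leaves by (longest-prefix match) and how the administrative distance from the reply decides whether traffic takes the tunnel or the OSPF path. The sample lines are constructed, 198.51.100.0/27 stands in for a redacted prefix, and the IPsec 0.0.0.0/0 candidate in `default_route_winner` is a hypothetical that follows the reply's reading of the problem.

```python
import ipaddress
import re

# Constructed sample in the page's `get router info routing-table all` format;
# 198.51.100.0/27 stands in for a redacted prefix.
SAMPLE = """\
S* 0.0.0.0/0 [20/0] via 10.255.255.1, wan2
O E2 10.0.0.0/9 [110/10] via 10.255.255.1, wan2, 4d17h22m
O 10.4.1.0/24 [110/2] via 10.255.255.1, wan2, 4d17h22m
C 192.168.7.0/24 is directly connected, internal
--More-- O 192.168.14.0/24 [110/2] via 10.255.255.11, wan2, 5d19h54m
S 198.51.100.0/27 [20/0] is directly connected, VPN2Wallingford
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z][A-Z0-9])?)\s+(?P<prefix>[\d.]+/\d+)"
    r"(?: \[(?P<dist>\d+)/\d+\])?"
    r"(?: via [\d.]+| is directly connected),\s*(?P<dev>[\w.-]+)"
)

def parse_routes(text):
    """Parse table lines; pager markers and extra ECMP next-hop lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.replace("--More--", "").strip())
        if m:
            routes.append({"net": ipaddress.ip_network(m["prefix"]),
                           "code": m["code"], "device": m["dev"],
                           "distance": int(m["dist"] or 0)})  # connected: no [d/m]
    return routes

def lookup(routes, dst):
    """Forwarding decision: longest-prefix match over the active table."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)

def default_route_winner(ipsec_distance, ospf_up=True):
    # Among candidates for the same prefix, the lowest distance is installed.
    # Assumption: the IPsec static is a 0.0.0.0/0 competing with an OSPF default.
    candidates = [{"device": "VPN2Wallingford", "distance": ipsec_distance}]
    if ospf_up:
        candidates.append({"device": "wan2", "distance": 110})
    return min(candidates, key=lambda c: c["distance"])["device"]

if __name__ == "__main__":
    print(lookup(parse_routes(SAMPLE), "10.4.1.20")["device"],
          default_route_winner(10), default_route_winner(120))
```

With the static default distance of 10 the tunnel wins over the OSPF default (110); at 120 the tunnel is only installed once the OSPF route is withdrawn.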