OER ingress traffic load-balancing issue

Jun 3rd, 2008


Cisco 1841 Advanced Security Image - OER Border router connected to business-class DSL

Cisco 2811 Enterprise Image - OER Master/Border connected to T1

Cisco 3750 Layer 3 IP Base image - Default Gateway to clients

Issue: OER is functioning well and the prefixes appear to be working correctly for traffic initiated by the client (generic web browsing). However, traffic such as VPN and SMTP that is initiated from the Internet is sometimes load balanced to the other border router, which kills the connection to the remote client. The remote clients are dynamic IP from users working from home, so there is no way that I can find to do a static prefix map. I have looked for weeks for a way to force traffic flows to go through the router it was initiated through for SMTP and VPN, but no luck. Anybody have an idea?

Thanks in advance.

bmg4357 Wed, 06/04/2008 - 04:42

If I'm reading that correctly, it looks like it is speaking of a single border router connecting to two different ISP's. In my design, I actually have two border routers, each connecting to an ISP. NAT is being performed on each border router.

Also, I have noticed that the packet drops actually occur right after a prefix learning cycle. For example, I can ping router A and not router B. After prefix learning occurs, I can ping router B but not router A. This cycle repeats every time prefix learning occurs.

Joseph W. Doherty Wed, 06/04/2008 - 08:22

With NAT on two different routers, you likely have an intractable problem. The reason outbound sessions aren't more of a problem is perhaps most are stateless. Even without OER, consider an outbound packet that takes path A, with one source IP translation. The return will be via the same path because of your NAT'ed IP, but if for ANY reason the next outbound packet to the same outbound destination goes via path B, with a different source IP translation, the destination will think the packet is from a different host. Of course, OER becomes a reason for packets sourced from the same physical host to take different paths at different times.

bmg4357 Wed, 06/04/2008 - 08:27

That is what I'm seeing. Now, to build upon that, is there a way to "exclude" traffic from being OER'd by port number? If I can exclude port 1721 and 25 that will probably work for me.

Joseph W. Doherty Wed, 06/04/2008 - 11:52

I don't think you can within OER but it might be possible within PfR. Not 100% certain since I haven't worked with explicit prefixes or applications in either, but PfR is much more application (port?) aware than OER, so you might be able to have PfR not learn traffic on those ports.
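The failure mode Joseph describes (a session whose return path, and therefore NAT source address, changes when OER moves a prefix) and the per-port flow pinning bmg4357 is asking for, modelled as a small Python simulation. This is an added example for this thread, not code from any poster and not Cisco code: the two routers, their public addresses, the inside server, the remote client and the pinned port set are all constructed for the demo, and the `ExitSelector` class only stands in for the OER master's prefix-to-exit decision plus an assumed "remember the ingress router per flow" rule; it does not reproduce IOS behaviour or any OER/PfR command.

```python
"""Toy model: two border routers, each NATing to its own ISP address, with an
OER-style master that re-homes a destination prefix after a learning cycle.
Shows why an Internet-initiated SMTP session dies on the prefix move, and
that pinning flows on chosen ports to their ingress router keeps them alive.
All addresses below are constructed (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


INSIDE_SERVER = "10.0.0.10"  # constructed: mail/VPN server behind both routers


class BorderRouter:
    """One border router (one per ISP) doing NAT to its own public address."""

    def __init__(self, name: str, public_ip: str):
        self.name, self.public_ip = name, public_ip

    def inbound(self, pkt: Packet) -> Packet:
        # Static NAT: traffic to this router's public IP lands on the inside server.
        assert pkt.dst_ip == self.public_ip
        return Packet(pkt.src_ip, pkt.src_port, INSIDE_SERVER, pkt.dst_port)

    def outbound(self, pkt: Packet) -> Packet:
        # Source NAT: anything leaving here carries THIS router's public IP.
        assert pkt.src_ip == INSIDE_SERVER
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


class RemoteClient:
    """Internet host; it only accepts replies matching a session it opened."""

    def __init__(self, ip: str):
        self.ip, self.sessions = ip, set()

    def connect(self, dst_ip: str, dst_port: int, src_port: int) -> Packet:
        self.sessions.add((src_port, dst_ip, dst_port))
        return Packet(self.ip, src_port, dst_ip, dst_port)

    def receive(self, pkt: Packet) -> bool:
        # A reply from a different public IP matches no session: dropped.
        return (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions


class ExitSelector:
    """Stand-in for the OER master: prefix -> exit, plus assumed flow pinning."""

    def __init__(self, routers, pinned_ports=frozenset()):
        self.routers = {r.name: r for r in routers}
        self.prefix_map = {}       # ip_network -> router name (what OER learns)
        self.pinned_ports = pinned_ports
        self.pinned_flows = {}     # (peer_ip, peer_port, local_port) -> router name

    def set_prefix(self, prefix: str, router: str):
        self.prefix_map[ipaddress.ip_network(prefix)] = router

    def note_ingress(self, inside_pkt: Packet, router: str):
        """Assumed rule: remember the ingress router for flows on pinned ports."""
        if inside_pkt.dst_port in self.pinned_ports or inside_pkt.src_port in self.pinned_ports:
            self.pinned_flows[(inside_pkt.src_ip, inside_pkt.src_port, inside_pkt.dst_port)] = router

    def exit_for(self, pkt: Packet) -> BorderRouter:
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_port)
        if key in self.pinned_flows:            # pinned flow wins over the prefix map
            return self.routers[self.pinned_flows[key]]
        addr = ipaddress.ip_address(pkt.dst_ip)
        for net, name in self.prefix_map.items():
            if addr in net:
                return self.routers[name]
        raise LookupError("no exit for " + pkt.dst_ip)


def run_session(pin: bool) -> List[bool]:
    """Inbound SMTP session; a learning cycle moves the client's prefix to B
    between two server replies. Returns whether each reply reached the client."""
    a = BorderRouter("A", "198.51.100.1")
    b = BorderRouter("B", "203.0.113.1")
    master = ExitSelector([a, b], frozenset({25, 1723}) if pin else frozenset())
    master.set_prefix("192.0.2.0/24", "A")
    client = RemoteClient("192.0.2.50")

    syn = client.connect(a.public_ip, 25, 51234)   # client opens SMTP via router A
    master.note_ingress(a.inbound(syn), "A")
    reply = Packet(INSIDE_SERVER, 25, client.ip, 51234)

    first = client.receive(master.exit_for(reply).outbound(reply))
    master.set_prefix("192.0.2.0/24", "B")         # prefix learning cycle re-homes the prefix
    second = client.receive(master.exit_for(reply).outbound(reply))
    return [first, second]


if __name__ == "__main__":
    print("no pinning :", run_session(False))   # second reply leaves via B, dropped
    print("port pinned:", run_session(True))    # both replies leave via A
```

Without pinning the second reply leaves router B with B's public address and the client, which opened the session to A's address, discards it; that is the "ping A, then after learning ping B" flip described above, seen from the remote end. With the ports pinned the flow keeps exiting through the router it entered, which is the behaviour the thread is looking for, whether or not a given OER or PfR release can express it.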
