06-03-2008 09:56 AM - edited 03-05-2019 11:24 PM
Configuration:
Cisco 1841 Advanced Security Image - OER Border router connected to business-class DSL
Cisco 2811 Enterprise Image - OER Master/Border connected to T1
Cisco 3750 Layer 3 IP Base image - Default Gateway to clients
Issue: OER is functioning well and the prefixes appear to be working correctly for traffic initiated by the client (generic web browsing). However, traffic such as VPN and SMTP that is initiated from the Internet is sometimes load balanced to the other border router, which kills the connection to the remote client. The remote clients are dynamic IP from users working from home, so there is no way that I can find to do a static prefix map. I have looked for weeks for a way to force traffic flows to go through the router it was initiated through for SMTP and VPN, but no luck. Anybody have an idea?
Thanks in advance.
06-03-2008 03:53 PM
Are there different public addresses for the two links? If so, and if you're doing different NATs for the two paths, you might want to examine whether the "OER and NAT" in: http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/oer-setup_netw.html, will address your situation.
06-04-2008 04:42 AM
If I'm reading that correctly, it looks like it is speaking of a single border router connecting to two different ISP's. In my design, I actually have two border routers, each connecting to an ISP. NAT is being performed on each border router.
Also, I have noticed that the packet drops actually occur right after a prefix learning cycle. For example, I can ping router A and not router B. After prefix learning occurs, I can ping router B but not router A. This cycle repeats every time prefix learning occurs.
06-04-2008 08:22 AM
With NAT on two different routers, you likely have an intractable problem. The reason outbound sessions aren't more of a problem is perhaps most are stateless. Even without OER, consider an outbound packet that takes path A, with one source IP translation. The return will be via the same path because of your NAT'ed IP, but if for ANY reason the next outbound packet to the same outbound destination goes via path B, with a different source IP translation, the destination will think the packet is from a different host. Of course, OER becomes a reason for packets sourced from the same physical host to take different paths at different times.
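A small simulation of the failure mode described in the reply above, added here as an illustration and not part of the thread or any Cisco configuration: two border routers each translate to their own public address, and a stateful remote peer drops mid-session packets once OER moves the flow to the other router. All addresses are constructed (RFC 5737 documentation ranges); the single-device case where both paths share one translation is included for contrast.

```python
"""Simulate per-router NAT plus a path change mid-session (constructed example)."""
from dataclasses import dataclass, field

INTERNAL_HOST = "10.0.0.5"  # constructed inside client address

# Constructed: each border router has its own NAT address (the thread's setup).
PER_ROUTER_NAT = {"A": "198.51.100.10", "B": "203.0.113.10"}
# Constructed contrast: one shared translation regardless of exit path.
SHARED_NAT = {"A": "198.51.100.10", "B": "198.51.100.10"}


@dataclass
class StatefulPeer:
    """Remote SMTP/VPN endpoint that tracks sessions by (src, sport, dport)."""
    sessions: set = field(default_factory=set)

    def receive(self, src, sport, dport, syn):
        key = (src, sport, dport)
        if syn:
            self.sessions.add(key)   # new session from this source
            return "accepted"
        # A non-SYN packet must match a known session; otherwise it is dropped
        # (a real TCP stack would typically answer with a RST).
        return "accepted" if key in self.sessions else "dropped"


def nat(border, nat_table):
    """Source translation applied by the border router the packet exits through."""
    return nat_table[border]


def simulate(paths, nat_table=PER_ROUTER_NAT, sport=50000, dport=25):
    """paths: border router used by each successive packet, e.g. ['A', 'A', 'B'].

    The first packet is the SYN; the rest are data. Returns the remote peer's
    verdict for each packet in order.
    """
    peer = StatefulPeer()
    verdicts = []
    for i, border in enumerate(paths):
        src = nat(border, nat_table)
        verdicts.append(peer.receive(src, sport, dport, syn=(i == 0)))
    return verdicts


if __name__ == "__main__":
    print(simulate(["A", "A", "A"]))                    # stable path: all accepted
    print(simulate(["A", "A", "B", "B"]))               # path moved after prefix learning
    print(simulate(["A", "A", "B", "B"], SHARED_NAT))   # same translation on both paths
```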
06-04-2008 08:27 AM
That is what I'm seeing. Now, to build upon that, is there a way to "exclude" traffic from being OER'd by port number? If I can exclude port 1721 and 25 that will probably work for me.
06-04-2008 11:52 AM
I don't think you can within OER but it might be possible within PfR. Not 100% certain since I haven't worked with explicit prefixes or applications in either, but PfR is much more application (port?) aware than OER, so you might be able to have PfR not learn traffic on those ports.