Dual BGP router questions

Dec 2nd, 2008

Greetings,

We recently migrated our edge routers to 2 separate BGP connections to 2 separate ISPs. Our routers are running the firewall feature set.

While we were going through the issues with the ISPs we had an ip inspect ftp statement on the inside interface. Once we finally got the second ISP working we noticed our ftp sessions were failing. I moved the inspect statement to the new ISP router because it was our preferred path and the ftp started working again. I really need to have the inspect statements on each inside interface, but when I add it to the original ISP router all ftp stops working.

I can provide more detail regarding our routers if need be.


Thanks to any/all that may add input.


Rick

Harold Ritter Tue, 12/02/2008 - 14:51

Rick,


It looks to me as if the issue is due to asymmetric routing, which is something you want to avoid at all costs when using FWs in the path.


Regards

rmcole Tue, 12/02/2008 - 15:37

Thanks for the reply, but from what I was told, having 2 ISPs on 2 different routers will have asymmetric routing and that shouldn't be an issue.

These routers are not acting as firewalls except for the ip inspect.

Giuseppe Larosa Wed, 12/03/2008 - 02:07

Hello Rick,

ip inspect is a smart feature and it works like a firewall: it creates temporary openings if it sees both directions of the flow. The permissions are created when the session setup is seen. With asymmetric routing the risk is that the return traffic arrives on the router that hasn't seen the packets in the other direction and that has not opened the temporary permissions, so the traffic is dropped.


You need to try to influence the return path from internet to your AS:

You can use AS path prepending by prepending your own AS number in updates sent to the second ISP. (You need to make a choice here: either keep using inspect for security, or use both ISPs in load balancing without ip inspect.)


Hope to help

Giuseppe
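As an added illustration of the approach Giuseppe describes (this is an example written for this page, not configuration posted by anyone in the thread), here is what the secondary-ISP router would look like with CBAC inspection on the inside interface and AS-path prepending on the prefix sent to that ISP. Every value is hypothetical: local AS 65000, ISP-B AS 65002, documentation prefixes 198.51.100.0/24 and 203.0.113.0/30, interface names, ACL and route-map names. The preferred-ISP router carries the same inspect and ACL configuration without the prepend route-map.

```cisco
! Added example, not from the thread. Hypothetical values throughout:
! local AS 65000, ISP-B AS 65002, our prefix 198.51.100.0/24,
! ISP-B link 203.0.113.0/30. This is the secondary (ISP-B) router.
!
! 1. CBAC inspection rule. "ftp" tracks the control channel and opens the
!    data channel; tcp/udp cover the rest of the outbound sessions.
ip inspect name INSIDE_FW ftp
ip inspect name INSIDE_FW tcp
ip inspect name INSIDE_FW udp
!
! 2. Inbound ACL on the ISP-facing interface. ip inspect inserts temporary
!    entries ahead of this ACL for return traffic of sessions it saw start.
!    Without an inbound ACL here nothing is actually blocked, and traffic
!    that returns through the other router never matches a temporary entry.
ip access-list extended OUTSIDE_IN
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 198.51.100.1 255.255.255.0
 ip inspect INSIDE_FW in
!
interface GigabitEthernet0/1
 description Link to ISP-B (secondary)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
!
! 3. Make ISP-B the less attractive return path for the rest of the Internet
!    by prepending our own AS three times on the prefix sent to ISP-B only.
router bgp 65000
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 65002
 neighbor 203.0.113.1 route-map PREPEND_TO_ISP_B out
!
route-map PREPEND_TO_ISP_B permit 10
 set as-path prepend 65000 65000 65000
!
! Verification from enable mode:
!   show ip bgp neighbors 203.0.113.1 advertised-routes  (prefix is sent to ISP-B)
!   show ip inspect sessions                             (ftp control and data sessions)
! Confirm from ISP-B's side or a public looking glass that the path to
! 198.51.100.0/24 via ISP-B carries 65000 three times.
```

Two caveats a practitioner would want. Prepending only biases the Internet's choice; a remote network or ISP-B itself can still prefer the prepended path (local preference wins over AS-path length), so check with a looking glass rather than assuming symmetry. And inbound steering is only half of it: the inside hosts' default gateway (or an HSRP active router) must send outbound traffic through the same router the return traffic comes back to, otherwise the inspect rule on that router never sees the session setup and the temporary openings are never created.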

