SVR Firewall Routing Issue

Answered Question
Aug 10th, 2009

I posted this in the UC520 spot but I think this is where the question should be more properly posted. I have a bit of an issue with a multi-site installation of the SVRs and was wondering if you could lend your technical expertise to take a look at a routing issue I’m having with a client. This particular client has their branch office located in Carson, CA with 6 remote branch offices nationally, with 4 of the sites being connected via a private MPLS network provided by AT&T. We are replacing the MPLS networks at most of the branch offices with the Site-To-Site VPNs from the SVRs and new Internet connections at the branches with the SVRs. However, there is one branch in Las Vegas that doesn’t have an SVR and their only connection is the MPLS. The branch offices are configured to connect back to the Carson office for network resources and go out to the Internet via the PIX firewall at the Carson office. Currently, the PIX firewall and the SVR at the Carson office are in parallel and the phone performance is being affected by all of the Internet traffic from the branch offices AND headquarters.

We are attempting to collapse the PIX firewall at the corporate office and use the SVR as the primary Internet gateway for all traffic to take advantage of the SVR’s QoS features. However, when we make the SVR the default gateway, the remote branch offices can no longer go out to the Internet, although computers at the Carson office can go out to the Internet just fine. I have duplicated the route entries on the SVR from the PIX to the best of my ability and I suspect that somewhere in this process is where the problem is occurring. Let me give you the configuration parameters:

Carson Office (Headquarters)

LAN Subnet: 192.168.9.0/255.255.255.0

Default Gateway: 192.168.9.1 (Cisco MPLS Router)

PIX Firewall LAN: 192.168.9.254

PIX Firewall WAN: 12.70.90.130

SVR LAN: 192.168.9.12

SVR WAN: 12.70.90.133

Internet Default Gateway: 12.70.90.129

Las Vegas Office

LAN Subnet: 192.168.11.0

Default Gateway: 192.168.11.1

All of the computers at the Carson office are configured with the MPLS router (192.168.9.1) as their default gateway. It is configured with the PIX Firewall LAN IP (192.168.9.254) as its default gateway and all traffic seems to work fine with the exception of no QoS functionality. When we change the default gateway on the MPLS Router to the SVR LAN IP (192.168.9.12) the remote branches can’t go out to the Internet. I have added the routing statements (SVR Routing Table) that were in the PIX (PSC Current PIX Config) but we still have the issue. I have attached a copy of a trace route (Remote Branch Trace Comparisons) from one of the computers in the Las Vegas office to show what happens to the traffic. From the trace it shows that when the PIX is in place, traffic bound for the Internet goes from the Serial Interface of the MPLS router directly to the Internet Default Gateway (12.70.90.129). However, when we make the SVR the default gateway of the MPLS Router, traffic bound for the Internet from the Las Vegas office goes from the Serial Interface of the MPLS Router to the LAN IP of the SVR and times out from there. Herein lies the problem. To the layman, everything appears to be configured correctly, but something must need to be tweaked somewhere to facilitate that connection. I’ve been on with AT&T (they used to manage the PIX and currently provide the MPLS) to see if there was something persistent with their routes that could be the problem but of course they said no.
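The post describes a symptom (the Las Vegas trace stops at the SVR's LAN IP once the SVR becomes the gateway) without the SVR's actual route and NAT tables. The following simulation is an added illustration, not the poster's configuration or a diagnosis: it uses the addresses from the post, but the route tables and NAT scopes are constructed assumptions. It shows the two checks a LAN gateway must pass for a remote subnet's Internet traffic to work: the source must fall within the NAT scope, and the gateway needs a specific return route for that subnet that points back toward the MPLS router rather than out the default route. The "svr" case models a gateway that carried over only its own LAN, the "svr_fixed" case adds the two missing entries.

```python
import ipaddress

# Constructed example. Addresses are from the forum post; the route tables and
# NAT scopes below are assumptions made for illustration, not the real PIX/SVR
# configs (which the post references as attachments that are not on the page).

INTERNET_GW = "12.70.90.129"   # Internet default gateway (from the post)
MPLS_ROUTER = "192.168.9.1"    # Carson MPLS router LAN IP (from the post)


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop).
    Returns (matched_network, next_hop) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward_and_return(routes, nat_sources, src, dst):
    """Simulate one Internet-bound flow through a LAN gateway plus its reply.
    Returns a verdict string describing where the flow breaks, if it does."""
    out = lookup(routes, dst)
    if out is None:
        return "outbound: no route to %s" % dst
    # A source outside the NAT scope leaves with a private address; the
    # reply will never come back from the Internet.
    src_addr = ipaddress.ip_address(src)
    if not any(src_addr in ipaddress.ip_network(n) for n in nat_sources):
        return "outbound: source %s not in NAT scope" % src
    # The de-NATed reply must be routed back toward the remote subnet. If the
    # only match is the default route, the reply is sent out the WAN instead.
    back = lookup(routes, src)
    if back is None or back[0].prefixlen == 0:
        return "return: no specific route to %s, reply follows default route" % src
    return "ok: out via %s, reply back via %s" % (out[1], back[1])


# Assumed PIX state: return route for the Las Vegas LAN via the MPLS router
# and NAT covering both the Carson and Las Vegas subnets.
PIX_ROUTES = [("0.0.0.0/0", INTERNET_GW),
              ("192.168.9.0/24", "connected"),
              ("192.168.11.0/24", MPLS_ROUTER)]
PIX_NAT = ["192.168.9.0/24", "192.168.11.0/24"]

# Assumed SVR state after cut-over: default route and its own LAN only.
SVR_ROUTES = [("0.0.0.0/0", INTERNET_GW),
              ("192.168.9.0/24", "connected")]
SVR_NAT = ["192.168.9.0/24"]

# Assumed completed SVR state: the same two entries the PIX had.
SVR_ROUTES_FIXED = SVR_ROUTES + [("192.168.11.0/24", MPLS_ROUTER)]
SVR_NAT_FIXED = SVR_NAT + ["192.168.11.0/24"]


def compare(src="192.168.11.50", dst="8.8.8.8"):
    """Run the same Las Vegas host (constructed address) through all three
    gateway models and return the verdicts keyed by model name."""
    return {
        "pix": forward_and_return(PIX_ROUTES, PIX_NAT, src, dst),
        "svr": forward_and_return(SVR_ROUTES, SVR_NAT, src, dst),
        "svr_fixed": forward_and_return(SVR_ROUTES_FIXED, SVR_NAT_FIXED, src, dst),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print("%-10s %s" % (name, verdict))
    # A Carson host works through the unmodified SVR, matching the post.
    print("%-10s %s" % ("carson", forward_and_return(SVR_ROUTES, SVR_NAT,
                                                      "192.168.9.100", "8.8.8.8")))
```

Running it shows the Carson host succeeding through the unmodified SVR while the Las Vegas host fails, which matches the observed split in the post; which of the two checks fails on the real SVR can only be read from its own route and NAT configuration.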

Correct Answer by William Childs, Thu, 08/20/2009 - 20:54

Rod,

I think the problem you may be experiencing is related to the fact that the SVR does not understand or do MPLS tagging (the 2.5 layer label). You may need to try changing the PIX to do strictly ethernet to the SVR (make the PIX the edge router in the MPLS network so it strips the tag before sending it to the SVR) and this will hopefully fix the issue. If it does not, please post your findings. If I am misunderstanding the issue, please help me with how the MPLS gets integrated into your LAN (in front of or behind your SVR). The way I understand it is you have 2 internet connections at the main site, one is your MPLS connection from AT&T for your backbone network, and the other is perhaps a cable or DSL (maybe T1 depending on if you have a SVR3000 or 3500). The drawback I think you will find is that your SVRs do not support MPLS and your network migration may have to be completed all at once on a plug and PRAY (definitely a weekend job) situation. One other question I have is, do you have any VPN tunnels on your MPLS network? This could pose a problem but is unlikely.

Bill
