Load Balancing some services timeout FTP/POP/SMTP

Jan 25th, 2010

Hello,

On my c1802 I set up load balancing with two ADSL connections. The clue was this document:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml


It works well, but with services like FTP, POP or SMTP I get timeouts very often, or they are slow. About 50/50%.


Setup is

                                                 Internal ADSL Dialer0 10M/768

LAN 192.168.0.0 -----   C1802  <

                                                 FE0 IP 172.0.0.1 ------- 172.0.0.138 ADSL MODEM with NAT not FW. 8M/512




!
no ip source-route
!


!
ip cef
no ip bootp server
ip domain name local.cz
ip name-server 193.85.1.100
ip name-server 193.85.2.100
ip name-server 212.47.0.4
ip name-server 212.47.1.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!


!
!
ip tcp synwait-time 10
track timer interface 5
!
track 123 ip sla 1 reachability
delay down 15 up 10
!
track 345 ip sla 2 reachability
delay down 15 up 10
!


!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!


interface ATM0
no ip address
no ip redirects
no ip unreachables
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0.1 point-to-point
description $ES_WAN$
no ip redirects
no ip unreachables
zone-member security out-zone
pvc 8/48
  pppoe-client dial-pool-number 1
!



!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
mtu 1492
ip dhcp client hostname c1802
ip dhcp client route track 345
ip address 172.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!


!
interface Vlan1
no ip address
bridge-group 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username  password 0
!
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.0.10 255.255.255.0
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!


!
ip dns server
ip nat inside source route-map IP193 interface Dialer0 overload
ip nat inside source route-map IP213 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 172.0.0.138 track 345
!


!
ip sla 1
icmp-echo 195.39.2.102 source-interface Dialer0
timeout 1000
threshold 40
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 193.86.163.155 source-interface FastEthernet0
timeout 1000
threshold 40
frequency 3
ip sla schedule 2 life forever start-time now


access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.0.0.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run


!
!
!
!
route-map IP193 permit 10
match ip address 1
match interface Dialer0
!
route-map IP213 permit 10
match ip address 1
match interface FastEthernet0
!


!
control-plane
!
!
bridge 1 protocol ieee
bridge 1 route ip
!



If I disable the FW the problem is the same, but when I disconnect one of the ADSL connections everything works well.


Please, where is my bug?


Thanks

Locus

locus2007 Tue, 01/26/2010 - 05:52

I didn't mention that I have IOS 15.0.1M1.


Any help welcomed

Ganesh Hariharan Tue, 01/26/2010 - 06:15

Hi,


What I would suggest: all three are TCP-based applications and need session persistency once they have started or connected. As you said, when you take down one of the ADSL connections everything works perfectly fine.


To overcome this type of issue, just split the LAN subnet and divide the LAN traffic to go out a specific connection rather than load balancing.


Hope that clears your query!!


Ganesh.H

locus2007 Tue, 01/26/2010 - 07:48

Thanks, but I can't predict users' needs.


The other thing I tried is to assign the traffic types FTP, POP, SMTP, IPsec, GRE to a specific connection and leave other traffic on router load balancing.

But I can't set it in PBR.

I tried it with


acces list 111 permit 21 any any


route-map D0 permit

match ip address 111

set default interface Dialer 0


and to interface BVI1

ip policy route-map D0


But now everything goes to Dialer0.

Correct Answer
Mohamed Sobair Tue, 01/26/2010 - 07:58

Hi,


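TCP applications do need persistency; your PBR should look like the below:


! Apply the policy to the LAN-facing interface
interface BVI1
 ip policy route-map DO
!
! Send traffic matched by ACL 110 out of one fixed uplink
route-map DO permit 10
 match ip address 110
 set interface FastEthernet0
!
! Services that must stay on a single connection
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3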




HTH

Mohamed
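
A variant of the policy above, added here as an example and not part of Mohamed's post: it ties the pinned next hop to track object 345 from the original configuration, so FTP/SMTP/POP3 fall back to normal routing over Dialer0 when the FastEthernet0 uplink is down. The source-subnet restriction in ACL 110 and the use of `set ip next-hop verify-availability` are assumptions of this example; all addresses and object numbers come from the configuration posted in the question.

```cisco
! Added example (not from the thread). Values reused from the posted config:
! LAN 192.168.0.0/24 on BVI1, modem 172.0.0.138 behind FastEthernet0,
! track 345 bound to "ip sla 2" (reachability probe via FastEthernet0).
!
! Match only LAN-sourced sessions to the services that need one stable
! source address. Passive-mode FTP data connections use negotiated ports
! and are NOT matched by "eq ftp"; they still follow normal routing.
access-list 110 remark Services pinned to the FastEthernet0 uplink
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
!
! Policy-route matched traffic to the modem only while track 345 is up.
! When the track object goes down the set clause is skipped and the
! packet is forwarded by the routing table (default route via Dialer0).
route-map DO permit 10
 match ip address 110
 set ip next-hop verify-availability 172.0.0.138 1 track 345
!
! Everything not matched by ACL 110 is not policy-routed and keeps
! using the two tracked default routes.
interface BVI1
 ip policy route-map DO
!
! Checks after applying:
!   show route-map DO      (match counters increase for pinned services)
!   show ip policy         (BVI1 listed with route-map DO)
!   show track 345         (state of the FastEthernet0 uplink probe)
!   show ip nat translations | include :21|:25|:110
```

Pinned sessions should appear in the NAT table with the FastEthernet0 address as inside global, which confirms that the route-map IP213 NAT rule is the one being used for them.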

locus2007 Tue, 01/26/2010 - 11:11

Thanks, the problem was in the access list; now I can configure sensitive services to use the right route.
