Problems with floating route?

Unanswered Question
Aug 9th, 2010

I have a situation that I'm not sure if it's a device issue or a Cisco issue. I have a Netgate appliance which creates a tunnel into our provider via cellular connection. This tunnel is always up. My router has a floating route to fall over to this appliance if the serial side is down. I get my default route from our provider via bgp.


This is what my router looks like:

*B 0.0.0.0 via 1.1.1.1


ip route 0.0.0.0 0.0.0.0 192.168.1.2 254 name Netgate

This works as intended, but I'm having weird issues sometimes with internal devices latching onto the Netgate as their route for only certain routes. For instance, we have all Cisco APs which have a redirect cache on them but no routing table. If I have a host at 192.168.30.50, the AP may find it like:

192.168.30.50      192.168.1.2

But the APs' default gateway is 192.168.1.1 (my router). This is not just happening on APs though. It's happening on 3Com switches as well. I'm not sure how it's happening either. The serial side has never gone down at this location. I could understand if the router had to fail over to this device and then traffic had to pass over it and kept it in cache at that point, but that's not the case. Is there something else I should be looking at on the router side? At this point, I think it's the Netgate that's causing my problem. Before I can get in touch with the provider, I wanted to make sure that it wasn't a configuration problem on my end because I'm sure that's what they'll focus on.

Thanks,

John

Jon Marshall Mon, 08/09/2010 - 07:07

John

The only thing that springs to mind is that one of your devices, possibly the router, is sending out ICMP redirects with the Netgate as the preferred next-hop.

Can you make sure ICMP redirects are disabled, if you are not using them?

Jon

John Blakley Mon, 08/09/2010 - 07:33

Jon,

That makes sense. Can you explain this part to me though?

When Are ICMP Redirects Sent?

Cisco routers send ICMP redirects when all of these conditions are met:

  • The interface on which the packet comes into the router is the same interface on which the packet gets routed out.

  • The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.

  • The datagram is not source-routed.

  • The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)

The site that I was referring to was an AP whose redirect was set to go out the Netgate to get to something on the other side of the WAN. The statement above makes it sound like if the packet is received on the inside interface and then routed back out the inside interface, it would then send a redirect. If the packet is received on the inside interface, but then the router has to route out the serial side, should it still be sending a redirect to the Netgate, or is this because the router's serial side may have gone down at the moment one of the other devices tried to get to a far-side network? At that point, I could see the redirect happening.

Also, redirects are enabled by default on the routers. Is it a bad thing to disable them completely?

Thanks,

John

Giuseppe Larosa Mon, 08/09/2010 - 08:23

Hello John,

>> or is this because the router's serial side may have gone down at the moment one of the other devices tried to get to a far-side network? At that point, I could see the redirect happening.

This makes sense to me: redirection should occur only when the next-hop is out the same interface receiving the packet, and in your case this happens only when the primary interface is down.

Then the AP keeps the entry in its ARP cache.

Disabling ICMP redirect in your case may help after the primary link is restored.

I see two options:

either both the Cisco router and the appliance support ICMP redirect,

or both have it disabled;

a mix is not desirable.

Hope to help

Giuseppe

John Blakley Mon, 08/09/2010 - 08:34

How much do redirects tie in with floating routes? I'm assuming that the device will always go to its default gateway, which would then in turn forward to the appropriate route, but it wouldn't allow the device to add the "direct" entry to its cache.

Jon Marshall Mon, 08/09/2010 - 11:19

John

>> How much do redirects tie in with floating routes?

Don't think they do really. ICMP redirects are really about suboptimal paths in your network, i.e. traffic is not taking the most efficient route. Your floating static will only kick in if the primary route is removed from the routing table.

>> I'm assuming that the device will always go to its default gateway which would then in turn forward to the appropriate route, but it wouldn't allow the device to add the "direct" entry to its cache.

Not sure how the cache thing works to be honest. Certainly any device that consults a routing table, and even a PC does this, can install an ICMP redirect into its routing table.

ICMP redirects, as I say, are really about traffic not using the most efficient path through the network, so disabling them should not cause major problems unless of course your network relies on them for traffic forwarding, which it really shouldn't.

Jon

Giuseppe Larosa Tue, 08/10/2010 - 11:25

Hello John,

>> How much do redirects tie in with floating routes? I'm assuming that the device will always go to it's default gateway which would then in turn forward to the appropriate route, but it wouldn't allow the device to add the "direct" entry to its cache.

As Jon has noted, if the default gateway knows that its best path to the packet destination is via an IP next-hop that is in the same IP subnet as the packet sender, it can send out an ICMP redirect to inform the client that the next packets for the same destination can be sent directly to that IP address (that of the next-hop in the same subnet).

So the end user device knows nothing about static routes or floating static routes, but it can have its ARP table populated with entries that are created during the primary link failure as a result of ICMP redirect messages sent by the router.

Now, if the IP next-hop in the LAN (the appliance that connects to the cellular network) does not do the same when the primary link is up, that is, it does not send out ICMP redirects to inform the client(s) that the best path is now via the router, the clients may still use the secondary path in the outgoing direction as a result of these ARP entries until the entries expire.

For this reason I have written that either both the router and the appliance send out ICMP redirect messages, or both should have it disabled.

This is my understanding, of course if the appliance is not in the same IP subnet as the clients, all this will not happen and clients would not get any indirect sign of a change in routing.

Hope to help

Giuseppe
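An added worked example, not posted by anyone in this thread and not Cisco's or Netgate's code: a small Python simulation of the mechanism John and Giuseppe are describing. It models a router choosing between the BGP-learned default (administrative distance 20, out the serial interface) and the floating static with distance 254 to the appliance at 192.168.1.2, applies the four redirect conditions John quoted, and gives a host a redirect cache that, like the APs in the thread, keeps whatever next-hop it was told until told otherwise. The interface names, the host address 192.168.1.50 and the administrative distances are assumptions for the example; the addresses 1.1.1.1, 192.168.1.1, 192.168.1.2 and 192.168.30.50 are taken from the thread. The appliance is deliberately not modelled as sending redirects of its own, which is the "mix" Giuseppe warns against.

```python
"""Simulate ICMP redirects around a floating static route (added example)."""
import ipaddress

# Constructed topology: the LAN subnet the router, appliance and hosts share.
LAN = ipaddress.ip_network("192.168.1.0/24")
CONNECTED = {"FastEthernet0/0": LAN}   # interface -> directly connected subnet (assumed names)


class Router:
    """Cisco-style default route selection plus the redirect conditions from the thread."""

    def __init__(self, redirects_enabled=True):
        self.redirects_enabled = redirects_enabled   # 'no ip redirects' flips this to False
        self.serial_up = True
        # candidate default routes: name -> (administrative distance, egress interface, next hop)
        self.candidates = {
            "bgp": (20, "Serial0/0", "1.1.1.1"),              # default from provider via BGP
            "floating": (254, "FastEthernet0/0", "192.168.1.2"),  # ip route 0.0.0.0 0.0.0.0 192.168.1.2 254
        }

    def best_default(self):
        # The BGP route is withdrawn when the serial side is down; lowest distance wins.
        usable = [r for name, r in self.candidates.items() if name != "bgp" or self.serial_up]
        return min(usable, key=lambda r: r[0])

    def forward(self, ingress, src, dst, source_routed=False):
        """Return (egress interface, next hop, redirect target or None)."""
        _, egress, next_hop = self.best_default()
        net = CONNECTED.get(egress)
        same_subnet = (net is not None
                       and ipaddress.ip_address(src) in net
                       and ipaddress.ip_address(next_hop) in net)
        redirect = None
        # The four conditions quoted in the thread, all of which must hold.
        if self.redirects_enabled and egress == ingress and same_subnet and not source_routed:
            redirect = next_hop
        return egress, next_hop, redirect


class Host:
    """A host (AP, switch, PC) with a default gateway and a cache of learned redirects."""

    def __init__(self, ip, gateway):
        self.ip, self.gateway = ip, gateway
        self.redirect_cache = {}   # destination -> next hop learned from an ICMP redirect

    def send(self, router, dst):
        """Return the next hop the packet actually goes to."""
        cached = self.redirect_cache.get(dst)
        if cached is not None:
            return cached          # goes straight to the appliance; the router never sees it
        egress, next_hop, redirect = router.forward("FastEthernet0/0", self.ip, dst)
        if redirect is not None:
            self.redirect_cache[dst] = redirect   # the host latches onto the redirect
        return next_hop


def scenario(disable_redirects=False):
    """Serial up -> serial fails -> serial restored; returns (next hops used, host cache)."""
    router = Router(redirects_enabled=not disable_redirects)
    ap = Host("192.168.1.50", "192.168.1.1")   # constructed AP address, router as gateway
    dst = "192.168.30.50"
    used = [ap.send(router, dst)]      # primary up: routed out the serial side, no redirect
    router.serial_up = False
    used.append(ap.send(router, dst))  # floating static active: back out the LAN interface
    router.serial_up = True
    used.append(ap.send(router, dst))  # primary restored: does the host notice?
    return used, dict(ap.redirect_cache)


if __name__ == "__main__":
    print("redirects enabled :", scenario())
    print("redirects disabled:", scenario(disable_redirects=True))
```

With redirects enabled the third packet still goes to 192.168.1.2 even though the serial link is back, because nothing ever told the host otherwise; with `no ip redirects` (the `disable_redirects=True` run) the host keeps sending to its gateway and follows the router's routing table as soon as the primary route returns. That is the difference John saw in the APs' caches, reproduced without any failover having to happen on real hardware.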
