Solved: BGP Multihomed - Page 2

Tauer Drumond · ‎07-29-2013

Hello,

I have two ASR 1001.

Each one has one eBGP session with his own ISP

ROUTER A ----bgp----> ISP A

FIREWALL --->

ROUTER B ----bgp-----> ISP B

If my inside traffic flows through ISP A and returns through ISP A = GOOD - everything is OK

If my inside traffic flows through ISP B and returns through ISP B = GOOD - everything is OK

but

if my inside traffic flows through ISP A and return through ISP B = BAD - we have resets, connection times out, etc

if my inside traffic flows through ISP B and return through ISP A = BAD - we have resets, connection times out, etc

____________________________________________________________________________________________________________

If outiside traffic comes through ISP A and my firewall answer throught ISP A = GOOD - everything is OK

If outiside traffic comes through ISP B and my firewall answer throught ISP B = GOOD - everything is OK

but

If outiside traffic comes through ISP A and my firewall answer throught ISP B = BAD - we have resets, connection times out, etc

If outiside traffic comes through ISP B and my firewall answer through ISP A = BAD - we have resets, connection times out, etc

Please,

help!

Thanks!

JohnTylerPearce · ‎07-30-2013

That sounds right. Since you are having issues with a sync routing, whatever destination network that traffic is destined for you could implement an attribute so that your ISP would prefer one path over another and hopefully that should help

Sent from Cisco Technical Support Android App

Tauer Drumond · ‎07-30-2013

Hi John,

does that mean that I`ll never use an ISP and the traffic will return from another?

Meaning.. the way the traffic is flowing, must be the way it comes back

JohnTylerPearce · ‎07-30-2013

If you had network 188.0.0.0/24 for example and advertised it to your network in a way suck that it should always use ISP A over ISP B then your answer is yes unless there was a link failure between you and the ISP

Sent from Cisco Technical Support Android App

Tauer Drumond · ‎07-31-2013

I understand...
But, like shown in my scenario, I`d like to use and advertise my block to both ISP simultanely...
I didn`t know if the packet flows through one and returns through another one, I would have problem.

Assymetric routing is common everywhere...

shillings · ‎07-31-2013

I wonder if you could divide your block in half, then advertise both halves to each ISP. However, amend the AS_PATH attribute so that the Internet at large will favour the first half via ISP A and the second half via ISP B.

You'd have to ensure the ISPs don't aggregate your two halves back into a single block, when they advertise out to the rest of the Internet.

You'd also have to configure your own outbound routing to mirror this, and how would you do that? Apply half the public block to outside interface 1 and the other half to outside interface 2, I presume. If one link failed, then all outbound traffic would need to route via the single working interface.

Plenty to think about...

Tauer Drumond · ‎07-31-2013

Yes... I was thinking about to tunning this scenario, so every traffic flows e returns only through one ISP

But I was wondering if EVERYBODY in the world who works with more than one ISP have the same problem

JohnTylerPearce · ‎07-31-2013

You would be correct sir. Depending on your network topology, and how your redundancy is configured, what routes, and attributes you are sending out can make quite a difference. Also, depends on if you have provider assigned or independent provider assigned networks. And a lot of Tier2/3 routers, I dought will take a lot of /24s at all, mostly /19 or /22. I've never worked for an ISP, so my real life experience on that subject is limited.

But if you have asymetric routing, it may be necessary to influence the way traffic comes back to you.

Tauer Drumond · ‎08-01-2013

I was wondering if my ASA could be acting negatively on this issue.

I dont see any DENY or anything, but someone warning me about TTL issues

Tauer Drumond · ‎08-01-2013

Hey all,

I just figured out what is going on.

Each router connects internally to 2 CISCO IPS...... I have 2 IPS....

So... when one connection comes through one IPS and returns through the other IPS, I had problem.

So... I've disabled both IPS inspection, and the traffic now flows as expected, even if flowing through one Service Provider and returning through another, because now, I have no inspection on the traffic. When I enable both IPS inspection, the problem happens.

I didn't mention IPS on previous posts, because I was monitoring them and receving no error. Both IPS didn't generate any error about that, so I've discarted this option. But, now I know IPS is the problem.

Here's my topology

IPS 01 ------- ROUTER A ----bgp-----> ISP A

FIREWALL ------->

IPS 02 ------- ROUTER B ----bgp-----> ISP B

Thank you all for the help