
New Member

BGP Multihomed

Hello,

I have two ASR 1001.

Each one has one eBGP session with its own ISP.

                           ROUTER A  ----bgp---->  ISP A

FIREWALL --->

                           ROUTER B  ----bgp-----> ISP B

If my inside traffic flows through ISP A and returns through ISP A  = GOOD - everything is OK

If my inside traffic flows through ISP B and returns through ISP B  = GOOD - everything is OK

but

if my inside traffic flows through ISP A and returns through ISP B  = BAD - we have resets, connection timeouts, etc.

if my inside traffic flows through ISP B and returns through ISP A  = BAD - we have resets, connection timeouts, etc.

____________________________________________________________________________________________________________

If outside traffic comes through ISP A and my firewall answers through ISP A  = GOOD - everything is OK

If outside traffic comes through ISP B and my firewall answers through ISP B = GOOD - everything is OK

but

If outside traffic comes through ISP A and my firewall answers through ISP B  = BAD - we have resets, connection timeouts, etc.

If outside traffic comes through ISP B and my firewall answers through ISP A  = BAD - we have resets, connection timeouts, etc.

Please,

help!

Thanks!

3 ACCEPTED SOLUTIONS


23 REPLIES

BGP Multihomed

Hi,

What you are experiencing is an asymmetrical routing issue. It is not uncommon to have asymmetrical routing in a multihomed environment, and a few apps will have issues with that. Are you getting default routes or full/partial tables from the ISPs? There is a similar discussion (link below) with a few suggestions to resolve it. Also, google for 'asymmetrical routing'; you will find more info with regard to this.

https://supportforums.cisco.com/thread/193588

Thx

MS

New Member

BGP Multihomed

Hi Mvsheik...
I'm receiving full routing from both ISPs.

BGP Multihomed

Hi,

My bad. I guess it has nothing to do with receiving tables. How you advertise to your ISPs will decide the incoming traffic. Check the links below; they might help you.

http://serverfault.com/questions/399240/how-to-prevent-asymmetric-routing-with-multiple-ebgp-routers

https://supportforums.cisco.com/docs/DOC-14491

Thx

MS

New Member

BGP Multihomed

Hi Mvsheik,

I'll read them carefully, but before that, I'd like to tell you that I'm using the feature (ip source-route) on router A, and I'm not using it on router B.

Do you think this can be the problem?

BGP Multihomed

Nope. Also, you can disable that on RTR A, as this can be a good source for hackers.

Thx

MS

New Member

BGP Multihomed

Yes... I disabled that... and the behavior is the same. I'm freaking out.

BGP Multihomed

If you share your infrastructure diagram and sanitized configs of the routers, experts may be able to help better. Also, make sure you read the link I posted.

Thx

MS

PS: please rate helpful posts.

New Member

BGP Multihomed

See the attachment with the diagram.

Basic config on RTR A:

neighbor 10.10.10.2 remote-as X
neighbor 10.10.10.2 password Y
neighbor 10.10.10.2 filter-list 1 out
! as-path list 1 matches only the empty AS_PATH, i.e. prefixes originated locally
ip as-path access-list 1 permit ^$

Basic config on RTR B:

neighbor 20.20.20.3 remote-as X
neighbor 20.20.20.3 filter-list 1 out
neighbor 20.20.20.4 remote-as X
neighbor 20.20.20.4 filter-list 1 out
! same outbound filter: advertise only locally originated prefixes, never the other ISP's routes
ip as-path access-list 1 permit ^$

BGP Multihomed

Hi,

2 default routes on the ASA may not work well, as the ASA does not support load balancing. You may want to go with HSRP for RTR A and RTR B and have the VIP as the default gateway. That might solve your issue.

Another option: you can have a dynamic protocol (e.g. OSPF) on RTR A and RTR B and inject both default routes into your network. I am not sure if this works as you are receiving full tables. Let's wait for some experts to shed some light here.

Thx

MS

PS: pls rate helpful posts.

New Member

BGP Multihomed

I've tried HSRP, but the result is the same.

If RTR A is the active one, and the incoming traffic from the Internet comes through RTR B, I get the same problem.

The problem is exactly the traffic flowing out through one and coming back through the other, and vice versa.

BGP Multihomed

Ok.. did you try tcp state bypass on ASA suggested in the links I posted?

ASA(config)# access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 any
ASA(config)# class-map tcp_bypass
ASA(config-cmap)# match access-list tcp_bypass
ASA(config-cmap)# policy-map tcp_bypass_policy
ASA(config-pmap)# class tcp_bypass
ASA(config-pmap-c)# set connection advanced-options tcp-state-bypass
ASA(config-pmap-c)# set connection timeout idle 0:10:00
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# service-policy tcp_bypass_policy interface inside

Thx

MS

New Member

BGP Multihomed

I didn't because the ASA is not generating any error...

In this case, the ASA should generate an error like Deny TCP (No Connection). Am I right?

I only see a TCP Reset-O on ASA

Re:BGP Multihomed

Are you advertising routes into your service provider? It didn't look like you were, but I was just wondering


Sent from Cisco Technical Support Android App

New Member

BGP Multihomed

Yes, I am....on both routers.

It's true because if I shut down the peering between RTR A and ISP A, all Internet traffic comes through RTR B, and vice versa.

Re:BGP Multihomed

That sounds right. Since you are having issues with asymmetric routing, whatever destination network that traffic is destined for, you could implement an attribute so that your ISP would prefer one path over another, and hopefully that should help.


Sent from Cisco Technical Support Android App

New Member

BGP Multihomed

Hi John,

does that mean that I'll never be able to use one ISP and have the traffic return through the other?

Meaning... the way the traffic goes out must be the way it comes back?

Re:BGP Multihomed

If you had network 188.0.0.0/24, for example, and advertised it to your network in a way such that it should always use ISP A over ISP B, then your answer is yes, unless there was a link failure between you and the ISP.


Sent from Cisco Technical Support Android App

New Member

BGP Multihomed

I understand...
But, as shown in my scenario, I'd like to use and advertise my block to both ISPs simultaneously...
I didn't know that if a packet flows through one and returns through the other, I would have a problem.

Asymmetric routing is common everywhere...

Silver

Re: BGP Multihomed

I wonder if you could divide your block in half, then advertise both halves to each ISP. However, amend the AS_PATH attribute so that the Internet at large will favour the first half via ISP A and the second half via ISP B.

You'd have to ensure the ISPs don't aggregate your two halves back into a single block, when they advertise out to the rest of the Internet.

You'd also have to configure your own outbound routing to mirror this, and how would you do that? Apply half the public block to outside interface 1 and the other half to outside interface 2, I presume. If one link failed, then all outbound traffic would need to route via the single working interface.

Plenty to think about...
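The split-and-prepend scheme above, modelled as an added Python example that is not from the thread. The AS numbers are constructed, 188.0.0.0/24 is the example block used earlier in the thread, and the model reduces BGP best-path to the two steps the trick depends on (longest prefix match, then shortest AS_PATH); it also covers the aggregation caveat and the single-link-failure case.

```python
"""Model of the split-block idea: a /24 advertised to both ISPs as two /25s,
each ISP getting the 'other' half with AS_PATH prepended, plus the plain /24
as a fallback. Added illustration; AS numbers and prefixes are constructed."""
import ipaddress

MY_AS = "65000"                    # constructed: the multihomed site's AS
ISP_A, ISP_B = "64501", "64502"    # constructed: the two upstream ASNs
BLOCK, HALF1, HALF2 = "188.0.0.0/24", "188.0.0.0/25", "188.0.0.128/25"


def site_advertisements(link_a_up=True, link_b_up=True):
    """What a remote AS hears from each ISP: prefix -> AS_PATH (our part only;
    each ISP adds its own ASN, so that cancels out). Router A prepends on the
    second half, router B on the first half; the /24 goes out plain to both."""
    plain, prepended = [MY_AS], [MY_AS, MY_AS, MY_AS]
    adverts = {}
    if link_a_up:
        adverts[ISP_A] = {BLOCK: plain, HALF1: plain, HALF2: prepended}
    if link_b_up:
        adverts[ISP_B] = {BLOCK: plain, HALF1: prepended, HALF2: plain}
    return adverts


def aggregated(table):
    """The caveat in the post: an ISP that summarises the /25s back into the
    /24 leaves only the plain aggregate for the rest of the Internet to see."""
    return {p: path for p, path in table.items()
            if ipaddress.ip_network(p).prefixlen <= 24}


def inbound_path(dst_ip, adverts):
    """Which ISP a remote AS forwards dst_ip through: longest prefix match
    first, then shortest AS_PATH. Returns (isp_asn, matched_prefix), or None
    when nothing covers the address (both links down)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for isp, table in adverts.items():
        for prefix, path in table.items():
            net = ipaddress.ip_network(prefix)
            if dst not in net:
                continue
            key = (net.prefixlen, -len(path))   # longer prefix, then shorter path
            if best is None or key > best[0]:
                best = (key, isp, prefix)
    return (best[1], best[2]) if best else None
```

With both links up each half is pulled through its intended ISP; with one link down the more-specific /25 from the surviving ISP still covers it, and if an ISP aggregates the halves the steering for that half is lost.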

New Member

BGP Multihomed

Yes... I was thinking about tuning this scenario, so all traffic flows out and returns only through one ISP.

But I was wondering if EVERYBODY in the world who works with more than one ISP has the same problem.

BGP Multihomed

You would be correct, sir. Depending on your network topology, and how your redundancy is configured, what routes and attributes you are sending out can make quite a difference. Also, it depends on whether you have provider assigned or independent provider assigned networks. And a lot of Tier2/3 routers, I doubt, will take a lot of /24s at all, mostly /19 or /22. I've never worked for an ISP, so my real-life experience on that subject is limited.

But if you have asymmetric routing, it may be necessary to influence the way traffic comes back to you.

New Member

BGP Multihomed

I was wondering if my ASA could be acting negatively on this issue.

I don't see any DENY or anything, but someone warned me about TTL issues.

New Member

BGP Multihomed

Hey all,

I just figured out what is going on.

Each router connects internally to a Cisco IPS... I have 2 IPS...

So... when one connection goes out through one IPS and returns through the other IPS, I had a problem.

So... I've disabled IPS inspection on both, and the traffic now flows as expected, even if flowing out through one service provider and returning through another, because now I have no inspection on the traffic. When I enable inspection on both IPS, the problem happens.

I didn't mention the IPS in previous posts, because I was monitoring them and receiving no errors. Neither IPS generated any error about that, so I had discarded this option. But now I know the IPS is the problem.

Here's my topology

                                      IPS 01 ------- ROUTER A  ----bgp-----> ISP A

FIREWALL ------->

                                      IPS 02 ------- ROUTER B  ----bgp-----> ISP B

Thank you all for the help
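The failure the thread ends on (each IPS sees only one direction of a flow, so the return packets belong to no connection it knows) and the tcp-state-bypass workaround suggested earlier, modelled in Python as an added example that is not part of the thread. Device names and the packet sequence are constructed; the trace lists the packets each side would offer and ignores retransmissions.

```python
"""Why a TCP flow that leaves through one stateful inspection device and
returns through another breaks, and what state bypass changes. Added
illustration; devices and the packet trace are constructed."""

# Constructed trace of one connection: (direction, flags).
# "out" = inside client -> Internet, "in" = reply from the Internet.
TRACE = [("out", "SYN"), ("in", "SYN-ACK"), ("out", "ACK"),
         ("out", "PSH-ACK"), ("in", "PSH-ACK"), ("in", "FIN-ACK"), ("out", "ACK")]


class StatefulDevice:
    """Minimal TCP state tracker: a flow must be opened by an outbound SYN seen
    on this box; any other packet for an unknown flow is dropped.
    state_bypass=True models the ASA's tcp-state-bypass option: packets are
    forwarded with no state check at all, so apply it only to the hosts that need it."""

    def __init__(self, name, state_bypass=False):
        self.name, self.state_bypass = name, state_bypass
        self.flows = set()          # a real table is keyed on the 5-tuple

    def inspect(self, direction, flags):
        if self.state_bypass:
            return "forward"
        if direction == "out" and flags == "SYN":
            self.flows.add("client->server")
            return "forward"
        if "client->server" in self.flows:
            return "forward"
        return "drop"               # an ASA logs this as Deny TCP (no connection)


def run_flow(dev_out, dev_in):
    """dev_out handles outbound packets, dev_in the replies. Returns a list of
    (flags, verdict) for the trace."""
    return [(flags, (dev_out if d == "out" else dev_in).inspect(d, flags))
            for d, flags in TRACE]


def dropped(results):
    return [flags for flags, verdict in results if verdict == "drop"]


def scenario(asymmetric, state_bypass=False):
    """Symmetric: both directions cross IPS01. Asymmetric: replies arrive via IPS02,
    which never saw the SYN. Returns the flags of every packet that was dropped."""
    ips01 = StatefulDevice("IPS01", state_bypass)
    ips02 = StatefulDevice("IPS02", state_bypass)
    return dropped(run_flow(ips01, ips02 if asymmetric else ips01))
```

In the asymmetric case every reply is dropped, which is what the client sees as resets and timeouts; bypass makes them pass, at the price of losing the state check on that traffic.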
