
Load share between ASA and 7206 not working

huangedmc
Level 3

We're trying to load share between two 7206's that go out to Internet via two different ISP's.

We first filtered inbound BGP, so that only the default 0/0 route is received.

We then established OSPF between the 7206's and the ASA firewall.

We then redistribute the default from 7206's to the ASA via OSPF.

router ospf 1
 default-information originate metric-type 1

The ASA has both defaults, but it's apparently not sending outbound traffic to 7206's in a round-robin fashion that we were hoping for.

Why?

The 7206's and ASA are on the same 161.38.221.0/24 subnet via connected route.

ASA# sh route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 161.38.221.2 to network 0.0.0.0

C    161.38.221.0 255.255.255.0 is directly connected, outside
O*E1 0.0.0.0 0.0.0.0 [110/11] via 161.38.221.2, 7:16:23, outside
                     [110/11] via 161.38.221.3, 7:16:23, outside

ASA# sh route outside 0.0.0.0

Routing entry for 0.0.0.0 0.0.0.0, supernet
  Known via "ospf 1", distance 110, metric 11, candidate default path
  Tag 1, type extern 1
  Last update from 161.38.221.2 on outside, 7:17:46 ago
  Routing Descriptor Blocks:
  * 161.38.221.2, from 10.1.240.230, 7:17:46 ago, via outside
      Route metric is 11, traffic share count is 1
    161.38.221.3, from 10.1.240.231, 7:17:46 ago, via outside
      Route metric is 11, traffic share count is 1

We noticed the 7206 that's sending more traffic has an * next to it.

Does that mean it's the "best default" between the two default routes?

How can we load share in this scenario?

6 Replies

Giuseppe Larosa
Hall of Fame

Hello Kevin,

Other colleagues have reported this limitation of the ASA: it doesn't use two parallel OSPF paths.

As a workaround you could consider using two default static routes pointing to the two next-hops.

This should work.

Hope to help

Giuseppe

nsn-amagruder
Level 5

If you have the NPE-G1/2, connect the spare two GigE interfaces to each other, run BGP between them, accept full or partial routes from your ISP and kill OSPF between the ASA's and 7200's. This will provide you with outbound load sharing and a more efficient path to the destination.

Thank you both for your replies.

I'll give two static defaults a try. Hopefully it'll work.

We already had full routes & iBGP between the two 7206's.

The problem lies between the ASA & the 7206's.

We're running HSRP on the 7206's, and have the ASA point the default to the virtual IP of the HSRP group.

Traffic would always exit through the active HSRP node, which is why we're exploring the option of sending the default from ASA to both 7206's in parallel.

If you receive full routing tables on both BGP routers and have iBGP running between them, all traffic will go to the active HSRP router, but some traffic is guaranteed to go over the interconnected links assuming both ISP's are Tier 1 providers.

If the interconnect is not being used, you could help manually select the path using prepend or another method.

If you put in two defaults, make sure you enable tracking.

It turns out the two default routes received via OSPF were working - since it's flow-based load sharing, at first glance it didn't appear to be working.

According to the link below, ECMP isn't supported across multiple interfaces on ASA's:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1047894

"ECMP is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses."

It actually makes sense, since the same traffic can't traverse different interfaces, otherwise the firewall would think packets are being spoofed.
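An added illustration of the point above (editor's example, not code from the thread or from Cisco): what "flow-based load sharing" over the two next-hops 161.38.221.2 and 161.38.221.3 looks like. The doc quoted above only says the ASA hashes source and destination IP; the SHA-256-based selector here is an assumed stand-in for whatever the ASA actually uses, and the flows are constructed sample data. It shows why every packet of one flow stays on one next-hop (so the stateful firewall never sees a connection split across paths), why a handful of test flows can all land on the same 7206 even though a large population splits roughly 50/50, and a check for the "same interface only" ECMP rule from the quoted doc.

```python
import hashlib
import ipaddress
from collections import Counter

# The two equal-cost OSPF next-hops from the ASA's routing table above.
GATEWAYS = ["161.38.221.2", "161.38.221.3"]


def pick_gateway(src: str, dst: str, gateways=GATEWAYS) -> str:
    """Per-flow ECMP: hash (src, dst) and index the next-hop list.

    Assumption: SHA-256 of the packed addresses stands in for the ASA's
    real hash, which the doc describes only as "hashes the source and
    destination IP addresses". Any deterministic hash gives the same
    qualitative behaviour: one flow -> one next-hop, always.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(key).digest()
    return gateways[int.from_bytes(digest[:4], "big") % len(gateways)]


def is_flow_stable(src: str, dst: str, packets: int = 1000) -> bool:
    """Every packet of a flow must pick the same gateway; a stateful
    firewall would otherwise see one connection leave two ways."""
    first = pick_gateway(src, dst)
    return all(pick_gateway(src, dst) == first for _ in range(packets))


def distribute(flows) -> Counter:
    """Count how many (src, dst) flows land on each gateway."""
    return Counter(pick_gateway(s, d) for s, d in flows)


def imbalance(flows) -> int:
    """Difference between the busiest and quietest gateway, in flows.
    Small samples are often lopsided; that is the 'at first glance it
    wasn't working' effect."""
    counts = distribute(flows)
    per_gw = [counts.get(gw, 0) for gw in GATEWAYS]
    return max(per_gw) - min(per_gw)


def make_flows(n: int, src_net: str = "10.1.0.0/16",
               dst: str = "198.51.100.10"):
    """Constructed sample: n distinct inside hosts all talking to one
    Internet destination (e.g. everyone hitting the same website)."""
    hosts = ipaddress.ip_network(src_net).hosts()
    return [(str(next(hosts)), dst) for _ in range(n)]


def ecmp_eligible(routes) -> bool:
    """Per the ASA 8.0 doc quoted above, equal-cost next-hops only form an
    ECMP group when they sit on a single interface. `routes` is a list of
    (interface, next_hop) pairs."""
    return len({iface for iface, _ in routes}) == 1


if __name__ == "__main__":
    # A few flows: may well all pick one 7206, which looked like "not working".
    print("3 flows:", dict(distribute(make_flows(3))))
    # Many flows: splits roughly evenly between the two 7206s.
    print("1000 flows:", dict(distribute(make_flows(1000))))
    print("same-interface ECMP ok:",
          ecmp_eligible([("outside", g) for g in GATEWAYS]))
```

Running it with three flows and then a thousand reproduces the thread's experience: the small sample is frequently 3:0 or 2:1, the large one is close to even, and a given (src, dst) pair never moves between gateways, which is exactly what a stateful firewall needs.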

Hello Kevin,

>> It actually makes sense, since the same traffic can't traverse different interfaces, otherwise the firewall would think packets are being spoofed.

Yes it is a firewall first of all.

Nice to know that, even though the ASA's IP routing table shows only one default route entry, you see that per-flow load balancing is in effect.

This can be helpful for other colleagues who may have the same issue.

Hope to help

Giuseppe
