Problem with load balance config

gkonheiser (Level 1)

Hi There

I am trying to get my router up with a load balancing config but unfortunately I can't get connectivity, i.e. clients cannot ping the outside. I think it may be a NAT issue; any help is greatly appreciated.

Thx

Current configuration : 6069 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 101.9
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$jYzP$JHBnIoVQjtjBWV4.vZrUn/
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.xxx.1 192.168.xxx.245
!
ip dhcp pool Icon
   network 192.168.xxx.0 255.255.255.0
   domain-name iconasset
   dns-server 192.168.xxx.37 192.168.xxx.39
   default-router 192.168.xxx.1
   lease 1 2 1
!
ip dhcp pool XBox360
   host 192.168.xxx.238 255.255.255.0
   client-identifier 0100.125a.49c2.1e
   client-name GKXBox360
!
!
ip domain name iconasset.com
ip name-server 192.168.xxx.37
ip name-server 192.168.xxx.39
ip ssh port 2001 rotary 1 10
ip ssh version 2
ip sla monitor 1
 type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0
 timeout 1000
 threshold 250
 frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 164.128.xxx.39 source-interface FastEthernet0/0
 timeout 1000
 threshold 250
 frequency 10
ip sla monitor schedule 2 life forever start-time now
ip sla monitor 3
 type echo protocol ipIcmpEcho 62.2.xxx.158 source-interface FastEthernet0/1
 timeout 1000
 threshold 250
 frequency 10
ip sla monitor schedule 3 life forever start-time now
ip sla monitor 4
 type echo protocol ipIcmpEcho 62.2.xxx.60 source-interface FastEthernet0/1
 timeout 1000
 threshold 250
 frequency 10
ip sla monitor schedule 4 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-3414616334
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3414616334
 revocation-check none
 rsakeypair TP-self-signed-3414616334
!
!
crypto pki certificate chain TP-self-signed-3414616334
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343134 36313633 3334301E 170D3131 31313236 31303131
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34313436
  31363333 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AFAE 2609F7FE 6C4B2947 F73A61FF 429C0AA4 7C789F44 0DDB2043 A0AD4F0D
  C21AE526 A70C1005 D0785E81 ACE289E7 C5E865F6 969CF17B 7DA8B230 422586E4
  4C368A02 09006E23 02A81A36 F5335411 18CBFB78 5FA217B0 9E378FD5 507598EC
  789F8EEB B6F160B7 C0344D5F 8968A8B3 CB6645C8 26CBA7D5 1D7BEDFF 8405AB44
  252B0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 13313031 2E392E69 636F6E61 73736574 2E636F6D 301F0603
  551D2304 18301680 14F22A7A 45A3608F C67EC41E F4148BC3 DE98F9DB 13301D06
  03551D0E 04160414 F22A7A45 A3608FC6 7EC41EF4 148BC3DE 98F9DB13 300D0609
  2A864886 F70D0101 04050003 8181009B DE247294 62BED5FC F48BE051 9AFCC30F
  1ADD4A93 71B5AF0A 1AEDFD27 43538917 5B033F15 AD46AC82 A824A06E 48C18F80
  9DDA4B63 CB9B5659 9846FB13 AECBE37F A5B4BDB7 326E8277 6E392D78 56F34A16
  3B1DD4DE EA17967F A33664B9 88FF5469 1E0E13E0 3E14C1AB DEF74ECD 5F659914
  A8DE7009 3A75B571 5CFAEE5A 12238D
  quit
username gko privilege 15 password 7 056545A5E5F75191F5D40
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability
!
track 10 list boolean or
 object 1
 object 2
!
track 20 list boolean or
 object 3
 object 4
!
!
!
!
interface FastEthernet0/0
 ip address 212.243.xxx.26 255.255.255.248
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 62.2.xxx.38 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/0/0
 duplex full
 speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 192.168.xxx.9 255.255.255.0
 ip load-sharing per-packet
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10
ip route 0.0.0.0 0.0.0.0 62.2.xxx.37 track 20
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat1 interface FastEthernet0/0 overload
ip nat inside source route-map nat2 interface FastEthernet0/1 overload
!
access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any
snmp-server community Konheiser1 RW 60
snmp-server community public9 RO
snmp-server enable traps tty
!
route-map nat2 permit 10
 match ip address 150
 match interface FastEthernet0/1
!
route-map nat1 permit 10
 match ip address 150
 match interface FastEthernet0/0
!
route-map isp2 permit 10
 match interface FastEthernet0/1
!
route-map isp1 permit 10
 match interface FastEthernet0/0
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

23 Replies

Hi Rick

If I understand you correctly then this should be the complete route config:

ip route 0.0.0.0 0.0.0.0 212.243.229.25 track 10
ip route 0.0.0.0 0.0.0.0 62.2.48.37 track 20
ip route 62.2.17.60 255.255.255.255 FastEthernet0/1 62.2.48.37 permanent
ip route 62.2.24.158 255.255.255.255 FastEthernet0/1 62.2.48.37 permanent
ip route 164.128.36.34 255.255.255.255 FastEthernet0/0 212.243.229.25 permanent
ip route 164.128.76.39 255.255.255.255 FastEthernet0/0 212.243.229.25 permanent

Or am I being stupid and missing something?

Here are the results from show ip int stat, show ip route, ping to 8.8.8.8 and show ip sla mon stat:

101.9#show ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            212.243.229.26  YES NVRAM  up                    up
FastEthernet0/1            62.2.48.38      YES NVRAM  up                    up
FastEthernet0/0/0          unassigned      YES unset  up                    up
FastEthernet0/0/1          unassigned      YES unset  up                    down
FastEthernet0/0/2          unassigned      YES unset  up                    down
FastEthernet0/0/3          unassigned      YES unset  up                    down
Vlan1                      192.168.101.9   YES NVRAM  up                    up
NVI0                       unassigned      NO  unset  up                    up

101.9#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 212.243.229.25 to network 0.0.0.0

     212.243.229.0/29 is subnetted, 1 subnets
C       212.243.229.24 is directly connected, FastEthernet0/0
     62.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S       62.2.17.60/32 [1/0] via 62.2.48.37, FastEthernet0/1
C       62.2.48.36/30 is directly connected, FastEthernet0/1
S       62.2.24.158/32 [1/0] via 62.2.48.37, FastEthernet0/1
     164.128.0.0/32 is subnetted, 2 subnets
S       164.128.36.34 [1/0] via 212.243.229.25, FastEthernet0/0
S       164.128.76.39 [1/0] via 212.243.229.25, FastEthernet0/0
C    192.168.101.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 212.243.229.25
               [1/0] via 62.2.48.37
101.9#

101.9#ping www.web.de
Translating "www.web.de"...domain server (192.168.101.37) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.165.64.75, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

101.9#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

101.9#show ip sla mon stat
Round trip time (RTT)   Index 1
        Latest RTT: 1 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 204
Number of failures: 0
Operation time to live: Forever

Round trip time (RTT)   Index 2
        Latest RTT: 4 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 204
Number of failures: 0
Operation time to live: Forever

Round trip time (RTT)   Index 3
        Latest RTT: 15 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 18
Number of failures: 187
Operation time to live: Forever

Round trip time (RTT)   Index 4
        Latest RTT: 11 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 18
Number of failures: 187
Operation time to live: Forever
101.9#

Regards

Gordon
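The `show ip sla mon stat` output above is the input a defender would want to check automatically: probes 3 and 4 report a latest return code of OK (so `track 3`/`track 4` are up and the F0/1 default route stays installed) while they have failed 187 of 205 operations. The following is an added example, not code from the thread or from Cisco: a parser for that output plus a model of the `track 10` / `track 20 list boolean or` lists from the original config. The sample text is the thread's own output trimmed to the fields used; the function names, the loss threshold and the "reachability is up when the latest return code is OK" rule are this example's assumptions.

```python
"""Parse `show ip sla monitor statistics` and evaluate boolean-or track lists.

Added example (assumption): a simplified reading of the output, not IOS code.
"""
import re

# Constructed sample: the four probes shown in the thread, trimmed to the
# lines this parser uses.
SAMPLE = """\
Round trip time (RTT)   Index 1
        Latest RTT: 1 ms
Latest operation return code: OK
Number of successes: 204
Number of failures: 0
Round trip time (RTT)   Index 2
        Latest RTT: 4 ms
Latest operation return code: OK
Number of successes: 204
Number of failures: 0
Round trip time (RTT)   Index 3
        Latest RTT: 15 ms
Latest operation return code: OK
Number of successes: 18
Number of failures: 187
Round trip time (RTT)   Index 4
        Latest RTT: 11 ms
Latest operation return code: OK
Number of successes: 18
Number of failures: 187
"""

# From the thread's config: `track <id> rtr <sla index> reachability`
TRACK_RTR = {1: 1, 2: 2, 3: 3, 4: 4}
# `track <id> list boolean or` with its `object` members
TRACK_LISTS = {10: [1, 2], 20: [3, 4]}

_FIELDS = {
    "rtt_ms": re.compile(r"Latest RTT:\s*(\d+)\s*ms"),
    "return_code": re.compile(r"return code:\s*(\S+)"),
    "successes": re.compile(r"Number of successes:\s*(\d+)"),
    "failures": re.compile(r"Number of failures:\s*(\d+)"),
}


def parse_sla_stats(text):
    """Return {sla index: {rtt_ms, return_code, successes, failures}}."""
    probes = {}
    current = None
    for line in text.splitlines():
        m = re.search(r"\bIndex\s+(\d+)", line)
        if m:
            current = int(m.group(1))
            probes[current] = {"rtt_ms": None, "return_code": None,
                               "successes": 0, "failures": 0}
            continue
        if current is None:
            continue
        for key, pattern in _FIELDS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1)
                probes[current][key] = value if key == "return_code" else int(value)
                break
    return probes


def loss_ratio(probe):
    """Fraction of failed operations over the probe's lifetime."""
    total = probe["successes"] + probe["failures"]
    return probe["failures"] / total if total else 0.0


def evaluate_tracks(probes, max_loss=0.2):
    """State of each boolean-or list, plus members that are 'up' but lossy.

    Assumption: a reachability track is up when the probe's latest return
    code is OK; a boolean-or list is up when any member is up.
    """
    obj_up = {t: probes[i]["return_code"] == "OK" for t, i in TRACK_RTR.items()}
    result = {}
    for list_id, members in TRACK_LISTS.items():
        state = "up" if any(obj_up[m] for m in members) else "down"
        lossy = [m for m in members if loss_ratio(probes[TRACK_RTR[m]]) > max_loss]
        result[list_id] = {"state": state,
                           "members_up": {m: obj_up[m] for m in members},
                           "lossy": lossy}
    return result


if __name__ == "__main__":
    stats = parse_sla_stats(SAMPLE)
    for list_id, info in evaluate_tracks(stats).items():
        print(f"track {list_id}: {info['state']}, lossy members: {info['lossy']}")
```

Running it reports both lists as up and flags tracks 3 and 4 as lossy, which is the gap between "the route is installed" and "the path actually works" that the rest of the thread is chasing; alerting on the loss ratio rather than on the track state alone catches that.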

Gordon

Thanks for the additional information. Just to be sure that I am understanding correctly, if you shut down one (either one) of the ISP connections then these pings work ok?

Would you try a traceroute to these destinations? Perhaps that might shed a little light on what is going on.

HTH

Rick

Morning Rick

Yes, you understand correctly: if I shut down either one of the ISP connections then all pings work. Here is the result of a traceroute to 8.8.8.8 when both ISPs are connected and the ping to 8.8.8.8 doesn't respond. It looks like the ping can get there but not back?

101.9#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (8.8.8.8)

  1 212.243.xxx.25 0 msec *  0 msec
  2  *
    i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) 0 msec *
  3 i79zhb-000-vla50.bb.ip-plus.net (138.187.152.129) 0 msec *  0 msec
  4  *
    i79zhb-025-ten0-5-0-9.bb.ip-plus.net (138.187.129.61) 8 msec *
  5 i79inx-015-ae2.bb.ip-plus.net (138.187.130.110) 0 msec *  0 msec
  6  *
    72.14.222.46 0 msec *
  7 72.14.232.88 8 msec *  8 msec
  8  *
    72.14.236.68 8 msec *
  9 209.85.254.114 8 msec *
    209.85.254.116 8 msec
 10  *  *  *
 11 google-public-dns-a.google.com (8.8.8.8) 8 msec *  8 msec

101.9#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (8.8.8.8)

  1  *
    212.243.xxx.25 0 msec *
  2 i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) 0 msec *  0 msec
  3  *
    i79zhb-000-vla50.bb.ip-plus.net (138.187.152.129) 0 msec *
  4 i79zhb-025-ten0-5-0-9.bb.ip-plus.net (138.187.129.61) 4 msec *  8 msec
  5  *
    i79inx-015-ae2.bb.ip-plus.net (138.187.130.110) 4 msec *
  6 72.14.222.46 0 msec *  0 msec
  7  *
    72.14.232.88 8 msec *
  8 72.14.236.68 8 msec *  52 msec
  9  *
    209.85.254.116 8 msec *
 10  *  *  *
 11  *
    google-public-dns-a.google.com (8.8.8.8) 8 msec *

101.9#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
101.9#

What I have noticed is strange: when I run a traceroute to 8.8.8.8 with a source of f0/1 (the ISP with IP 62.2.xxx.227), the first hop is the other ISP's gateway, 212.243.xxx.25. I can see that this would be a problem as the ISP would block the ping through its gateway from a source it doesn't recognize. How can I prevent this?

101.9#traceroute 8.8.8.8 source f0/1
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (8.8.8.8)

  1  *
    212.243.xxx.25 4 msec *
  2 i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) !A
    217-168-57-105.static.cablecom.ch (217.168.57.105) 8 msec *

Thanks

Gordon

Is it a must for you to track the availability of 2 IPs for each ISP? If not, you may try just pinging 1 single IP and adding the default routes using track 1 - 4, without track 10 or 20. Another suggestion is to try tracking one single ISP. For the other ISP just add the default route without the track command.

Regards, Nagis

Gordon

I am wondering if the problem could somehow be asymmetric paths when both ISPs are up.

And I just went back and re-read the config that you showed in the original post. I notice that you are specifying load share per packet. I would suggest taking that out and see what happens.

HTH

Rick

Hi Rick

I think the asymmetric paths could be the problem as they are two different ISPs. How can I ensure this doesn't happen?

Also I removed the Per packet load sharing a while ago.

Regards

Gordon

Gordon

While I think about what might be causing this issue I have something that I would like you to try. Instead of testing from the router itself, would you try testing from a PC which is connected in VLAN 1 and which is configured to have this router as its default gateway?

HTH

Rick

Hi Rick

OK, very strange. With both WAN interfaces up and all SLA monitors responding, I am unable to ping or traceroute 8.8.8.8 from the router or a client PC. However, if I pick a new address, www.web.de which is 213.165.64.75, I can ping and traceroute from the client but not from the router?

If I then do a Clear IP Translation * , then I can ping 8.8.8.8 from the client but not from the router.

Regards

Gordon

Gordon

I still do not have a clear understanding of what the problem is but it certainly seems to be related to the address translation that the router is doing.

One of my theories is that the problem you have with the router accessing things may be related to the fact that you would translate traffic for users but are not translating traffic if the source address is the router itself. So I would suggest making a change that would look something like this:

!
access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any
access-list 150 permit ip host 212.243.xxx.26 any
!
access-list 160 permit ip 192.168.xxx.0 0.0.0.255 any
access-list 160 permit ip host 62.2.xxx.38 any
!
route-map nat2 permit 10
 match ip address 150
 match interface FastEthernet0/1
!
route-map nat1 permit 10
 match ip address 160
 match interface FastEthernet0/0
!

I have another theory that perhaps the problem is that the router has built a translation for an address when it goes out one address but if the router then sends traffic from that address out the other interface then perhaps it gets confused. So can you confirm that ip cef is enabled on the router and that cef is using the per destination load balancing method?

HTH

Rick

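As an added example that is not part of the thread and not Cisco code, the following Python toy model reproduces the two failure modes discussed above: a translation that was bound to one exit interface while the packet is now forwarded out the other (Rick's second theory, and what `clear ip nat translation *` resets), and `ip load-sharing per-packet` alternating exits within a single flow. The ISP in the model forwards only packets sourced from the block it assigned, which is the behaviour Gordon inferred from the traceroute sourced from f0/1. The class names, the hash used for exit selection and the ISP acceptance rule are simplifying assumptions of this model, not a description of IOS internals; the addresses are those shown in the thread's `show ip route` output.

```python
"""Toy model of two ECMP default routes with per-interface NAT overload.

Added example (assumption): simplified behaviour chosen to reproduce the
symptoms in the thread, not IOS code.
"""
import zlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Exit interfaces as in the thread (addresses from the `show ip route` output).
# "net" is the block the ISP assigned; in this model it is the only source
# range that ISP forwards, i.e. the drop Gordon saw via the wrong gateway.
ISP = {
    "FastEthernet0/0": {"global": "212.243.229.26", "net": "212.243.229.24/29"},
    "FastEthernet0/1": {"global": "62.2.48.38", "net": "62.2.48.36/30"},
}


@dataclass(frozen=True)
class Flow:
    src: str      # inside local address (a VLAN 1 host)
    dst: str
    dport: int


@dataclass
class Packet:
    src: str      # source after translation
    dst: str
    egress: str


class Router:
    def __init__(self, per_packet=False):
        self.up = sorted(ISP)          # interfaces whose track object is up
        self.per_packet = per_packet   # `ip load-sharing per-packet` on/off
        self.translations = {}         # Flow -> (bound interface, inside global)
        self._rr = 0

    def set_track(self, interface, is_up):
        if is_up and interface not in self.up:
            self.up = sorted(self.up + [interface])
        elif not is_up and interface in self.up:
            self.up.remove(interface)

    def choose_egress(self, flow):
        if self.per_packet:            # alternate exits packet by packet
            self._rr += 1
            return self.up[self._rr % len(self.up)]
        # per-destination: a stable hash over the current ECMP set; the exit
        # can move when a track flaps and the set changes size
        h = zlib.crc32(f"{flow.src}>{flow.dst}".encode())
        return self.up[h % len(self.up)]

    def send(self, flow):
        egress = self.choose_egress(flow)
        if flow not in self.translations:
            # route-map nat1/nat2: ACL 150 and the egress interface matched,
            # so overload to that interface's address and remember the binding
            self.translations[flow] = (egress, ISP[egress]["global"])
        _bound_if, inside_global = self.translations[flow]
        # an existing entry keeps its inside-global address even when the
        # packet now leaves the other interface: the stale-binding case
        return Packet(src=inside_global, dst=flow.dst, egress=egress)

    def clear_translations(self):      # `clear ip nat translation *`
        self.translations.clear()


def isp_accepts(pkt):
    """Model of the upstream drop: source must belong to the link's block."""
    return ip_address(pkt.src) in ip_network(ISP[pkt.egress]["net"])


def flow_hashed_to(router, interface):
    """Pick a VLAN 1 host whose per-destination hash lands on `interface`."""
    for host in range(10, 60):
        f = Flow(f"192.168.101.{host}", "8.8.8.8", 53)
        if router.choose_egress(f) == interface:
            return f
    raise RuntimeError("no candidate flow hashed to the wanted interface")


def stale_binding_scenario():
    """Entry built while ISP2 was down; ISP2 returns; flow breaks until cleared."""
    r = Router()
    flow = flow_hashed_to(r, "FastEthernet0/1")   # chosen with both exits up
    r.set_track("FastEthernet0/1", False)        # F0/0 is the only exit
    first = r.send(flow)                         # bound to 212.243.229.26
    r.set_track("FastEthernet0/1", True)         # set grows, hash moves to F0/1
    second = r.send(flow)                        # leaves F0/1 with ISP1's address
    r.clear_translations()
    third = r.send(flow)                         # fresh entry bound to F0/1
    return [(p.egress, isp_accepts(p)) for p in (first, second, third)]


def per_packet_scenario(packets=4):
    """With per-packet load sharing every other packet leaves the wrong exit."""
    r = Router(per_packet=True)
    flow = Flow("192.168.101.20", "213.165.64.75", 80)
    return sum(isp_accepts(r.send(flow)) for _ in range(packets))


if __name__ == "__main__":
    print("stale binding:", stale_binding_scenario())
    print("per-packet accepted:", per_packet_scenario(), "of 4")
```

The stale-binding scenario returns accepted, dropped, accepted for the three sends: the entry created while only F0/0 was usable survives the return of F0/1, so the flow leaves ISP2's link carrying ISP1's address until the translation table is cleared. The per-packet scenario accepts only half of a flow's packets, which is why removing `ip load-sharing per-packet` is the first thing to check; the model also makes the detection point concrete: compare each translation's bound interface with the interface the destination currently hashes to, rather than waiting for users to report that clearing translations "fixed it".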