11-26-2011 04:10 AM - edited 03-04-2019 02:24 PM
Hi There
I am trying to get my router up with a load balancing config but unfortunately I can't get connectivity, i.e. clients cannot ping the outside. I think it may be a NAT issue; any help is greatly appreciated.
Thx
Current configuration : 6069 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 101.9
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$jYzP$JHBnIoVQjtjBWV4.vZrUn/
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.xxx.1 192.168.xxx.245
!
ip dhcp pool Icon
network 192.168.xxx.0 255.255.255.0
domain-name iconasset
dns-server 192.168.xxx.37 192.168.xxx.39
default-router 192.168.xxx.1
lease 1 2 1
!
ip dhcp pool XBox360
host 192.168.xxx.238 255.255.255.0
client-identifier 0100.125a.49c2.1e
client-name GKXBox360
!
!
ip domain name iconasset.com
ip name-server 192.168.xxx.37
ip name-server 192.168.xxx.39
ip ssh port 2001 rotary 1 10
ip ssh version 2
ip sla monitor 1
type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 164.128.xxx.39 source-interface FastEthernet0/0
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 2 life forever start-time now
ip sla monitor 3
type echo protocol ipIcmpEcho 62.2.xxx.158 source-interface FastEthernet0/1
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 3 life forever start-time now
ip sla monitor 4
type echo protocol ipIcmpEcho 62.2.xxx.60 source-interface FastEthernet0/1
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 4 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-3414616334
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3414616334
revocation-check none
rsakeypair TP-self-signed-3414616334
!
!
crypto pki certificate chain TP-self-signed-3414616334
certificate self-signed 01
quit
username gko privilege 15 password 7 056545A5E5F75191F5D40
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability
!
track 10 list boolean or
object 1
object 2
!
track 20 list boolean or
object 3
object 4
!
!
!
!
interface FastEthernet0/0
ip address 212.243.xxx.26 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 62.2.xxx.38 255.255.255.252
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/0/0
duplex full
speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 192.168.xxx.9 255.255.255.0
ip load-sharing per-packet
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10
ip route 0.0.0.0 0.0.0.0 62.2.xxx.37 track 20
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat1 interface FastEthernet0/0 overload
ip nat inside source route-map nat2 interface FastEthernet0/1 overload
!
access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any
snmp-server community Konheiser1 RW 60
snmp-server community public9 RO
snmp-server enable traps tty
!
route-map nat2 permit 10
match ip address 150
match interface FastEthernet0/1
!
route-map nat1 permit 10
match ip address 150
match interface FastEthernet0/0
!
route-map isp2 permit 10
match interface FastEthernet0/1
!
route-map isp1 permit 10
match interface FastEthernet0/0
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
12-06-2011 09:55 AM
Hi Rick
If I understand you correctly then this should be the complete route config,
ip route 0.0.0.0 0.0.0.0 212.243.229.25 track 10
ip route 0.0.0.0 0.0.0.0 62.2.48.37 track 20
ip route 62.2.17.60 255.255.255.255 FastEthernet0/1 62.2.48.37 permanent
ip route 62.2.24.158 255.255.255.255 FastEthernet0/1 62.2.48.37 permanent
ip route 164.128.36.34 255.255.255.255 FastEthernet0/0 212.243.229.25 permanent
ip route 164.128.76.39 255.255.255.255 FastEthernet0/0 212.243.229.25 permanent
Or am I being stupid and missing something?
Here are the results from show ip int stat, show ip route, ping to 8.8.8.8 and show ip sla mon stat.
101.9#show ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 212.243.229.26 YES NVRAM up up
FastEthernet0/1 62.2.48.38 YES NVRAM up up
FastEthernet0/0/0 unassigned YES unset up up
FastEthernet0/0/1 unassigned YES unset up down
FastEthernet0/0/2 unassigned YES unset up down
FastEthernet0/0/3 unassigned YES unset up down
Vlan1 192.168.101.9 YES NVRAM up up
NVI0 unassigned NO unset up up
101.9#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 212.243.229.25 to network 0.0.0.0
212.243.229.0/29 is subnetted, 1 subnets
C 212.243.229.24 is directly connected, FastEthernet0/0
62.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 62.2.17.60/32 [1/0] via 62.2.48.37, FastEthernet0/1
C 62.2.48.36/30 is directly connected, FastEthernet0/1
S 62.2.24.158/32 [1/0] via 62.2.48.37, FastEthernet0/1
164.128.0.0/32 is subnetted, 2 subnets
S 164.128.36.34 [1/0] via 212.243.229.25, FastEthernet0/0
S 164.128.76.39 [1/0] via 212.243.229.25, FastEthernet0/0
C 192.168.101.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 212.243.229.25
[1/0] via 62.2.48.37
101.9#
101.9#ping www.web.de
Translating "www.web.de"...domain server (192.168.101.37) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.165.64.75, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
101.9#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
101.9#show ip sla mon stat
Round trip time (RTT) Index 1
Latest RTT: 1 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 204
Number of failures: 0
Operation time to live: Forever
Round trip time (RTT) Index 2
Latest RTT: 4 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 204
Number of failures: 0
Operation time to live: Forever
Round trip time (RTT) Index 3
Latest RTT: 15 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 18
Number of failures: 187
Operation time to live: Forever
Round trip time (RTT) Index 4
Latest RTT: 11 ms
Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011
Latest operation return code: OK
Number of successes: 18
Number of failures: 187
Operation time to live: Forever
101.9#
Regards
Gordon
12-10-2011 10:22 AM
Gordon
Thanks for the additional information. Just to be sure that I am understanding correctly, if you shut down one (either one) of the ISP connections then these pings work ok?
Would you try a traceroute to these destinations? Perhaps that might shed a little light on what is going on.
HTH
Rick
12-12-2011 10:58 PM
Morning Rick
Yes you understand correctly, If I shutdown either one of the ISP connections then all pings work. Here is the result of a traceroute to 8.8.8.8 when both ISPs are connected and the ping to 8.8.8.8 doesn't respond. It looks like the ping can get there but not back?
101.9#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (8.8.8.8)
1 212.243.xxx.25 0 msec * 0 msec
2 *
i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) 0 msec *
3 i79zhb-000-vla50.bb.ip-plus.net (138.187.152.129) 0 msec * 0 msec
4 *
i79zhb-025-ten0-5-0-9.bb.ip-plus.net (138.187.129.61) 8 msec *
5 i79inx-015-ae2.bb.ip-plus.net (138.187.130.110) 0 msec * 0 msec
6 *
72.14.222.46 0 msec *
7 72.14.232.88 8 msec * 8 msec
8 *
72.14.236.68 8 msec *
9 209.85.254.114 8 msec *
209.85.254.116 8 msec
10 * * *
11 google-public-dns-a.google.com (8.8.8.8) 8 msec * 8 msec
101.9#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (8.8.8.8)
1 *
212.243.xxx.25 0 msec *
2 i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) 0 msec * 0 msec
3 *
i79zhb-000-vla50.bb.ip-plus.net (138.187.152.129) 0 msec *
4 i79zhb-025-ten0-5-0-9.bb.ip-plus.net (138.187.129.61) 4 msec * 8 msec
5 *
i79inx-015-ae2.bb.ip-plus.net (138.187.130.110) 4 msec *
6 72.14.222.46 0 msec * 0 msec
7 *
72.14.232.88 8 msec *
8 72.14.236.68 8 msec * 52 msec
9 *
209.85.254.116 8 msec *
10 * * *
11 *
google-public-dns-a.google.com (8.8.8.8) 8 msec *
101.9#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
101.9#
What I have noticed is strange: when I run a traceroute to 8.8.8.8 with a source of f0/1, the ISP with IP 62.2.xxx.227, the first hop is the other ISP's gateway, 212.243.xxx.25. I can see that this would be a problem as the ISP would block the ping through its gateway from a source it doesn't recognize. How can I prevent this?
101.9#traceroute 8.8.8.8 source f0/1
Type escape sequence to abort.
Tracing the route to google-public-dns-a.google.com (8.8.8.8)
1 *
212.243.xxx.25 4 msec *
2 i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) !A
217-168-57-105.static.cablecom.ch (217.168.57.105) 8 msec *
Thanks
Gordon
12-12-2011 11:17 PM
Is it a must for you to track availability of 2 IPs for each ISP? If not, you may try just to ping 1 single IP and add default routes using track 1 - 4, without track 10 or 20. Another suggestion is to try to track one single ISP. For the other ISP just add in default routing without the track command.
12-13-2011 05:55 AM
Gordon
I am wondering if the problem could somehow be asymmetric paths when both ISPs are up.
And I just went back and re-read the config that you showed in the original post. I notice that you are specifying load share per packet. I would suggest taking that out and see what happens.
HTH
Rick
12-13-2011 07:04 AM
Hi Rick
I think the asymmetric paths could be the problem as they are two different ISPs. How can I ensure this doesn't happen?
Also I removed the Per packet load sharing a while ago.
Regards
Gordon
12-13-2011 10:04 AM
Gordon
While I think about what might be causing this issue I have something that I would like you to try. Instead of testing from the router itself, would you try testing from a PC which is connected in VLAN 1 and which is configured to have this router as its default gateway?
HTH
Rick
12-14-2011 12:05 AM
Hi Rick
OK, very strange. With both WAN interfaces up and all SLA monitors responding, I am unable to ping or traceroute 8.8.8.8 from the router or a client PC. However, if I pick a new address, www.web.de which is 213.165.64.75, I can ping and traceroute from the client but not from the router?
If I then do a Clear IP Translation *, then I can ping 8.8.8.8 from the client but not from the router.
Regards
Gordon
12-15-2011 12:53 PM
Gordon
I still do not have a clear understanding of what the problem is but it certainly seems to be related to the address translation that the router is doing.
One of my theories is that the problem you have with the router accessing things may be related to the fact that you would translate traffic for users but are not translating traffic if the source address is the router itself. So I would suggest making a change that would look something like this:
!
access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any
access-list 150 permit ip host 212.243.xxx.26 any
!
access-list 160 permit ip 192.168.xxx.0 0.0.0.255 any
access-list 160 permit ip host 62.2.xxx.38 any
!
route-map nat2 permit 10
match ip address 150
match interface FastEthernet0/1
!
route-map nat1 permit 10
match ip address 160
match interface FastEthernet0/0
!
I have another theory that perhaps the problem is that the router has built a translation for an address when it goes out one address but if the router then sends traffic from that address out the other interface then perhaps it gets confused. So can you confirm that ip cef is enabled on the router and that cef is using the per destination load balancing method?
HTH
Rick
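A toy model, added here and not taken from the thread or from IOS, of the two theories Rick raises: a flow's NAT entry stays pinned to the outside address picked for its first packet, so per-packet load sharing pushes packets out the other ISP carrying the wrong source, and untranslated router-sourced traffic has the same problem unless the ACLs also cover the interface addresses. It assumes each ISP drops ingress packets not sourced from its own block; the addresses are constructed from the thread's masked prefixes (xxx replaced by 0) and the LAN host 192.168.0.50 is made up.

```python
"""Toy model of the dual-ISP NAT in this thread (added example, not the
poster's config or IOS code). Simplifying assumptions: a flow's NAT entry is
pinned to the outside address chosen for its first packet, and each ISP drops
ingress packets sourced outside its own block. Masked 'xxx' octets -> 0."""
import zlib

IFACES = ["Fa0/0", "Fa0/1"]                               # Fa0/0 -> ISP1, Fa0/1 -> ISP2
OUTSIDE = {"Fa0/0": "212.243.0.26", "Fa0/1": "62.2.0.38"}  # constructed from thread
ISP_ACCEPTS = {"Fa0/0": "212.243.", "Fa0/1": "62.2."}      # ISP anti-spoofing filter
INSIDE = "192.168.0."                                      # access-list 150 subnet
# Sources each route-map translates: ACL 150 on both (original) versus Rick's
# proposal, where each interface also translates the OTHER interface's address.
ORIGINAL_NAT = {"Fa0/0": [INSIDE], "Fa0/1": [INSIDE]}
RICK_NAT = {"Fa0/0": [INSIDE, OUTSIDE["Fa0/1"]], "Fa0/1": [INSIDE, OUTSIDE["Fa0/0"]]}

class Router:
    def __init__(self, per_packet, nat_match=ORIGINAL_NAT):
        self.per_packet, self.nat_match = per_packet, nat_match
        self.counter, self.xlate = 0, {}              # xlate: (src, dst) -> outside addr

    def egress(self, src, dst):
        if self.per_packet:                            # alternate over the two defaults
            self.counter += 1
            return IFACES[(self.counter - 1) % 2]
        # per-destination CEF: a flow hash keeps every packet of a flow on one path
        return IFACES[zlib.crc32(f"{src}|{dst}".encode()) % 2]

    def forward(self, src, dst):
        """Return (egress iface, source address the ISP sees, accepted by ISP?)."""
        iface = self.egress(src, dst)
        if any(src.startswith(p) for p in self.nat_match[iface]):
            # first packet of the flow builds the entry; later packets reuse it
            outside = self.xlate.setdefault((src, dst), OUTSIDE[iface])
        else:
            outside = src                               # not in the NAT ACL: untranslated
        return iface, outside, outside.startswith(ISP_ACCEPTS[iface])

def ping(router, src, dst="8.8.8.8", count=5):
    """How many of `count` echo requests the upstream ISP lets through."""
    return sum(router.forward(src, dst)[2] for _ in range(count))

if __name__ == "__main__":
    lan, rtr = "192.168.0.50", OUTSIDE["Fa0/0"]        # constructed LAN host; router
    print("per-packet, LAN host:", ping(Router(True), lan), "/5")
    print("per-destination, LAN host:", ping(Router(False), lan), "/5")
    print("per-destination, router's own Fa0/0 address:", ping(Router(False), rtr), "/5")
    print("same, with Rick's ACL 150/160:", ping(Router(False, RICK_NAT), rtr), "/5")
```

With the original ACLs and per-destination hashing, router-sourced pings either all pass or all fail depending on which ISP the flow hashes to, which matches the all-or-nothing 0/5 seen in the thread; LAN hosts always pass because their entry and egress agree.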