Cisco Support Community
New Member

Problem with load balance config

Hi There

I am trying to get my router up with a load balancing config but unfortunately I can't get connectivity, i.e. clients cannot ping the outside. I think it may be a NAT issue, any help is greatly appreciated.

Thx

Current configuration : 6069 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 101.9

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 $1$jYzP$JHBnIoVQjtjBWV4.vZrUn/

!

no aaa new-model

ip cef

!

!

no ip dhcp use vrf connected

no ip dhcp conflict logging

ip dhcp excluded-address 192.168.xxx.1 192.168.xxx.245

!

ip dhcp pool Icon

   network 192.168.xxx.0 255.255.255.0

   domain-name iconasset

   dns-server 192.168.xxx.37 192.168.xxx.39

   default-router 192.168.xxx.1

   lease 1 2 1

!

ip dhcp pool XBox360

   host 192.168.xxx.238 255.255.255.0

   client-identifier 0100.125a.49c2.1e

   client-name GKXBox360

!

!

ip domain name iconasset.com

ip name-server 192.168.xxx.37

ip name-server 192.168.xxx.39

ip ssh port 2001 rotary 1 10

ip ssh version 2

ip sla monitor 1

type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2

type echo protocol ipIcmpEcho 164.128.xxx.39 source-interface FastEthernet0/0

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 2 life forever start-time now

ip sla monitor 3

type echo protocol ipIcmpEcho 62.2.xxx.158 source-interface FastEthernet0/1

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 3 life forever start-time now

ip sla monitor 4

type echo protocol ipIcmpEcho 62.2.xxx.60 source-interface FastEthernet0/1

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 4 life forever start-time now

!

!

crypto pki trustpoint TP-self-signed-3414616334

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3414616334

revocation-check none

rsakeypair TP-self-signed-3414616334

!

!

crypto pki certificate chain TP-self-signed-3414616334

certificate self-signed 01

  quit

username gko privilege 15 password 7 056545A5E5F75191F5D40

!

!

track 1 rtr 1 reachability

!

track 2 rtr 2 reachability

!

track 3 rtr 3 reachability

!

track 4 rtr 4 reachability

!

track 10 list boolean or

object 1

object 2

!

track 20 list boolean or

object 3

object 4

!

!

!

!

interface FastEthernet0/0

ip address 212.243.xxx.26 255.255.255.248

ip load-sharing per-packet

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

!

interface FastEthernet0/1

ip address 62.2.xxx.38 255.255.255.252

ip load-sharing per-packet

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

!

interface FastEthernet0/0/0

duplex full

speed 100

!

interface FastEthernet0/0/1

!

interface FastEthernet0/0/2

!

interface FastEthernet0/0/3

!

interface Vlan1

ip address 192.168.xxx.9 255.255.255.0

ip load-sharing per-packet

ip nat inside

ip virtual-reassembly

!

ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10

ip route 0.0.0.0 0.0.0.0 62.2.xxx.37 track 20

!

!

ip http server

ip http authentication local

ip http secure-server

ip http secure-port 4443

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map nat1 interface FastEthernet0/0 overload

ip nat inside source route-map nat2 interface FastEthernet0/1 overload

!

access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any

snmp-server community Konheiser1 RW 60

snmp-server community public9 RO

snmp-server enable traps tty

!

route-map nat2 permit 10

match ip address 150

match interface FastEthernet0/1

!

route-map nat1 permit 10

match ip address 150

match interface FastEthernet0/0

!

route-map isp2 permit 10

match interface FastEthernet0/1

!

route-map isp1 permit 10

match interface FastEthernet0/0

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

login

!

scheduler allocate 20000 1000

end

23 REPLIES
Cisco Employee

Re: Problem with load balance config

There are a couple of things that you should check.

Why do you have a match interface statement in your NAT route map? It should have only the access-list statement as the source of the packets.

Second, for the load balancing to work, you need to enable the "ip cef load-balance" global command. Also, I would let the router load-balance on a per-destination basis vs. per packet, as it will introduce asymmetric routing behaviour and application issues.

I would take the ip load-balance per packet statement off the interface vlan 1.

I hope that you have the correct gateway defined on your hosts sitting behind this router to .9, the interface ip of vlan 1.

Sent from Cisco Technical Support iPad App

New Member

Problem with load balance config

Thanks for your help. When I issue the command ip load-sharing per-destination on the interfaces it appears to go in correctly, but when I do a show run it is not in the config. Also, the only global command that I can find is ip cef load-sharing algorithm original, which also does not appear in the config once I have issued it??

Regards

Gordon

Hall of Fame Super Gold

Re: Problem with load balance config

The configuration for NAT is correct. I do not agree with my colleague Amit about the match interface in the route map. This is the correct implementation when the same source traffic goes out 2 interfaces and needs to be translated differently on each interface.

I do agree with Amit in suggesting that you remove the per packet load share. It is likely to cause problems for applications running over the network.

I believe that the fundamental problem is that the DHCP assignment says the default router is .1 but the router interface is .9. Fix this and I believe that client traffic will work.

HTH

Rick

Sent from Cisco Technical Support iPhone App

Hall of Fame Super Gold

Re: Problem with load balance config

You are setting those commands to their default value and that is the reason that they do not show up in the config. This is not a problem.

HTH

Rick

Sent from Cisco Technical Support iPhone App

New Member

Re: Problem with load balance config

Hi There

My clients have their IPs manually configured with .9 as their gateways. The .1 route for the DHCP clients is another route out.

I am testing config directly from the router. If I have,

ip route 0.0.0.0 0.0.0.0 212.243.xxx.25

without the track then I am able to ping outside, and when I do a SHOW IP SLA MONITOR STAT I can see that both the monitors are up for this interface. However when I use

ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10

I am only able to ping as far as my Gateway, 212.243.xxx.25, but no further and obviously SHOW IP SLA MONITOR STAT reports both monitors down.

Can't figure out why, any ideas? Thanks again.

Re: Problem with load balance config

Hi Gordon

without the track then I am able to ping outside, and when I do a SHOW IP SLA MONITOR STAT I can see that both the monitors are up for this interface. However when I use

ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10

I am only able to ping as far as my Gateway, 212.243.xxx.25, but no further and obviously SHOW IP SLA MONITOR STAT reports both monitors down.

Both monitors show down because you are not able to ping those public IP addresses and the track object removes the static routes from the routing table. Once you remove the track object they get reinstated and hence you are able to ping outside.

You might want to try and use some DNS servers in the public space which are up most of the time, or you can try and set up IPSLA to ping the public DNS server of your ISP. But tracking both the interfaces you are sort of taking a risk. Normally, these tracking conditions are used in a primary/backup scenario where, when you lose the primary link, the router uses the floating static route (backup static route).

HTH

Kishore

New Member

Re: Problem with load balance config

Could there be a problem with the fact that I am using the sequence number 10 in two statements,

route-map nat2 permit 10

and also,

track 10 list boolean

That is probably a stupid thing to say, I am just grasping at straws at this point.

Hall of Fame Super Gold

Re: Problem with load balance config

Gordon

Thanks for the clarification and the additional information. The problem is certainly not that you are using 10 in multiple places.

I believe that I do see the problem and it is related to the track function. Let us look at the first one that you configure:

type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0

So it is going to try to ping to 164.128.x.34. But does it know how to get to that address, other than through the static default route which is using track? It looks to me like it does not. As a test, when you have the configuration using tracking try to manually ping to those addresses. I suspect that your ping will fail. And if the ping fails then the static default route is withdrawn from the routing table.

I suggest that you configure a static host route for each of the track destinations that might look something like this

ip route 164.128.x.34 255.255.255.255 fastethernet0/0 212.243.x.25

Give that a try and let us know how it works.

HTH

Rick
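The dependency Rick describes above, as an added example that is not part of the original thread: a small Python model of tracked default routes whose SLA probes can only reach their targets through those same routes. The addresses are constructed documentation-range stand-ins for the masked ones, `lookup` and `settle` are hypothetical names, and the model assumes a probe succeeds whenever the routing table yields a next hop whose ISP link is up.

```python
import ipaddress

# Constructed values: documentation-range addresses stand in for the masked
# ones in the thread. Probe ids and track ids mirror the posted config.
ISP1_GW, ISP2_GW = "198.51.100.25", "203.0.113.37"
PROBE_TARGETS = {1: "192.0.2.34", 2: "192.0.2.39",
                 3: "192.0.2.158", 4: "192.0.2.60"}
TRACK_LISTS = {10: (1, 2), 20: (3, 4)}      # "track N list boolean or"
ALL_DOWN = {10: False, 20: False}
ALL_UP = {10: True, 20: True}
BOTH_LINKS = frozenset({ISP1_GW, ISP2_GW})

# A route is (prefix, next hop, track id or None for an untracked route).
TRACKED_DEFAULTS = [("0.0.0.0/0", ISP1_GW, 10), ("0.0.0.0/0", ISP2_GW, 20)]
HOST_ROUTES = [
    (PROBE_TARGETS[1] + "/32", ISP1_GW, None),
    (PROBE_TARGETS[2] + "/32", ISP1_GW, None),
    (PROBE_TARGETS[3] + "/32", ISP2_GW, None),
    (PROBE_TARGETS[4] + "/32", ISP2_GW, None),
]


def lookup(routes, track_up, dst):
    """Longest-prefix match over routes whose track object (if any) is up.

    Simplification: with two equal-cost defaults the first one listed wins;
    a real router would load-share between them.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, track in routes:
        if track is not None and not track_up[track]:
            continue                      # withdrawn from the routing table
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def settle(routes, links_up, track_up):
    """Re-run probes and re-evaluate the track lists until nothing changes."""
    state = dict(track_up)
    for _ in range(10):
        # A probe needs a usable route to its target and a live ISP link.
        probe_ok = {pid: lookup(routes, state, target) in links_up
                    for pid, target in PROBE_TARGETS.items()}
        new_state = {tid: any(probe_ok[p] for p in members)
                     for tid, members in TRACK_LISTS.items()}
        if new_state == state:
            break
        state = new_state
    return state


def outage_then_recovery(routes):
    """Start healthy, lose both links briefly, then restore them."""
    state = settle(routes, BOTH_LINKS, ALL_UP)
    state = settle(routes, frozenset(), state)     # transient outage
    return settle(routes, BOTH_LINKS, state)       # links are back


if __name__ == "__main__":
    fixed = TRACKED_DEFAULTS + HOST_ROUTES
    print("tracked defaults only, cold start:",
          settle(TRACKED_DEFAULTS, BOTH_LINKS, ALL_DOWN))
    print("tracked defaults only, after outage:",
          outage_then_recovery(TRACKED_DEFAULTS))
    print("with host routes, cold start:",
          settle(fixed, BOTH_LINKS, ALL_DOWN))
    print("with host routes, after outage:", outage_then_recovery(fixed))
    print("with host routes, ISP2 down:",
          settle(fixed, frozenset({ISP1_GW}), ALL_DOWN))
```

With only the tracked defaults, the track objects stay down after any outage because the probes have no route left to use; the untracked host routes break that loop and also keep each probe on its own ISP.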

New Member

Re: Problem with load balance config

Hi Rick

That was exactly correct, once I had the static routes in place the trackers responded OK.

Unfortunately now I have a different problem in that when I have just one ISP ( F 0/0 ) up then I am able to ping the internet. When I have both ISPs up ( F 0/0 and F 0/1 ) I am unable to ping the internet.

I am thinking it is a NAT issue but not sure. 

Thanks

Gordon

Hall of Fame Super Gold

Problem with load balance config

Gordon

I am glad that my suggestion helped you to fix the problem with tracking. I am not sure what this new symptom is about. If you do have Internet connectivity with one ISP up then I would assume that NAT is working ok. And it would appear that somehow the second ISP being up interferes with the first ISP.

Here are a couple of things to check. With both ISPs up check the output of show ip interface brief. Are all the interfaces in the up/up state? Then check the output of show ip route. Are the expected routes in the routing table? And if neither of these show any issue then it may be helpful to post the updated config of the router so we can see it with the changes that you have made.

HTH

Rick

New Member

Re: Problem with load balance config

Morning Rick

With both ISPs connected I get up/up from show ip int brief. On doing show ip route I get :-

Gateway of last resort is 212.243.229.25 to network 0.0.0.0

     212.243.229.0/29 is subnetted, 1 subnets

C       212.243.229.24 is directly connected, FastEthernet0/0

     62.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

S       62.2.17.60/32 [1/0] via 62.2.48.37

C       62.2.48.36/30 is directly connected, FastEthernet0/1

S       62.2.24.158/32 [1/0] via 62.2.48.37

     164.128.0.0/32 is subnetted, 2 subnets

S       164.128.36.34 [1/0] via 212.243.229.25

S       164.128.76.39 [1/0] via 212.243.229.25

C    192.168.101.0/24 is directly connected, Vlan1

S*   0.0.0.0/0 [1/0] via 212.243.229.25

               [1/0] via 62.2.48.37

So I can't see anything wrong there??

Here is the config :-

Building configuration...

Current configuration : 7942 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 101.9

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 $1$jYzP$Asx!

no aaa new-model

ip cef

!

!

no ip dhcp use vrf connected

no ip dhcp conflict logging

ip dhcp excluded-address 192.168.xxx.1 192.168.xxx.245

!

ip dhcp pool Icon

   network 192.168.xxx.0 255.255.255.0

   domain-name iconasset

   dns-server 192.168.xxx.37 192.168.xxx.39

   default-router 192.168.xxx.1

   lease 1 2 1

!

!

!

ip domain name iconasset.com

ip name-server 192.168.xxx.37

ip name-server 192.168.xxx.39

ip ssh port 2001 rotary 1 10

ip ssh version 2

ip sla monitor 1

type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2

type echo protocol ipIcmpEcho 164.128.xxx.39 source-interface FastEthernet0/0

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 2 life forever start-time now

ip sla monitor 3

type echo protocol ipIcmpEcho 62.2.xxx.158 source-interface FastEthernet0/1

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 3 life forever start-time now

ip sla monitor 4

type echo protocol ipIcmpEcho 62.2.xxx.60 source-interface FastEthernet0/1

timeout 1000

threshold 250

frequency 10

ip sla monitor schedule 4 life forever start-time now

!

!

crypto pki trustpoint TP-self-signed-3414616334

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3414616334

revocation-check none

rsakeypair TP-self-signed-3414616334

!

!

crypto pki certificate chain TP-self-signed-3414616334

certificate self-signed 01

  quit

username xxxxxxx privilege 15 password 7

!

!

track 1 rtr 1 reachability

!

track 2 rtr 2 reachability

!

track 3 rtr 3 reachability

!

track 4 rtr 4 reachability

!

track 10 list boolean or

object 1

object 2

!

track 20 list boolean or

object 3

object 4

!

!

!

!

interface FastEthernet0/0

ip address 212.243.xxx.26 255.255.255.248

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

!

interface FastEthernet0/1

ip address 62.2.xxx.38 255.255.255.252

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

!

interface FastEthernet0/0/0

duplex full

speed 100

!

interface FastEthernet0/0/1

!

interface FastEthernet0/0/2

!

interface FastEthernet0/0/3

!

interface Vlan1

ip address 192.168.xxx.9 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10

ip route 0.0.0.0 0.0.0.0 62.2.xxx.37 track 20

ip route 62.2.17.60 255.255.255.255 62.2.xxx.37 permanent

ip route 62.2.24.158 255.255.255.255 62.2.xxx.37 permanent

ip route 164.128.36.34 255.255.255.255 212.243.xxx.25 permanent

ip route 164.128.76.39 255.255.255.255 212.243.xxx.25 permanent

!

!

ip http server

ip http authentication local

ip http secure-server

ip http secure-port 4489

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map nat1 interface FastEthernet0/0 overload

ip nat inside source route-map nat2 interface FastEthernet0/1 overload

!

access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any

snmp-server enable traps tty

!

route-map nat2 permit 10

match ip address 150

match interface FastEthernet0/1

!

route-map nat1 permit 10

match ip address 150

match interface FastEthernet0/0

!

route-map isp2 permit 10

match interface FastEthernet0/1

!

route-map isp1 permit 10

match interface FastEthernet0/0

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

login

!

scheduler allocate 20000 1000

end

Hope you can see something. Thanks  

Gordon

Hall of Fame Super Gold

Problem with load balance config

Gordon

I do have a suggestion, though I am not sure that it will fix your most recent issue. My suggestion is to add the outbound interface into the host static routes that I asked you to configure (as I had shown in my post) like this

ip route 62.2.17.60 255.255.255.255 Fast0/1 62.2.xxx.37 permanent

ip route 62.2.24.158 255.255.255.255 Fast0/1 62.2.xxx.37 permanent

ip route 164.128.36.34 255.255.255.255 Fast0/0 212.243.xxx.25 permanent

ip route 164.128.76.39 255.255.255.255 Fast0/0 212.243.xxx.25 permanent

this will make sure that if there is some problem with one ISP that you do not use the path through the other ISP to get to the address that you are tracking.

If you make this change and still have the problem then can you tell me a little more about the problem. When you say you have only the ISP on Fast0/0 and it works, what is happening with Fast0/1? Is it shut down? unplugged? something else?

And what happens if you disable ISP 1 on Fast0/0 and bring up ISP 2 on Fast0/1? Does that work ok?

And when you have problems in ping to the Internet with both ISP active how are you doing the ping? Is it from a PC going through the router or from the router itself? And if from the router is it a simple standard ping or is it an extended ping which allows you to specify the source interface address? And is it a ping to a name or a ping to an IP address? What address?

HTH

Rick

New Member

Re: Problem with load balance config

Hi Rick

I thought that the routes I put in would do the same as your suggestion but I have changed them now to specify the interface and not the IP address.

When I have both ISPs plugged in and up/up and ping from the router with an advanced ping to test both interfaces as the source with a destination of 8.8.8.8 I get no response. If I then issue a shut on either of the interfaces then I am able to ping 8.8.8.8, but when I do show ip sla mon stat it shows all trackers responding.

I hope I covered everything. thanks for taking the time.

Regards

Gordon

Hall of Fame Super Gold

Re: Problem with load balance config

Gordon

You misunderstood what I was suggesting. To specify the interface and not the IP address is not a good change. I was suggesting that you specify both the interface and the next hop address.

To specify the interface and not the IP address may work. But it depends on the next hop device(s) supporting proxy arp. And it makes the router work harder (it greatly increases the amount of arp traffic and increases the amount of memory consumed in the arp table). So please put the IP address back into the static route.

I am quite puzzled about what is causing this problem. With both interfaces up/up perhaps you could post the output of show ip route?

HTH

Rick

New Member

Re: Problem with load balance config

Hi Rick

If I understand you correctly then this should be the complete route config,

ip route 0.0.0.0 0.0.0.0 212.243.229.25 track 10

ip route 0.0.0.0 0.0.0.0 62.2.48.37 track 20

ip route 62.2.17.60 255.255.255.255 FastEthernet0/1 62.2.48.37 permanent

ip route 62.2.24.158 255.255.255.255 FastEthernet0/1 62.2.48.37 permanent

ip route 164.128.36.34 255.255.255.255 FastEthernet0/0 212.243.229.25 permanent

ip route 164.128.76.39 255.255.255.255 FastEthernet0/0 212.243.229.25 permanent

Or am I being stupid and missing something?

Here are the results from show ip int stat, show ip route, ping to 8.8.8.8 and show ip sla mon stat

101.9#show ip int bri

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            212.243.229.26  YES NVRAM  up                    up

FastEthernet0/1            62.2.48.38      YES NVRAM  up                    up

FastEthernet0/0/0          unassigned      YES unset  up                    up

FastEthernet0/0/1          unassigned      YES unset  up                    down

FastEthernet0/0/2          unassigned      YES unset  up                    down

FastEthernet0/0/3          unassigned      YES unset  up                    down

Vlan1                      192.168.101.9   YES NVRAM  up                    up

NVI0                       unassigned      NO  unset  up                    up

101.9#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 212.243.229.25 to network 0.0.0.0

     212.243.229.0/29 is subnetted, 1 subnets

C       212.243.229.24 is directly connected, FastEthernet0/0

     62.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

S       62.2.17.60/32 [1/0] via 62.2.48.37, FastEthernet0/1

C       62.2.48.36/30 is directly connected, FastEthernet0/1

S       62.2.24.158/32 [1/0] via 62.2.48.37, FastEthernet0/1

     164.128.0.0/32 is subnetted, 2 subnets

S       164.128.36.34 [1/0] via 212.243.229.25, FastEthernet0/0

S       164.128.76.39 [1/0] via 212.243.229.25, FastEthernet0/0

C    192.168.101.0/24 is directly connected, Vlan1

S*   0.0.0.0/0 [1/0] via 212.243.229.25

               [1/0] via 62.2.48.37

101.9#

101.9#ping www.web.de

Translating "www.web.de"...domain server (192.168.101.37) [OK]

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 213.165.64.75, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

101.9#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

101.9#show ip sla mon stat

Round trip time (RTT)   Index 1

        Latest RTT: 1 ms

Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011

Latest operation return code: OK

Number of successes: 204

Number of failures: 0

Operation time to live: Forever

Round trip time (RTT)   Index 2

        Latest RTT: 4 ms

Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011

Latest operation return code: OK

Number of successes: 204

Number of failures: 0

Operation time to live: Forever

Round trip time (RTT)   Index 3

        Latest RTT: 15 ms

Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011

Latest operation return code: OK

Number of successes: 18

Number of failures: 187

Operation time to live: Forever

Round trip time (RTT)   Index 4

        Latest RTT: 11 ms

Latest operation start time: 17:51:42.535 UTC Tue Dec 6 2011

Latest operation return code: OK

Number of successes: 18

Number of failures: 187

Operation time to live: Forever

101.9#

Regards

Gordon

Hall of Fame Super Gold

Re: Problem with load balance config

Gordon

Thanks for the additional information. Just to be sure that I am understanding correctly, if you shut down one (either one) of the ISP connections then these pings work ok?

Would you try a traceroute to these destinations? Perhaps that might shed a little light on what is going on.

HTH

Rick

New Member

Re: Problem with load balance config

Morning Rick

Yes, you understand correctly. If I shut down either one of the ISP connections then all pings work. Here is the result of a traceroute to 8.8.8.8 when both ISPs are connected and the ping to 8.8.8.8 doesn't respond. It looks like the ping can get there but not back?

101.9#traceroute 8.8.8.8

Type escape sequence to abort.

Tracing the route to google-public-dns-a.google.com (8.8.8.8)

  1 212.243.xxx.25 0 msec *  0 msec

  2  *

    i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) 0 msec *

  3 i79zhb-000-vla50.bb.ip-plus.net (138.187.152.129) 0 msec *  0 msec

  4  *

    i79zhb-025-ten0-5-0-9.bb.ip-plus.net (138.187.129.61) 8 msec *

  5 i79inx-015-ae2.bb.ip-plus.net (138.187.130.110) 0 msec *  0 msec

  6  *

    72.14.222.46 0 msec *

  7 72.14.232.88 8 msec *  8 msec

  8  *

    72.14.236.68 8 msec *

  9 209.85.254.114 8 msec *

    209.85.254.116 8 msec

10  *  *  *

11 google-public-dns-a.google.com (8.8.8.8) 8 msec *  8 msec

101.9#traceroute 8.8.8.8

Type escape sequence to abort.

Tracing the route to google-public-dns-a.google.com (8.8.8.8)

  1  *

    212.243.xxx.25 0 msec *

  2 i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) 0 msec *  0 msec

  3  *

    i79zhb-000-vla50.bb.ip-plus.net (138.187.152.129) 0 msec *

  4 i79zhb-025-ten0-5-0-9.bb.ip-plus.net (138.187.129.61) 4 msec *  8 msec

  5  *

    i79inx-015-ae2.bb.ip-plus.net (138.187.130.110) 4 msec *

  6 72.14.222.46 0 msec *  0 msec

  7  *

    72.14.232.88 8 msec *

  8 72.14.236.68 8 msec *  52 msec

  9  *

    209.85.254.116 8 msec *

10  *  *  *

11  *

    google-public-dns-a.google.com (8.8.8.8) 8 msec *

101.9#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

101.9#

What I have noticed that is strange is that when I run a traceroute to 8.8.8.8 with a source of f0/1, ISP with IP 62.2.xxx.227, the first hop is the other ISP's gateway, 212.243.xxx.25. I can see that this would be a problem as the ISP would block the ping through its gateway from a source it doesn't recognize. How can I prevent this?

101.9#traceroute 8.8.8.8 source f0/1

Type escape sequence to abort.

Tracing the route to google-public-dns-a.google.com (8.8.8.8)

  1  *

    212.243.xxx.25 4 msec *

  2 i79zhb-011-gig0-3x85.bb.ip-plus.net (164.128.5.101) !A

    217-168-57-105.static.cablecom.ch (217.168.57.105) 8 msec *

Thanks

Gordon

New Member

Problem with load balance config

Is it a must for you to track availability of 2 IPs for each ISP? If not, you may try just to ping 1 single IP and add a default route using track 1 - 4, without track 10 or 20. Another suggestion is to try to track one single ISP. The other ISP, just add in default routing without the track command.

Regards, Nagis

Hall of Fame Super Gold

Problem with load balance config

Gordon

I am wondering if the problem could somehow be asymmetric paths when both ISPs are up.

And I just went back and re-read the config that you showed in the original post. I notice that you are specifying load share per packet. I would suggest taking that out and see what happens.

HTH

Rick

New Member

Re: Problem with load balance config

Hi Rick

I think the asymmetric paths could be the problem as they are two different ISPs. How can I ensure this doesn't happen?

Also I removed the Per packet load sharing a while ago.

Regards

Gordon

Hall of Fame Super Gold

Problem with load balance config

Gordon

While I think about what might be causing this issue I have something that I would like you to try. Instead of testing from the router itself, would you try testing from a PC which is connected in VLAN 1 and which is configured to have this router as its default gateway?

HTH

Rick

New Member

Re: Problem with load balance config

Hi Rick

OK, very strange. With both WAN interfaces up and all SLA Monitors responding, I am unable to ping or TraceRoute 8.8.8.8 from the router or a client PC. However if I pick a new address, www.web.de which is 213.165.64.75, I can ping and Traceroute from the client but not from the router?

If I then do a Clear IP Translation * , then I can ping 8.8.8.8 from the client but not from the router.

Regards

Gordon

Hall of Fame Super Gold

Re: Problem with load balance config

Gordon

I still do not have a clear understanding of what the problem is but it certainly seems to be related to the address translation that the router is doing.

One of my theories is that the problem you have with the router accessing things may be related to the fact that you would translate traffic for users but are not translating traffic if the source address is the router itself. So I would suggest making a change that would look something like this

!

access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any

access-list 150 permit ip host 212.243.xxx.26 any

!

access-list 160 permit ip 192.168.xxx.0 0.0.0.255 any

access-list 160 permit ip host 62.2.xxx.38 any

!

route-map nat2 permit 10

match ip address 150

match interface FastEthernet0/1

!

route-map nat1 permit 10

match ip address 160

match interface FastEthernet0/0

!

I have another theory that perhaps the problem is that the router has built a translation for an address when it goes out one address but if the router then sends traffic from that address out the other interface then perhaps it gets confused. So can you confirm that ip cef is enabled on the router and that cef is using the per destination load balancing method?

HTH

Rick
