3 ASN, 2 ISP, 2 ASR1000X, path issues over internet
I've run into an issue with my enterprise network. We currently use AS7029 on our Primary ASR as well as AS 600/3112 on our Secondary ASR. I can see our traffic go outbound, but not all of that traffic returns to my network; this has resulted in a lot of connection timeouts, or resets as browser errors for the clients. When I shut down one ISP everything works, and this works both ways between my different ISPs. Another weird thing is that some of my external NAT'd IPs connect to the internet just fine with no issues, but others do not. Our clients are having most of their issues reaching anything that is hosted by AWS or Akamai, and it is intermittent, as only some clients run into this issue and others don't. In addition to this, some of our external NAT IPs run into the issue while others are immune. I recently found out that both of my ISPs are peering partners with both services. I'm not sure if that could be an issue, and how would I get around that?
Connected via AS7029
Set as Primary, previously had AS prepend statement repeated 3 times, removed but has not fixed issues
Connected via AS600/3112
Dual-homed via router on a stick
Flow of traffic Outbound:
Client Site > WAN > 7k > F5 > iBoss > ASA > AR1 > AS7029 or (AR2 > AS600/3112)
What I noticed in a traceroute yesterday, prior to testing one network on and off, was that the traffic flowed like this:
What could be the cause of the above issue when a traceroute is performed?
I'm willing to provide some configuration; however, TAC has validated that there is nothing wrong on my end. I just want to get a better understanding of why this could be happening.
Any suggestions are welcome. I've also considered taking half of my /21 and forwarding it through one router while pruning it on the other to make the flows of traffic more equal, so it would be like this.