07-29-2013 01:38 PM - edited 03-04-2019 08:35 PM
Hello,
I have two ASR 1001.
Each one has one eBGP session with its own ISP
ROUTER A ----bgp----> ISP A
FIREWALL --->
ROUTER B ----bgp-----> ISP B
If my inside traffic flows through ISP A and returns through ISP A = GOOD - everything is OK
If my inside traffic flows through ISP B and returns through ISP B = GOOD - everything is OK
but
if my inside traffic flows through ISP A and returns through ISP B = BAD - we have resets, connection time-outs, etc.
if my inside traffic flows through ISP B and returns through ISP A = BAD - we have resets, connection time-outs, etc.
____________________________________________________________________________________________________________
If outside traffic comes through ISP A and my firewall answers through ISP A = GOOD - everything is OK
If outside traffic comes through ISP B and my firewall answers through ISP B = GOOD - everything is OK
but
If outside traffic comes through ISP A and my firewall answers through ISP B = BAD - we have resets, connection time-outs, etc.
If outside traffic comes through ISP B and my firewall answers through ISP A = BAD - we have resets, connection time-outs, etc.
Please,
help!
Thanks!
07-30-2013 01:02 PM
If you had network 188.0.0.0/24, for example, and advertised it to your network in such a way that it should always use ISP A over ISP B, then your answer is yes, unless there was a link failure between you and the ISP.
Sent from Cisco Technical Support Android App
07-31-2013 08:58 AM
I wonder if you could divide your block in half, then advertise both halves to each ISP. However, amend the AS_PATH attribute so that the Internet at large will favour the first half via ISP A and the second half via ISP B.
You'd have to ensure the ISPs don't aggregate your two halves back into a single block, when they advertise out to the rest of the Internet.
You'd also have to configure your own outbound routing to mirror this, and how would you do that? Apply half the public block to outside interface 1 and the other half to outside interface 2, I presume. If one link failed, then all outbound traffic would need to route via the single working interface.
Plenty to think about...
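To illustrate the prefix-split idea from the post above (two /25s announced to both ISPs, AS_PATH prepending steering each half), here is a toy BGP best-path model. This is an added example, not any router's configuration; the AS numbers, prefixes and the aggregate_b option are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed AS numbers for the example (private range)
MY_AS, ISP_A, ISP_B = 65000, 65001, 65002

def announcements(link_a_up=True, link_b_up=True, aggregate_b=False):
    """Routes as seen by a remote AS that peers with both ISPs.
    Each entry: (prefix, AS_PATH as the remote AS receives it).
    aggregate_b models the caveat in the post: ISP B collapses the two
    halves back into the /24 before re-advertising."""
    routes = []
    if link_a_up:   # via ISP A: first half plain, second half prepended x3
        routes += [(ip_network("188.0.0.0/25"), [ISP_A, MY_AS]),
                   (ip_network("188.0.0.128/25"), [ISP_A, MY_AS, MY_AS, MY_AS])]
    if link_b_up and aggregate_b:
        routes += [(ip_network("188.0.0.0/24"), [ISP_B, MY_AS])]
    elif link_b_up:  # via ISP B: second half plain, first half prepended x3
        routes += [(ip_network("188.0.0.0/25"), [ISP_B, MY_AS, MY_AS, MY_AS]),
                   (ip_network("188.0.0.128/25"), [ISP_B, MY_AS])]
    return routes

def best_path(dst, routes):
    """Longest prefix match first, then shortest AS_PATH (the remaining BGP
    tie-breakers are ignored).  Returns the ISP AS the traffic enters via."""
    addr = ip_address(dst)
    candidates = [(p, path) for p, path in routes if addr in p]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -len(r[1])))
    return best[1][0]

if __name__ == "__main__":
    for host in ("188.0.0.10", "188.0.0.200"):
        print(host, "normal ->", best_path(host, announcements()),
              "| ISP A down ->", best_path(host, announcements(link_a_up=False)),
              "| ISP B aggregates ->", best_path(host, announcements(aggregate_b=True)))
```

The last case shows the aggregation problem: once ISP B only announces the /24, the more specific /25s via ISP A win for both halves, even the prepended one.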
07-30-2013 01:38 AM
Hi,
What you are experiencing is an asymmetrical routing issue. It is not uncommon to have asymmetrical routing in a multihomed environment, and a few apps will have issues with that. Are you getting default routes or a full/partial table from the ISP? There is a similar discussion (below link) and a few suggestions to resolve it. Also, google for 'asymmetrical routing'; you will find more info with regard to this.
https://supportforums.cisco.com/thread/193588
Thx
MS
07-30-2013 05:34 AM
Hi Mvsheik...
I'm receiving full routing from both ISPs.
07-30-2013 06:07 AM
Hi,
My bad. I guess it has nothing to do with receiving tables. How you advertise to your ISP will decide the incoming traffic. Check the below links; they might help you.
http://serverfault.com/questions/399240/how-to-prevent-asymmetric-routing-with-multiple-ebgp-routers
https://supportforums.cisco.com/docs/DOC-14491
Thx
MS
07-30-2013 06:42 AM
Hi Mvsheik,
I'll read them carefully, but before that, I'd like to tell you that I'm using the feature (ip source-route) in router A, and I'm not using it in router B.
Do you think this can be the problem?
07-30-2013 10:26 AM
Nope. Also, you can disable that on RTR A, as this can be a good source for hackers.
Thx
MS
07-30-2013 10:27 AM
Yes... I disabled that... and the behavior is the same. I'm freaking out.
07-30-2013 10:35 AM
If you share your infrastructure diagram and sanitized configs of the routers, experts may be able to help better. Also, make sure you read the link I posted.
Thx
MS
PS: please rate helpful posts.
07-30-2013 10:54 AM
Diagram attached.
basic config on RTR A
neighbor 10.10.10.2 remote-as X
neighbor 10.10.10.2 password Y
neighbor 10.10.10.2 filter-list 1 out
ip as-path access-list 1 permit ^$
basic config on RTR B
neighbor 20.20.20.3 remote-as X
neighbor 20.20.20.3 filter-list 1 out
neighbor 20.20.20.4 remote-as X
neighbor 20.20.20.4 filter-list 1 out
ip as-path access-list 1 permit ^$
07-30-2013 11:43 AM
Hi,
2 default routes on the ASA may not work well, as the ASA does not support load balancing. You may want to go with HSRP for RTR A and RTR B and have the VIP as the default gateway. That might solve your issue.
Another option: you can have a dynamic protocol (ex: OSPF) on RTR A and RTR B and inject both default routes into your network. I am not sure if this works as you are receiving full tables. Let's wait for some experts to shed some light here.
Thx
MS
PS: pls rate helpful posts.
07-30-2013 11:50 AM
I've tried HSRP, but the result is the same.
If RTR A is the active one, and the incoming traffic from the Internet comes through RTR B, I get the same problem.
The problem is exactly the traffic flowing through one and coming back through the other, and vice versa.
07-30-2013 11:54 AM
Ok.. did you try tcp state bypass on ASA suggested in the links I posted?
ASA(config)# access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 any
ASA(config)# class-map tcp_bypass
ASA(config-cmap)# match access-list tcp_bypass
ASA(config-cmap)# policy-map tcp_bypass_policy
ASA(config-pmap)# class tcp_bypass
ASA(config-pmap-c)# set connection advanced-options tcp-state-bypass
ASA(config-pmap-c)# set connection timeout idle 0:10:00
ASA(config-pmap-c)# service-policy tcp_bypass_policy inside
Thx
MS
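To show what the tcp-state-bypass suggestion changes, here is a toy model of a stateful firewall with one inside and two outside interfaces (one per upstream router), added as an illustration and not Cisco code. The interface names, addresses and log wording are constructed; a connection is keyed on the endpoint pair plus the interface pair, so a SYN-ACK that returns on the other outside interface finds no matching connection unless the inside subnet is under state bypass.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "SYN", "SYN-ACK", ...
    ingress: str    # interface the packet arrived on

@dataclass
class StatefulFirewall:
    routes: dict                                        # destination IP -> egress interface
    bypass_prefixes: set = field(default_factory=set)   # inside prefixes under state bypass
    conns: dict = field(default_factory=dict)           # (endpoints, interface pair) -> state
    log: list = field(default_factory=list)

    def in_bypass(self, pkt):
        # The bypass ACL matches the inside host, whichever way the packet travels
        inside_ip = pkt.dst if pkt.ingress.startswith("outside") else pkt.src
        return any(inside_ip.startswith(p) for p in self.bypass_prefixes)

    def process(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        egress = self.routes[pkt.dst]
        endpoints = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
        key = (endpoints, frozenset({pkt.ingress, egress}))
        if key in self.conns:
            self.log.append(f"{pkt.flags} {pkt.ingress}->{egress}: existing conn, forward")
            return True
        if pkt.flags == "SYN" or self.in_bypass(pkt):
            # A SYN opens a connection; under state bypass any packet does
            self.conns[key] = "ESTABLISHED"
            self.log.append(f"{pkt.flags} {pkt.ingress}->{egress}: new conn, forward")
            return True
        self.log.append(f"{pkt.flags} {pkt.ingress}->{egress}: Deny TCP (no connection)")
        return False

def run_scenario(return_iface, bypass=False):
    """Inside host opens a session out via outside_a; the SYN-ACK comes back
    on return_iface.  Returns (handshake_ok, firewall_log)."""
    fw = StatefulFirewall(routes={"203.0.113.10": "outside_a", "192.168.1.20": "inside"},
                          bypass_prefixes={"192.168.1."} if bypass else set())
    syn = Packet("192.168.1.20", "203.0.113.10", 40000, 443, "SYN", "inside")
    synack = Packet("203.0.113.10", "192.168.1.20", 443, 40000, "SYN-ACK", return_iface)
    ok = fw.process(syn) and fw.process(synack)
    return ok, fw.log
```

Running run_scenario("outside_b") with and without bypass=True reproduces the symmetric-good, asymmetric-bad pattern from the original question and the effect of the bypass policy.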
07-30-2013 11:58 AM
I didn't, because the ASA is not generating any error...
In this case, the ASA should generate an error like Deny TCP (No Connection). Am I right?
I only see a TCP Reset-O on the ASA.
07-30-2013 12:06 PM
Are you advertising routes into your service provider? It didn't look like you were, but I was just wondering
Sent from Cisco Technical Support Android App
07-30-2013 12:17 PM
Yes, I am... on both routers.
It's true because if I shut down the peering between RTR A and ISP A, all Internet traffic comes through RTR B, and vice versa.