07-29-2013 01:38 PM - edited 03-04-2019 08:35 PM
Hello,
I have two ASR 1001.
Each one has one eBGP session with its own ISP
ROUTER A ----bgp----> ISP A
FIREWALL --->
ROUTER B ----bgp-----> ISP B
If my inside traffic flows through ISP A and returns through ISP A = GOOD - everything is OK
If my inside traffic flows through ISP B and returns through ISP B = GOOD - everything is OK
but
If my inside traffic flows through ISP A and returns through ISP B = BAD - we have resets, connection timeouts, etc.
If my inside traffic flows through ISP B and returns through ISP A = BAD - we have resets, connection timeouts, etc.
____________________________________________________________________________________________________________
If outside traffic comes through ISP A and my firewall answers through ISP A = GOOD - everything is OK
If outside traffic comes through ISP B and my firewall answers through ISP B = GOOD - everything is OK
but
If outside traffic comes through ISP A and my firewall answers through ISP B = BAD - we have resets, connection timeouts, etc.
If outside traffic comes through ISP B and my firewall answers through ISP A = BAD - we have resets, connection timeouts, etc.
Please,
help!
Thanks!
07-30-2013 12:22 PM
That sounds right. Since you are having issues with async routing, whatever destination network that traffic is destined for, you could implement an attribute so that your ISP would prefer one path over another, and hopefully that should help.
Sent from Cisco Technical Support Android App
07-30-2013 12:25 PM
Hi John,
Does that mean that I'll never use an ISP and the traffic will return from another?
Meaning... the way the traffic is flowing must be the way it comes back.
07-30-2013 01:02 PM
If you had network 188.0.0.0/24, for example, and advertised it to your network in a way such that it should always use ISP A over ISP B, then your answer is yes, unless there was a link failure between you and the ISP.
Sent from Cisco Technical Support Android App
07-31-2013 08:20 AM
I understand...
But, as shown in my scenario, I'd like to use and advertise my block to both ISPs simultaneously...
I didn't know that if the packet flows through one and returns through another one, I would have a problem.
Asymmetric routing is common everywhere...
07-31-2013 08:58 AM
I wonder if you could divide your block in half, then advertise both halves to each ISP. However, amend the AS_PATH attribute so that the Internet at large will favour the first half via ISP A and the second half via ISP B.
You'd have to ensure the ISPs don't aggregate your two halves back into a single block, when they advertise out to the rest of the Internet.
You'd also have to configure your own outbound routing to mirror this, and how would you do that? Apply half the public block to outside interface 1 and the other half to outside interface 2, I presume. If one link failed, then all outbound traffic would need to route via the single working interface.
Plenty to think about...
07-31-2013 11:53 AM
Yes... I was thinking about tuning this scenario, so all traffic flows and returns only through one ISP.
But I was wondering if EVERYBODY in the world who works with more than one ISP has the same problem.
07-31-2013 03:18 PM
You would be correct, sir. Depending on your network topology, and how your redundancy is configured, what routes and attributes you are sending out can make quite a difference. Also, it depends on if you have provider assigned or independent provider assigned networks. And a lot of Tier2/3 routers, I doubt, will take a lot of /24s at all, mostly /19 or /22. I've never worked for an ISP, so my real life experience on that subject is limited.
But if you have asymmetric routing, it may be necessary to influence the way traffic comes back to you.
08-01-2013 06:11 AM
I was wondering if my ASA could be acting negatively on this issue.
I don't see any DENY or anything, but someone warned me about TTL issues.
08-01-2013 08:11 AM
Hey all,
I just figured out what is going on.
Each router connects internally to 2 CISCO IPS...... I have 2 IPS....
So... when one connection comes through one IPS and returns through the other IPS, I had a problem.
So... I've disabled both IPS inspection, and the traffic now flows as expected, even if flowing through one Service Provider and returning through another, because now, I have no inspection on the traffic. When I enable both IPS inspection, the problem happens.
I didn't mention IPS in previous posts, because I was monitoring them and receiving no errors. Both IPS didn't generate any error about that, so I discarded this option. But now I know IPS is the problem.
Here's my topology:
IPS 01 ------- ROUTER A ----bgp-----> ISP A
FIREWALL ------->
IPS 02 ------- ROUTER B ----bgp-----> ISP B
Thank you all for the help
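To illustrate the finding in the last post, the following added example (not part of the original thread) takes packet observations from two inline sensors and reports which TCP flows are split, meaning no single sensor sees both directions and so neither can track the connection state. The sensor names follow the topology above; the addresses, ports and observation format are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: (sensor, src_ip, src_port, dst_ip, dst_port)
OBSERVATIONS = [
    # Flow 1: out and back via the same sensor (same ISP path)
    ("IPS01", "10.0.0.5", 40001, "198.51.100.7", 443),
    ("IPS01", "198.51.100.7", 443, "10.0.0.5", 40001),
    # Flow 2: leaves via IPS01, reply returns via IPS02 (asymmetric path)
    ("IPS01", "10.0.0.6", 40002, "203.0.113.9", 80),
    ("IPS02", "203.0.113.9", 80, "10.0.0.6", 40002),
    ("IPS01", "10.0.0.6", 40002, "203.0.113.9", 80),
]

def flow_key(src, sport, dst, dport):
    """Return a direction-independent flow key and this packet's direction."""
    a, b = (src, sport), (dst, dport)
    return ((a, b), "fwd") if a <= b else ((b, a), "rev")

def classify(observations):
    """Map each flow to 'symmetric', 'split' or 'one-way'."""
    seen = defaultdict(lambda: defaultdict(set))  # flow -> sensor -> directions
    for sensor, src, sport, dst, dport in observations:
        key, direction = flow_key(src, sport, dst, dport)
        seen[key][sensor].add(direction)

    result = {}
    for key, per_sensor in seen.items():
        all_dirs = set().union(*per_sensor.values())
        if all_dirs != {"fwd", "rev"}:
            result[key] = "one-way"      # no reply observed anywhere
        elif all(d == {"fwd", "rev"} for d in per_sensor.values()):
            result[key] = "symmetric"    # every sensor involved has full state
        else:
            result[key] = "split"        # some sensor sees only half the flow
    return result

def split_flows(observations):
    """Flows a stateful inline sensor cannot track end to end."""
    return sorted(k for k, v in classify(observations).items() if v == "split")

if __name__ == "__main__":
    for flow, verdict in classify(OBSERVATIONS).items():
        print(flow, verdict)
```

Running the same comparison on real flow exports from both sensors shows how much traffic is affected before choosing between forcing symmetric paths and changing how inspection is deployed.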