Hi Peter,ISP told me it's not

Riccardo Rita · ‎09-23-2015

Hi everybody,

I'm facing with this strange issue since some days.

Here is my scenario:

Cisco 1721 with two wic1-adsl (PPPoE + PPPoA) for redundancy.

So I implemented the IP SLA and everythings seems to work except the external ping to the ISP on the Diale3. I cannot Telnet router from the Dialer3 and ping is completely fragmented with a lot of packet loss.

When I shutdown the Dialer1 ping response from Dialer3 becomes regular.

PVC are both up.

So What I'm wrong?

In other environment with the same router and ios and PPPoE + RFC1483 works like a charm.

Here below my configuration.

ip sla monitor 1
type echo protocol ipIcmpEcho x.x.x.x source-interface Dialer1 (I used the next hop by ISP)
timeout 1000
threshold 1000
frequency 30
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho x.x.x.x source-interface Dialer3 (I used the next hop by ISP)
timeout 1000
threshold 1000
frequency 30
ip sla monitor schedule 2 life forever start-time now

!

!
track 123 rtr 1 reachability
delay down 10 up 10
!
track 455 rtr 2 reachability
delay down 10 up 10
!

!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
oam-pvc manage
pppoe-client dial-pool-number 3
!
!
interface ATM1
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM1.1 point-to-point
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
oam-pvc manage
encapsulation aal5mux ppp dialer
dialer pool-member 1
!

!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname xxxxxxxxxx
ppp chap password xxxxxxxxxxx
ppp pap refuse
ppp ipcp dns request
!
interface Dialer3
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 3
dialer-group 3
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxx password xxxxxxxxxxxxxxxx
ppp ipcp dns request

!

ip route 0.0.0.0 0.0.0.0 Dialer1 track 123
ip route 0.0.0.0 0.0.0.0 Dialer3 track 455

!

ip nat inside source route-map adsl interface Dialer1 overload
ip nat inside source route-map fonia interface Dialer3 overload

!

route-map adsl permit 10
match ip address 105 106
match interface Dialer1
!
route-map fonia permit 10
match ip address 106 105
match interface Dialer3

Thaks a lot for you time.

Hope to resolve.

Ricky

Peter Paluch · ‎09-23-2015

Hi Ricky,

What do you mean by saying "external ping to the ISP on the Diale3"? What is external about it? Are you pinging from the router itself, or are you pinging from a station behind that router?

Also, when you issue show ip route x.x.x.x where x.x.x.x is the problematic IP address that does not properly respond to pings, what route is shown? Does the router choose just a single route toward that address, or does it display multiple routing entries? (In case the router says "Network not in table" then it means that the destination is only reachable through the default route and no particular other route - please let me know about that as well, too.)

Just a housekeeping remark: Your Dialer3 is operating over PPPoE. You are missing two important commands on that interface for the PPPoE to work properly:

mtu 1492
ip tcp adjust-mss 1452

You should add those commands to the Dialer3 at your earliest convenience and shut/no shut the interface. The purpose of these two commands is to accomodate for the added overhead caused by the additional PPP and PPPoE headers which must fit into an ordinary Ethernet frame.

Best regards,
Peter

Riccardo Rita · ‎09-23-2015

Hi Peter,

thanks for your reply.

For external ping I mean that i'm pinging from a remote site (my office) toward customer's public ip configured on dialer3.

The sh ip route x.x.x.x for the public ip on dialer3 show me the following :

Routing entry for x.x.x.x/32
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Dialer3
Route metric is 0, traffic share count is 1

The sh ip route show me this:

S* 0.0.0.0/0 is directly connected, Dialer1
is directly connected, Dialer3

I tried to to put the command you suggested but situation seems not changed.

I talk to the ISP and they did't notice strange behaviour on the line. And they assure me there are no limitation in configuring ip SLA for this line.

So my question is why on the other scenario with PPPoE and RFC1483(P2P) everythigs works fine?

If I shutdown the dialer1 external ping becomes regular so maybe there's somethig wrong with dialer3 configuration or ISP SLA timeouts?

Thanks

Ricky

Peter Paluch · ‎09-24-2015

Hi Ricky,

I am somewhat confused about the details.

You are saying that you are having problems when you are pinging the IP address currently assigned to Dialer3 from a remote office. Is this correct?

Are you also having troubles with the IP SLA operation 2? In particular, does the track object 455 flap between the down and up states? Please do not assume the success or failure of IP SLA operation 2 based on your external pings - these are unrelated.

What I am suspecting is that when you're pinging the IP address of Dialer3 from an external IP address, the router has two default routes to send replies over. It is possible that it performs load balancing and that some of the replies make it out Dialer3, some others are sent via Dialer1 and that possibly causes some of the replies to get lost. If you bring down Dialer1, the only remaining default route is the one through Dialer3, and that's why it starts working correctly then.

Would this be a plausible scenario? Are you experiencing any other connectivity problems apart from these external pings?

Best regards,
Peter

Riccardo Rita · ‎09-24-2015

Hi Peter,

about your first question yes it's correct.

At the moment I'm not experiencing any problems with IP SLA operation and on the router console no errors about flapping.

When I try to do more traceroute command 8.8.8.8 from the router I can see trace coming out from the Dialer3 and Dialer1.

So at this point your assumption should be correct.

I need to go back on the customer's site and make some test from the internal lan toward internet,just to be sure that everythings is ok and VPN tunnels works correctly.

I'll let you know as soon.

One more doubt: the PPPoE will'be reserved for phone services so if I have this strange ping response I don't think voice traffic will pass through correcly with no problems. eg. (voice drops, hangups etc.)

Thanks

Ricky

Riccardo Rita · ‎10-01-2015

Hi Peter,

so it seems to be related with anti-spoofing filter activated by default from the ISP on the PPPoE line.

The other line on dialer1 with PPPoA seems to respond correctly because probably the filter is off.

I'm waiting for their feedback.

Ricky.

Riccardo Rita · ‎10-01-2015

Hi Peter,

ISP told me it's not possibile to switch off the anti-spoofing filter.

On the other line PPPoA the filter seems to be on but the ping response is normal.

So till now I have no solution.

Regards.

Ricky

Cisco 1721 Ip SLA, two dialer external ping not stable - packet loss