Dual Home BGP Issue Some Websites Don't Seem to Load

David Lagace
Level 1

Hello All,

I have a very perplexing issue.  I am trying to get to a dual-homed configuration.  Both my ISPs are working with BGP on separate routers.  If I use only one or the other uniquely, the internet works, everything is good.  When I activate both at once I see issues getting to certain websites, and people attempting to log in to our VPN can't seem to get to our VPN concentrator.

Here's my config in a nutshell

Full BGP tables from both providers (no default route)

1 block PI space

1 block ISP assigned but have permission to origin from my AS (Slowly IP renumbering to our PI space)

Both IP spaces have HSRP configured on their router interfaces (x.x.x.254 x.x.x.253 HSRP=x.x.x.1) (y.y.y.253, y.y.y.254 HSRP=y.y.y.1)

The tests I've been running are threefold:

From my PI space (x.x.x.x) to www.as577.net

From my ISP assigned space (y.y.y.y) to www.as577.net

From my LAN behind a firewall NAT'd to an ISP assigned space (z.z.z.z) to www.as577.net

When using 1 ISP All three of these work.

When activating both ISPs and getting the tables and waiting a requisite amount of time (5 mins) to make sure everything converges, I seem to have issues getting to some sites and not others, i.e. www.google.com works, but the site above does not.

I've tried wireshark from the client machines and I see the requests go out but not come back. 

DNS seems OK, as I've tried to do nslookup on the site in question and am using the Google public DNS and it's responding back with IPs.

Just wondering if anyone might have any pointers as to other things I could check.  Is there a reliable way to check if networks in my upstream are accepting my ISP assigned space from my AS? 

Thanks for your help

--Dave

4 Replies

JohnTylerPearce
Level 7

  Is there a reliable way to check if networks in my upstream are accepting my ISP assigned space from my AS?

This can be done by looking at route view servers. I have included a link below.

http://routeserver.org/

You should be able to search for your PI address space and whatever other space you are advertising.
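To turn a route-server lookup into a repeatable check, here is an added example (not code from the thread or from routeserver.org) that parses the text a Cisco-style route server prints for `show ip bgp <prefix>` and answers the two questions the original post asks: is the prefix in the table at all, and do all paths end in my ASN with both of my upstreams present? The sample output, the prefix 192.0.2.0/24 and the ASNs 64496/64497 (upstreams), 64500/64501 (route-server peers) and 64511 (our AS) are constructed documentation values, not the poster's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what a Cisco-style route server (such as those listed
# on routeserver.org) prints for "show ip bgp <prefix>".  192.0.2.0/24,
# 203.0.113.x and all ASNs are documentation values, not the poster's.
SAMPLE_ROUTE_SERVER_OUTPUT = """\
BGP routing table entry for 192.0.2.0/24, version 4711
Paths: (3 available, best #2, table default)
  Not advertised to any peer
  Refresh Epoch 1
  64500 64496 64511
    203.0.113.1 from 203.0.113.1 (203.0.113.1)
      Origin IGP, metric 0, localpref 100, valid, external
  Refresh Epoch 1
  64500 64497 64511
    203.0.113.2 from 203.0.113.2 (203.0.113.2)
      Origin IGP, metric 0, localpref 100, valid, external, best
  Refresh Epoch 1
  64501 64496 64511
    203.0.113.3 from 203.0.113.3 (203.0.113.3)
      Origin IGP, metric 0, localpref 100, valid, external
"""

# An AS_PATH line is exactly two spaces followed by space-separated ASNs.
# AS_SET segments such as "{64496,64497}" are not parsed: they only appear on
# aggregated routes, not on a normally originated PI or ISP-assigned block.
AS_PATH_RE = re.compile(r"^ {2}(\d+(?: \d+)*) *$", re.MULTILINE)


def parse_as_paths(show_ip_bgp_output: str) -> list[list[int]]:
    """Return every AS_PATH (left = route-server peer, right = origin AS)."""
    return [[int(asn) for asn in m.group(1).split()]
            for m in AS_PATH_RE.finditer(show_ip_bgp_output)]


def _direct_upstream(path: list[int], my_asn: int):
    """ASN adjacent to my_asn once any AS-path prepending is stripped."""
    trimmed = list(path)
    while len(trimmed) > 1 and trimmed[-2] == my_asn:
        trimmed.pop()
    return trimmed[-2] if len(trimmed) >= 2 else None


@dataclass
class OriginCheck:
    prefix_seen: bool          # False for "% Network not in table"
    path_count: int
    origins: set[int]          # right-most ASN of every path
    upstreams: set[int]        # direct upstream on paths that end in my ASN
    foreign_origin_paths: list[list[int]] = field(default_factory=list)

    def ok_for(self, my_asn: int, expected_upstreams: set[int]) -> bool:
        """Prefix visible, originated only by me, via every upstream I expect."""
        return (self.prefix_seen
                and self.origins == {my_asn}
                and expected_upstreams <= self.upstreams)


def check_origin(show_ip_bgp_output: str, my_asn: int) -> OriginCheck:
    paths = parse_as_paths(show_ip_bgp_output)
    origins = {p[-1] for p in paths}
    upstreams = {u for u in (_direct_upstream(p, my_asn)
                             for p in paths if p[-1] == my_asn)
                 if u is not None}
    foreign = [p for p in paths if p[-1] != my_asn]
    return OriginCheck(bool(paths), len(paths), origins, upstreams, foreign)


if __name__ == "__main__":
    result = check_origin(SAMPLE_ROUTE_SERVER_OUTPUT, my_asn=64511)
    print(f"paths={result.path_count} origins={result.origins} "
          f"upstreams={result.upstreams}")
    print("healthy" if result.ok_for(64511, {64496, 64497}) else "PROBLEM")
```

Run the same check against output saved from two or three route servers in different regions: a prefix that only ever shows one of your two upstreams, or that shows up with an origin AS other than yours, is exactly the propagation problem the original post is trying to rule out. A path with a foreign origin is also what a mis-origination (the old ISP still announcing the block from its own AS) looks like.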

Nick White
Level 1

Did you ever figure this issue out?

I did!  Sorry for not posting sooner.

It ended up that we had some Palo Alto Networks firewalls in between the provider router and ours.  It was dropping asymmetric traffic with a rule rejecting non-SYN TCP traffic.  Once the rule was removed everything worked fine.

--Dave

Thanks for following up. I found a similar issue using Juniper SRX1400 devices. Two devices connected to two separate upstreams via BGP. The following had to be set:

set security flow allow-dns-reply

set security flow tcp-session no-syn-check
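Both of the fixes above (removing the Palo Alto rule rejecting non-SYN TCP, and `tcp-session no-syn-check` on the SRX) address the same mechanism, which the following added example models in plain Python. It is not vendor code and not from the thread: a minimal stateful firewall that only creates a flow from an initial SYN, two such firewalls in front of two ISPs, and a handshake whose SYN leaves through one and whose SYN-ACK returns through the other, which is what happens when the remote site's best path to your prefix is via the ISP you did not send through. The addresses and ports are constructed documentation values.

```python
from dataclasses import dataclass, field

# Constructed model, not Palo Alto or Junos code.  Documentation addresses:
# the client sits in our PI space, the server is the remote website.
CLIENT = "192.0.2.10"
SERVER = "198.51.100.20"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters: "S", "SA", "A", "PA", ...


@dataclass
class StatefulFirewall:
    """Minimal stateful TCP inspector.

    syn_check=True mirrors the default both vendors ship (reject non-SYN TCP /
    syn-check): a flow may only be created by an initial SYN.  syn_check=False
    lets a mid-stream packet create the flow, which is what the thread's
    rule removal and 'tcp-session no-syn-check' achieve.
    """
    name: str
    syn_check: bool = True
    sessions: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    @staticmethod
    def _flow_key(p: Packet) -> frozenset:
        # Direction-agnostic key so a reply matches the flow its request made.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def forward(self, p: Packet) -> bool:
        key = self._flow_key(p)
        if key in self.sessions:
            return True                    # known flow, either direction
        if p.flags == "S":
            self.sessions.add(key)         # handshake seen from the start
            return True
        if self.syn_check:
            self.dropped.append(p)         # non-SYN with no flow: dropped
            return False
        self.sessions.add(key)             # no-syn-check: adopt mid-stream flow
        return True


def run_handshake(egress_fw: StatefulFirewall,
                  ingress_fw: StatefulFirewall) -> dict:
    """Client SYN leaves via egress_fw; the server's SYN-ACK arrives via
    ingress_fw.  Passing the same object for both models a symmetric path."""
    syn = Packet(CLIENT, 40000, SERVER, 443, "S")
    syn_ack = Packet(SERVER, 443, CLIENT, 40000, "SA")
    ack = Packet(CLIENT, 40000, SERVER, 443, "A")
    syn_ok = egress_fw.forward(syn)
    syn_ack_ok = ingress_fw.forward(syn_ack) if syn_ok else False
    ack_ok = egress_fw.forward(ack) if syn_ack_ok else False
    return {"syn": syn_ok, "syn_ack": syn_ack_ok, "ack": ack_ok,
            "established": syn_ok and syn_ack_ok and ack_ok}


def simulate(asymmetric: bool, syn_check: bool) -> dict:
    """Dual-homed site: firewall A in front of ISP A, firewall B in front of
    ISP B.  Our outbound best path is via A; whether the remote site's reply
    lands on B (asymmetric) or A (symmetric) depends on how *they* route to
    our prefix, which we do not control."""
    fw_a = StatefulFirewall("fw-isp-a", syn_check)
    fw_b = StatefulFirewall("fw-isp-b", syn_check)
    result = run_handshake(fw_a, fw_b if asymmetric else fw_a)
    result["dropped_on_b"] = len(fw_b.dropped)
    return result


if __name__ == "__main__":
    for asym, check in [(False, True), (True, True), (True, False)]:
        r = simulate(asymmetric=asym, syn_check=check)
        print(f"asymmetric={asym!s:5} syn_check={check!s:5} -> "
              f"established={r['established']} dropped_on_B={r['dropped_on_b']}")
```

The asymmetric case with SYN checking on reproduces the symptom in the original post: the SYN is forwarded, so Wireshark on the client shows the request leaving, but the SYN-ACK is dropped on the other firewall and nothing comes back, while sites whose return path happens to land on the same firewall keep working. Disabling the check makes the handshake complete, but it also means each firewall will build state from any mid-stream segment it sees, so it is a trade-off rather than a free fix; where the two firewalls can share session state, or traffic for each prefix can be steered so it enters and leaves through the same device, that keeps the check in place.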
