01-14-2014 03:50 AM - edited 03-04-2019 10:04 PM
Hello All,
I have a very perplexing issue. I am trying to get to a dual-homed configuration. Both my ISPs are working with BGP on separate routers. If I use only one or the other uniquely, the internet works, everything is good. When I activate both at once I see issues getting to certain websites, and people attempting to log in to our VPN can't seem to get to our VPN concentrator.
Here's my config in a nutshell:
Full BGP tables from both providers (no default route)
1 block PI space
1 block ISP assigned but have permission to origin from my AS (Slowly IP renumbering to our PI space)
Both IP spaces have HSRP configured on their router interfaces (x.x.x.254 x.x.x.253 HSRP=x.x.x.1) (y.y.y.253, y.y.y.254 HSRP=y.y.y.1)
The tests I've been running are threefold:
From my PI space (x.x.x.x) to www.as577.net
From my ISP assigned space (y.y.y.y) to www.as577.net
From my LAN behind a firewall NAT'd to an ISP assigned space (z.z.z.z) to www.as577.net
When using 1 ISP, all three of these work.
When activating both ISPs, getting the tables and waiting a requisite amount of time (5 mins) to make sure everything converges, I seem to have issues getting to some sites and not others, i.e. www.google.com works, but the site above does not.
I've tried wireshark from the client machines and I see the requests go out but not come back.
DNS seems ok as I've tried to do nslookup on the site in question and am using the google public DNS and it's responding back with IPs.
Just wondering if anyone might have any pointers as to other things I could check. Is there a reliable way to check if networks in my upstream are accepting my ISP assigned space from my AS?
Thanks for your help.
--Dave
01-14-2014 10:08 AM
Is there a reliable way to check if networks in my upstream are accepting my ISP assigned space from my AS?
This can be done by looking at route view servers. I have included a link below.
You should be able to search for your PI address space and whatever other space you are advertising.
05-31-2016 05:08 AM
Did you ever figure this issue out?
06-09-2016 06:36 AM
I did! Sorry for not posting sooner.
It ended up that we had some Palo Alto Networks firewalls in between the provider router and ours. They were dropping asymmetric traffic with a rule rejecting non-SYN TCP traffic. Once the rule was removed, everything worked fine.
--Dave
06-09-2016 07:06 AM
Thanks for following up. I found a similar issue using Juniper SRX1400 devices. Two devices connected to two separate upstreams via BGP. The following had to be set:
set security flow allow-dns-reply
set security flow tcp-session no-syn-check
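To make the failure mode in this thread concrete, here is an added illustration (not code from the thread or from any vendor) that models a stateful firewall's TCP session table with and without a strict SYN check. It uses constructed addresses and hypothetical firewall names FW-A and FW-B, one on each ISP path: the client's SYN leaves through FW-A because BGP picks that exit, but the remote network's return path lands on FW-B, which has no session entry and, with the check enabled, drops the SYN-ACK. This is the "requests go out but not come back" symptom from the original post; a site whose return path happens to come back through the same firewall (the www.google.com case) is unaffected.

```python
from dataclasses import dataclass

# Constructed sample endpoints (not real addresses from the thread).
CLIENT = "192.0.2.10"      # host in the PI block behind the firewalls
SERVER = "203.0.113.80"    # remote web server


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


class StatefulFirewall:
    """Minimal model of a stateful firewall's TCP session table.

    syn_check=True  : a session may only be created by a bare SYN; any other
                      segment without a matching session is dropped (the
                      Palo Alto rule / Juniper default in the thread).
    syn_check=False : an unknown mid-stream segment is allowed and creates a
                      session (the effect of 'tcp-session no-syn-check').
    """

    def __init__(self, name, syn_check=True):
        self.name = name
        self.syn_check = syn_check
        self.sessions = set()   # 4-tuples keyed on the direction that created them
        self.dropped = []       # segments rejected by the SYN check

    @staticmethod
    def _key(seg):
        return (seg.src, seg.sport, seg.dst, seg.dport)

    @staticmethod
    def _reverse_key(seg):
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def forward(self, seg):
        """Return True if the segment is forwarded, False if it is dropped."""
        if seg.flags == frozenset({"SYN"}):
            self.sessions.add(self._key(seg))       # new session from a SYN
            return True
        if self._key(seg) in self.sessions or self._reverse_key(seg) in self.sessions:
            return True                              # belongs to a known session
        if self.syn_check:
            self.dropped.append(seg)                 # non-SYN with no state: drop
            return False
        self.sessions.add(self._key(seg))            # relaxed: create state mid-stream
        return True


def run_handshake(outbound_fw, inbound_fw):
    """Drive a three-way handshake, with client->server segments crossing
    outbound_fw and server->client segments crossing inbound_fw.
    Stops at the first drop, since the client never sees the SYN-ACK."""
    syn = Segment(CLIENT, 40000, SERVER, 443, frozenset({"SYN"}))
    synack = Segment(SERVER, 443, CLIENT, 40000, frozenset({"SYN", "ACK"}))
    ack = Segment(CLIENT, 40000, SERVER, 443, frozenset({"ACK"}))
    steps = [
        ("client SYN via " + outbound_fw.name, outbound_fw, syn),
        ("server SYN-ACK via " + inbound_fw.name, inbound_fw, synack),
        ("client ACK via " + outbound_fw.name, outbound_fw, ack),
    ]
    results = []
    for label, fw, seg in steps:
        ok = fw.forward(seg)
        results.append((label, ok))
        if not ok:
            break
    return results


def scenario(asymmetric, syn_check):
    """True if the handshake completes for the given path shape and policy."""
    fw_a = StatefulFirewall("FW-A", syn_check=syn_check)   # ISP 1 path
    fw_b = StatefulFirewall("FW-B", syn_check=syn_check)   # ISP 2 path
    return_fw = fw_b if asymmetric else fw_a
    return all(ok for _, ok in run_handshake(fw_a, return_fw))


if __name__ == "__main__":
    print("symmetric path, strict SYN check :", scenario(False, True))   # True
    print("asymmetric path, strict SYN check:", scenario(True, True))    # False
    print("asymmetric path, no SYN check    :", scenario(True, False))   # True
```

Two points the model makes visible: the drop happens on the firewall that never saw the SYN, so its logs (not the one the packet capture was taken near) are where the evidence is; and relaxing the check lets a mid-stream segment create state, which is exactly the protection being given up, so it is worth scoping such a change to the affected zones or fixing the path asymmetry instead where that is an option.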