
Dual Internet Link Issue (Load-balance)

rock981119
Level 1

Hi All,

  We have deployed a Cisco ISR 2921 to connect to two ISPs for internet access. Link 1 has a fixed public IP, Link 2 is xDSL.

We configured dual-link load balancing, with a configuration just like the famous DOC "https://supportforums.cisco.com/docs/DOC-8313", named "dual internet links NATing with PBR and IP SLA".

  Traffic from the inside network to the internet is OK and is load-balanced, and the dual links provide redundancy. But there are some issues we did not realize.

Most people are interested in how inside traffic is load-balanced outbound, but ignore the issue with traffic coming from outside.

  Issue description:

  WAN Link 1 fixed IP is 219.134.186.A

  WAN Link 2 is dynamic: xxx.xxx.xxx.B

1. I want to remotely access that router from my home, but it fails. When I try to ping the fixed IP 219.134.186.A, it just times out.

2. I used another public IP to ping 219.134.186.A, and it is OK.

3. I used 4-6 different public IPs to ping 219.134.186.A; 50% get an echo reply.

  So I realized that when a packet arrives at the router interface IP 219.134.186.A, the router replies using the Link 2 IP. I think this is determined by CEF.

That means if we want to remotely control that router or build a VPN, it may succeed from only 50% of IPs.

  I tried to figure out whether, for traffic destined just to the router interface IP, the router can reply using the same interface. Then I found a command under the interface:

interface GigabitEthernet0/0
 ip address 219.134.186.A 255.255.255.248
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip route-cache same-interface
 no ip route-cache cef
 duplex auto
 speed auto
 crypto map mymap

At the very start I tried pinging 219.134.186.A from many public IPs, and every public IP could receive a reply.

But a few days later, although the router running-config had not changed, the router was replying using the other interface IP again.

Sorry, my English is poor. I hope everyone can understand and help me figure this out. Thanks.

------------------------------

Rock

Best wishes.

2 Replies

Neeraj Arora
Level 3

Hi Zhi Yu,

My very first comment on your question would be: the document you referred to is specifically talking about load balancing of traffic going OUT towards the Internet utilizing both links.

And then I would like to agree with you about facing issues when trying to ping, take RDP sessions or build VPNs.

Now the final statement, which I hope should clarify your doubt: for hosting any services on the Internet, e.g. Mail server, HTTP server, RDP, VPN, LOAD BALANCING IS NEVER RECOMMENDED.

You are bound to face the issues you mentioned in your post, and unless you know the public IPs from which you are going to access these services hosted on the router, it will fail, or should I say it will fail most of the time, as you will not have any control over which interface of the router will respond to your request.

So my suggestion would be: if you have multiple ISP links, do not load-balance. Use a failover configuration instead, which will enable you to keep one interface as Active and the other as Backup.

After saying that, you can still tweak some less important traffic to use the backup link but I cannot say that without knowing details about your exact setup/requirements.

Hope the above information helps.

Neeraj

Hi

  In many situations you need to load-balance outgoing traffic across multiple links; I think it is a basic function for a router.

But a Cisco router seemingly can't identify which interface traffic came in on and send the return traffic back the same way.

  So I found the command "ip route-cache same-interface" under the interface, but it seemingly does not work very well.

Some other routers like "F5" can do that, and in China many cheap routers can do that; I think Cisco can too.
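
One common way to keep replies that the router itself sources from the Link 1 address on Link 1 is local policy routing, sketched here as an added example that is not from the thread or from DOC-8313. The names LINK1-LOCAL and LINK1-RETURN and the placeholder <ISP1_GATEWAY> are assumptions; 219.134.186.A is the masked address from the original post.

```cisco
! Added example. Names and <ISP1_GATEWAY> are assumptions, not from the thread.
! 219.134.186.A is the masked Link 1 address from the post; substitute real values.
!
! Match packets the router itself generates with the Link 1 address as source
! (for example ICMP echo replies and management sessions to the router).
ip access-list extended LINK1-LOCAL
 permit ip host 219.134.186.A any
!
! Send those packets to the ISP 1 next hop, regardless of which default
! route the load-sharing decision would otherwise have picked.
route-map LINK1-RETURN permit 10
 match ip address LINK1-LOCAL
 set ip next-hop <ISP1_GATEWAY>
!
! Apply the route-map to locally originated traffic. Interface-level
! "ip policy route-map" only affects packets arriving on an interface,
! so it does not cover the router's own replies.
ip local policy route-map LINK1-RETURN
!
! Verification from exec mode:
!   show ip local policy
!   show route-map LINK1-RETURN
```

Repeating the test from the original post, pinging the fixed address from several different public source IPs, shows whether every source now receives a reply.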
