10-09-2008 04:21 AM - edited 03-03-2019 11:51 PM
Hi,
I'm hoping someone will be able to help me with a solution to my problem.
I have a Cisco 2811 running IOS 12.4 and 4 ADSL lines, unfortunately not bonded, so they have separate public IP addresses. NAT and CEF have been set up so that traffic is pretty much balanced over all 4 lines.
The problem is FTP: connecting to a server using standard ports is either very slow to connect or times out when trying to connect for "data". I have tried shutting down all but one interface and it works fine; as you bring up the interfaces the delay gets bigger. I suspect the problem is that sometimes the data channel traffic is getting sent down another line and therefore has a different IP address, which means it gets blocked by the FTP service because it hasn't been authenticated. I may be wrong though.
I can't work out how to resolve the problem. I thought of an alternative way, trying to force all FTP traffic down one line, which isn't ideal but would do as a temporary workaround, but I can't get it to work.
Basically what I am doing is creating two ACLs like so:
ip nat inside source route-map rmd0 interface Dialer0 overload
ip nat inside source route-map rmd1 interface Dialer1 overload
ip nat inside source route-map rmd2 interface Dialer2 overload
ip nat inside source route-map rmd3 interface Dialer3 overload
!
.....
.....
!
access-list 115 deny tcp any any eq ftp
access-list 115 deny tcp any any eq ftp-data
access-list 115 permit ip any any
access-list 6 permit 192.168.1.0 0.0.0.255
route-map rmd3 permit 10
match ip address 6
match interface Dialer3
!
route-map rmd2 permit 10
match ip address 115
match interface Dialer2
!
route-map rmd1 permit 10
match ip address 115
match interface Dialer1
!
route-map rmd0 permit 10
match ip address 115
match interface Dialer0
!
But this doesn't seem to resolve the problem either.
Anyone got any bright ideas?
10-13-2008 05:17 AM
Yeah, I have been using Wireshark, which replaces Ethereal, although it's not really told me a lot that I don't already know.
I had a look at the NBAR stuff but couldn't see any way to use it how I need to. You don't seem (well, not obviously) to be able to specify a policy that matches FTP traffic to use a certain interface.
Can't believe it can be this difficult to get working.
Lee.
10-13-2008 12:10 PM
Hello Lee,
>> I suspect the problem is that sometimes the data channel traffic is getting sent down another line and therefore has a different IP address which means it gets blocked by the FTP service because it hasnt been authenticated. I may be wrong though.
No, this cannot happen:
the FTP session is sourced using a single public address; once that is chosen, a NAT entry is created, and the data connection is also constrained to use the same IP endpoints.
I hope you are not using any per-packet load-balancing command in your router; that could be a problem.
Are you also using CBAC or other security measures that could affect the FTP session setup?
Hope to help
Giuseppe
10-23-2008 06:51 AM
I had the same problem. Using PBR on f0/0 fixed it, but if Dialer3 is down then it doesn't work.
See the Cisco doc:
http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml
"Set Clauses - Defining the Route:
If the match clauses are satisfied, one of the following set clauses can be used to specify the criteria for forwarding packets through the router; they are evaluated in the order listed:
1. List of interfaces through which the packets can be routed - If more than one interface is specified, then the first interface that is found to be up will be used for forwarding the packets."
The dialer is always up (spoofing), and if it is down (ATM down) packets will still be sent to Dialer3. Any solution?
10-23-2008 07:14 AM
Hi Azharmirza,
No success so far.
In the end we have got a Cisco Partner looking into it, although that was the end of last weekend and there is still no resolution.
I spent over a week trying to get my head around IOS but never really got anywhere. In response to giuslar, apparently it can happen: the engineer from the company was watching traffic and the return would come in on a different dialer. We are using CEF, which apparently should do load balancing per stream. *Shrugs*
10-24-2008 04:52 AM
Hello,
I solved this for my setup. I had exactly the same setup as mentioned in the 1st post. I used a dirty hack using EEM.
As the FTP session opens multiple flows, it always goes through the 1st and then the 2nd dialer, and the connection is reset.
I created a policy route-map ftp1 to match FTP traffic and force it out via Dialer1, but I also tracked the Dialer1 state, and if Dialer1 goes down, EEM will automatically change the CLI config to set the interface to Dialer2 (when Dialer1 is down). For this I created another route-map to set the interface via Dialer2. For me it works... I also changed "ip cef load-sharing algorithm original".
If you require any more info please let me know.
Regards,
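Added example, not posted by anyone in this thread: an IOS configuration that puts together the approach azharmirza describes above (PBR on the LAN interface pinning FTP to one dialer, an EEM applet re-pointing the route-map when that line drops, and CEF per-destination hashing on source/destination only, which is also what Giuseppe's warning about per-packet load balancing is about). It also works around the point raised earlier in the thread that a dialer interface stays "up" (spoofing) even when the ATM circuit is down, by tracking the physical ATM interface instead of the dialer. The interface names (FastEthernet0/0, ATM0/0/0, Dialer1, Dialer2), the 192.168.1.0/24 LAN and the access-list, route-map and applet names are assumptions for the example; so is an IOS release whose EEM supports `event track` (EEM 2.2 or later).

```cisco
! Added example (assumed names and interfaces); not the thread's own config.
!
! CEF per-destination hashing on source/destination address only, as in the
! fix reported above. Never use per-packet load sharing on these dialers:
! it would spray one TCP flow across several public addresses.
ip cef load-sharing algorithm original
!
! Outbound FTP control (tcp/21) and active-mode data (tcp/20) from the LAN.
! There is no "permit ip any any": non-FTP traffic falls through PBR to
! normal CEF load-shared routing.
ip access-list extended FTP-OUT
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp
 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
!
! Track the physical ATM line behind Dialer1, not Dialer1 itself: a dialer
! interface reports up/up (spoofing) even when the circuit is down, so
! "set interface Dialer1 Dialer2" would never fail over on its own.
track 1 interface ATM0/0/0 line-protocol
!
! Primary policy: FTP from the LAN is forced out Dialer1.
route-map FTP-PIN permit 10
 match ip address FTP-OUT
 set interface Dialer1
!
! PBR is evaluated on the ingress (LAN-facing) interface.
interface FastEthernet0/0
 ip policy route-map FTP-PIN
!
! EEM applet: when track 1 goes down, swap the set clause to Dialer2.
! "no set interface Dialer1" is issued first because "set interface" adds
! to the existing interface list instead of replacing it.
event manager applet FTP-FAILOVER
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "route-map FTP-PIN permit 10"
 action 1.3 cli command "no set interface Dialer1"
 action 1.4 cli command "set interface Dialer2"
 action 1.5 cli command "end"
 action 1.6 syslog msg "FTP-PIN: ATM0/0/0 down, FTP pinned to Dialer2"
!
! Fail back when the line returns.
event manager applet FTP-FAILBACK
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "route-map FTP-PIN permit 10"
 action 1.3 cli command "no set interface Dialer2"
 action 1.4 cli command "set interface Dialer1"
 action 1.5 cli command "end"
 action 1.6 syslog msg "FTP-PIN: ATM0/0/0 up, FTP pinned back to Dialer1"
```

Two checks before relying on this. First, whichever dialer carries FTP must also translate it: with the NAT route-maps from the first post, ACL 115 denies ftp and ftp-data, so a packet policy-routed out Dialer1 would match neither the Dialer1 NAT route-map's ACL nor any other and would leave untranslated; the NAT route-map for the pinned dialer needs to permit FTP. Second, the access-list above only catches the control channel and active-mode data (server port 20). Passive-mode data connections go to an arbitrary high port chosen by the server and will not match a port-based list, so they are still subject to CEF's path choice; `show ip nat translations | include :21` and `show route-map FTP-PIN` (which counts policy-routed packets) will show whether the data flows are actually being pinned. `show track 1` and `show event manager history events` confirm that the failover applet fires when the ATM line drops.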
10-24-2008 05:02 AM
Hi azharmirza,
Could you post any examples of what changes are needed to get it working.
Thanks,
Lee.
11-10-2008 07:26 AM
Just a quick update. Updating IOS to 12.4(18) resolved the issue.