09-05-2009 12:26 PM - edited 03-04-2019 05:57 AM
Hello, a 1841 with a 4-port HWIC is connected to 2 public internet ADSL lines through 2 small ADSL routers (doing inside-to-public IP DNAT).
The 2 DSL links have equal cost (static routes), can load-balance traffic, and protect against link failure with IP SLA route tracking.
Users are connected to the inside interface F0/0.
The 1841 is using 12.4(24)T1, the latest Firewall IOS, with IP inspect rules.
When users try to upload to or download from an outside FTP server, the FTP transfer aborts (mainly on the LIST command).
If I disable one of the DSL links (i.e. by giving a higher cost to its static route), FTP works.
I also tested successfully with an FTP route-map PBR to force FTP through the same link.
FTP is using PASV mode.
When it aborts, I always see a %FW-DROP-PKT (due to syn pkt) in the log.
With debugging, I found that the FTP control and FTP data connections frequently don't use the same path.
But I thought that IP CEF used per-destination load sharing by default.
So, for an FTP transfer, the data and control connections should go through the same path.
With the FTP PBR, I lose the ability to recover from a DSL line failure (fixed static route).
It would be better if FTP could change its path even when one DSL line fails.
Below is the relevant config:
interface FastEthernet0/0
ip address a.a.a.a 255.255.255.0
ip access-group Acl_Inside in
ip wccp web-cache redirect in
ip inspect Cbac out
ip nat inside
ip virtual-reassembly
ip policy route-map Rm_Ftp
duplex auto
speed auto
!
track 3 ip sla 303 reachability
delay down 10 up 10
!
track 4 ip sla 304 reachability
delay down 10 up 10
!
interface FastEthernet0/0
ip address x.x.x.x 255.255.255.0
ip access-group Acl_Inside in
ip wccp web-cache redirect in
ip inspect Cbac out
ip nat inside
ip virtual-reassembly
ip policy route-map Rm_Ftp
!
interface FastEthernet0/0/0
description ** modem Adsl 1 **
switchport access vlan 303
!
interface FastEthernet0/0/1
description ** modem Adsl 2 **
switchport access vlan 304
!
interface Vlan303
description ** Adsl 1 **
ip address 10.10.7.1 255.255.255.0
ip access-group Acl_Outside in
ip inspect Cbac out
ip virtual-reassembly max-reassemblies 256
!
interface Vlan304
description ** Adsl 2 **
ip address 10.10.8.1 255.255.255.0
ip access-group Acl_Outside in
ip inspect Cbac out
ip virtual-reassembly max-reassemblies 256
!
ip route 0.0.0.0 0.0.0.0 10.10.7.254 track 3
ip route 0.0.0.0 0.0.0.0 10.10.8.254 track 4
ip route 10.10.7.254 255.255.255.255 FastEthernet0/0/0
ip route 10.10.8.254 255.255.255.255 FastEthernet0/0/1
ip route 193.253.xx.xxx 255.255.255.255 10.10.8.254
ip route 193.253.yy.yyy 255.255.255.255 10.10.7.254
!
route-map Rm_Ftp permit 10
match ip address Acl_Rm_Ftp
set ip next-hop 10.10.7.254
set interface FastEthernet0/0/0
!
ip sla 303
icmp-echo 193.253.xx.xxx
threshold 1000
ip sla schedule 303 life forever start-time now
ip sla 304
icmp-echo 193.253.yy.yyy
threshold 1000
ip sla schedule 304 life forever start-time now
!
09-05-2009 01:25 PM
Hi Fremont,
It's indeed correct that the default CEF load balancing is per destination; however, from your description it seems the packets arrive out of sequence at the destination, which results in the FTP connection terminating.
I would first ensure that per-packet load balancing is not in use. If the problem still exists, then the following is a suggestion that would help you achieve what you are looking for:
1- Apply PBR for the FTP connection using (verify-reachability) object tracking to both next hops (10.10.7.254 & 10.10.8.254).
2- This would ensure the FTP connection uses a single path but would be routed to the second path whenever the first path fails.
3- However, the above won't allow you to load-balance FTP traffic across equal paths, but it would ensure redundancy.
HTH
Mohamed
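The point both posts above turn on (per-destination CEF hashes only source and destination addresses, so the control and data flows of one FTP session take the same uplink; per-packet sharing sprays one flow over both links; and a tracked next hop in PBR pins FTP to one path with failover) modelled in Python. This is an added example, not code from the thread or from Cisco: the client and server addresses, the public NAT addresses of the two ADSL routers, the data port, the SHA-256 stand-in for the CEF hash and the server's same-source check on PASV data connections are all constructed assumptions.

```python
"""Added example, not from the thread or from Cisco: a small model of an FTP
PASV transfer leaving through two equal-cost ADSL uplinks that each NAT to
their own public address, under three load-sharing policies, plus the
tracked-next-hop PBR fallback suggested in the thread. Addresses, ports,
the SHA-256 stand-in for the CEF hash and the server's same-source check
are constructed assumptions."""
import hashlib
import itertools
import re

# Uplink -> public address its ADSL router NATs to (constructed values)
UPLINKS = {"Vlan303": "198.51.100.1", "Vlan304": "203.0.113.1"}
NAMES = tuple(UPLINKS)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def select_uplink(src, dst, sport, dport, mode, rr):
    """Stand-in for CEF load sharing over the two equal-cost static routes.
    per-destination : hash of (src, dst) only, the IOS default, so every flow
                      between one client and one server takes the same uplink
    include-ports   : hash of the 5-tuple, so the control and data flows of
                      one FTP session may land on different uplinks
    per-packet      : round robin, so even a single flow is sprayed over both
    rr is the round-robin iterator used only by per-packet mode."""
    if mode == "per-packet":
        return next(rr)
    key = f"{src}|{dst}" if mode == "per-destination" else f"{src}|{dst}|{sport}|{dport}"
    return NAMES[hashlib.sha256(key.encode()).digest()[0] % len(NAMES)]


class FtpServer:
    """Server-side view behind the two NATs. Like many FTP daemons it accepts
    a PASV data connection only from the public address the control connection
    came from, and packets of one TCP connection arriving from two different
    source addresses are not one connection at all."""

    def __init__(self, addr):
        self.addr = addr
        self.control_peer = None
        self.data_port = 50000

    def control_packet(self, public_src):
        if self.control_peer is None:
            self.control_peer = public_src
            return True
        return public_src == self.control_peer      # source changed mid-flow?

    def pasv_reply(self):
        p1, p2 = divmod(self.data_port, 256)
        return f"227 Entering Passive Mode ({self.addr.replace('.', ',')},{p1},{p2})"

    def data_syn(self, public_src):
        return public_src == self.control_peer


def run_ftp(mode, client="10.1.1.20", server="192.0.2.10"):
    """Three control packets, the PASV reply, then the data SYN. Returns the
    uplink used by the control and data flows and whether the transfer got
    through to the server."""
    rr = itertools.cycle(NAMES)
    srv = FtpServer(server)
    ctl_path = [select_uplink(client, server, 40000, 21, mode, rr) for _ in range(3)]
    control_ok = all(srv.control_packet(UPLINKS[u]) for u in ctl_path)
    m = PASV_RE.search(srv.pasv_reply())
    host = ".".join(m.group(i) for i in range(1, 5))
    dport = int(m.group(5)) * 256 + int(m.group(6))
    data_link = select_uplink(client, host, 40001, dport, mode, rr)
    return {"control": ctl_path[0], "data": data_link,
            "ok": control_ok and srv.data_syn(UPLINKS[data_link])}


def pbr_next_hop(track_state, candidates=(("10.10.7.254", 3), ("10.10.8.254", 4))):
    """'set ip next-hop verify-availability <hop> <seq> track <n>' evaluated in
    sequence order: the first next hop whose track object is up is used; when
    none is up, PBR falls through and the packet is routed normally (None)."""
    for hop, track in candidates:
        if track_state.get(track, False):
            return hop
    return None


if __name__ == "__main__":
    for mode in ("per-destination", "include-ports", "per-packet"):
        print(mode, run_ftp(mode))
    print("track 3 down ->", pbr_next_hop({3: False, 4: True}))
```

Running it shows the per-destination session always succeeding, the per-packet session failing on the second control packet (the server sees a second public source address), and the include-ports session succeeding only when the two hashes happen to agree, which is the symptom in the first post. The pbr_next_hop function only models the ordered fallback; on the real router the tracked objects are 3 and 4, bound to ip sla 303 and 304.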
09-06-2009 09:14 AM
Hello Mohamed,
Thanks a lot for your answer.
I agree with you that the FTP route map is not a kind solution.
But I tried many IP CEF debug commands without a clear explanation of what happens.
And I don't know where I can find
Thank you also for teaching me about a tracking object on PBR.
I will experiment with something like:
route-map Rm_Ftp permit 10
match ip address Acl_Rm_Ftp
! track 3 and track 4 are the objects bound to ip sla 303 and 304 above
set ip next-hop verify-availability 10.10.7.254 1 track 3
set ip next-hop verify-availability 10.10.8.254 2 track 4
Best regards
Alain
09-07-2009 05:50 AM
What protocols are you inspecting?
Have you tried just using ip inspect in on the inside interface and removing ip inspect out on the adsl interfaces?
09-07-2009 11:48 PM
Hello,
Here is my 1841 ip inspect config:
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete high 2000
ip inspect max-incomplete low 1999
ip inspect one-minute high 4000
ip inspect one-minute low 3999
ip inspect hashtable-size 8192
ip inspect tcp window-scale-enforcement loose
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp reassembly alarm on
ip inspect name Cbac pop3
ip inspect name Cbac pptp
ip inspect name Cbac tcp router-traffic
ip inspect name Cbac udp router-traffic
ip inspect name Cbac icmp router-traffic
ip inspect name Cbac http java-list 10
ip inspect name Cbac esmtp
ip inspect name Cbac ftp
...
track 3 ip sla 303 reachability
delay down 10 up 10
!
track 4 ip sla 304 reachability
delay down 10 up 10
!
interface FastEthernet0/0
ip address
ip access-group Acl_Inside in
ip wccp web-cache redirect in
ip inspect Cbac out
ip nat inside
ip virtual-reassembly
ip policy route-map Rm_Ftp
!
interface FastEthernet0/1
ip address
ip access-group Acl_DmzProxy in
ip helper-address
ip helper-address
ip inspect Cbac out
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0/0
description ** Adsl rtr 1 **
switchport access vlan 303
!
interface FastEthernet0/0/1
description ** Adsl rtr 2 **
switchport access vlan 304
!
!
interface Vlan303
description ** Adsl 1 **
ip address
ip access-group Acl_Outside in
ip inspect Cbac out
ip virtual-reassembly max-reassemblies 256
!
interface Vlan304
description ** Adsl 2 **
ip address
ip access-group Acl_Outside in
ip inspect Cbac out
ip virtual-reassembly max-reassemblies 256
!
router eigrp 1
redistribute connected
passive-interface default
no passive-interface FastEthernet0/0
network
distribute-list Acl_Eigrp out
auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
ip route
ip route
ip route
ip route
ip sla 303
icmp-echo
threshold 1000
ip sla schedule 303 life forever start-time now
ip sla 304
icmp-echo
threshold 1000
ip sla schedule 304 life forever start-time now
!
route-map Rm_Ftp permit 10
match ip address Acl_Rm_Ftp
set ip next-hop verify-availability
set ip next-hop verify-availability
set interface FastEthernet0/0/0
On intfs, I always use:
- ip access-group ... in
- ip inspect Cbac out
in order to
- filter incoming traffic
- allow returning traffic
So, if the FTP client's traffic is allowed in on the inside intf, answers from the external FTP server are allowed back in on the outside ADSL intfs.
Best regards,
Alain