Issue with a local VLAN NAT'ing out and back in (Partially working connection)

Michael Perkins
Level 1

Hi

 

I have an issue that has been present for a few weeks on a small network I have setup.

 

I have 2 inbound routers for a line (1 is backup). These connect into 2x SG350 switches, with a 3rd SG350 switch trunked to spread the network to another area.

 

On these switches I have configured 2x VLANs: VLAN2 on the IP range of the ISP's routers (I have no control over these routers) and VLAN3 to extend our IP capabilities on site, as the ISP range is only about 10 devices.

 

I also have a router (set up as router-on-a-stick on one of the switches) which is carrying out NAT for VLAN3 so it can reach the outside world.

 

Issue I have is:

 

VLAN2 can connect to the internet no issues, runs fine on the ISP Range.

VLAN3 on my internal range can get connectivity, but it seems sporadic and is not reliable. Sometimes you can browse, sometimes not. Programs such as Skype/Teams and even WhatsApp will communicate through it fine, but internet browsing and connection to some servers is not working. Also a site such as bbb.co.uk will ping on some of its IPs but not all (as shown in the attached cmd prompt output). At first I thought this was a DNS issue, but seeing as pinging the direct IPs is also not working, I assume it is more likely NAT / routing of the return traffic? I find it strange that some of the traffic is returning, however.

 

The router which is used for the NAT can itself ping outside fine. It has one GE interface on VLAN2 and one on VLAN3 and is connected to one switch. The only thing I find strange with the router is I cannot ping it from outside of the network myself, although I can ping and connect to all of my switches from outside of the network using the ISP's static range they provided us.

 

I have a very similar setup at another site that uses 1 switch and 1 router (again router-on-a-stick, effectively) behind 2 ISP routers and that works fine, so I tried to replicate the setup but am facing this issue.

 

Router config is below for reference:

 

!
!
hostname NATRouter
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1 10.10.10.4
!
ip dhcp pool Staging
 network 10.10.10.0 255.255.255.0
 default-router 217.33.44.17
 dns-server 194.72.6.57 194.73.82.242
 netbios-name-server 194.72.6.57 194.73.82.242
 lease 0 0 1
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
license udi pid CISCO1921/K9 sn FCZ1603C48B
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Link to CR1 VLAN2 Port 24
 ip address 217.33.44.23 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Link to CR1 VLAN3 Port 12
 ip address 10.10.10.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source list 4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 217.33.44.18
ip route 0.0.0.0 0.0.0.0 217.33.44.19
ip route 0.0.0.0 0.0.0.0 217.33.44.17
!
access-list 4 permit 10.10.10.0 0.0.0.255 any
!
control-plane
!
!


Any help would be much appreciated.

 


6 Replies

Hello,

 

you have three default routes, which seems odd:

 

ip route 0.0.0.0 0.0.0.0 217.33.44.18
ip route 0.0.0.0 0.0.0.0 217.33.44.19
ip route 0.0.0.0 0.0.0.0 217.33.44.17

 

These routes do load balancing by default, which could explain your problem. What IP address is actually configured on the other side?

Hi Georg

 

The routes are the 2 routers and the default gateway provided by the ISP. That might make sense, as the backup router is not currently commissioned. I have removed them and left just the default gateway as a route, and it does seem to be working! I'll keep an eye on it.

 

Thanks.

I agree that the 3 default routes look like an issue. I would also point out something about your DHCP pool. You have this as the default router for the pool:

default-router 217.33.44.17

In a DHCP pool the default router is generally the IP of the router interface in the subnet used by the pool, in this case 10.10.10.4. The address you have for the default router would be the default gateway for the router, but the hosts in the subnet might do better if their gateway was a local device.

HTH

Rick

Hi

 

So it still seems to be struggling with browser traffic. I also changed the default router of the DHCP range to 10.10.10.4 to try that, but with the same result. Pings / tracerts now seem to work fine for sites from a client, but they are struggling more than before to load a web page. Skype etc. still works OK, however.

Hello,

 

just to make sure, there should only be one default route. I assume you have removed the other two?

 

One thing you could try is changing the MTU size on the egress interface:

 

interface GigabitEthernet0/0
 description Link to CR1 VLAN2 Port 24
 ip address 217.33.44.23 255.255.255.240
 --> mtu 1400
 --> ip tcp adjust-mss 1360
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

Thanks Georg

 

Gave that a go and it seems to be stable now! Much appreciated.