multihoming - 2 ISP/2 sites (no inbound traffic during failover)

joebenz
Level 1

We currently have 2 sites where an Internet POP is located. Both are doing eBGP and EIGRP and have ASAs behind them. One site is a library and the other is city hall. Currently city hall is advertising a /24 associated with the site and the library advertises their own /28 and city hall's /24. City hall uses their internet connection as primary and library's as backup. Library uses theirs as primary and city hall's as backup. Right now, if either ISP fails, outbound traffic fails over to backup and there is no issue with users getting out to the internet. However, when city hall fails over to the library's ISP, even though the library is advertising city hall's network, no traffic is getting in. We have the NAT and ACL configured for a city hall web server on the library's ASA, but it's still unreachable. Would you have any suggestions on why this would not be working? I can provide more information if needed.

Thank you.

5 Replies

Collin Clark
VIP Alumni

Did you check a looking glass and verify that your /24 was still being seen? I would have the provider verify it is learning the /24 route; that's something they should be able to do now and during the failures. This sounds more like a BGP problem than an ASA issue.

Mohamad Qayoom
Level 3

Are you using BGP conditional advertisements?

Can you provide your BGP configurations for both routers?

Thanks,

Mohamad

Thanks. We did open tickets with both providers this morning to check it out.

In the meantime, here are the BGP configs of both routers, minus some IPs and ASNs.

City hall

!
router bgp 11111
no synchronization
bgp log-neighbor-changes
network 216.X.X.X
neighbor ISP1-WS peer-group
neighbor ISP1-WS remote-as 33333
neighbor ISP1-WS version 4
neighbor ISP1-WS send-community
neighbor ISP1-WS prefix-list DEFAULT-ROUTE in
neighbor ISP1-WS prefix-list AS-11111-Net out
neighbor 216.X.X.X peer-group ISP1-WS
no auto-summary
!
ip route 216.X.X.X 255.255.255.0 Null0 250
!
!
ip prefix-list AS-11111-Net seq 5 permit 216.X.X.0/24
!
ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
!
ip prefix-list no-routes seq 5 deny 0.0.0.0/0 le 32

!
route-map lowpref permit 10
set local-preference 90
!
route-map prepend permit 10
set as-path prepend 11111 11111
!
!

==========================================================================

Library

!
router bgp 11111
no synchronization
bgp log-neighbor-changes
network 70.x.x.x
neighbor ISP2 peer-group
neighbor ISP2 remote-as 22222
neighbor ISP2 password
neighbor ISP2 ebgp-multihop 7
neighbor ISP2 version 4
neighbor ISP2 send-community
neighbor ISP2 prefix-list DEFAULT-ROUTE in
neighbor ISP2 prefix-list AS-11111-Net out
neighbor ISP2 route-map prepend out
neighbor 64.x.x.x peer-group ISP2
neighbor 64.x.x.x peer-group ISP2
no auto-summary
!
ip forward-protocol nd
ip route 64.x.x.x 255.255.255.255 98.x.x.x
ip route 64.x.x.x 255.255.255.255 98.x.x.x
ip route 216.x.x.x 255.255.255.0 70.x.x.x
ip route 216.x.x.x 255.255.255.0 Null0 250

!
!
ip prefix-list AS-11111-Net seq 5 permit 216.x.x.0/24
!
ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0

!
route-map prepend permit 10
set as-path prepend 11111 11111 11111 11111 11111 11111 11111
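
One check worth running on snippets like the two above, before blaming the ASA: confirm that every prefix the outbound prefix-list permits is actually originated on that router with a `network` statement, and that every `network` prefix survives the outbound list. The script below is an added example, not part of the thread or Cisco's tooling. It parses IOS-style `network`, `ip prefix-list` and `neighbor ... prefix-list ... out` lines (a `network` line with no `mask` is treated classfully, as IOS does), applies prefix-list matching with IOS `ge`/`le` semantics and implicit deny, and reports mismatches. The three configs are constructed with RFC 5737 addresses and private ASNs; their structure mirrors the posted snippets, and the third shows the shape that passes.

```python
"""Audit IOS-style BGP snippets for origination vs. outbound-filter mismatches.

Added example (not from the thread). Configs below are constructed with
documentation addresses; names such as AS-64500-Net are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixEntry:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        """IOS semantics: exact match unless ge/le widen the allowed length range."""
        if not net.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else self.prefix.prefixlen)
        return lo <= net.prefixlen <= hi


NETWORK_RE = re.compile(r"^network (\S+)(?: mask (\S+))?$")
PL_RE = re.compile(r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)((?: (?:ge|le) \d+)*)$")
OUT_RE = re.compile(r"^neighbor (\S+) prefix-list (\S+) out$")


def classful(addr: str) -> ipaddress.IPv4Network:
    """`network a.b.c.d` without `mask` advertises the classful network."""
    first = int(addr.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def parse_ios_bgp(text: str):
    networks, plists, outbound = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NETWORK_RE.match(line)):
            addr, mask = m.groups()
            networks.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False) if mask else classful(addr))
        elif (m := PL_RE.match(line)):
            name, seq, action, prefix, opts = m.groups()
            bounds = dict(re.findall(r"(ge|le) (\d+)", opts))
            plists.setdefault(name, []).append(PrefixEntry(
                int(seq), action, ipaddress.ip_network(prefix, strict=False),
                int(bounds["ge"]) if "ge" in bounds else None,
                int(bounds["le"]) if "le" in bounds else None))
        elif (m := OUT_RE.match(line)):
            outbound[m.group(1)] = m.group(2)
    for entries in plists.values():
        entries.sort(key=lambda e: e.seq)   # prefix-lists are evaluated in seq order
    return networks, plists, outbound


def audit(text: str) -> List[str]:
    """Return one finding per prefix that is permitted-but-not-originated or originated-but-filtered."""
    networks, plists, outbound = parse_ios_bgp(text)
    findings = []
    for peer, name in sorted(outbound.items()):
        entries = plists.get(name, [])
        for e in entries:   # (1) the list allows it, but this router never sources it
            if e.action == "permit" and not any(e.matches(n) for n in networks):
                findings.append(f"{peer}: {name} seq {e.seq} permits {e.prefix} but no network statement originates it")
        for n in networks:  # (2) sourced here, but the first matching entry (or implicit deny) drops it
            verdict = next((e.action for e in entries if e.matches(n)), "deny")
            if verdict == "deny":
                findings.append(f"{peer}: network {n} is originated but {name} filters it")
    return findings


# Constructed sample: primary site originates its /24 and permits it outbound.
CITY_HALL = """
router bgp 64500
 network 203.0.113.0
 neighbor ISP1-WS peer-group
 neighbor ISP1-WS prefix-list DEFAULT-ROUTE in
 neighbor ISP1-WS prefix-list AS-64500-Net out
!
ip route 203.0.113.0 255.255.255.0 Null0 250
ip prefix-list AS-64500-Net seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
"""

# Constructed sample: backup site permits the other site's /24 but only originates its own /28.
LIBRARY = """
router bgp 64500
 network 198.51.100.0 mask 255.255.255.240
 neighbor ISP2 peer-group
 neighbor ISP2 prefix-list DEFAULT-ROUTE in
 neighbor ISP2 prefix-list AS-64500-Net out
!
ip route 203.0.113.0 255.255.255.0 Null0 250
ip prefix-list AS-64500-Net seq 5 permit 203.0.113.0/24
"""

# Constructed sample: the same backup site with both prefixes originated and permitted.
LIBRARY_FIXED = LIBRARY.replace(
    " network 198.51.100.0 mask 255.255.255.240",
    " network 198.51.100.0 mask 255.255.255.240\n network 203.0.113.0 mask 255.255.255.0",
) + "ip prefix-list AS-64500-Net seq 10 permit 198.51.100.0/28\n"

if __name__ == "__main__":
    for label, cfg in (("City hall", CITY_HALL), ("Library", LIBRARY), ("Library (fixed)", LIBRARY_FIXED)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

The second sample produces two findings: the backup's outbound list permits the /24 that nothing on that router originates, and the /28 it does originate falls to the implicit deny. The script only reads the running config; pairing it with a looking-glass check, as suggested earlier in the thread, confirms what the provider actually received.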

Where are you using the route maps that you have in City Hall's configuration?

Just to confirm -- is the problem that when City Hall's link fails, it can't go out of Library's ISP, correct?

To be honest, that route map has been there since before I even started working at this company, so I have never looked into it.

Failover works fine going out, no matter which link goes down. The issue is when city hall fails over to the library's connection, inbound traffic to our web servers, for instance, is not working.

I did just talk to my boss, and he just talked to the library's ISP, and they said they might have fat-fingered an IP address. Hopefully that's the issue, but still not sure. They're still working on it.
