03-04-2020 09:58 AM
Dear All,
Need suggestions/help with traffic engineering (pseudo load balancing on IPsec tunnels on ISR routers).
Existing topology & config details: please refer to the topology picture.
1) Two Internet connections with /30 subnet public IPs terminated on R1 and R2.
2) Default routes configured on R1 & R2 toward the ISPs.
3) Port 500 & 4500 port forwarding on R1 & R2 for 172.16.10.10 (ASA outside interface IP) for IPsec VPNs.
4) NAT/PAT configured on R1 & R2 for all the internal VLANs.
5) HSRP is configured between R1 & R2 with 172.16.10.1 as the standby IP. R1 is active by default.
6) Default route on the ASA firewall to 172.16.10.1 (standby IP).
7) Default route towards the ASA inside interface on the L3 switch.
8) All internal VLANs are able to access the Internet via ISP1 by default and fall back on ISP2 in case of any issues with ISP1.
Requirement:
1) 4 x crypto-based IPsec site-to-site tunnels from the Cisco ASA firewall to remote sites.
(ASA outside interface IP 172.16.10.10 is port-forward NATed to the public IP of both ISPs.)
2) Tunnels 1 & 2 should go via ISP1 by default and fall back on ISP2 in case of issues with ISP1.
(This is taken care of by the default traffic route via ISP1, and the fallback on ISP2 is taken care of by the HSRP WAN track configs,
and works absolutely fine.)
3) Tunnels 3 & 4 should go via ISP2 by default and fall back on ISP1 in case of issues with ISP2.
(Need a suggestion on how to achieve this; should I use routing protocols between R1 & R2 to achieve this?)
Note:
1) All 4 IPsec site-to-site tunnels work fine on ISP1 or ISP2; the configs on the ASA and remote sites have been taken care of.
2) Let's assume Tunnel 1 dest IP: 11.11.11.11, Tunnel 2 dest IP: 12.12.12.12, Tunnel 3 dest IP: 13.13.13.13, Tunnel 4 dest
IP: 14.14.14.14.
Thanks
03-04-2020 11:09 AM
Hi,
First of all, I appreciate that you explained the inputs and the outputs perfectly, making it easy to understand. While there can be many solutions, I would say the one which meets the requirements and doesn't add too many extras is the good one:
- leave the default route on the ASA, for Internet access, towards the HSRP VIP (owned by R1 when ISP1 and ISP2 are up)
- configure a new HSRP group between R1 and R2, with the HSRP VIP let's say being 172.16.10.100; make R2 the HSRP active router for this group and configure WAN tracking for failover to R1 (you can use the same WAN track configs as for the existing HSRP group, just change the priorities so that R2 is ACTIVE); configure static routes on the ASA for the tunnel 3 and tunnel 4 destinations (13.13.13.13 and 14.14.14.14) with a next hop of the new VIP 172.16.10.100
- optionally, just for the config on the ASA to be clearer and to avoid future routing configurations which may not take this setup into account, configure static routes on the ASA for the tunnel 1 and tunnel 2 destinations (11.11.11.11 and 12.12.12.12) towards 172.16.10.1 (existing VIP); I say this for the sake of it, because these will anyway get routed based on the existing default route, which points to R1 172.16.10.1
Also, ideally match your HSRP/ISP failover timers with your DPD timers on the ASA; you would need to run DPD on the ASA, as otherwise you'll end up black-holing traffic through the IPsec tunnel in case of ISP failure, until the keys expire.
Regards,
Cristian Matei.
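One way the second HSRP group, its WAN tracking and the ASA host routes from the reply above could be written. This is an added example, not the poster's config or anything from the thread; it assumes Gi0/0 is the inside VLAN on both routers, Gi0/1 is each router's ISP link, R1/R2 inside addresses of 172.16.10.2/.3, an ASA interface named "outside" facing the routers, IKEv1 tunnel groups on the ASA, and ISP1_PROBE_IP / ISP2_PROBE_IP as placeholders for a reachable address on each ISP side.

```cisco
! ---- R1 (ISP1 router) ----
! IP SLA probe toward ISP1; track 1 goes down when the probe fails.
ip sla 1
 icmp-echo ISP1_PROBE_IP source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 ip address 172.16.10.2 255.255.255.0
 ! Existing group 1: default Internet path, R1 active (110 > 90 on R2)
 standby 1 ip 172.16.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 30
 ! New group 2 for tunnels 3/4: R1 is standby here (90 < 110 on R2)
 standby 2 ip 172.16.10.100
 standby 2 priority 90
 standby 2 preempt
 standby 2 track 1 decrement 30
!
! ---- R2 (ISP2 router): mirror image, active only for group 2 ----
ip sla 1
 icmp-echo ISP2_PROBE_IP source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 ip address 172.16.10.3 255.255.255.0
 standby 1 ip 172.16.10.1
 standby 1 priority 90
 standby 1 preempt
 standby 1 track 1 decrement 30
 standby 2 ip 172.16.10.100
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 1 decrement 30
!
! ---- ASA ----
! Default stays on the existing VIP; tunnels 3/4 get host routes via the new VIP.
! The tunnel 1/2 host routes are the optional "for clarity" routes from the reply.
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
route outside 11.11.11.11 255.255.255.255 172.16.10.1 1
route outside 12.12.12.12 255.255.255.255 172.16.10.1 1
route outside 13.13.13.13 255.255.255.255 172.16.10.100 1
route outside 14.14.14.14 255.255.255.255 172.16.10.100 1
!
! DPD on each tunnel group so a dead path is detected in about the same time
! the tracked HSRP group fails over (10 s idle threshold, 2 s retry; tune to
! the probe frequency and decrement above). Repeat for the other peers.
tunnel-group 13.13.13.13 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
```

With a decrement of 30, losing ISP1 drops R1's group 1 priority to 80, so R2 (90) takes over the Internet VIP while R2 stays active for group 2; losing ISP2 does the reverse for 172.16.10.100. Preempt on both groups is what brings traffic back once a tracked probe recovers. Verify with show standby brief and show track on both routers and show route on the ASA.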
03-04-2020 12:02 PM
Hello,
in addition to the other post, I understand that the VPNs are terminated on the ASA? As an alternative, you could also configure IP SLAs on the ASA and have the tunnel failover initiated by these IP SLAs...
03-04-2020 01:42 PM - edited 03-04-2020 01:45 PM
Thank you very much for your guidance,
Have one more query on the same topology:
SSL VPN is hosted on the 1.1.1.2 & 2.2.2.2 public IP addresses.
Port 443 has been configured for port forwarding on R1 & R2 to the internal Cisco ASA outside interface 172.18.10.10.
Query:
Users can log in to the SSL VPN via 1.1.1.2 (public IP on R1) when my default route to the Internet is on R1, and it works fine.
When some of the users try to log in via 2.2.2.2 (public IP on R2), the connection times out due to the return path (default route pointing to R1).
How do we address this asymmetric routing? Need suggestions/help on the same.
03-04-2020 02:11 PM
Hi,
The packets get dropped inbound on the remote client. So SSL comes in destined to 2.2.2.2, gets NATed and routed to the ASA as destined to 172.18.10.10; the ASA replies and routes the packet to R1, which now translates the source to 1.1.1.1, and when the remote client receives the SSL reply from 1.1.1.1, it drops it because it never initiated a request to it. The routers will not drop the traffic in this case, unless you have ZBFW configured.
What do you actually want to achieve:
- failover, if the clients connect to 1.1.1.1 and this is not reachable due to ISP1 failure, converge and connect to 2.2.2.2
- load-balancing, the clients can connect to both 1.1.1.1 and 2.2.2.2 simultaneously as long as both ISP's are functional
Regards,
Cristian Matei.
03-04-2020 07:08 PM
Thank you for replying to the Query:
Please can you advise on how to achieve:
- load-balancing, the clients can connect to both 1.1.1.1 and 2.2.2.2 simultaneously as long as both ISP's are functional
12-06-2020 03:24 AM
Hello sir, I kindly have the same situation, but in my design my ASA is running in transparent mode; it just inspects traffic before it reaches my ISR. The problem is the one-to-one NAT loads only on the first router, and I want to load-balance it. The problem is, if I create a one-to-one NAT on the second router, I can't access the one-to-one NAT I just created. Do you have any solution for this? I can upload a simple topology if you want to look at it.
Thank you.
12-06-2020 05:11 AM
Hello,
yes, if you can upload a topology, that would help. An EEM script would be an option. The script can add/remove static NAT entries based on the availability of an ISP.
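An illustration of the EEM approach mentioned above: the router tracks its own ISP with an IP SLA probe and withdraws or restores its static NAT entry when the tracked state changes. This is an added example, not the reply author's or the poster's config; it assumes Gi0/1 is the router's ISP link, 1.1.1.1 is that router's public address, 192.168.10.2 is the inside host, and ISP1_PROBE_IP is a placeholder for a reachable ISP-side address.

```cisco
! Reachability probe and track object for this router's ISP.
ip sla 10
 icmp-echo ISP1_PROBE_IP source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 ! Dampen flaps so the NAT entry is not toggled on a single lost probe.
 delay down 15 up 30
!
! ISP lost: log it, clear live translations (a static entry with active
! translations cannot be removed), then withdraw the one-to-one NAT.
event manager applet ISP1_DOWN_NAT
 event track 10 state down
 action 1.0 syslog priority warnings msg "ISP1 down: withdrawing static NAT 192.168.10.2 <-> 1.1.1.1"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
 action 4.0 cli command "configure terminal"
 action 5.0 cli command "no ip nat inside source static 192.168.10.2 1.1.1.1 extendable"
 action 6.0 cli command "end"
!
! ISP back: restore the entry and leave an audit line in syslog.
event manager applet ISP1_UP_NAT
 event track 10 state up
 action 1.0 syslog priority notifications msg "ISP1 up: restoring static NAT 192.168.10.2 <-> 1.1.1.1"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "ip nat inside source static 192.168.10.2 1.1.1.1 extendable"
 action 5.0 cli command "end"
```

The same pair of applets goes on the second router with its own probe target and public address. The syslog actions matter operationally: NAT entries appearing and disappearing outside change control are otherwise hard to explain later, and show event manager history events confirms which applet fired and when. The clear ip nat translation * step also drops translations for other inside hosts on that router, so it is a trade-off worth noting before enabling it in production.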
12-06-2020 05:36 AM
12-06-2020 06:24 AM
Hello,
so basically what you need is outbound static NAT load balancing. Not sure if that is possible at all, as static NAT involves one-to-one mapping...
I'll see what I can find...
12-06-2020 06:35 AM
Yes sir, that's right; I need outbound static NAT to be load-balanced through these 2 devices. Thank you sir, I hope you can help me.
12-15-2020 12:21 AM
Hello sir, do you have any answer yet?
12-15-2020 05:23 AM
Hello,
sorry for my late reply. The only way I can think of is to configure static NAT statements, using the 'extendable' keyword. Below is an example for two static NAT translations for a host with IP address 192.168.10.2:
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description Link to ISP_1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 description Link to ISP_2
 ip address 2.2.2.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
ip nat inside source static tcp 192.168.10.2 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.10.2 80 2.2.2.1 80 extendable