Problem with load balance config
11-26-2011 04:10 AM - edited 03-04-2019 02:24 PM
Hi There
I am trying to get my router up with a load balancing config but unfortunately I can't get connectivity, i.e. clients cannot ping the outside. I think it may be a NAT issue; any help is greatly appreciated.
Thx
Current configuration : 6069 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 101.9
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$jYzP$JHBnIoVQjtjBWV4.vZrUn/
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.xxx.1 192.168.xxx.245
!
ip dhcp pool Icon
network 192.168.xxx.0 255.255.255.0
domain-name iconasset
dns-server 192.168.xxx.37 192.168.xxx.39
default-router 192.168.xxx.1
lease 1 2 1
!
ip dhcp pool XBox360
host 192.168.xxx.238 255.255.255.0
client-identifier 0100.125a.49c2.1e
client-name GKXBox360
!
!
ip domain name iconasset.com
ip name-server 192.168.xxx.37
ip name-server 192.168.xxx.39
ip ssh port 2001 rotary 1 10
ip ssh version 2
ip sla monitor 1
type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 164.128.xxx.39 source-interface FastEthernet0/0
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 2 life forever start-time now
ip sla monitor 3
type echo protocol ipIcmpEcho 62.2.xxx.158 source-interface FastEthernet0/1
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 3 life forever start-time now
ip sla monitor 4
type echo protocol ipIcmpEcho 62.2.xxx.60 source-interface FastEthernet0/1
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 4 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-3414616334
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3414616334
revocation-check none
rsakeypair TP-self-signed-3414616334
!
!
crypto pki certificate chain TP-self-signed-3414616334
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343134 36313633 3334301E 170D3131 31313236 31303131
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34313436
31363333 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AFAE 2609F7FE 6C4B2947 F73A61FF 429C0AA4 7C789F44 0DDB2043 A0AD4F0D
C21AE526 A70C1005 D0785E81 ACE289E7 C5E865F6 969CF17B 7DA8B230 422586E4
4C368A02 09006E23 02A81A36 F5335411 18CBFB78 5FA217B0 9E378FD5 507598EC
789F8EEB B6F160B7 C0344D5F 8968A8B3 CB6645C8 26CBA7D5 1D7BEDFF 8405AB44
252B0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13313031 2E392E69 636F6E61 73736574 2E636F6D 301F0603
551D2304 18301680 14F22A7A 45A3608F C67EC41E F4148BC3 DE98F9DB 13301D06
03551D0E 04160414 F22A7A45 A3608FC6 7EC41EF4 148BC3DE 98F9DB13 300D0609
2A864886 F70D0101 04050003 8181009B DE247294 62BED5FC F48BE051 9AFCC30F
1ADD4A93 71B5AF0A 1AEDFD27 43538917 5B033F15 AD46AC82 A824A06E 48C18F80
9DDA4B63 CB9B5659 9846FB13 AECBE37F A5B4BDB7 326E8277 6E392D78 56F34A16
3B1DD4DE EA17967F A33664B9 88FF5469 1E0E13E0 3E14C1AB DEF74ECD 5F659914
A8DE7009 3A75B571 5CFAEE5A 12238D
quit
username gko privilege 15 password 7 056545A5E5F75191F5D40
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability
!
track 10 list boolean or
object 1
object 2
!
track 20 list boolean or
object 3
object 4
!
!
!
!
interface FastEthernet0/0
ip address 212.243.xxx.26 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 62.2.xxx.38 255.255.255.252
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/0/0
duplex full
speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 192.168.xxx.9 255.255.255.0
ip load-sharing per-packet
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10
ip route 0.0.0.0 0.0.0.0 62.2.xxx.37 track 20
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat1 interface FastEthernet0/0 overload
ip nat inside source route-map nat2 interface FastEthernet0/1 overload
!
access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any
snmp-server community Konheiser1 RW 60
snmp-server community public9 RO
snmp-server enable traps tty
!
route-map nat2 permit 10
match ip address 150
match interface FastEthernet0/1
!
route-map nat1 permit 10
match ip address 150
match interface FastEthernet0/0
!
route-map isp2 permit 10
match interface FastEthernet0/1
!
route-map isp1 permit 10
match interface FastEthernet0/0
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
Labels: Other Routing
11-26-2011 04:40 AM
There are a couple of things that you should check.
Why do you have a match interface statement in your NAT route map? It should have only the access-list statement as the source of the packets.
Second, for the load balancing to work, you need to enable the "ip cef load-balance" global command. Also, I would let the router load-balance on a per-destination basis vs. per-packet, as it will introduce asymmetric routing behaviour and application issues.
I would take the ip load-balance per-packet statement off the interface vlan 1.
I hope that you have the correct gateway defined on your hosts sitting behind this router, .9, the interface IP of VLAN 1.
Sent from Cisco Technical Support iPad App
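The application problem Amit warns about can be seen with a small model of the two load-sharing modes. This is an added Python example written for this page, not IOS code and not anything the posters ran: two uplinks each doing NAT overload to their own interface address, as in the config above. The interface addresses are constructed (RFC 5737 ranges standing in for the masked public addresses) and the hash used for per-destination selection is an assumption standing in for the CEF hash.

```python
"""Model of CEF load sharing across two NAT-outside interfaces.

Added example in Python, not IOS code. Two uplinks each do NAT overload to
their own interface address, as in the posted config. It shows why
per-packet load sharing breaks a single flow (the far end sees it arriving
from two different public addresses) while per-destination keeps every
packet of a flow on one uplink and therefore behind one translated address.
"""
import hashlib

# Constructed uplinks: interface -> address used for 'ip nat ... overload'
# (RFC 5737 ranges stand in for the masked public addresses in the thread)
UPLINKS = {
    "FastEthernet0/0": "203.0.113.26",
    "FastEthernet0/1": "198.51.100.38",
}
UPLINK_NAMES = tuple(UPLINKS)


def per_destination_egress(src, dst):
    """Pick the uplink from a hash of (src, dst): one flow always uses one uplink.
    The hash function is an assumption standing in for the CEF hash."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return UPLINK_NAMES[digest[0] % len(UPLINK_NAMES)]


def per_packet_egress(packet_index):
    """Round-robin over the uplinks for every packet, ignoring the flow."""
    return UPLINK_NAMES[packet_index % len(UPLINK_NAMES)]


def forward(packets, mode):
    """Forward (src, dst) packets; return (egress, translated_source) per packet."""
    out = []
    for i, (src, dst) in enumerate(packets):
        if mode == "per-packet":
            egress = per_packet_egress(i)
        elif mode == "per-destination":
            egress = per_destination_egress(src, dst)
        else:
            raise ValueError(f"unknown load-sharing mode: {mode}")
        # NAT overload rewrites the inside source to the egress interface address
        out.append((egress, UPLINKS[egress]))
    return out


def sources_seen_by_server(packets, mode):
    """Public source addresses the remote host sees for the given packets."""
    return {public for _, public in forward(packets, mode)}


# Constructed flow: four packets of one session from one inside host
FLOW = [("192.168.101.50", "8.8.8.8")] * 4

if __name__ == "__main__":
    for mode in ("per-packet", "per-destination"):
        seen = sources_seen_by_server(FLOW, mode)
        print(f"{mode:16s} -> server sees {len(seen)} source address(es): {sorted(seen)}")
```

Run as a script it reports two source addresses for the per-packet case and one for per-destination. A remote host that sees one session arriving from two public addresses cannot match the packets to one connection, which is the "application issues" Amit refers to; per-destination (the IOS default) keeps each flow on one uplink and one translated address.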
11-26-2011 05:28 AM
Thanks for your help. When I issue the command ip load-sharing per-destination on the interfaces it appears to go in correctly, but when I do a show run it is not in the config. Also the only global command that I can find is ip cef load-sharing algorithm original, which also does not appear in the config once I have issued it?
Regards
Gordon
11-26-2011 05:46 AM
The configuration for NAT is correct. I do not agree with my colleague Amit about the match interface in the route map. This is the correct implementation when the same source traffic goes out 2 interfaces and needs to be translated differently on each interface.
I do agree with Amit in suggesting that you remove the per packet load share. It is likely to cause problems for applications running over the network.
I believe that the fundamental problem is that the DHCP assignment says the default router is .1 but the router interface is .9. Fix this and I believe that client traffic will work.
HTH
Rick
Sent from Cisco Technical Support iPhone App
11-26-2011 05:49 AM
You are setting those commands to their default value and that is the reason that they do not show up in the config. This is not a problem.
HTH
Rick
Sent from Cisco Technical Support iPhone App
11-27-2011 01:59 AM
Hi There
My clients have their IPs manually configured with .9 as their gateway. The .1 route for the DHCP clients is another route out.
I am testing the config directly from the router. If I have
ip route 0.0.0.0 0.0.0.0 212.243.xxx.25
without the track then I am able to ping outside, and when I do a SHOW IP SLA MONITOR STAT I can see that both the monitors are up for this interface. However when I use
ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10
I am only able to ping as far as my gateway, 212.243.xxx.25, but no further, and obviously SHOW IP SLA MONITOR STAT reports both monitors down.
Can't figure out why, any ideas? Thanks again.
11-27-2011 07:36 AM
Hi Gordon
> without the track then I am able to ping outside, and when I do a SHOW IP SLA MONITOR STAT I can see that both the monitors are up for this interface. However when I use
> ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10
> I am only able to ping as far as my gateway, 212.243.xxx.25, but no further, and obviously SHOW IP SLA MONITOR STAT reports both monitors down.
Both monitors show down because you are not able to ping those public IP addresses and the track object removes the static routes from the routing table. Once you remove the track object they get reinstated and hence you are able to ping outside.
You might want to try and use some DNS servers in the public space which are up most of the time, or you can try and set up IP SLA to ping the public DNS server of your ISP. But tracking both the interfaces you are sort of taking a risk. Normally, these tracking conditions are used in a primary/backup scenario where, when you lose the primary link, the router uses the floating static route (backup static route).
HTH
Kishore
11-27-2011 02:19 AM
Could there be a problem with the fact that I am using the sequence number 10 in two statements,
route-map nat2 permit 10
and also,
track 10 list boolean
That is probably a stupid thing to say; I am just grasping at straws at this point.
11-27-2011 03:19 AM
Gordon
Thanks for the clarification and the additional information. The problem is certainly not that you are using 10 in multiple places.
I believe that I do see the problem and it is related to the track function. Let us look at the first one that you configured:
type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0
So it is going to try to ping to 164.128.x.34. But does it know how to get to that address, other than through the static default route which is using track? It looks to me like it does not. As a test, when you have the configuration using tracking try to manually ping to those addresses. I suspect that your ping will fail. And if the ping fails then the static default route is withdrawn from the routing table.
I suggest that you configure a static host route for each of the track destinations that might look something like this:
ip route 164.128.x.34 255.255.255.255 fastethernet0/0 212.243.x.25
Give that a try and let us know how it works.
HTH
Rick
11-28-2011 12:05 AM
Hi Rick
That was exactly correct; once I had the static routes in place the trackers responded OK.
Unfortunately now I have a different problem in that when I have just one ISP (F 0/0) up then I am able to ping the internet. When I have both ISPs up (F 0/0 and F 0/1) I am unable to ping the internet.
I am thinking it is a NAT issue but not sure.
Thanks
Gordon
11-28-2011 05:42 AM
Gordon
I am glad that my suggestion helped you to fix the problem with tracking. I am not sure what this new symptom is about. If you do have Internet connectivity with one ISP up then I would assume that NAT is working ok. And it would appear that somehow the second ISP being up interferes with the first ISP.
Here are a couple of things to check. With both ISPs up check the output of show ip interface brief. Are all the interfaces in the up/up state? Then check the output of show ip route. Are the expected routes in the routing table? And if neither of these show any issue then it may be helpful to post the updated config of the router so we can see it with the changes that you have made.
HTH
Rick
11-29-2011 10:20 PM
Morning Rick
With both ISPs connected I get up/up from show ip int brief. On doing show ip route I get:
Gateway of last resort is 212.243.229.25 to network 0.0.0.0
212.243.229.0/29 is subnetted, 1 subnets
C 212.243.229.24 is directly connected, FastEthernet0/0
62.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 62.2.17.60/32 [1/0] via 62.2.48.37
C 62.2.48.36/30 is directly connected, FastEthernet0/1
S 62.2.24.158/32 [1/0] via 62.2.48.37
164.128.0.0/32 is subnetted, 2 subnets
S 164.128.36.34 [1/0] via 212.243.229.25
S 164.128.76.39 [1/0] via 212.243.229.25
C 192.168.101.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 212.243.229.25
[1/0] via 62.2.48.37
So I can't see anything wrong there?
Here is the config:
Building configuration...
Current configuration : 7942 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 101.9
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$jYzP$Asx!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.xxx.1 192.168.xxx.245
!
ip dhcp pool Icon
network 192.168.xxx.0 255.255.255.0
domain-name iconasset
dns-server 192.168.xxx.37 192.168.xxx.39
default-router 192.168.xxx.1
lease 1 2 1
!
!
!
ip domain name iconasset.com
ip name-server 192.168.xxx.37
ip name-server 192.168.xxx.39
ip ssh port 2001 rotary 1 10
ip ssh version 2
ip sla monitor 1
type echo protocol ipIcmpEcho 164.128.xxx.34 source-interface FastEthernet0/0
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 164.128.xxx.39 source-interface FastEthernet0/0
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 2 life forever start-time now
ip sla monitor 3
type echo protocol ipIcmpEcho 62.2.xxx.158 source-interface FastEthernet0/1
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 3 life forever start-time now
ip sla monitor 4
type echo protocol ipIcmpEcho 62.2.xxx.60 source-interface FastEthernet0/1
timeout 1000
threshold 250
frequency 10
ip sla monitor schedule 4 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-3414616334
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3414616334
revocation-check none
rsakeypair TP-self-signed-3414616334
!
!
crypto pki certificate chain TP-self-signed-3414616334
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343134 36313633 3334301E 170D3131 31313236 31303131
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34313436
31363333 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AFAE 2609F7FE 6C4B2947 F73A61FF 429C0AA4 7C789F44 0DDB2043 A0AD4F0D
C21AE526 A70C1005 D0785E81 ACE289E7 C5E865F6 969CF17B 7DA8B230 422586E4
4C368A02 09006E23 02A81A36 F5335411 18CBFB78 5FA217B0 9E378FD5 507598EC
quit
username xxxxxxx privilege 15 password 7
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability
!
track 10 list boolean or
object 1
object 2
!
track 20 list boolean or
object 3
object 4
!
!
!
!
interface FastEthernet0/0
ip address 212.243.xxx.26 255.255.255.248
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 62.2.xxx.38 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/0/0
duplex full
speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 192.168.xxx.9 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 212.243.xxx.25 track 10
ip route 0.0.0.0 0.0.0.0 62.2.xxx.37 track 20
ip route 62.2.17.60 255.255.255.255 62.2.xxx.37 permanent
ip route 62.2.24.158 255.255.255.255 62.2.xxx.37 permanent
ip route 164.128.36.34 255.255.255.255 212.243.xxx.25 permanent
ip route 164.128.76.39 255.255.255.255 212.243.xxx.25 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4489
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat1 interface FastEthernet0/0 overload
ip nat inside source route-map nat2 interface FastEthernet0/1 overload
!
access-list 150 permit ip 192.168.xxx.0 0.0.0.255 any
snmp-server enable traps tty
!
route-map nat2 permit 10
match ip address 150
match interface FastEthernet0/1
!
route-map nat1 permit 10
match ip address 150
match interface FastEthernet0/0
!
route-map isp2 permit 10
match interface FastEthernet0/1
!
route-map isp1 permit 10
match interface FastEthernet0/0
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
Hope you can see something. Thanks
Gordon
11-30-2011 11:38 AM
Gordon
I do have a suggestion, though I am not sure that it will fix your most recent issue. My suggestion is to add the outbound interface into the host static routes that I asked you to configure (as I had shown in my post), like this:
ip route 62.2.17.60 255.255.255.255 Fast0/1 62.2.xxx.37 permanent
ip route 62.2.24.158 255.255.255.255 Fast0/1 62.2.xxx.37 permanent
ip route 164.128.36.34 255.255.255.255 Fast0/0 212.243.xxx.25 permanent
ip route 164.128.76.39 255.255.255.255 Fast0/0 212.243.xxx.25 permanent
This will make sure that if there is some problem with one ISP you do not use the path through the other ISP to get to the address that you are tracking.
If you make this change and still have the problem then can you tell me a little more about the problem. When you say you have only the ISP on Fast0/0 and it works, what is happening with Fast0/1? Is it shut down? unplugged? something else?
And what happens if you disable ISP 1 on Fast0/0 and bring up ISP 2 on Fast0/1? does that work ok?
And when you have problems in ping to the Internet with both ISP active how are you doing the ping? Is it from a PC going through the router or from the router itself? And if from the router is it a simple standard ping or is it an extended ping which allows you to specify the source interface address? And is it a ping to a name or a ping to an IP address? What address?
HTH
Rick
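Rick's diagnosis in the 11-27 post (the probe target is reachable only through the default route that its own track object gates) and the refinement in the post just above (pin each host route to the interface of the ISP it is meant to test) can both be seen in a small model of how tracked routes and IP SLA probes feed each other. This is an added Python example written for this page, not IOS code and not anything the posters ran. The addresses are constructed (RFC 5737 ranges stand in for the masked public addresses), every static route in the model is pinned to its interface as Rick advises, and the way equal-cost defaults are spread across probes is an assumption standing in for the CEF per-destination hash.

```python
"""Model of IOS object tracking gating static default routes.

Added example in Python, not IOS code. It models the dependency loop Rick
describes: each IP SLA probe needs a route to its target, and if the only
route is the default route gated by the probe's own track object, a down
track withdraws the route, the probe can never succeed, and the track never
recovers. It also shows that without host routes a probe may leave via the
other ISP, so the track no longer reports the health of the ISP it was meant
to test. Host routes pinned to the right interface fix both.
"""
import ipaddress


class Route:
    def __init__(self, prefix, interface, next_hop, track=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.interface = interface  # egress interface (pinned, as Rick advises)
        self.next_hop = next_hop
        self.track = track          # track object gating this route, or None


# Constructed addressing: RFC 5737 ranges stand in for the masked public addresses
ISP1, ISP2 = "FastEthernet0/0", "FastEthernet0/1"
PROBES = {  # IP SLA operation -> (target, ISP whose health the probe is meant to test)
    1: ("192.0.2.34", ISP1),
    2: ("192.0.2.39", ISP1),
    3: ("198.51.100.158", ISP2),
    4: ("198.51.100.60", ISP2),
}
TRACK_LISTS = {10: (1, 2), 20: (3, 4)}  # 'track N list boolean or'

DEFAULT_ROUTES = [
    Route("0.0.0.0/0", ISP1, "203.0.113.25", track=10),
    Route("0.0.0.0/0", ISP2, "198.51.100.37", track=20),
]
# The host routes Rick suggests: one /32 per probe target, pinned to its ISP
HOST_ROUTES = [Route(f"{target}/32", isp, None) for target, isp in PROBES.values()]

ALL_DOWN = {10: False, 20: False}
ALL_UP = {10: True, 20: True}


def rib(routes, track_state):
    """Routes present in the routing table for the given track-list states."""
    return [r for r in routes if r.track is None or track_state[r.track]]


def lookup(table, dst, flow_id=0):
    """Longest-prefix match; equal-cost ties are spread by flow_id
    (a stand-in for the CEF per-destination hash)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    ecmp = [r for r in matches if r.prefix.prefixlen == longest]
    return ecmp[flow_id % len(ecmp)]


def run_probes(table, isp_alive):
    """One IP SLA cycle: a probe succeeds only if a route exists and the
    upstream of the ISP it actually exits through answers."""
    results = {}
    for num, (target, _) in PROBES.items():
        route = lookup(table, target, flow_id=num)
        results[num] = route is not None and isp_alive[route.interface]
    return results


def converge(routes, isp_alive, track_state, rounds=10):
    """Iterate probe -> track -> RIB until stable; returns final track states."""
    for _ in range(rounds):
        probe_up = run_probes(rib(routes, track_state), isp_alive)
        new_state = {t: any(probe_up[m] for m in members)
                     for t, members in TRACK_LISTS.items()}
        if new_state == track_state:
            break
        track_state = new_state
    return track_state


def default_via(routes, isp_alive, track_state):
    """Interfaces that still carry an installed default route after convergence."""
    final = converge(routes, isp_alive, track_state)
    return sorted(r.interface for r in rib(routes, final) if r.prefix.prefixlen == 0)


if __name__ == "__main__":
    both_up = {ISP1: True, ISP2: True}
    isp1_dead = {ISP1: False, ISP2: True}
    print("no host routes, tracks start down :", converge(DEFAULT_ROUTES, both_up, ALL_DOWN))
    print("host routes,    tracks start down :", converge(DEFAULT_ROUTES + HOST_ROUTES, both_up, ALL_DOWN))
    print("no host routes, ISP1 upstream dead:", default_via(DEFAULT_ROUTES, isp1_dead, ALL_UP))
    print("host routes,    ISP1 upstream dead:", default_via(DEFAULT_ROUTES + HOST_ROUTES, isp1_dead, ALL_UP))
```

The first two lines of output reproduce Gordon's symptom and Rick's fix: with only the tracked defaults, tracks that start down stay down because the probes have no route at all, while the pinned host routes let the probes run regardless of track state and bring both defaults up. The last two lines show the second point: if ISP1's upstream stops answering but the link stays up, half the probes still slip out through ISP2's default without host routes, so both tracks stay up and the dead ISP keeps its default route; with host routes pinned to ISP1 those probes fail, track 10 goes down and only the ISP2 default remains.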
11-30-2011 10:54 PM
Hi Rick
I thought that the routes I put in would do the same as your suggestion, but I have changed them now to specify the interface and not the IP address.
When I have both ISPs plugged in and up/up and ping from the router with an advanced ping, testing both interfaces as the source with a destination of 8.8.8.8, I get no response. If I then issue a shut on either of the interfaces then I am able to ping 8.8.8.8, but when I do show ip sla mon stat it shows all trackers responding.
I hope I covered everything. Thanks for taking the time.
Regards
Gordon
12-04-2011 04:31 AM
Gordon
You misunderstood what I was suggesting. To specify the interface and not the IP address is not a good change. I was suggesting that you specify both the interface and the next hop address.
To specify the interface and not the IP address may work. But it depends on the next hop device(s) supporting proxy arp. And it makes the router work harder (it greatly increases the amount of arp traffic and increases the amount of memory consumed in the arp table). So please put the IP address back into the static route.
I am quite puzzled about what is causing this problem. With both interfaces up/up perhaps you could post the output of show ip route?
HTH
Rick
