
Routing loop on route-map

A_Marquez
Level 1

We recently set up a second ISP connection to help offload some traffic from, and increase our bandwidth on, the first connection. Our network basically goes like this: ISP > ASA > web filter > core switch. The second ISP connection is set up the same way, with everything going back to the same core switch. I was able to start directing traffic for a specific VLAN off to the new Internet connection via route-map; the clients on that network are able to connect to the Internet, and we thought things were fine until staff started trying to use some of our internal web services.

When they try to go to one of our hosted services, the page loads up blank. When I do a traceroute to various servers that are part of a different VLAN I get a routing loop, but if I traceroute a random device on a separate VLAN I don't get the routing loop; it happens just on the one VLAN that contains our servers.

My route-map config is pretty simple, maybe too much so:

match ip address Conn2

set ip next-hop *2nd ASA IP*

ACL for the route-map: permit 10.2.0.0 0.0.255.255

Is there something more I need to add to the ACL to prevent a routing loop, or what am I doing wrong here? Core is a Cisco 6807XL, ASAs are 5525s.

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @A_Marquez ,

>> ACL for the route-map: permit 10.2.0.0 0.0.255.255

>> Is there something more I need to add to the ACL to prevent a routing loop or what am I doing wrong here? Core is a Cisco 6807XL, ASA's - 5525

You should use an extended ACL that:

denies flows between the subnet and the DMZ servers

allows traffic sourced from 10.2.0.0 0.0.255.255 to any

This way the first flows are not processed by PBR, and this should fix your issues.

Hope to help

Giuseppe

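As an added illustration of the accepted answer (this is not code from the original thread or from Cisco), the script below models how a route-map's match ACL decides whether a packet is policy-routed. A permit match applies `set ip next-hop`; a deny match, or no match at all, skips the route-map sequence and the packet is forwarded by the ordinary routing table. The 10.2.0.0/16 source range comes from the post; the DMZ/server range 10.50.0.0/24, the next-hop label "ASA2" and the ACL/route-map names are assumptions, since the thread does not give them.

```python
"""Model of Cisco PBR match-ACL evaluation (added example, not from the thread).

Assumed topology: 10.2.0.0/16 is the VLAN being policy-routed toward the second
ASA; 10.50.0.0/24 stands in for the DMZ/server VLAN, which the post does not name.
The route-map on the core would look like (assumed names and next hop):

    route-map Conn2-PBR permit 10
     match ip address Conn2
     set ip next-hop 192.0.2.2
    interface Vlan20
     ip policy route-map Conn2-PBR
"""
import ipaddress
from typing import List, NamedTuple, Tuple

IPv4 = ipaddress.IPv4Address
Target = Tuple[IPv4, IPv4]          # (network, wildcard); wildcard bit 1 = don't care
ANY: Target = (IPv4("0.0.0.0"), IPv4("255.255.255.255"))

# Constructed: the standard ACL from the post, as it would be entered on IOS.
# It matches on source only, so server-bound traffic is policy-routed too.
ORIGINAL_ACL = """
ip access-list standard Conn2
 permit 10.2.0.0 0.0.255.255
"""

# Constructed: the extended ACL the accepted answer recommends.
# The deny line exempts VLAN-to-DMZ flows from PBR; the permit line still
# sends everything else from 10.2.0.0/16 to the second ASA.
FIXED_ACL = """
ip access-list extended Conn2
 deny   ip 10.2.0.0 0.0.255.255 10.50.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.255.255 any
"""


class Ace(NamedTuple):
    action: str     # "permit" or "deny"
    src: Target
    dst: Target


def _parse_target(tokens: List[str], i: int) -> Tuple[Target, int]:
    """Consume 'any', 'host A.B.C.D', a bare address, or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (IPv4(tokens[i + 1]), IPv4("0.0.0.0")), i + 2
    if i + 1 >= len(tokens):            # bare address with no wildcard = single host
        return (IPv4(tokens[i]), IPv4("0.0.0.0")), i + 1
    return (IPv4(tokens[i]), IPv4(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse a named standard or extended IOS ACL into an ordered list of entries."""
    entries, extended = [], False
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:2] == ["ip", "access-list"]:
            extended = tokens[2] == "extended"
            continue
        if tokens[0] not in ("permit", "deny"):
            continue
        if extended:                    # permit|deny PROTO SRC DST
            src, i = _parse_target(tokens, 2)
            dst, _ = _parse_target(tokens, i)
        else:                           # permit|deny SRC  (standard ACL: source only)
            src, _ = _parse_target(tokens, 1)
            dst = ANY
        entries.append(Ace(tokens[0], src, dst))
    return entries


def wildcard_match(addr: IPv4, target: Target) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    net, wildcard = target
    care = 0xFFFFFFFF ^ int(wildcard)
    return (int(addr) & care) == (int(net) & care)


def acl_lookup(entries: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = IPv4(src), IPv4(dst)
    for ace in entries:
        if wildcard_match(s, ace.src) and wildcard_match(d, ace.dst):
            return ace.action
    return "deny"


def pbr_next_hop(acl_text: str, src: str, dst: str,
                 policy_hop: str = "ASA2", normal: str = "routing-table") -> str:
    """Where the core forwards src->dst: the route-map's next hop on a permit match,
    otherwise (deny match or no match) the ordinary routing table."""
    return policy_hop if acl_lookup(parse_acl(acl_text), src, dst) == "permit" else normal


if __name__ == "__main__":
    flows = [("10.2.1.10", "10.50.0.5"),   # VLAN client -> DMZ server
             ("10.2.1.10", "8.8.8.8"),     # VLAN client -> Internet
             ("10.3.1.10", "8.8.8.8")]     # other VLAN -> Internet (not policy-routed)
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for src, dst in flows:
            print(f"{name:8} {src:>10} -> {dst:<10} via {pbr_next_hop(acl, src, dst)}")
```

With the original standard ACL, the client-to-server flow is sent to the second ASA even though the server sits behind the core, which is why only that VLAN showed the loop; with the extended ACL the deny line matches first and that flow falls through to normal routing, while Internet-bound traffic from 10.2.0.0/16 is still policy-routed. Note that a deny in a route-map's match ACL is not a packet filter: it only excludes the flow from that route-map sequence.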

2 Replies

That did it! I had tried it earlier, but I had an ACL configured on the subnet itself that I think was conflicting with the ACL for the route-map. Thank you for your help!
