Static route to host causes RTOs

Eduard A.
Level 1

Hi All, default route to internet to communicate with the private networks. ISP1s are active through AD and ISP2s are backup via IP SLA. I want to communicate to the AMERICA's server via ASIA's ISP2. When I do a basic static route, everything works fine. But when I do a static route to that host via full mask, I get RTOs. Same with PBR. What seems to be the problem here?


Hello,

What is your IP SLA tracking, a default route? And what do RTOs mean in your context: do you have no connectivity at all when you use the static host route, or just lost packets?

We have two default routes for each ISP, with AD manipulation to get one to be active, so yes, our IP SLA is tracking a default route. By RTO I mean request timeouts. I have connectivity when using the static route to host, but I am having noticeable packet drops, which are nonexistent in a basic static route (with a next hop IP add).
Thanks so much for replying.

Hello

So it's failing when you add either a more specific static or a policy route towards the American server via the Asia ISP2 path?
I guess when you do this you would most probably be incurring asymmetric routing, with the return path coming back via Asia ISP1.

Can you elaborate on what routing protocols (if any) you are using, or is this solely static routing?
How are you trying to connect to the server? What is the server role?
When you static route or PBR, are you able to traceroute the path towards this server? Where does it fail?

Can you post your PBR configuration and possibly any successful and failed test results you may have?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, I'm having packet drops when I configure a more specific route (static to host and PBR).
Thought so too about the possibility of having a problem with the return route.
Static routing is all we have.
I am just monitoring through continuous pings; it's a database one.
I am afraid I'm not able to traceroute because of the VPN, this is why I am on the edge of losing hope with this one.

Right, my PBR is just a simple extended ACL with the client's subnet as source and the server's IP as destination. I tied this to a route map through a match ip add (acl name) and set a next hop IP, then lastly configured the map at the VLAN's interface.

Thank you for replying
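The two setups described in the post above, written out as IOS configuration. This is an added example, not part of the original post and not the poster's actual configuration: all addresses are constructed from documentation ranges, and the names CLIENTS-TO-SERVER, VIA-ISP2 and Vlan10 are hypothetical.

```cisco
! Constructed values (not from the thread):
!   client subnet 192.0.2.0/24 on Vlan10
!   server        198.51.100.10
!   ISP2 next hop 203.0.113.1
!
! Variant 1: static route to the host with a full (/32) mask via ISP2
ip route 198.51.100.10 255.255.255.255 203.0.113.1
!
! Variant 2: PBR as described in the post:
! extended ACL with the client subnet as source and the server as destination
ip access-list extended CLIENTS-TO-SERVER
 permit ip 192.0.2.0 0.0.0.255 host 198.51.100.10
!
! route map that matches the ACL and sets the next hop
route-map VIA-ISP2 permit 10
 match ip address CLIENTS-TO-SERVER
 set ip next-hop 203.0.113.1
!
! route map applied on the clients' VLAN interface
interface Vlan10
 ip policy route-map VIA-ISP2
!
! Checks to run in each variant (exec mode):
!   show ip route 198.51.100.10          ! which route and next hop are selected
!   show route-map VIA-ISP2              ! policy-routing match counters
!   show ip policy                       ! which interfaces have PBR applied
!   show ip access-lists CLIENTS-TO-SERVER   ! ACL hit counts
```

Both variants steer only the client-to-server direction; the return path is chosen by the routers on the server side, so a stateful firewall on either path may see only one direction of the flow.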

Hello,

Can you post the output of a traceroute when you have the less and the more specific route configured?

Hi,

Basically, when I do a traceroute using the less specific route I got:

traceroute [server IP]

1 [private gateway]

2 *

3 [server name]

That's all I got, I guess mainly because of the "tunnel" it goes through. Basically the setup is like one subnet to another inside one private network, so your packets traverse your immediate gateway, then the tunnel, then the host. I will try to trace using the more specific route later. Thanks for replying, please keep them coming.

Hello


@Eduard A. wrote:
Yes, I'm having packet drops when I configure a more specific route (static to host and PBR).
Thought so too about the possibility of having a problem with the return route.
Static routing is all we have.
I am just monitoring through continuous pings; it's a database one.
I am afraid I'm not able to traceroute because of the VPN, this is why I am on the edge of losing hope with this one.

Okay, details of your VPN setup: so your VPN is denying traceroute? What kind of VPN is this? Is it possible the VPN security rules are also denying asymmetric routing? Unfortunately, without details it would be hard to troubleshoot.


Kind Regards
Paul

We have ASAs before each ISP switch.

I'm sorry for not being so specific here. I know it would be very hard to troubleshoot with little to no details. But what's confusing me is, how come a basic static route with a next IP address is working all fine but the more specific route is not?

You mentioned asymmetric routing; what are the configs that might block this kind of routing?

Hello

I think it could be various things negating this, more so security/filtering rules applied to upstream routers/FWs etc., but without the understanding it would be hard to say.
Are you able to provide any pre-post configuration, traceroute, extended ping or debug results?


Kind Regards
Paul