
Redundant router help


primeaum (Technical User), Aug 31, 2009
I have pretty much two of everything and need to make it as redundant as possible. I need to have a site-to-site VPN tunnel to our corporate offices too. This is created on the ASAs and then a tunnel on the 2811s.

Right now I have a tunnel to our Corporate office on one of the ASAs working; the other will not establish a connection. At one point this worked with no issues and now it doesn't. Also, I'm trying to use GLBP to load balance the internet traffic, but sometimes users cannot load pages.
In the meantime I'll work on scrubbing configs for your reading pleasure. Thanks in advance.
 
Are the VPNs for backup purposes or do they serve as a primary connection? I would ditch the multiple GRE tunnels and configure a DMVPN. Load balancing between two ISPs without BGP is a crap shoot at best.
 
They are primary connections. I've never set up DMVPN but I will read up on it.
Thanks for your time.
 
I have GLBP set up on both routers and some users have complained that web pages don't come up sometimes. If they hit refresh a few times it loads fine. I'm also using RDP to connect to a remote PC and lose connectivity every couple of minutes. Any ideas?

Here is the setup:
Router 1
interface FastEthernet0/0.1
encapsulation dot1Q 9
ip address 10.10.10.9 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
glbp 10 ip 10.10.10.1
glbp 10 preempt
glbp 10 weighting 50
glbp 10 load-balancing weighted
glbp 10 authentication md5 key-chain ******
glbp 10 weighting track 1

Router 2
interface FastEthernet0/0.1
encapsulation dot1Q 9
ip address 10.10.10.10 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
glbp 10 ip 10.10.10.1
glbp 10 priority 50
glbp 10 preempt delay minimum 30
glbp 10 weighting 30
glbp 10 authentication md5 key-chain ******
glbp 10 weighting track 1
 
If you do a "show glbp", are state changes being recorded? What are the counters showing? To be honest I don't think GLBP is the problem, unless the dropping started just as you started using it.

Is your Internet service coming from your corporate office? When users can't get to websites, do they have IP connectivity with other hosts off the 2800's? Just trying to narrow the scope of their connectivity loss, as there are a bunch of spots in that topology where Internet transit could fail.

I'm particularly concerned with how return traffic is coming back (i.e. could asymmetric routing be causing the stateful firewalls to drop return traffic for sessions originating from the other ASA). Can you confirm if the ASAs are dropping the reported user HTTP sessions?

Also if you're just trying to facilitate two tunnels between your offices, I don't know if a DMVPN redesign is necessary. I do think that a purely active/standby setup is a better approach than load-balancing across two ISPs though, as it may help with jitter and eliminate any glitches with the firewall's stateful inspections.

CCNP, CCDP
 
If you do a "show glbp", are state changes being recorded? What are the counters showing? To be honest I don't think GLBP is the problem, unless the dropping started just as you started using it.

FastEthernet0/0.1 - Group 10
State is Active
2 state changes, last state change 1d00h
Virtual IP address is 10.10.10.1
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.928 secs
Redirect time 600 sec, forwarder time-out 14400 sec
Authentication MD5, key-chain "xxxxxx"
Preemption enabled, min delay 0 sec
Active is local
Standby is 10.10.10.10, priority 50 (expires in 8.000 sec)
Priority 100 (default)
Weighting 40 (configured 50), thresholds: lower 1, upper 50
Track object 1 state Down decrement 10
Load balancing: weighted
Group members:
0013.7f5a.6190 (10.10.10.10) authenticated
0014.f2ab.2e88 (10.10.10.9) local
There are 2 forwarders (1 active)
Forwarder 1
State is Listen
MAC address is 0007.b400.0a01 (learnt)
Owner ID is 0013.7f5a.6190
Redirection enabled, 598.896 sec remaining (maximum 600 sec)
Time to live: 14398.596 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 10.10.10.10 (primary), weighting 20 (expires in 8.012 sec)
Client selection count: 1232
Forwarder 2
State is Active
1 state change, last state change 1y0w
MAC address is 0007.b400.0a02 (default)
Owner ID is 0014.f2ab.2e88
Redirection enabled
Preemption enabled, min delay 30 sec
Active is local, weighting 40
Client selection count: 2465
Is your Internet service coming from your corporate office? When users can't get to websites, do they have IP connectivity with other hosts off the 2800's? Just trying to narrow the scope of their connectivity loss, as there are a bunch of spots in that topology where Internet transit could fail.

No, internet is going out the local T1s here. The only traffic going back to Corporate is internal. I haven't heard of anyone losing email or server connections, just web pages fail to load (until you hit reload several times).

I'm particularly concerned with how return traffic is coming back (i.e. could asymmetric routing be causing the stateful firewalls to drop return traffic for sessions originating from the other ASA). Can you confirm if the ASAs are dropping the reported user HTTP sessions?

How would I confirm this? I am guessing this is what is happening...

Also if you're just trying to facilitate two tunnels between your offices, I don't know if a DMVPN redesign is necessary. I do think that a purely active/standby setup is a better approach than load-balancing across two ISPs though, as it may help with jitter and eliminate any glitches with the firewall's stateful inspections.

That works for me; the setup is about failover more so than load balancing. I just wanted to load balance if possible.

Thanks again for your help.
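As an added example (not code from the thread, written for Python 3.8+), this parses the "show glbp" output quoted above and reports what it says: track object 1 is Down, so the weighting is cut from the configured 50 to 40, and both forwarders are still active, so clients are being spread across both routers, which is the precondition for the asymmetric return path raised above. The function and field names are my own.

```python
import re

# Constructed sample input: the lines from the thread's "show glbp" output that the
# parser reads (MAC, timer and member lines are omitted; the parser ignores them anyway).
SHOW_GLBP = """\
FastEthernet0/0.1 - Group 10
State is Active
Weighting 40 (configured 50), thresholds: lower 1, upper 50
Track object 1 state Down decrement 10
Forwarder 1
State is Listen
Active is 10.10.10.10 (primary), weighting 20 (expires in 8.012 sec)
Forwarder 2
State is Active
Active is local, weighting 40
"""

def parse_show_glbp(text):
    """Return group weighting/threshold/track fields plus one dict per forwarder."""
    group = {"forwarders": [], "tracks": []}
    cur = group  # section currently being filled: the group header or a forwarder
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Forwarder (\d+)$", line):
            cur = {"id": int(m.group(1))}
            group["forwarders"].append(cur)
        elif m := re.match(r"State is (\w+)", line):
            cur["state"] = m.group(1)
        elif m := re.match(r"Weighting (\d+) \(configured (\d+)\), thresholds: lower (\d+), upper (\d+)", line):
            group["weight"], group["configured"], group["lower"], group["upper"] = map(int, m.groups())
        elif m := re.match(r"Track object (\d+) state (\w+) decrement (\d+)", line):
            group["tracks"].append({"obj": int(m.group(1)), "state": m.group(2), "decrement": int(m.group(3))})
        elif (m := re.match(r"Active is (\S+?),?\s.*?weighting (\d+)", line)) and cur is not group:
            cur["active"], cur["weight"] = m.group(1), int(m.group(2))  # who owns this forwarder
    return group

def glbp_findings(g):
    """Describe this router's forwarding role and how clients are being distributed."""
    findings = []
    for t in g["tracks"]:
        if t["state"] != "Up":
            findings.append(f"track object {t['obj']} is {t['state']}: weighting cut by "
                            f"{t['decrement']} to {g['weight']} (configured {g['configured']})")
    if g["weight"] < g["lower"]:
        findings.append("weighting is below the lower threshold: this router has given up its forwarder role")
    active = [f for f in g["forwarders"] if f.get("active")]
    if len(active) > 1:
        gws = ", ".join(f"{f['active']} (weight {f['weight']})" for f in active)
        findings.append(f"{len(active)} gateways still answer for the virtual IP: {gws}; "
                        "clients are split across both exit paths")
    return findings
```

Run it against a full "show glbp" capture from each router; the extra lines are ignored, and a second router's output shows whether its own track object is down as well.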
 
I agree with Quad's comments and back the active/failover stance.

When you say the only traffic that is going back to corporate is internal ... Are you referring to another circuit or are you connecting to corporate via the gre tunnels?

 
Via the GRE tunnels. They are created on both the firewalls and the routers, so on the routers they look like point-to-points and internal traffic is routed using OSPF.
 
So it seems that web pages have been loading fine, but large downloads stop in the middle. I am also seeing a VPN (not the IPsec/GRE tunnels) drop from time to time.
What gives?
 