Question

Office network headache

Asked by: DzemoBond

Hello Experts,

I hope someone can help me with some input about configuration and possible design flaws which cause our proposed new office network to lose connectivity for a few seconds (still in the testing phase with only a few users). What I notice is that my outgoing VPN session goes down and then re-establishes within 2-3 seconds. My Outlook and AIM clients also complain by briefly losing contact with the mail/AIM servers. However, a constant ping to a public IP always succeeds and sees no connectivity problems during the time the VPN session goes down.

Attached is diagram of future network. Here is my design (feel free to critique):

1)      WAN consists of two cable modems that perform NATing to the 192.168.11.x network and a DSL modem that has a static IP. Three (3) Cisco 1811 routers are connected, one to each cable/DSL modem. 192.168.11.x is NATed to 10.10.10.x/28 for the cable modems, and the DSL public IP is NATed to 10.10.10.x/28 as well. I configured Cisco GLBP for load-balancing and failover to the Internet. (During the testing phase there is only the DSL and one cable modem in the pool.) IP SLA is configured on the 1811 routers and used to track reachability of the WAN next hop and determine when to take a router out of the GLBP pool.
2)      The Juniper SSG20 inside interface is configured as a trunk routing three internal VLANs. The inside port is subinterfaced and configured as the GW for all user VLANs.
3)      The Cisco 3560G is configured as the DHCP server for all 3 VLANs.

I realize that there are a few single points of failure in the design. However, the main requirement was to establish diversity and failover capability with respect to Internet connectivity.

So far, I have not been able to identify the reason for the brief outages. I see no GLBP or physical layer issues. Is it possible that some NAT timers must be tweaked?

Any input is really appreciated.
Thanks,
Dzemo

-----------RTR-CM2.SCI--------
ip sla 1
 icmp-echo 10.53.0.1
 frequency 5 
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
 
interface FastEthernet0
 description Link_to_DMZ-1.SCI.fe0/2
 ip address 10.10.10.3 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 glbp 10 ip 10.10.10.10
 glbp 10 preempt delay minimum 60
 glbp 10 weighting 100 lower 95
 glbp 10 weighting track 1 decrement 10
!
interface FastEthernet1
 description To_CM2.TWC
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 duplex auto
 speed auto
 
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip route 192.168.2.0 255.255.255.0 10.10.10.1
ip route 192.168.3.0 255.255.255.0 10.10.10.1
ip route 192.168.4.0 255.255.255.0 10.10.10.1
!
!
ip http server
no ip http secure-server
ip nat pool ovrld 192.168.11.3 192.168.11.3 prefix-length 24
ip nat inside source list 1 pool ovrld overload
!
logging trap debugging
access-list 1 permit 10.10.10.0 0.0.0.255
no cdp run
 
====================================
====================================
 
 
-------RTR-DSL.SCI-------
ip sla 1
 icmp-echo 71.X.X.1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
 
 
interface FastEthernet0
 description Link_to_DMZ-1.SCI.fe0/3
 ip address 10.10.10.4 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 glbp 10 ip 10.10.10.10
 glbp 10 weighting 100 lower 95
 glbp 10 weighting track 1 decrement 10
!
interface FastEthernet1
 description Link_to_DSL-1.Verizon_Modem
 ip address 71.X.X.69 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 duplex auto
 speed auto
 
 
ip route 0.0.0.0 0.0.0.0 71.x.x.1
ip route 192.168.2.0 255.255.255.0 10.10.10.1
ip route 192.168.3.0 255.255.255.0 10.10.10.1
ip route 192.168.4.0 255.255.255.0 10.10.10.1
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 71.x.x.69 71.x.x.69 prefix-length 24
ip nat inside source list 1 pool ovrld overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
 
 
====================================
====================================
 
 
 
-------CORE-1.SCI--------
 
ip routing
no ip domain-lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.3.1 192.168.3.100
ip dhcp excluded-address 192.168.4.1 192.168.4.100
!
ip dhcp pool Users_EastWest_DHCP
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 4.2.2.2 
   lease 7
!
ip dhcp pool QA_Lab_Room_DHCP
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 4.2.2.2 
   lease 7
!
ip dhcp pool Training_Room_DHCP
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
   dns-server 4.2.2.2 
   lease 7
 
 
 
interface FastEthernet0/2
 description Link_to_AS-1E.SCI
 switchport access vlan 2
!
interface FastEthernet0/3
 description Link_to_AS-1W.SCI
 switchport access vlan 2
!
interface FastEthernet0/4
 description Link_to_WF-1.SCI
 switchport access vlan 2
!
interface FastEthernet0/5
 description Link_to_QA-1.SCI
 switchport access vlan 3
!
interface FastEthernet0/6
 description Link_to_TR-1.SCI
 switchport access vlan 4
!
interface FastEthernet0/7
!
interface FastEthernet0/8
 description Trunk_to_FW-1.SCI_Juniper
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface Vlan1
 no ip address
!
interface Vlan2
 description Users_EastWestWifi
 ip address 192.168.2.6 255.255.255.0
!
interface Vlan3
 description QA_Lab_Room
 ip address 192.168.3.6 255.255.255.0
!
interface Vlan4
 description Training_Room
 ip address 192.168.4.6 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 0.0.0.0 0.0.0.0 192.168.4.1



Asked On: 2009-08-27 at 12:19:40, ID: 24687813
Tags: GLBP, VLAN, Juniper
Topics: Network Design & Methodology, Miscellaneous Networking, Networking Hardware Firewalls
Participating Experts: 1
Points: 500
Comments: 9

Answers

 

by: Quori, posted on 2009-08-27 at 15:23:42, ID: 25203248

First thing - you mentioned VPN. What is establishing the tunnel - the client or the router? (I see no crypto maps on the interfaces.)

Second - why are you double NAT'ing? There is no obvious reason to if you just point a default on the 1811 edge to the 192.168 interfaces on the cable modems (which you are doing anyway). Though I did notice a couple of the NTUs have the same LAN-facing IP - not sure if this is a diagram typo due to copy/paste. If not, you may want to fix this.... In short, VPN never plays well with double NAT.

Third - ip nat inside source list 1 pool ovrld overload -- use the interface, not pool.

Fourth -
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip route 0.0.0.0 0.0.0.0 192.168.4.1

What the McFudge are you trying to do here??


Fifth - tweak the MTU and MSS:
From Windows XP: ping -f 4.2.2.2 -l 1472
Change the '1472' up or down until it responds with something other than "Packet needs to be fragmented but DF bit set".

Once you have your tuned MTU, take off 40 and that is your MSS. Apply this config to your public-facing interfaces with ip mtu <value> and ip tcp adjust-mss <value>.
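The probe-and-clamp procedure above, as an added example that is not part of the thread or of any vendor tool. It binary-searches the largest ICMP payload that passes with DF set, adds the 28 bytes of IPv4+ICMP header to get the path MTU, subtracts 40 (IPv4+TCP header, no options) for the MSS, and emits the two IOS interface lines. The probe is pluggable: `simulated_path` is a constructed stand-in for a path of a given MTU so the search runs offline, and `windows_ping_probe` shells out to the real Windows `ping -n 1 -f -l` for use on an actual host. The `parse_windows_ping` matcher assumes the English-locale output strings.

```python
"""
Path-MTU / MSS tuning helper for the "ping -f -l" procedure.
Added example; not code from the thread. Probe functions are pluggable so the
search can run offline against a constructed path or against a real Windows ping.
"""
import re
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)

# Windows ping prints this when -f (don't fragment) is set and the probe is too big.
FRAG_NEEDED = re.compile(r"needs to be fragmented", re.IGNORECASE)
REPLY = re.compile(r"Reply from .*bytes=\d+")


def parse_windows_ping(output: str) -> bool:
    """True if the probe got through unfragmented, False if the path refused it.
    A timeout also yields False, so callers should retry before trusting it."""
    if FRAG_NEEDED.search(output):
        return False
    return bool(REPLY.search(output))


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path with the given MTU (no network needed)."""
    def probe(payload: int) -> bool:
        return payload + IP_ICMP_OVERHEAD <= path_mtu
    return probe


def windows_ping_probe(host: str) -> Callable[[int], bool]:
    """Real probe: one Windows ping with DF set and the given payload size."""
    def probe(payload: int) -> bool:
        out = subprocess.run(["ping", "-n", "1", "-f", "-l", str(payload), host],
                             capture_output=True, text=True).stdout
        return parse_windows_ping(out)
    return probe


def find_max_payload(probe: Callable[[int], bool], lo: int = 548, hi: int = 1472) -> int:
    """Largest ICMP payload that passes with DF set, by binary search.
    1472 is the Ethernet maximum (1500 - 28); 548 is the IPv4 minimum (576 - 28).
    Each probe call is one ping, so this takes ~10 pings instead of a manual walk."""
    if probe(hi):
        return hi
    if not probe(lo):
        raise RuntimeError("even %d bytes is fragmented; path is broken or filtered" % lo)
    while hi - lo > 1:            # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def tune(probe: Callable[[int], bool]) -> dict:
    """Discover path MTU, derive MSS, and render the IOS lines for the WAN interface."""
    payload = find_max_payload(probe)
    mtu = payload + IP_ICMP_OVERHEAD
    mss = mtu - IP_TCP_OVERHEAD
    return {"payload": payload, "mtu": mtu, "mss": mss,
            "ios": ["ip mtu %d" % mtu, "ip tcp adjust-mss %d" % mss]}


if __name__ == "__main__":
    # Typical PPPoE DSL path (1492) versus plain Ethernet (1500).
    print(tune(simulated_path(1492)))
    print(tune(simulated_path(1500)))
    # On a Windows host with real connectivity: print(tune(windows_ping_probe("4.2.2.2")))
```

`ip tcp adjust-mss` rewrites the MSS option in SYNs crossing the interface, so it only helps TCP that the router can see in the clear; a user's VPN client adds its own encapsulation inside that MTU, so tunneled TCP needs a smaller MSS still, set on the VPN client or concentrator rather than here.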

 

by: DzemoBond, posted on 2009-08-27 at 16:23:59, ID: 25203538

Quori - thanks for the fast response and valuable input!!

First thing - VPN -- Users are VPN clients connecting to a different location. (No site-to-site tunnel because users are mobile in and out of the office.)

Second - double NAT'ing -- quite honestly I don't know myself why :( I will eliminate NAT'ing on the 1811 routers and see if anything changes. As for the IP typo, all routers have unique internal 10.10.10.x IPs, but the cable modem routers have the same outside 192.168.11.x interfaces, which I do not control (default modem configuration).

Third - NAT source interface -- good point but I will try to eliminate nat

Fourth - default routes -- oops, I never removed it... that was a leftover from my earlier configuration scenario when the 3560G was acting as an L3 switch.


Fifth - tweak the MTU and MSS  -- will definitely play with these values.


Question:
GLBP configuration - does anything stick out as misconfigured or not optimally configured?

 

by: Quori, posted on 2009-08-27 at 17:16:03, ID: 25203903

My GLBP is rusty. I shall lab something up and get back to you as soon as I can, unless another expert jumps in first.

 

by: Quori, posted on 2009-08-27 at 17:18:31, ID: 25203950

One other thing to note - since all the cable modems are running default config and are out of your control (or do you just not want to change them?) you may want to change your static default route to include an interface:

ip route 0.0.0.0 0.0.0.0 fa1 192.168.11.1

Just to be safe, so you don't get any asymmetric routing issues, since the next-hops are identical in NLRI but different physical devices.

 

by: DzemoBond, posted on 2009-08-31 at 13:09:38, ID: 25225981

A few updates on my issue - it looks like the existing GLBP configuration is the culprit here.

But first..
RE: "the need for double NAT'ing" -- well, it turns out I might have a short memory problem ;) The need for NAT stems from the cable modem 'expecting' a 192.168.11.x address at its ETH1 interface.
I did implement Quori's suggestion to use the interface instead of the pool name for NAT.

RE: "default routes to 3 internal 192.168.x.x networks" - without this I won't be able to ssh/telnet to the routers.

As for GLBP, I tested by having only one of the WAN links in the pool and I had no issues during that time. Shortly after I connected the DSL as part of the GLBP pool, my VPN client started acting up again.

I found this site and need to check if anything applies to my configuration. It could be related to a mismatch between MAC aging and ARP timeout:
http://cciethebeginning.wordpress.com/tag/glbp/

RTR-DSL.SCI
====================
interface FastEthernet0
 description Link_to_DMZ-1.SCI.fe0/3
 ip address 10.10.10.4 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 glbp 10 ip 10.10.10.10
 glbp 10 weighting 100 lower 95
 glbp 10 weighting track 1 decrement 10
 
 
RTR-CM2.SCI
===================
 
interface FastEthernet0
 description Link_to_DMZ-1.SCI.fe0/2
 ip address 10.10.10.3 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 glbp 10 ip 10.10.10.10
 glbp 10 weighting 100 lower 95
 glbp 10 weighting track 1 decrement 10

 

by: Quori, posted on 2009-08-31 at 14:05:56, ID: 25226556

"RE: " default routes to 3 internal 192.168.x.x networks" - without this I wont be able to ssh/telnet to routers."

You realize that at any given time, only one of those routes will be installed in the routing table, right?


With your GLBP - do you have a public ASN? The reason I ask is a possible cause could be asymmetric routing. Your traffic is leaving via one device/provider and attempting to return via another device/provider, which would work if you were peering BGP with your own ASN and the advertised range was known via multiple paths to all applicable providers. But with NAT, it simply won't.

 

by: DzemoBond, posted on 2009-09-02 at 11:37:45, ID: 25244134

That would explain why I could not connect from the .3.x and .4.x networks. I removed the three /24 routes and now have one default route to 192.168.0.0/16. Not sure what logic I followed - I guess I was in Rookie-ulala land. Thanks for the reality check.

As for the ASN - no, we don't do any BGP peering.

After some more reading, testing and considering your feedback, I concluded that the way the network is set up now, GLBP would not properly do load-balancing, given that the Netscreen FW is considered the only 'host' using the default round-robin method. The weighted method looks similar to round-robin, with just the load distribution being different. The host-dependent method looks like a more suitable solution when NATing is used, where hosts would stick to a particular AVF, but again my only 'host' is the Netscreen FW, so it kind of defeats the purpose. I gave up on GLBP and configured HSRP :(

 

by: DzemoBond, posted on 2009-09-02 at 11:41:33, ID: 31621408

While the exact solution was not provided, the other suggestions and feedback provided proved to be beneficial in determining the proper solution for the overall design.

 

by: Quori, posted on 2009-09-02 at 16:55:00, ID: 25246817

Sorry to say, with your Internet transit connectivity it was never viable for you to use GLBP to the outside, purely because you had no consistent routes back.

If you think about it - say a request comes from host 192.168.2.100 on VLAN 2, goes out RTR-CM1.SCI and is source-translated from 192.168.2.100 to 192.168.11.3, then to CM1.TWC, again source-translated from 192.168.11.3 to 206.105.x.x. This works for the age of the ARP entry, so a set of frames is sent this way, but then GLBP polls for the load and decides (for the same connection, mind you) to go from 192.168.2.100 on VLAN 2 to RTR-DSL.SCI, translated from 192.168.2.100 to 71.x.x.x, so now it is a totally new TCP socket even though you're halfway through handshaking/etc from another source (206.105.x.x).
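The failure mechanism Quori describes, and the reason the asker's switch to HSRP fixed it, as an added example model that is not code from the thread. It assumes what the posts state: each 1811 keeps its own NAT table and public address, the Netscreen is the only host ARPing for the 10.10.10.10 virtual IP, GLBP round-robin hands a different AVF's virtual MAC to each ARP request, and a stateful far end (VPN concentrator, mail server) answers a mid-stream segment from an unknown source address/port with a RST. The router names come from the posted configs; the DSL public address is a placeholder (203.0.113.69, RFC 5737) for the masked 71.x.x.69, and the ARP timeout is a tick count rather than seconds.

```python
"""
Why GLBP round-robin plus per-router NAT breaks a TCP flow, as a small model.
Added example, not code from the thread; see the lead-in for the assumptions.
"""
from dataclasses import dataclass, field
from itertools import cycle

VIRTUAL_GW = "10.10.10.10"


@dataclass
class NatRouter:
    """One 1811 edge router doing PAT. Its translation table exists only on this box."""
    name: str
    public_ip: str
    table: dict = field(default_factory=dict)   # (inside ip, port) -> outside port
    next_port: int = 1024

    def translate(self, src_ip: str, src_port: int) -> tuple:
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]


class RemoteServer:
    """Stateful far end: knows sessions only by the 4-tuple it saw on the SYN."""
    def __init__(self):
        self.sessions = set()

    def receive(self, src: tuple, syn: bool) -> str:
        if syn:
            self.sessions.add(src)
            return "SYN-ACK"
        # A mid-stream segment from an address/port it has never seen gets a RST.
        return "ACK" if src in self.sessions else "RST"


class VirtualGateway:
    """How the single host behind VIRTUAL_GW (the Netscreen) picks its next hop."""
    def __init__(self, routers, mode: str, arp_timeout: int):
        if mode not in ("glbp", "hsrp"):
            raise ValueError(mode)
        self.routers, self.mode, self.arp_timeout = routers, mode, arp_timeout
        self._rr = cycle(routers)
        self._cached = None
        self._age = arp_timeout          # cache empty: the first packet must ARP

    def resolve(self) -> NatRouter:
        if self._age >= self.arp_timeout:
            # ARP for VIRTUAL_GW. HSRP: the one active router always answers with
            # the same virtual MAC. GLBP round-robin: the AVG hands out the next
            # AVF's virtual MAC per request, and this host is the only requester,
            # so every cache expiry flips the forwarder.
            self._cached = self.routers[0] if self.mode == "hsrp" else next(self._rr)
            self._age = 0
        self._age += 1
        return self._cached


def simulate(mode: str, segments: int = 20, arp_timeout: int = 5) -> dict:
    """Send one TCP flow of `segments` packets; report which routers carried it
    and the segment index at which the far end RST it (None if it survived)."""
    cm = NatRouter("RTR-CM2.SCI", "192.168.11.3")   # cable modem NATs this again upstream
    dsl = NatRouter("RTR-DSL.SCI", "203.0.113.69")  # placeholder for 71.x.x.69
    gw = VirtualGateway([cm, dsl], mode, arp_timeout)
    server = RemoteServer()
    host = ("192.168.2.100", 50000)                  # Quori's example host, one socket
    path, seen = [], set()
    for seq in range(segments):
        rtr = gw.resolve()
        src = rtr.translate(*host)
        path.append(rtr.name)
        seen.add(src[0])
        if server.receive(src, syn=(seq == 0)) == "RST":
            # The RST returns through rtr's fresh NAT entry to the host's socket
            # and tears the connection down: the 2-3 second "VPN drop".
            return {"path": path, "public_sources": sorted(seen), "died_at": seq}
    return {"path": path, "public_sources": sorted(seen), "died_at": None}


if __name__ == "__main__":
    for mode in ("glbp", "hsrp"):
        print(mode, simulate(mode))
```

Two things the model makes visible: a flow shorter than the ARP cache lifetime (a single ping, or `segments=1`) never notices the flip, which is why the asker's constant ping stayed clean while long-lived VPN and mail sessions dropped; and raising the ARP timeout only stretches the interval between drops, whereas HSRP, or any scheme that gives one host one exit NAT, removes them.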
