Solved

No Outbound traffic on Broadband Interface on Cisco Router

Posted on 2008-10-30
Last Modified: 2012-06-27
Good Evening,
I've setup a cisco 2800 with a broadband connection to our local cable provider.
Interface information:
IP a.b.c.130
Mask: 255.255.255.48
Default gateway SHOULD be a.b.c.129

Connected Route for interface:
     a.b.c.0/29 is subnetted, 1 subnets
C       a.b.c.128 is directly connected, GigabitEthernet0/1 (gb0/1 = .129)

Traffic is able to enter the interface without issue; however, no outbound information is leaving the router for the internet.  I've removed the Firewall and ACL information.  There are multiple connections on this router; the T1's are working fine. However, when I try to fail the T1's and run on the cable connection only, obviously we run into issues.

When the T1's are failed, I can ping a.b.c.129 however a ping to 4.2.2.2 fails and an extended Trace shows * * * from the very first hop.

Any other information I can provide I will!  
Thanks,
Postie
Question by:Posthumous
14 Comments
 
LVL 5

Expert Comment

by:rexxus
ID: 22847527
Do you have a floating static default route to direct traffic out the broadband interface if the T1's fail?

Do you have any routes directing traffic out the gig0/1 interface?

Also I'm assuming that the following info you provided is a typo, but can you check the interface subnet mask and make sure it's 255.255.255.248

"Mask: 255.255.255.48"
 
LVL 1

Author Comment

by:Posthumous
ID: 22849435
Good Morning,
Yeah, .48 was a typo, apologies, it is .248.

There are currently 3 routes in the system
0.0.0.0 0.0.0.0 T1#1 distance 1
0.0.0.0 0.0.0.0 T1#2 distance 1
0.0.0.0 0.0.0.0 Cable distance 10

However, if I take out the routes and leave only the gigabit link route, and admin down the two T1's, that's where I'm running into issues; haven't even gotten to the point where the failovers are being troubleshot, per se.

Last night I did the following:
Removed all default static T1 routes leaving only the cable route
Removed all firewalls and access lists from the cable interface
Ping d.e.f.129 (default gateway of cable route) !!!!!  - all good
ping 4.2.2.2 (DNS internet) ..... - all bad

Messed around with a few other things trying to figure out why data won't go out the cable interface but would come in it from other sites, eventually just put the code back to the way it was and went to bed.  Only thing I could think of was to wipe the whole router and rebuild it piece by piece but just didn't have the energy at that point to attempt.



Current configuration : 15080 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco2800
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
logging buffered 51200 debugging
logging rate-limit all 100
enable secret 5 $1$9/VC$ol8RuDQ81TipSPuhvfM4y.
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring
no network-clock-participate wic 0
no ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
no ip bootp server
ip domain name companyconstruction.com
ip name-server 192.168.1.12
ip name-server 192.168.1.97
!
!
!
crypto pki trustpoint TP-self-signed-3994249393
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3994249393
 revocation-check none
 rsakeypair TP-self-signed-3994249393
!
!
crypto pki certificate chain TP-self-signed-3994249393
 certificate self-signed 01
  quit
username admin privilege 15 secret 5 $1$uH5T$6GuYdAdYPzzkU5ML.TsmT/
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
!
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address x.y.z.1 255.255.255.248
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
 ip address 192.168.1.50 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address d.e.f.130 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 description T1 202$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.202 255.255.255.252
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
!
interface Serial0/0/1:0
 description T1 222$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.222 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 permanent
ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0 permanent
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10 permanent name 
ip flow-top-talkers
 top 5
 sort-by bytes
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool x.y.z.1 38.99.187.6 netmask 255.255.255.248
ip nat pool pool2 d.e.f.130 d.e.f.130 netmask 255.255.255.248
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.96 25 x.y.z.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.96 80 x.y.z.1 80 extendable no-alias
ip nat inside source static tcp 192.168.1.96 110 x.y.z.1 110 extendable no-alias
ip nat inside source static tcp 192.168.1.96 443 x.y.z.1 443 extendable no-alias
ip nat inside source static tcp 192.168.1.96 3389 x.y.z.1 3389 extendable no-alias
ip nat inside source static tcp 192.168.1.96 25 d.e.f.130 25 extendable no-alias
ip nat inside source static tcp 192.168.1.96 80 d.e.f.130 80 extendable no-alias
ip nat inside source static tcp 192.168.1.96 110 d.e.f.130 110 extendable no-alias
ip nat inside source static tcp 192.168.1.96 443 d.e.f.130 443 extendable no-alias
ip nat inside source static tcp 192.168.1.96 25 d.e.f.130 587 extendable no-alias
ip nat inside source static tcp 192.168.1.96 3389 d.e.f.130 3389 extendable no-alias
!
logging trap debugging
logging server-arp
logging 192.168.1.250
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip a.b.c.200 0.0.0.7 any
access-list 100 deny   ip d.e.f.128 0.0.0.7 any
access-list 100 deny   ip a.b.c.216 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 permit icmp any host d.e.f.130 echo
access-list 101 permit tcp any host d.e.f.130 eq 3389
access-list 101 permit tcp any host d.e.f.130 eq 443
access-list 101 permit tcp any host d.e.f.130 eq pop3
access-list 101 permit tcp any host d.e.f.130 eq www
access-list 101 permit tcp any host d.e.f.130 eq smtp
access-list 101 permit udp any eq domain host d.e.f.130
access-list 101 permit udp any eq ntp host d.e.f.130
access-list 101 permit tcp any eq www host d.e.f.130
access-list 101 permit tcp any eq 443 host d.e.f.130
access-list 101 permit tcp any eq 3389 host d.e.f.130
access-list 101 permit tcp any eq 1494 host d.e.f.130
access-list 101 permit icmp any host d.e.f.130 echo-reply
access-list 101 permit icmp any host d.e.f.130 time-exceeded
access-list 101 permit icmp any host d.e.f.130 unreachable
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host x.y.z.1 eq 3389
access-list 102 permit tcp any host x.y.z.1 eq 443
access-list 102 permit tcp any host x.y.z.1 eq pop3
access-list 102 permit tcp any host x.y.z.1 eq www
access-list 102 permit tcp any host x.y.z.1 eq smtp
access-list 102 permit tcp any eq smtp host x.y.z.1
access-list 102 permit udp any eq domain host x.y.z.1
access-list 102 permit udp any eq ntp host x.y.z.1
access-list 102 permit tcp any eq www host x.y.z.1
access-list 102 permit tcp any eq 443 host x.y.z.1
access-list 102 permit tcp any eq 3389 host x.y.z.1
access-list 102 permit tcp any eq 1494 host x.y.z.1
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 permit udp any eq ntp host a.b.c.202
access-list 102 remark 2967 Symantec AV
access-list 102 permit tcp any host a.b.c.202 eq 2967
access-list 102 permit tcp any host a.b.c.202 eq smtp
access-list 102 permit tcp any eq smtp host a.b.c.202
access-list 102 permit tcp any eq 1494 host a.b.c.202
access-list 102 permit tcp any host a.b.c.202 eq 443
access-list 102 permit tcp any eq 443 host a.b.c.202
access-list 102 permit tcp any host a.b.c.202 eq www
access-list 102 permit tcp any eq www host a.b.c.202
access-list 102 permit udp any eq domain host a.b.c.202
access-list 102 permit icmp 66.28.3.0 0.0.0.255 host a.b.c.202 echo
access-list 102 permit icmp 66.250.0.0 0.0.254.255 host a.b.c.202 echo
access-list 102 permit icmp any host a.b.c.202 echo-reply
access-list 102 permit icmp any host a.b.c.202 time-exceeded
access-list 102 permit icmp any host a.b.c.202 unreachable
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any host x.y.z.1 eq 3389
access-list 103 permit tcp any host x.y.z.1 eq 443
access-list 103 permit tcp any host x.y.z.1 eq pop3
access-list 103 permit tcp any host x.y.z.1 eq www
access-list 103 permit tcp any host x.y.z.1 eq smtp
access-list 103 permit tcp any eq smtp host x.y.z.1
access-list 103 permit udp any eq domain host x.y.z.1
access-list 103 permit udp any eq ntp host x.y.z.1
access-list 103 permit tcp any eq www host x.y.z.1
access-list 103 permit tcp any eq 443 host x.y.z.1
access-list 103 permit tcp any eq 3389 host x.y.z.1
access-list 103 permit tcp any eq 1494 host x.y.z.1
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 permit udp any eq ntp host a.b.c.222
access-list 103 permit tcp any eq 3389 host a.b.c.222
access-list 103 permit tcp any host a.b.c.222 eq 3389
access-list 103 permit tcp any eq smtp host a.b.c.222
access-list 103 permit tcp any eq 1494 host a.b.c.222
access-list 103 permit tcp any host a.b.c.222 eq 443
access-list 103 permit tcp any eq 443 host a.b.c.222
access-list 103 permit tcp any host a.b.c.222 eq www
access-list 103 permit tcp any eq www host a.b.c.222
access-list 103 permit udp any eq domain host a.b.c.222
access-list 103 permit icmp 66.28.3.0 0.0.0.255 host a.b.c.222 echo
access-list 103 permit icmp 66.250.0.0 0.0.254.255 host a.b.c.222 echo
access-list 103 permit icmp any host a.b.c.222 echo-reply
access-list 103 permit icmp any host a.b.c.222 time-exceeded
access-list 103 permit icmp any host a.b.c.222 unreachable
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 199 remark auto generated by SDM firewall configuration
access-list 199 remark SDM_ACL Category=1
access-list 199 permit tcp any host x.y.z.1 eq 3389
access-list 199 permit tcp any host x.y.z.1 eq 443
access-list 199 permit tcp any host x.y.z.1 eq pop3
access-list 199 permit tcp any host x.y.z.1 eq www
access-list 199 permit tcp any host x.y.z.1 eq smtp
access-list 199 permit udp any eq domain host x.y.z.1
access-list 199 permit udp any eq ntp host x.y.z.1
access-list 199 permit tcp any eq www host x.y.z.1
access-list 199 permit tcp any eq 443 host x.y.z.1
access-list 199 permit tcp any eq 3389 host x.y.z.1
access-list 199 permit tcp any eq 1494 host x.y.z.1
access-list 199 deny   ip 10.0.0.0 0.255.255.255 any
access-list 199 deny   ip 172.16.0.0 0.15.255.255 any
access-list 199 deny   ip 192.168.0.0 0.0.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip host 0.0.0.0 any
access-list 199 permit icmp 66.28.3.0 0.0.0.255 host a.b.c.222 echo
access-list 199 permit icmp 66.250.0.0 0.0.254.255 host a.b.c.222 echo
access-list 199 permit icmp any host a.b.c.222 echo-reply
access-list 199 permit icmp any host a.b.c.222 time-exceeded
access-list 199 permit icmp any host a.b.c.222 unreachable
access-list 199 deny   ip any any log
snmp-server community company RW
snmp-server community public RO
snmp-server location HO
snmp-server host 192.168.1.250 100153
no cdp run
!
!
control-plane
!
!
banner login ^CAccess Strictly Prohibited^C
banner motd ^C ^C
alias exec s show ip interface brief
!
line con 0
 logging synchronous
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


 
LVL 17

Expert Comment

by:mikecr
ID: 22851259
When you ping, are you pinging from the router or through the router? If you do an extended ping from the gigabit interface to the 4.2.2.2 address, do you get a reply?
 
LVL 1

Author Comment

by:Posthumous
ID: 22851328
Negative, with the T1's shutdown and the routes removed, Firewall disabled and ACL's removed.
Pinging from the router.
I could ping the d.e.f.129  (default gateway of the cable connection)
I could NOT ping 4.2.2.2
I could NOT Trace to 4.2.2.2
Extended Ping/Traces tied specifically to the gigabitethernet 0/1 interface also failed.

However I can still (even now with everything up and working during the day) send RDP/telnet traffic from an offsite location to that d.e.f.130 address and get connected to the server behind it and all the traffic going back to site uses the T1's to get where it needs to go.  Is it possible for the traffic to be routed across the T1's to the d.e.f.130 interface?  Doesn't seem likely to me but perhaps I'm going crazy.

Rather confusing honestly why I can get traffic in and nothing out on that connection.
 
LVL 17

Expert Comment

by:mikecr
ID: 22851575
Can you ping the outside IP address of your GI0/1 interface from a remote computer? Just make sure that you only have one default route going out that interface when you do it. Keep in mind that if you put multiple default routes on a router, you can get asynchronous routing. This means that you will come in one interface but exit another. In other words, internally, if you go out the GI0/1 interface when you open a browser on your desktop, you'll come back the same way due to NAT. However, if you're a computer on the internet coming into the router from the outside, its return traffic may not go back out the same way it came in, such as coming in Gi0/1 and going back out s0/0/0.
 
LVL 17

Expert Comment

by:mikecr
ID: 22851736
Two things I just noticed in your configuration are the following:
ip load-sharing per-packet
First off, this only works if the destination router is the same over multiple links. This means if you have three different ISP circuits and you use per-packet load balancing, you're sending a packet out each one. Guess what, you aren't going anywhere because the packets can't be assembled on the other side because 3 different ISP's have them.

Next is:
ip route-cache flow

If you're using IP route-cache flow to do netflow statistics, this means CEF is turned off. CEF is a requirement for the ip load-sharing command. This means load balancing is not working; the command will need to be removed from the interface.
 
LVL 1

Author Comment

by:Posthumous
ID: 22852106
Hi Mike,
Thanks for the Answers, will clear up what I can first.

When the gig0/1 interface is the only one active and all the other routes are down, I can ping the outside of the gig0/1 from one of the remote sites; however, I can't make a connection, as no return traffic seems to be able to get beyond the .130 port or at most the .129.  However, I have disabled all extraneous items at that time (Firewalls, ACL's, and actually deleted the static routes to the T1s).

CEF shouldn't be enabled on the gig0/1 interface I will check the router now and verify that it is disabled and disable ip route-cache flow on the two CEF interfaces (T1's are same provider same route etc).
 
LVL 1

Author Comment

by:Posthumous
ID: 22852181
I've updated the interfaces as you've recommended (I think)

Removed CEF from Gig0/1 and gig 0/0 (I think the ip cef command enables it on all interfaces, it seems)
Removed route cache flow from both t1 interfaces.
interface Loopback0
 ip address x.y.z.1 255.255.255.248
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$
 ip address 192.168.1.50 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address d.e.f.130 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 description T1 202$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.202 255.255.255.252
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
!
interface Serial0/0/1:0
 description T1 222$FW_OUTSIDE$
 bandwidth 1536000
 ip address a.b.c.222 255.255.255.252
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip load-sharing per-packet
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp

 
LVL 17

Accepted Solution

by:
mikecr earned 500 total points
ID: 22852300
Netflow and CEF are two different layer two forwarding services. To use CEF, you need to turn off Netflow. That means "no ip route-cache flow" needs to be run on each interface that has it enabled. To turn on CEF on the interface, use "ip route-cache cef". To turn it on globally, use "ip cef".
Change your ip load-sharing per-packet to ip load-sharing per-destination. This way each session will go out a different ISP instead of each packet.

Once you make these changes, shut down all interfaces again, remove all firewall and access lists configurations and then give me just the config for the GI0/1 interface to make sure it is correct and do a "show ip route" and paste it here.
 
LVL 1

Author Comment

by:Posthumous
ID: 22852454
Hi mike,
Won't be able to do that till after business hours as the T1's are currently active.
However as soon as I can get it done I will.

 
LVL 17

Expert Comment

by:mikecr
ID: 22852485
No problem, take your time.
 
LVL 1

Author Comment

by:Posthumous
ID: 22853317
Here's the interface settings with the changes (hopefully correct this time!)
After 5pm EST I'll bring down the T1's and go through the steps you have outlined and post results.
Haven't changed the packet balance yet just because I don't know how it will affect current utilization; will change that after 5pm.

Thanks

GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.50/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 100
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  BGP Policy Mapping is disabled
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 208.97.67.130/29
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 101
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW
Serial0/0/0:0 is up, line protocol is up
  Internet address is a.b.c.202/30
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  Peer address is a.b.c.201
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 102
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW
Serial0/0/1:0 is up, line protocol is up
  Internet address is a.b.c.222/30
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  Peer address is a.b.c.221
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 103
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW
NVI0 is up, line protocol is up
  Internet protocol processing disabled
Loopback0 is up, line protocol is up
  Internet address is x.y.z.1/29
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 199
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Outgoing inspection rule is SDM_LOW
  Inbound inspection rule is SDM_LOW

 
LVL 1

Author Comment

by:Posthumous
ID: 22854842
Well I had a big post all prepped for you, however I managed to blow it up.
Suffice to say I got traffic going out on the Cable connection!
Had to put a hard gateway into the 0.0.0.0 route to that interface and traffic started passing properly.
Tracked a couple other issues back to NAT at this point; seems that if I enable both NAT pass throughs on the cable and T1 interfaces there's some issues going out to the internet for internal PCs.
Guessing here, but I think that the packets are getting all confused: some are getting NAT translated to the gig0 IP but being passed to the T1's and vice versa, and it's obviously screwing with delivery outbound.  
Seems that the T1's get all the priority for packets, which I guess is fine except if the T1's go down and the NAT tags continue but traffic gets passed to the gigs? Not sure if that makes any sense.
Here's some more data, and I am awarding you the points for the question; if you don't continue to help, no problem, you got me this far!

Here's my current ip route
Gateway of last resort is d.e.f.129 to network 0.0.0.0

     a.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C       a.b.c.221/32 is directly connected, Serial0/0/1:0
C       a.b.c.220/30 is directly connected, Serial0/0/1:0
C       a.b.c.201/32 is directly connected, Serial0/0/0:0
C       a.b.c.200/30 is directly connected, Serial0/0/0:0
C       x.y.z.0/29 is directly connected, Loopback0
     d.e.f.0/29 is subnetted, 1 subnets
C       d.e.f128 is directly connected, GigabitEthernet0/1
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via d.e.f.129, GigabitEthernet0/1
               is directly connected, Serial0/0/0:0
               is directly connected, Serial0/0/1:0

IF I remove ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 208.97.67.129 permanent - everything's good
OR
IF I remove ip nat inside source list ECCL1 interface Loopback0 overload - everything's good

So guess it's just a matter of getting that fixed and I'll probably be a free man!

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 208.97.67.129 permanent
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0 permanent
ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0 permanent
 
ip nat inside source list ECCL1 interface Loopback0 overload
ip nat inside source list ECCL2 interface GigabitEthernet0/1 overload
 
ip access-list standard ECCL1
 remark Eccl - Cogent
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255
ip access-list standard ECCL2
 remark Eccl - Rogers
 remark SDM_ACL Category=2
 permit 192.168.1.0 0.0.0.255

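As an added example (not configuration from the thread itself), the three corrections the thread converges on in the accepted solution and the last author post, applied to the addresses, interfaces and ACL names the posts show: a next hop on the cable default route, per-destination load sharing on the T1s, and NAT that is tied to the egress interface. The route-map names and the route-map-based NAT approach are assumptions; the thread does not show them.

```cisco
! Added example, not the thread's own config. Addresses d.e.f.129/130, the
! serial interfaces, the ECCL1/ECCL2 ACLs and the 192.168.1.0/24 LAN come from
! the posts; the route-map names NAT-T1 / NAT-CABLE are assumed.
!
! 1. Default routes. The cable route names both the exit interface and the
!    next hop: a static route on a multi-access Ethernet link that names only
!    the interface makes the router ARP for every Internet destination, which
!    only works if the provider gateway answers with proxy ARP. The T1s are
!    point-to-point PPP links, so interface-only routes are fine there.
!    Administrative distance 10 keeps the cable route out of the routing table
!    while either T1 route is present (a floating static default).
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0
ip route 0.0.0.0 0.0.0.0 Serial0/0/1:0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 d.e.f.129 10
!
! 2. Per-destination load sharing across the two equal-cost T1 routes, so all
!    packets of one flow leave over the same link instead of alternating.
interface Serial0/0/0:0
 ip load-sharing per-destination
interface Serial0/0/1:0
 ip load-sharing per-destination
!
! 3. NAT selected by outgoing interface. Two "ip nat inside source list"
!    statements whose ACLs match the same 192.168.1.0/24 sources are
!    ambiguous: the first matching statement wins regardless of where the
!    packet is routed, so a packet can be translated to the Loopback0
!    address and still leave via GigabitEthernet0/1 once the cable default
!    route is active. Matching the egress interface in a route-map ties each
!    translation to the link the packet actually uses.
route-map NAT-T1 permit 10
 match ip address ECCL1
 match interface Serial0/0/0:0 Serial0/0/1:0
route-map NAT-CABLE permit 10
 match ip address ECCL2
 match interface GigabitEthernet0/1
!
no ip nat inside source list ECCL1 interface Loopback0 overload
no ip nat inside source list ECCL2 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-T1 interface Loopback0 overload
ip nat inside source route-map NAT-CABLE interface GigabitEthernet0/1 overload
```

After applying it, "show ip route" should list only the T1 defaults while a T1 is up and switch to "via d.e.f.129" when both are shut, and "show ip nat translations" should show Loopback0 or d.e.f.130 as the inside global address depending on which link the flow left on.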
 
LVL 17

Expert Comment

by:mikecr
ID: 22858295
I think you're on the right track now and should be okay.