Forefront TMG 2010 not routing through primary ISP

I have a virtual Windows 2008 R2 server with TMG 2010 routing two ISPs.

ISP1 - primary - dynamic IPv4 - current value (sample) 1.2.3.4 MASK 255.255.248.0
ISP2 - secondary - static IPv4 - static value (sample) 2.3.4.5 MASK 255.255.255.248

Both should resolve names through 8.8.8.8 and 8.8.4.4 (Google public DNS).

I have done the initial configuration and the ROUTE PRINT command returns:

ROUTE PRINT

Interfaces:
14..00  (...)  Microsoft VM Adapter #4
12..00  (...)  Microsoft VM Adapter #2
11..00  (...)  Microsoft VM Adapter

IPv4 Routes

Persistent Routes:

ADDR       MASK                GW        METRIC
0.0.0.0    0.0.0.0            1.2.3.4     1
8.8.8.8    255.255.255.255    1.2.3.4     1
8.8.4.4    255.255.255.255    1.2.3.4     1
0.0.0.0    0.0.0.0            2.3.4.5     100
8.8.8.8    255.255.255.255    2.3.4.5     100
8.8.4.4    255.255.255.255    2.3.4.5     100

IPv6 Routes
(...)



Notes:
-- IPv6 is only available on the LAN
-- There is no IPv6 persistent route

-- 1.2.3.4 is routed through interface 14. Triple-checked from the network adapter.
-- 2.3.4.5 is routed through interface 11. Triple-checked too.
-- Interface 12 is the LAN adapter.


The problem is that the TMG VM routes its own traffic perfectly through the primary ISP, but any request from another computer on the network gets routed through the secondary ISP.

If you browse either www.whatismyip.com or www.whatismyip.org on the router you get the same value: 1.2.3.4. Both sites, on other computers on the LAN, return 2.3.4.5.

It's not only this information that shows the routing problem:

The primary link is a 20 Mb SOHO link and the secondary is a dedicated 1 Mb fiber.
The router has full speed on the web; speed tests show close to 20 Mbps.
Every other computer is limited to something below 1 Mbps.



Any help here?
2 Solutions
 
djcanter commented:
What do your NAT rules look like? I suspect you have the NAT outside interface configured for 2.3.4.5 GW.
 
LordALMMa (author) commented:
First of all, thanks for the reply.

From the TMG Network Rules tab, I have:

#  Name               Relationship  Source                  Destination  Network Address
1  Local host access  Route         Local Host              Everyone
2  VPN Clients        Route         VPN Clients             Internal
3  Internet access    NAT           VPN Clients + Internal  External     Default IP Address


Details from the NAT rule:

Source: VPN Clients + Internal
Destination: External
Network Relationship: NAT
Network Address Selection: Use default IP address


Sorry if the names I give don't exactly match the English ones. My TMG runs in Brazilian Portuguese and I have to translate the names here =)
 
djcanter commented:
Please check the following:


If you want to bind a specific user or group so that it goes through a specific link only, use the following logic:
 
# First create the user / IP / IP range entry in FIREWALL POLICY > TOOLBOX / NETWORK OBJECTS >> Computer / Computer Sets or Address Range
 
# Then go to NETWORKING / NETWORK RULES and create a new NETWORK RULE with the following data
 
Network Rule Name: WAN2 Users
 FROM: your specific computer IP / user / IP range
 TO: External
 Network Relationship: Network Address Translation (NAT)
 NAT Address Selection: Use the specified IP, then select the IP of the WAN link you want
 Click FINISH and APPLY.
 
reference:
 http://aacable.wordpress.com/2012/03/21/tmg-2010-isp-redundancy-fail-over-guide/

 
LordALMMa (author) commented:
"If you want to bind a specific user or group so that it goes through a specific link only, use the following logic"

I don't.
I need the TMG to behave as a failover: it should route all connections through the primary ISP and only use the secondary if the first fails.

But checking the NAT configuration I have:
- FROM Internal TO External using the default IP, where Internal is set to every IP on the LAN here; changing it to use a specific IP (primary or secondary) has no effect at all.

Here follows a complete output from ROUTE PRINT:
===========================================================================
Interface List
 14...00 15 5d 37 52 03 ......Microsoft VM adapter #4
 12...00 15 5d 37 52 02 ......Microsoft VM adapter #2
 11...00 15 5d 37 52 04 ......Microsoft VM adapter
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link     189.61.128.46      2
          0.0.0.0          0.0.0.0         On-link     201.57.59.210    200
          0.0.0.0          0.0.0.0     189.61.128.1     189.61.128.46      2
          0.0.0.0          0.0.0.0    201.57.59.209     201.57.59.210    200
          8.8.8.0    255.255.248.0    189.61.128.46     189.61.128.46      2
          8.8.8.8  255.255.255.248    201.57.59.210     201.57.59.210    200
          8.8.8.8  255.255.255.255    201.57.59.210     201.57.59.210    200
          8.8.8.8  255.255.255.255    189.61.128.46     189.61.128.46      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     189.61.128.0    255.255.248.0         On-link     189.61.128.46    257
     189.61.128.1  255.255.255.255         On-link     189.61.128.46      2
    189.61.128.46  255.255.255.255         On-link     189.61.128.46    257
   189.61.135.255  255.255.255.255         On-link     189.61.128.46    257
      192.168.0.0    255.255.255.0         On-link       192.168.0.1    261
      192.168.0.1  255.255.255.255         On-link       192.168.0.1    261
    192.168.0.255  255.255.255.255         On-link       192.168.0.1    261
    201.57.59.208  255.255.255.248         On-link     201.57.59.210    356
    201.57.59.209  255.255.255.255         On-link     201.57.59.210    200
    201.57.59.210  255.255.255.255         On-link     201.57.59.210    356
    201.57.59.215  255.255.255.255         On-link     201.57.59.210    356
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.0.1    261
        224.0.0.0        240.0.0.0         On-link     201.57.59.210    356
        224.0.0.0        240.0.0.0         On-link     189.61.128.46    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.0.1    261
  255.255.255.255  255.255.255.255         On-link     201.57.59.210    356
  255.255.255.255  255.255.255.255         On-link     189.61.128.46    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          8.8.8.8    255.255.248.0    189.61.128.46       1
          8.8.8.8  255.255.255.255    189.61.128.46       1
          8.8.8.8  255.255.255.248    201.57.59.210     100
          8.8.8.8  255.255.255.255    201.57.59.210     100
     189.61.128.1    255.255.248.0    189.61.128.46       1
     189.61.128.1  255.255.255.255    189.61.128.46       1
    201.57.59.209  255.255.255.248    201.57.59.210     100
    201.57.59.209  255.255.255.255    201.57.59.210     100
          0.0.0.0          0.0.0.0    189.61.128.46       1
          0.0.0.0          0.0.0.0    201.57.59.210     100
          0.0.0.0          0.0.0.0     189.61.128.1       1
          0.0.0.0          0.0.0.0    201.57.59.209     100
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None




Here are some details from TMG itself:

NETWORK ADAPTERS
Embratel - STATIC - 201.57.59.210/255.255.255.248    -> This should be the secondary ISP
Virtua   - DHCP   - 189.61.128.46/255.255.248.0      -> This should be the primary ISP
LAN      - STATIC - 192.168.0.1/255.255.255.0

ROUTING
Topology
    (empty)
Router_TMG_VM
    DESTINATION      MASK             GATEWAY         METRIC
    0.0.0.0          0.0.0.0          Virtua          1
    0.0.0.0          0.0.0.0          189.61.128.1    1
    0.0.0.0          0.0.0.0          201.57.59.209   100
    127.0.0.0        255.0.0.0        Loopback        256
    127.0.0.1        255.255.255.255  Loopback        256
    127.255.255.255  255.255.255.255  Loopback        256

    189.61.128.0     255.255.248.0    Virtua          256
    189.61.128.1     255.255.255.255  Virtua          1
    189.61.128.46    255.255.255.255  Virtua          256
    189.61.135.255   255.255.255.255  Virtua          256

    192.168.0.0      255.255.255.0    LanAGG          256
    192.168.0.1      255.255.255.255  LanAGG          256
    192.168.0.255    255.255.255.255  LanAGG          256

    201.57.59.208    255.255.255.248  Embratel        256
    201.57.59.209    255.255.255.255  Embratel        100
    201.57.59.210    255.255.255.255  Embratel        256
    201.57.59.215    255.255.255.255  Embratel        256

    224.0.0.0        240.0.0.0        Loopback        256
    255.255.255.255  255.255.255.255  Loopback        256

    8.8.8.0          255.255.248.0    189.61.128.46   1
    8.8.8.8          255.255.255.248  201.57.59.210   100
    8.8.8.8          255.255.255.255  189.61.128.46   1
    8.8.8.8          255.255.255.255  201.57.59.210   100

ISP REDUNDANCY
ISP Connection        Gateway        Mask             Detection  Role
Primary - Virtua      189.61.128.1   255.255.248.0    Enabled    Primary
Secondary - Embratel  201.57.59.209  255.255.255.248  Enabled    Secondary





What I have tested:

1. Both primary and secondary ISP adapters ON

Router (TMG) uses the primary ISP link.
Every other computer on the LAN uses the secondary ISP link.

2. Primary link OFF / secondary ON

Router (TMG) loses connectivity.
Every other computer on the LAN keeps using the secondary ISP link.

3. Primary link ON / secondary OFF

Router has connectivity through the primary link.
Every other computer on the LAN starts using the primary ISP link.


I simply have no other clue here.
I've tried changing the persistent routes, adding and removing them, but nothing seems to have any effect.

It's as if the TMG had a static predefined route to access the internet only through the primary ISP, and as if the links were set the opposite way (as if the primary were set as secondary and vice versa).

I just have no clue here.
I have already followed the website you linked. The TMG was configured based on that post, and yet this is the behavior I get.


Any other tip/suggestion?
 
djcanter commented:
You have several routes listed that are erroneous:
          8.8.8.0    255.255.248.0    189.61.128.46       1
          8.8.8.8  255.255.255.248    201.57.59.210     100
But also 2 of these are likely wrong:
          0.0.0.0          0.0.0.0    189.61.128.46       1
          0.0.0.0          0.0.0.0    201.57.59.210     100
          0.0.0.0          0.0.0.0     189.61.128.1       1
          0.0.0.0          0.0.0.0    201.57.59.209     100
 
LordALMMa (author) commented:
Thanks for the tip.
I'm a bit lost here though.

This TMG box was installed by me actually but I'm still learning to use it.
I have no clue on how to set the routes correctly and every help is much appreciated.

You said:
But also 2 of these are likely wrong.

My IP's (isp provided) are:
189.61.128.46 (primary, dynamic IP)
201.57.59.210 (secondary, static IP)

These are the gateways provided by each ISP:
189.61.128.1 (for the primary link)
201.57.59.209 (for the secondary link)

What should I put in the static route for 0.0.0.0: the external interfaces' IPs, or the gateway of each external link?



-- Update:

I've just removed the two items you marked as mistaken and removed the 0.0.0.0 routes via the interface IPs (I kept the ones via the interfaces' external gateways).

The router kept using the primary ISP and the desktops are still using the secondary ISP.
But now, if I remove the secondary ISP, every LAN computer loses connectivity (only the router stays online).

Also, before any change and still now, TMG is marking the primary link as offline.
It's online and I'm pretty sure of that: I have disconnected the secondary and TMG stays online, so it's working, but it's marked as offline.

That might be the problem here.
The TMG box is statically routing itself to the primary ISP, which is not OK -- and -- TMG is detecting the primary link as OFF and is routing every request to the secondary.

The link is up but it's as if it were not accessible to TMG.
If I disable the secondary, TMG won't route through the primary because it's marked as off.

In the interface properties both interfaces are set to Auto-detect.
 
LordALMMa (author) commented:
The problem was related to routing, but not only that.

After a day of learning I finally figured out what the causes of this problem were.

1) The routing table wasn't up to date and I didn't know how to fix that. After a few attempts I just "broke" it completely, to the point of no routing at all. A full restore and some updates got it 50% done.

2) The connectivity tests were running, and the last one, responsible for pinging Google's public DNS-A (8.8.8.8), has been blacklisted (probably because the dynamic IP was being used by someone else). Disabling that test resulted in a full restore.

The TMG is now a full failover system again.
I'm still a newbie on TMG, and thanks for your answers!
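Added example (not part of the thread and not TMG's own connectivity verifier): a Python 3 probe that checks each ISP link the way you want a failover check to behave once a single blocked ping has bitten you, as it did above. Every probe is bound to the ISP interface address, so it really leaves through that link whatever the default route says, and two ICMP-free methods are tried against two targets: a TCP connect to port 53 and a real DNS query over UDP. A link is reported "down" only when every probe fails; a single failing probe is "degraded", which is what the blacklisted ping in the thread would have looked like instead of a failover. The interface addresses and resolvers are the ones posted above; the query name www.whatismyip.com is taken from the question and is an assumption, any name with an A record works. The DNS encoder and decoder are written by hand so the script needs only the standard library.

```python
"""ISP-link probe that does not hinge on a single ICMP target (Python 3, stdlib only).

Added example; not part of the thread and not TMG's own connectivity verifier.
Each probe is bound to the ISP interface address so it leaves through that link
whatever the default route says, and two ICMP-free methods are tried against two
targets. A link counts as down only when every probe fails.
"""
import random
import socket
import struct

LINKS = {"primary": "189.61.128.46", "secondary": "201.57.59.210"}  # from the thread
RESOLVERS = ("8.8.8.8", "8.8.4.4")                                  # from the thread
QNAME = "www.whatismyip.com"  # assumed probe name; any name with an A record works


def build_dns_query(qname, txid):
    """Minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return pos + 2
        pos += length + 1


def parse_dns_answer(data, txid):
    """A records from a response to our query; [] if it is not a usable answer."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:  # id, QR bit, RCODE
        return []
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return answers


def probe_tcp(source_ip, target, port=53, timeout=3.0):
    """TCP handshake from source_ip: proves the path even where ICMP is dropped."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.bind((source_ip, 0))
            s.connect((target, port))
            return True
    except OSError:                     # refused, timed out, or bind not possible
        return False


def probe_dns(source_ip, resolver, qname=QNAME, timeout=3.0):
    """UDP DNS query from source_ip: True only if the resolver answers with an A record."""
    txid = random.randrange(0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.bind((source_ip, 0))
            s.sendto(build_dns_query(qname, txid), (resolver, 53))
            data, _ = s.recvfrom(512)
            return bool(parse_dns_answer(data, txid))
    except OSError:
        return False


def link_status(results):
    """results maps (method, target) -> bool. Down only if everything failed;
    a single failure is 'degraded', which is what one blacklisted ping looks like."""
    if not results:
        return "unknown"
    ok = sum(1 for v in results.values() if v)
    if ok == len(results):
        return "up"
    return "down" if ok == 0 else "degraded"


def check_link(source_ip, resolvers=RESOLVERS):
    results = {}
    for r in resolvers:
        results[("tcp53", r)] = probe_tcp(source_ip, r)
        results[("dns", r)] = probe_dns(source_ip, r)
    return link_status(results), results


if __name__ == "__main__":
    for name, ip in LINKS.items():
        status, detail = check_link(ip)
        print(name, ip, status, {"%s/%s" % k: v for k, v in detail.items()})
```

Run it on the TMG host itself, since binding to the ISP addresses only works there. If every probe on both links fails at the same time, suspect something local (a firewall policy blocking the Local Host network, or the persistent routes discussed above) before blaming either ISP.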