
Symmetric return with ECMP not working


L2 Linker

Hi All,

 

We have a dual-ISP setup, and to load-balance the traffic we are using ECMP with static routes. It works fine for internet-bound connections, and traffic gets load-balanced.

 

We however face issues with connections to our VPN servers in the DMZ. They are used by remote users to create an RA-VPN tunnel with the VPN servers from the internet. The users have to try at least 4-5 times before they get a successful connection with the VPN servers. We suspect it is because the VPN server has a public IP published on the internet, which is in an ISP2 public range. The return packet is getting load-balanced too, towards ISP1, which causes asymmetric routing, and ISP2 doesn't like it.

 

Is there a way to ensure the return packet goes through ISP2 only? We have tried PBF, but it doesn't seem to work. We have also enabled the symmetric return option in ECMP, and are confused why it doesn't seem to work.

 

We have a TAC case open, but no engineer has any idea or shown any willingness to go deeper.

 

Below is the topology.

 

[topology diagram: VarunRao_0-1614133551857.png]

 

 



Thanks & Regards,
Varun Rao
Cyber Elite

@VarunRao,

Do you actually have logs showing return traffic is attempting to route via ISP1 instead of ISP2 with symmetric return enabled? If so, then that's all TAC should need to actually start digging into the issue and making sure you have it configured correctly, that it's being identified as server-to-client return traffic, etc. Usually issues like this are because it's not being identified as server-to-client traffic properly like it should, or that it's simply been misconfigured.

 

Also just to throw it out there, have you checked the release notes for 9.1 and verified that you aren't hitting any of the ECMP issues addressed in later releases? I know that there's been a few addressed issues in later builds related to ECMP, and 9.1.3 is pretty early in the 9.1 release. 
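One way to answer the question above (do the logs actually show return traffic leaving via ISP1?) with a quick check over captured flows. This is an added example, not code from the thread or from the vendor; it assumes a simplified, constructed per-direction record format, and the interface names and their ISP mapping are hypothetical.

```python
"""Flag sessions whose server-to-client packets leave on a different ISP link
than the one the client-to-server packets arrived on (asymmetric return).

Added example, not from the original thread. Record format is constructed:
one line per observed direction with session id, direction (c2s = client to
server, s2c = server to client), ingress interface and egress interface.
"""
from collections import defaultdict

# Hypothetical interface-to-ISP mapping for a dual-ISP ECMP edge.
ISP_IFACES = {"ethernet1/1": "ISP1", "ethernet1/2": "ISP2"}

# Constructed sample: session 1 returns symmetrically, session 2 does not,
# session 3 came in via ISP1 and also returns via ISP1.
SAMPLE_RECORDS = """\
sid=1 dir=c2s in=ethernet1/2 out=ethernet1/3
sid=1 dir=s2c in=ethernet1/3 out=ethernet1/2
sid=2 dir=c2s in=ethernet1/2 out=ethernet1/3
sid=2 dir=s2c in=ethernet1/3 out=ethernet1/1
sid=3 dir=c2s in=ethernet1/1 out=ethernet1/3
sid=3 dir=s2c in=ethernet1/3 out=ethernet1/1
"""


def parse_records(text):
    """Group records by session id: {sid: {dir: (ingress, egress)}}."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        sessions[fields["sid"]][fields["dir"]] = (fields["in"], fields["out"])
    return sessions


def find_asymmetric(sessions):
    """Return {sid: (arrival_iface, return_iface)} for every session where the
    reply did not go back out the ISP interface the request arrived on."""
    problems = {}
    for sid, flows in sessions.items():
        if "c2s" not in flows or "s2c" not in flows:
            continue  # one-sided capture, cannot judge symmetry
        arrived_on = flows["c2s"][0]
        returned_on = flows["s2c"][1]
        if arrived_on in ISP_IFACES and returned_on != arrived_on:
            problems[sid] = (arrived_on, returned_on)
    return problems


if __name__ == "__main__":
    for sid, (exp, act) in find_asymmetric(parse_records(SAMPLE_RECORDS)).items():
        print(f"session {sid}: arrived via {ISP_IFACES[exp]} ({exp}) "
              f"but returned via {ISP_IFACES.get(act, act)} ({act})")
```

A non-empty result is the evidence the reply asks for; an empty one suggests the failures are elsewhere (for example on the ISP side).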

L0 Member

Hi,

The configuration for ECMP was all fine, and TAC did take captures, where we did see issues caused by ECMP: it tried to send reply packets through the load-balancing. TAC, though, doesn't know why it is happening. Still under investigation.

 

We are using version 9.0.11.



Thanks & Regards,
Varun Rao

L0 Member

Hi there. Was there ever a resolution to this? We are seeing this behavior with many applications, especially ones that are setting cookies. Some vendors we had to inform of the 2nd ISP subnet range to make sure that traffic is being allowed. Please let me know.

 
