[c-nsp] asymmetric multihoming & nat

Adam Greene maillist at webjogger.net
Wed Jan 26 00:02:33 EST 2011


Pete,

Thanks ... we ran some tests this evening, disabling NAT entirely, and 
saw the same results, so I think we can safely say that NAT is not 
causing the issue.

The situation we are facing is that the customer appears to be unable to 
route asymmetric traffic. At least that's what we think the problem is 
so far. They get full routes from two providers (one of them being us), 
and announce their IP block through both providers. When traffic comes 
in through us and goes out through their other provider, it's blocked. 
ICMP traffic doesn't seem to mind. But TCP traffic is definitely not 
working.

We allow their traffic through our network asymmetrically (we have ASAs 
at our edges but have enabled tcp-state-bypass on them). I am suspecting 
the customer's other upstream provider (or ours) may have some asymmetry 
block in place. But ... that also seems unlikely, since I assume most IP 
carriers do not.

So we're currently stumped.

Thanks,
Adam


On 1/24/2011 2:56 PM, Pete Lumbis wrote:
> Adam,
>
> I realized (with the help of an off-list post) I mis-read your
> original post. I thought this was on two different devices, instead of
> two connections on the same device.
>
> For a single box the NAT lookups are done when traffic arrives on any
> nat inside/outside interface*. If we create a translation for a packet
> exiting f0/0 (for example) and the response arrives on f0/1, we will
> see the packet arriving on a NAT outside interface, do the NAT lookup
> and match the existing translation that was created by the first
> outbound packet.
>
> What kind of problems are you seeing? Is traffic slow or not arriving at all?
>
> *based on NAT order of ops when traffic arrives on a NAT interface and
> is destined for a NAT interface
>
> -Pete
>
> On Fri, Jan 21, 2011 at 6:05 PM, Pete Lumbis <alumbis at gmail.com> wrote:
>> NAT could definitely be causing issues. Generally you could use
>> something like Stateful NAT (SNAT) between the two BGP speakers to
>> make sure they sync their NAT tables, but this feature has had a
>> number of challenges/issues in development and has started moving
>> toward end of life.
>>
>>
>>
>> On Fri, Jan 21, 2011 at 4:09 PM, Adam Greene <maillist at webjogger.net> wrote:
>>> Hi guys,
>>>
>>> I have a multihomed customer who receives full BGP routes from both us and
>>> another provider and load balances between the two connections. Things are
>>> working fine until the traffic becomes asymmetric (i.e. inbound through one
>>> provider, outbound through the other).
>>>
>>> The block they are announcing to their providers is NATed on their BGP
>>> router. In other words, all their internal hosts are on private IP space.
>>> The internal interface is designated "ip nat inside" and both WAN interfaces
>>> are designated "ip nat outside". The actual NAT configurations do not
>>> reference any interfaces, just pools.
>>>
>>> Could the NAT be prohibiting asymmetric traffic in this case? i.e. if the
>>> inbound traffic is NATed coming in on one interface, will the router refuse
>>> to NAT the outbound traffic through the other interface?
>>>
>>> If the NAT is the problem, I suppose they could do the NAT on a loopback
>>> interface instead ... but I understand that the traffic will all be
>>> process-switched if we do that, and performance will probably suffer.
>>>
>>> Thanks for your insight,
>>> Adam
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>
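The two configurations this thread talks around, written out as an added example (this is not the customer's, Adam's, or Pete's actual configuration, and nothing here is from the original posts): the customer's IOS router with one "ip nat inside" interface, two "ip nat outside" interfaces and a pool-based translation rule that references no interface, followed by a provider-edge ASA policy that exempts the customer's prefix from TCP state checking via tcp-state-bypass. All interface names, pool names and addresses are assumed, using RFC 1918 and RFC 5737 documentation space; the syntax is Cisco IOS 12.4/15.x and ASA 8.2+.

```cisco
! ---- Customer BGP/NAT router (IOS), laid out as the thread describes ----
! Assumed addressing: 203.0.113.0/24 is the block announced to both upstreams,
! 10.0.0.0/8 is the private space behind the router.
interface GigabitEthernet0/0
 description LAN (private space)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Upstream A
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description Upstream B
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! The translation rule names a pool, not an interface. A translation created by
! an outbound packet leaving Gi0/1 is therefore still matched when the reply
! arrives on Gi0/2, since the NAT lookup runs on any "ip nat outside" interface.
ip nat pool CUST-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
access-list 10 permit 10.0.0.0 0.255.255.255
ip nat inside source list 10 pool CUST-POOL overload
!
! Verification: one outbound TCP flow should show exactly one entry below, and
! its hit counters should keep climbing while replies come in through the other
! provider. If they do not, NAT is where the flow is dying.
!   show ip nat translations verbose
!   show ip nat statistics
!   debug ip nat detailed     (lab or maintenance window only)

! ---- Provider edge ASA: TCP state bypass for the customer's prefix ----
! A stateful ASA that sees only one direction of a TCP session has no matching
! connection (or sees a non-SYN first packet) and drops the other direction.
! Bypass is scoped to the customer's block only, in both directions.
access-list CUST-ASYM extended permit tcp any 203.0.113.0 255.255.255.0
access-list CUST-ASYM extended permit tcp 203.0.113.0 255.255.255.0 any
!
class-map CUST-ASYM-CLASS
 match access-list CUST-ASYM
!
policy-map CUST-ASYM-POLICY
 class CUST-ASYM-CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy CUST-ASYM-POLICY interface outside
!
! Verification on the ASA while the customer runs a TCP test:
!   show service-policy interface outside
!   show conn address 203.0.113.0 netmask 255.255.255.0
!   show asp drop             (TCP-related drop counters should stop climbing)
```

Two practitioner caveats that apply to the bypass half: tcp-state-bypass turns off TCP normalization, sequence-number checking and stateful inspection for every flow the class matches, so the ACL should stay as narrow as the customer's prefix rather than "permit tcp any any"; and because the same one-directional view exists at the other upstream, the identical check (a stateful firewall or "established"-style filter in the path that never saw the SYN) is the first thing to ask that provider about.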

