Cisco RV042 - Dual Wan Load Balancing - Secure Site (HTTPS) Trouble

Similar Messages

• RV320 - Dual WAN - Load Balance Problem

  Hi all,
  I've just bought a RV320 Dual WAN router an try to get it running. My network setup looks lice the picture attached.
  I have 2 WAN Connections:
  - Router 1 (16Mbit Down / 512kbit up) - no public WAN IP
  - Router 2 (3 Mbit Down / 512kbit up) - Fixed public IP
  Router 1 ist connected to WAN1 and router 2 to WAN2 port on the RV320.
  I have enabled load balancing mode.
  Qustions:
  1.
  I want WAN1 to be the primary line to be used until capacity reached.
  Currently for some reason I don't understand the cisco always uses WAN2.
  That's not good as all browsing and downloading is limited to 3mbit.
  When I switch to "fail-over" mode and set primry live to WAN1 that works, but WAN2 is not kept alive.
  2.
  I am using VOIP and need to route all VOIP traffic to WAN2 interface.
  The best would be to tell the router IP 192.168.177.9 (voip phone) should use WAN2. So far I didn't figure out how to do that.
  Can I put VOIP into one VLAN group and allocated VLAN to one specific WAN interface?
  Brgds

  So, you can hear the phone ringing and answer it? which means that SIP pakets are coming through WAN to LAN and well redirected to the phone IP, but you cannot hear after that, which means that there could be a problem with the RTP packets. 
  If you have problem only with the incoming calls and not the outgoing, than try enable/disable SIP ALG (Firewall). If that doesn't fix the issue, try to allow (or even forward) from WAN to LAN RDP -  UDP ports 16384-32767 to the phone IP.
  Regards,
  Kremena

• Cisco 1921 Dual ADSL Load Balancing/Failover?

  Hello,
  We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
  I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
  I had a look at ppp multilink but I am unsure our ISP (BT) support this?
  This is my current config which I think only one ADSL line is being used. Some input would be appreciated
  Robbie
  ! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
  version 15.0
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname xxxxxx
  boot-start-marker
  boot-end-marker
  no logging buffered
  enable secret 5 xxxxx
  enable password xxxx
  no aaa new-model
  no ipv6 cef
  ip source-route
  ip cef
  ip name-server 194.74.65.68
  ip name-server 194.72.0.114
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-xxxxxx
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
  revocation-check none
  rsakeypair TP-self-signed-xxxxx!
  crypto pki certificate chain TP-self-signed-xxxxxx
  certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
  license udi pid CISCO1921/K9 xxxxx
  username admin privilege 15 secret 5 xxxxxxxxxx/
  interface GigabitEthernet0/0
  description lan$ETH-LAN$
  ip address 10.0.8.1 255.255.248.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface ATM0/0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  no atm ilmi-keepalive
  dsl operating-mode adsl2
  interface ATM0/0/0.1 point-to-point
  description $ES_WAN$$FW_OUTSIDE$
  ip flow ingress
  pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  interface ATM0/1/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  no atm ilmi-keepalive
  dsl operating-mode adsl2
  interface ATM0/1/0.1 point-to-point
  description $ES_WAN$$FW_OUTSIDE$
  ip flow ingress
  pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  interface Dialer0
  mtu 1483
  ip address negotiated
  ip access-group spalding in
  ip access-group spalding out
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap callin
  ppp chap hostname xxxxx
  ppp chap password 0 xxxxx
  ppp multilink
  ppp multilink links minimum 2
  ppp multilink fragment disable
  ppp timeout multilink link add 2
  no cdp enable
  interface Dialer1
  mtu 1483
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap callin
  ppp chap hostname xxxxx
  ppp chap password 0 xxxxx
  ppp link reorders
  ppp multilink
  ppp multilink links minimum 2
  ppp multilink fragment disable
  ppp timeout multilink link add 2
  no cdp enable
  ip forward-protocol nd
  no ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list 1 interface Dialer0 overload
  ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
  ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 remark INSIDE_IF=GigabitEthernet0/0
  access-list 1 permit 10.0.0.0 0.254.255.255
  dialer-list 1 protocol ip permit
  control-plane
  line con 0
  line aux 0
  line vty 0 4
  privilege level 15
  login local
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  login local
  transport input telnet ssh
  scheduler allocate 20000 1000
  end

  Hi,
  Can anyone help me with this config?  not very reliable.
  Building configuration...
  Current configuration : 17349 bytes
  ! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
  version 15.4
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname Router
  boot-start-marker
  boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  logging buffered 51200
  logging console critical
  enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
  aaa new-model
  aaa authentication login local_authen local
  aaa authorization exec local_author local
  aaa session-id common
  no ip source-route
  ip port-map user-protocol--8 port udp 3392
  ip port-map user-protocol--9 port tcp 3397
  ip port-map user-protocol--2 port udp 3391
  ip port-map user-protocol--3 port tcp 14000
  ip port-map user-protocol--1 port tcp 3391
  ip port-map user-protocol--6 port udp 3394
  ip port-map user-protocol--7 port tcp 3392
  ip port-map user-protocol--4 port udp 14100
  ip port-map user-protocol--5 port tcp 3394
  ip port-map user-protocol--10 port udp 3397
  ip dhcp excluded-address 192.168.1.1 192.168.1.49
  ip dhcp excluded-address 192.168.10.1 192.168.10.49
  ip dhcp pool DHCP_POOL1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 139.130.4.4 203.50.2.71
   default-router 192.168.1.1
   lease infinite
  ip dhcp pool ccp-pool1
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 139.130.4.4 203.50.2.71
   default-router 192.168.10.1
   lease infinite
  no ip bootp server
  ip host SHAWN-PC 192.168.1.10
  ip host DIAG 192.168.1.5
  ip host MSERV 192.168.1.13
  ip name-server 139.130.4.4
  ip name-server 203.50.2.71
  ip cef
  ip cef load-sharing algorithm include-ports source destination
  no ipv6 cef
  multilink bundle-name authenticated
  cts logging verbose
  crypto pki trustpoint TP-self-signed-1982477479
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1982477479
   revocation-check none
   rsakeypair TP-self-signed-1982477479
  license udi pid 
  license boot module c2900 technology-package securityk9
  license boot module c2900 technology-package datak9
  redundancy
  controller VDSL 0/0/0
   operating mode adsl2+
  controller VDSL 0/1/0
   operating mode adsl2+
  no cdp run
  track timer interface 5
  track 1 interface Dialer0 ip routing
   delay down 15 up 10
  track 2 interface Dialer1 ip routing
   delay down 15 up 10
  ip tcp synwait-time 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  class-map type inspect match-all sdm-nat-user-protocol--7-1
   match access-group 104
   match protocol user-protocol--7
   match access-group 102
  class-map type inspect match-all sdm-nat-user-protocol--4-2
   match access-group 101
   match protocol user-protocol--4
  class-map type inspect match-all sdm-nat-user-protocol--6-1
   match access-group 103
   match protocol user-protocol--6
  class-map type inspect match-all sdm-nat-user-protocol--5-1
   match access-group 103
   match protocol user-protocol--5
  class-map type inspect match-all sdm-nat-user-protocol--4-1
   match access-group 102
   match protocol user-protocol--4
  class-map type inspect match-all sdm-nat-user-protocol--7-2
   match access-group 101
   match protocol user-protocol--7
  class-map type inspect match-all sdm-nat-user-protocol--3-1
   match access-group 102
   match protocol user-protocol--3
  class-map type inspect match-all sdm-nat-user-protocol--2-1
   match access-group 101
   match protocol user-protocol--2
  class-map type inspect match-all sdm-nat-user-protocol--1-2
   match access-group 102
   match protocol user-protocol--1
  class-map type inspect match-all sdm-nat-user-protocol--1-1
   match access-group 101
   match protocol user-protocol--1
  class-map type inspect match-all sdm-nat-user-protocol--2-2
   match access-group 102
   match protocol user-protocol--2
  class-map type inspect match-all sdm-nat-user-protocol--3-2
   match access-group 101
   match protocol user-protocol--3
  class-map type inspect match-all sdm-nat-user-protocol--8-2
   match access-group 101
   match protocol user-protocol--8
  class-map type inspect match-all sdm-nat-user-protocol--9-2
   match access-group 104
   match protocol user-protocol--9
  class-map type inspect match-any ccp-skinny-inspect
   match protocol skinny
  class-map type inspect match-all sdm-nat-user-protocol--9-1
   match access-group 101
   match protocol user-protocol--9
   match access-group 104
  class-map type inspect match-all sdm-nat-user-protocol--8-1
   match access-group 104
   match protocol user-protocol--8
   match access-group 102
  class-map type inspect match-any ccp-h323nxg-inspect
   match protocol h323-nxg
  class-map type inspect match-any ccp-cls-icmp-access
   match protocol icmp
   match protocol tcp
   match protocol udp
  class-map type inspect match-all sdm-nat-user-protocol--10-2
   match access-group 104
   match protocol user-protocol--10
  class-map type inspect match-all sdm-nat-user-protocol--10-1
   match access-group 101
   match protocol user-protocol--10
   match access-group 104
  class-map type inspect match-any ccp-h225ras-inspect
   match protocol h225ras
  class-map type inspect match-any ccp-h323annexe-inspect
   match protocol h323-annexe
  class-map type inspect match-any ccp-cls-insp-traffic
   match protocol pptp
   match protocol dns
   match protocol ftp
   match protocol https
   match protocol icmp
   match protocol imap
   match protocol pop3
   match protocol netshow
   match protocol shell
   match protocol realmedia
   match protocol rtsp
   match protocol smtp
   match protocol sql-net
   match protocol streamworks
   match protocol tftp
   match protocol vdolive
   match protocol tcp
   match protocol udp
  class-map type inspect match-all SDM_GRE
   match access-group name SDM_GRE
  class-map type inspect match-any ccp-h323-inspect
   match protocol h323
  class-map type inspect match-all ccp-invalid-src
   match access-group 100
  class-map type inspect match-any ccp-sip-inspect
   match protocol sip
  class-map type inspect match-all ccp-protocol-http
   match protocol http
  class-map type inspect match-any CCP_PPTP
   match class-map SDM_GRE
  class-map type inspect match-all ccp-insp-traffic
   match class-map ccp-cls-insp-traffic
  class-map type inspect match-all ccp-icmp-access
   match class-map ccp-cls-icmp-access
  policy-map type inspect ccp-inspect
   class type inspect ccp-invalid-src
    drop log
   class type inspect ccp-protocol-http
    inspect
   class type inspect ccp-insp-traffic
    inspect
   class type inspect ccp-sip-inspect
    inspect
   class type inspect ccp-h323-inspect
    inspect
   class type inspect ccp-h323annexe-inspect
    inspect
   class type inspect ccp-h225ras-inspect
    inspect
   class type inspect ccp-h323nxg-inspect
    inspect
   class type inspect ccp-skinny-inspect
    inspect
   class class-default
    drop
  policy-map type inspect sdm-pol-NATOutsideToInside-1
   class type inspect sdm-nat-user-protocol--1-1
    inspect
   class type inspect sdm-nat-user-protocol--2-1
    inspect
   class type inspect sdm-nat-user-protocol--3-1
    inspect
   class type inspect sdm-nat-user-protocol--4-1
    inspect
   class type inspect sdm-nat-user-protocol--5-1
    inspect
   class type inspect sdm-nat-user-protocol--6-1
    inspect
   class type inspect sdm-nat-user-protocol--7-1
    inspect
   class type inspect sdm-nat-user-protocol--8-1
    inspect
   class type inspect sdm-nat-user-protocol--9-1
    inspect
   class type inspect sdm-nat-user-protocol--10-1
    inspect
   class type inspect CCP_PPTP
    pass
   class type inspect sdm-nat-user-protocol--7-2
    inspect
   class type inspect sdm-nat-user-protocol--8-2
    inspect
   class type inspect sdm-nat-user-protocol--1-2
    inspect
   class type inspect sdm-nat-user-protocol--2-2
    inspect
   class type inspect sdm-nat-user-protocol--9-2
    inspect
   class type inspect sdm-nat-user-protocol--10-2
    inspect
   class type inspect sdm-nat-user-protocol--3-2
    inspect
   class type inspect sdm-nat-user-protocol--4-2
    inspect
   class class-default
    drop log
  policy-map type inspect ccp-permit
   class class-default
    drop
  policy-map type inspect ccp-permit-icmpreply
   class type inspect ccp-icmp-access
    inspect
   class class-default
    pass
  zone security in-zone
  zone security out-zone
  zone-pair security ccp-zp-self-out source self destination out-zone
   service-policy type inspect ccp-permit-icmpreply
  zone-pair security ccp-zp-in-out source in-zone destination out-zone
   service-policy type inspect ccp-inspect
  zone-pair security ccp-zp-out-self source out-zone destination self
   service-policy type inspect ccp-permit
  zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
   service-policy type inspect sdm-pol-NATOutsideToInside-1
  interface Null0
   no ip unreachables
  interface Embedded-Service-Engine0/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
  interface GigabitEthernet0/0
   description $ETH-LAN$
   ip address 192.168.10.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   duplex auto
   speed auto
   no mop enabled
  interface GigabitEthernet0/1
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
   duplex auto
   speed auto
   no mop enabled
  interface ATM0/0/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   no atm ilmi-keepalive
  interface ATM0/0/0.1 point-to-point
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  interface ATM0/0/0.2 point-to-point
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
  interface Ethernet0/0/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
   no mop enabled
  interface ATM0/1/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   no atm ilmi-keepalive
  interface ATM0/1/0.1 point-to-point
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 2
  interface Ethernet0/1/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
   no mop enabled
  interface GigabitEthernet0/3/0
   no ip address
  interface GigabitEthernet0/3/1
   no ip address
  interface GigabitEthernet0/3/2
   no ip address
  interface GigabitEthernet0/3/3
   no ip address
  interface GigabitEthernet0/3/4
   no ip address
  interface GigabitEthernet0/3/5
   no ip address
  interface GigabitEthernet0/3/6
   no ip address
  interface GigabitEthernet0/3/7
   no ip address
  interface Vlan1
   description $FW_INSIDE$
   ip address 192.168.1.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nbar protocol-discovery
   ip flow ingress
   ip nat inside
   ip virtual-reassembly in
   zone-member security in-zone
  interface Dialer0
   description $FW_OUTSIDE$
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nbar protocol-discovery
   ip flow ingress
   ip nat outside
   ip virtual-reassembly in
   zone-member security out-zone
   encapsulation ppp
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname [email protected]
   ppp chap password 7 1444405858557A
   ppp pap sent-username [email protected] password 7 135645415F5D54
   ppp multilink
  interface Dialer1
   description $FW_OUTSIDE$
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nbar protocol-discovery
   ip flow ingress
   ip nat outside
   ip virtual-reassembly in
   zone-member security out-zone
   encapsulation ppp
   dialer pool 2
   dialer-group 2
   ppp authentication chap pap callin
   ppp chap hostname [email protected]
   ppp chap password 7 01475E540E5D55
   ppp pap sent-username [email protected] password 7 055F5E5F741A1D
   ppp multilink
  router eigrp as#
  router eigrp 10
   network 192.168.1.1 0.0.0.0
  router rip
   version 2
   network 192.168.1.0
   no auto-summary
  ip forward-protocol nd
  ip http server
  ip http access-class 3
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns server
  ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
  ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
  ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
  ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
  ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
  ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
  ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
  ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
  ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
  ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
  ip nat inside source route-map ADSL0 interface Dialer0 overload
  ip nat inside source route-map ADSL1 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
  ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
  ip access-list extended NAT
   remark CCP_ACL Category=18
   permit ip 192.0.0.0 0.255.255.255 any
  ip access-list extended SDM_GRE
   remark CCP_ACL Category=1
   permit gre any any
   remark CCP_ACL Category=1
  ip access-list extended STATIC-NAT-SERVICES
   permit ip host 192.168.1.35 any
   permit ip host 192.168.1.5 any
   permit ip host 192.168.1.10 any
   permit ip host 192.168.1.17 any
  dialer-list 1 protocol ip permit
  dialer-list 2 protocol ip permit
  route-map ADSL0 permit 10
   match ip address NAT
   match interface Dialer0
  route-map ADSL1 permit 10
   match ip address NAT
   match interface Dialer1
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.1.0 0.0.0.255
  access-list 2 remark HTTP Access-class list
  access-list 2 remark CCP_ACL Category=1
  access-list 2 permit 192.168.1.0 0.0.0.255
  access-list 2 deny   any
  access-list 2 remark HTTP Access-class list
  access-list 2 remark CCP_ACL Category=1
  access-list 3 remark HTTP Access-class list
  access-list 3 remark CCP_ACL Category=1
  access-list 3 permit 192.168.1.0 0.0.0.255
  access-list 3 deny   any
  access-list 10 remark INSIDE_IF=NAT
  access-list 10 remark CCP_ACL Category=2
  access-list 10 permit 192.168.1.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=128
  access-list 100 permit ip host 255.255.255.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit ip 139.130.227.0 0.0.0.255 any
  access-list 100 permit ip 203.45.106.0 0.0.0.255 any
  access-list 101 remark CCP_ACL Category=0
  access-list 101 permit ip any host 192.168.1.10
  access-list 101 remark CCP_ACL Category=0
  access-list 101 permit ip any host 192.168.1.35
  access-list 101 permit tcp any any eq www
  access-list 102 remark CCP_ACL Category=0
  access-list 102 permit ip any host 192.168.1.35
  access-list 102 remark CCP_ACL Category=0
  access-list 102 permit ip any host 192.168.1.10
  access-list 103 remark CCP_ACL Category=0
  access-list 103 permit ip any host 192.168.1.5
  access-list 104 remark CCP_ACL Category=0
  access-list 104 permit ip any host 192.168.1.17
  control-plane
  banner login ^CCE-Rescue Systems^C
  line con 0
   login authentication local_authen
   transport output telnet
  line aux 0
   login authentication local_authen
   transport output telnet
  line 2
   no activation-character
   no exec
   transport preferred none
   transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
   stopbits 1
  line vty 0 4
   authorization exec local_author
   login authentication local_authen
   transport input telnet ssh
  line vty 5 15
   authorization exec local_author
   login authentication local_authen
   transport input telnet ssh
  scheduler allocate 20000 1000
  end
  Thanks
  Shawn

• WAN load balancing

  Hello
   I have the following issue with a Cisco 2811 router. I have two WAN connection ( fiber and ADSL ) and I want to make WAN load balancing
  so I add two route : 0.0.0.0 0.0.0.0 dialer1 and 0.0.0.0 0.0.0.0 fa1 the problem is with fiber connection (fa1) in this configuration I can't ping WAN 
  from outside or use NAT on this connection. If I change default route's like this it's working but is not WAN load balancing : 0.0.0.0 0.0.0.0 dialer 150
  0.0.0.0 0.0.0.0 fa1. Any idea.

  Hi Richard
  I come back with more details:
  First I try to setup router with WAN failover like this:
  route-map SDM_RMAP_1 permit 1
   match ip address 101
   match interface FastEthernet0/0
  route-map SDM_RMAP_2 permit 1
   match ip address 102
   match interface Dialer1
  access-list 101 permit ip 10.0.0.0 0.255.255.255 any
  access-list 101 permit ip 172.26.60.0 0.0.0.255 any
  access-list 102 permit ip 10.0.0.0 0.255.255.255 any
  dialer-list 102 protocol ip permit
  ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
  ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
  ip nat inside source static tcp 10.0.0.1 25 x.x.x.x 25 route-map SDM_RMAP_1 extendable
  ip route 0.0.0.0 0.0.0.0 x.x.x.x 150
  ip route 0.0.0.0 0.0.0.0 y.y.y.y track 1 
  interface FastEthernet0/0
   ip address x.x.x.x 
   ip nat outside
   ip virtual-reassembly in
   duplex auto
   speed auto
   no cdp enable
   crypto map SDM_CMAP_1
  interface FastEthernet0/1
   no ip address
   ip mtu 1492
   ip nat outside
   ip virtual-reassembly in
   duplex auto
   speed auto
   pppoe enable group global
   pppoe-client dial-pool-number 1
  interface Dialer1
   ip address negotiated
   ip mtu 1492
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname ...............
   ppp chap password 7 010109085702121F33434A0014524343
   ppp pap sent-username .......... password 7 0614002D40471D091718160201537E7A
   no cdp enable
   crypto map SDM_CMAP_1
  track timer interface 5
  track 1 ip sla 1 reachability
   delay down 15 up 10
  ip sla 1
   icmp-echo a.b.c.d source-interface y.y.y.y
   timeout 5000
   threshold 40
   frequency 6000
  ip sla schedule 1 life forever start-time now
  And I want to achive the following results:
  All computers from LAN use for internet connection y.y.y.y and if this failed use x.x.x.x and when come back y.y.y.y use this connection.
  And I have one server with few services ( DNS, WWW, MAIL...)  which must use just x.x.x.x connection if this failed dosen't matter if this services not working.
  But with this configuration one thing not working i can't access from outside Mail server , DNS, WWW  with x.x.x.x connection ( IP ) if I change default route like :
  ip route 0.0.0.0 0.0.0.0 x.x.x.x  track 1
  ip route 0.0.0.0 0.0.0.0 y.y.y.y  150
  it's working

• Cisco RV320 DUAL WAN router USB setup with Telstra 4G MF823

  I am trying to setup Cisco RV320 DUAL WAN router to work with my prepaid Telstra 4G MF823 device. Could you please assist. My settings are as follows: InterfaceUSB2Connection Type:3G/4G PIN Code:Confirm PIN Code:USB Connection Status:3G/4G modem is not available.Access Point Name:telstra.internetDial Number:Username:Password:Enable DNSDNS Server (Required): 8.8.8.8DNS Server (Optional): 8.8.4.4MTU:AutoManualB

  Hi oz000,
  Unfortunately we don't have anyone here to assist with this particular issue. Our team here provides assistance for the device standalone, we ensure that the 4G device connects to the network and functions correctly on its own.
  -Matt W
   

• Rv042 dual-wan threshold based load balance?

  I have an RV042 (it's old, silver/dark grey plastic front one) w/ firmware 1.3.13.02-tm.
  The reason we bought this (long ago) was to balance two WAN connections, one with unlimited data and one capped monthly.  It did that once, but for a couple years both connections have been unmetered so it's just been balancing them 50/50.  As of today one WAN connection (the new much faster one) is back to being metered but I can't figure out how to configure the RV042 as it once was to prefer sending traffic over the slow, unmetered connection first, and only use the faster metered connection when necessary.
  It's been a long time and honestly I only vaguely remember the ability to prioritize a connection based on % of bandwidth used so that all traffic would go over the unlimited connection 1st until it was flooded, and only then fall over to the metered connection.  This is totally different than the weighted round robin, or smart link backup.
  I found this 3rdparty pforum post that supports that vauge memory and suggests this was eliminated netweem firmware 1.23 and 1.3:
  http://www.linksysinfo.org/index.php?threads/rv042-load-balancing-options-from-the-manual-where-to-find.15512/#post-69948
  So I humlbly ask...  Is it possible to replicate this functionality with the current firmware? if so how?  If not, how to do roll back to firmware 1.23?
  It sounded like perhaps I could assigned WAN1 a bandwidth of 100000 (even though it's really 1500) and then assign WAN2 a bandwidth of 1 (even though it's really 20000) and the result might be the prioritization I'm looking to achieve...  but I feel like I'm stumbling in the dark at the point.
  Just FYI, I'm not at all opposed to buying new hardware to acheive this if it's not terribly expensive (ie. <$200).  I'd rather not, but I've got to solve this quick.

  Hi Jon,
  I Also have one of these routers.
  On the bottom mine says (v02) which means its hardware version is 2.
  I just got this one brand new for home as I have been using them for a very long time now. However I have been using them for VPN and now I am needing the same functionality as you.
  I am currently running Firmware Version: 1.3.12.19-tm
  If you login to the web management (eg 192.168.1.1) and go to System Management > Dual-WAN
  Down the bottom you will see "Protocol Binding".
  This is all I know of to send specific ports or applications via a specific WAN.
  I'll give you an example of how I am using it currently.. (BTW it seems to be working OK, But you are on a higher firmware)
  eg: WAN1 is more reliable than WAN2 which is a cheap unlimited service.
  So I bind port 5060 (sip), port 80 (http) and port 443 (https) to WAN1 so that my VOIP phone is on the good service and so is all web traffic.
  so all the other stuff can use the unlimited connection.
  Also, My current bandwidth settings are
  WAN          UPSTREAM          DOWNSTREAM
  1                384                       8000
  2                384                       10000
  And Under: System Management > Bandwidth Management you can also prioritize those ports.
  This may help you in some way, So maybe you can help me..
  Your post has made me not want to upgrade the firmware.. Can you please confirm that this functionality exists still?
  Thanks

• SRP541W WAN Load Balancing and NAT

  Hello All,
  New to the forums. Thanks for taking the time to read my post. I recently switched my office over from a RV042 to SRP541W. We have 2 DSL lines and have used the Load Balance feature on the RV42 to make the best of the connecton speeds. When setting up the SRP541W when i select load balancing it tells me NAT should be disabled. Why is that? I see a place to input static routes but Im not entirly sure what needs to be done here to set this up correctly. Any input would be appriciated. Also right off the bat we had some issues with access to Google Docs and Mail. I think its becuase those sites dont like seeing access from multiple IPs (fromt the Dual WAN) so I set up a entry in Policy Routing directing all traffic from port 443 to go through one WAN, is this the right way to do this?
  Thanks!
  Mike-

  Dear Mike,
  Thank you and welcome to the Small Business Support Community.
  It is possible to configure load balancing with NAT, however in this case, remote internet servers will potentially see sessions from remote hosts behind the SRP541W coming from different source IP addresses (the WAN IP addresses), causing the sessions to be reset unexpectedly.
  The Policy Routing setting you setup is exactly what I would do in your case.
  I hope these answer your question and please do not hesitate to reach me back if there is anything else I may assist you with.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• New ASA5512- 5515: content filter and WAN load balancing

  Hi,
  it's possible to make the content filter with the new models of asa?
  One of our customers would like to have content filter with the possibiliy to monitor the single client activity (log).
  It' s possible also make the load balancing between 2 WAN?
  Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
  Thanks in advance,
  Paolo.

  I saw that you can add CX feature:
  CX - Context Aware Security Feature:
  Cisco  ASA CX Context-Aware Security is a modular security service that  extends the ASA platform with next-generation capabilities. It is  available with SSD purchase for model such as 5512-X, 5515-X, 5525-X,  55545-X and 5555-X.
  Application Visibility Control (AVC):
  This  is additional feature in CX. Activation of this feature require  seperate license. This is the feature that do deep packet inspection for  Application recognition. provide context-aware firewall security.
  Web Security Essentials (WSE):
  This  is additional feature in CX. Activation of this feature require  seperate license. It deliver features like "URL Filtering" and "Global  Threat Intelligence".
  Can somebody confirm that?
  Have somebody already used and configured this features?
  Thank you,
  Paolo.

• RV042 won't load balance

  Good morning everyone,
  I've had the RV042 router for some time. I currently have it setup with two internet connections. One from Speakeasy.net and the other from comcast. My problem is that, even though I have "weighted round robin" load balancing turned on, the only connection that ever works for downloading or uploading stuff is the speakeasy connection. The only time the comcast connection turns on is when there's a problem with the speakeasy connection.
  I tried configuring it to prefer the comcast connection by setting the maximum download speed at 50Mb/s and the speakeasy max at 15Mb/s and I get nothing. I have it set to load balancing mode and it is not simply set to the fail over mode. Is there a way to get both of my connections working in an alternating fashion? I would like the router to know that if it's downloading movies of a *sensitive type* on the speakeasy connection, to use my comcast connection to continue my work because it has no load on it at the time.

  Hello,
  Many thanks for the screen shots and updates.  A couple of thoughts.
  The load balancing ought to load balance by sending more out of the one link than the other.
  If I understand you correctly, it is not using the second connection except only when the primary is down. It appears you have this configured correctly.
  For outgoing traffic I would expect to see some load balancing, although load balancing is not usually a perfect ratio ... but in your case you are not seeing anything.
  For incoming traffic, this should depend based on the outgoing address.  For example, if the WAN 1 interface was used, then the packets would be using the NAT'ed address of WAN1 and as such these packets should return via this interface.
  Do you have any 1-to-1 NAT configured?  I am wondering if this could skew the results by favoring one outgoing port and not the other. 
  Can you please check again to verify that there is in fact no load balancing what-so-ever?  Many thanks in advance for your efforts.
  For the failover however, you should probably use the other option which is to 'remove the connection' when down.  The setting you have now will not remove the connection.
  As for preferring one interface over another for downloads and the like, you can try protocol bindings.  Example, lets say that your downloads occur on port 80.  If you do not use port 80 for your work, you can bind these to the alternate WAN connection.  Just a thought ... and this might allow you to 'direct' some traffic for recreational and the others for biz.
  When using port binding, failover will still work.
  I noticed a newer version of code, dated July 30 2009.  This has a different date but appears to be the same version #.  The link to the downloads is here:
  http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=282413304
  Have a good night, Happy Thanksgiving too.
  Andrew Lee Lissitz

• WAN Load-Balancing and multi VLAN design

  Hello,
  I need some help to define the design of a specifi LAN-WAN network.
  1) There are 2 independant WAN entries (they have their own ISP-managed router)
  2) I need to load-balanced the requests over the 2 WAN
  3) If possible, the load-balancer must be redundant (GLBP ?)
  4) On the LAN itself, there must be 15 different VLAN
  5) We also need a DHCP solution (also redundant if possible) to provide IP to these VLAN, with unique gateway (the load-balancer)
  What do I need to implement this configuration ?
  And is it possible to configure with as much GUI as possible ?
  Thanks in advance for your help.

  Dear Mike,
  Thank you and welcome to the Small Business Support Community.
  It is possible to configure load balancing with NAT, however in this case, remote internet servers will potentially see sessions from remote hosts behind the SRP541W coming from different source IP addresses (the WAN IP addresses), causing the sessions to be reset unexpectedly.
  The Policy Routing setting you setup is exactly what I would do in your case.
  I hope these answer your question and please do not hesitate to reach me back if there is anything else I may assist you with.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• Cisco CSS 11503 Arrowpoint/Load Balance question

  I am troubleshooting an issue with my 11503.  I am running version 07.40.0.04. I have it configured as follows:
    content upcadtoa-rule
      add service cadtoa-wls1-e0
      add service cadtoa-wls1-e1
      add service cadtoa-wls2-e0
      add service cadtoa-wls2-e1
      add service cadtoa-wls3-e0
      add service cadtoa-wls3-e1
      add service cadtoa-wls4-e0
      add service cadtoa-wls4-e1
      add service cadtoa-wls5-e0
      add service cadtoa-wls5-e1
      add service cadtoa-wls6-e0
      add service cadtoa-wls6-e1
      arrowpoint-cookie expiration 00:00:15:00
      protocol tcp
      port 8001
      advanced-balance arrowpoint-cookie
      redundant-index 2
      vip address 172.30.194.195 range 2
      arrowpoint-cookie name TOA
      active
  However, the load-balancing across the servers does not seem to be doing much balancing.  One of those servers is getting hit with 5 times as much traffic as another and another server is lucky to get a connection at all.  With the cookie expiration set, one would think that this would all balance out over time.
  I just came across this information from Cisco and I am wondering if it is relevant:
  If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.
  In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.
  content testing
  vip address 192.168.128.131
  add service s1
  balance url
  active
  The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be more clear if you promote the rule to L5 by configuring the url "/*" command.
  In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.
  content testing
  vip address 192.168.128.131
  add service s1
  advanced-balance arrowpoint-cookie
  active
  The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection, however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.
  Thanks in advance for any help you can give.  The thing is not down, it is just balancing strangely causing application performance issues.
  James

  Hey James,
  You will need to suspend the content rule in order to add the url statement.  This will cause a quick downtime until the content rule is activated again.  I have shown below the commands to add the statement.  Perhaps you can create your commands in a Notepad file, then paste them all in so they execute quickly to minimize your downtime:
    content MY-SITE
      vip address 10.201.130.140
      port 80
      protocol tcp
      add service MY-SERVER
      active
  CSS11503# config t
  CSS11503(config)# owner TEST
  CSS11503(config-owner[TEST])# content MY-SITE
  CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
  %% Attribute may not be modified on active rule
  CSS11503(config-owner-content[TEST-MY-SITE])# suspend
  CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
  CSS11503(config-owner-content[TEST-MY-SITE])# active
  CSS11503(config-owner-content[TEST-MY-SITE])# exit
  CSS11503(config-owner[TEST])# exit
  CSS11503(config)# exit
  CSS11503# show run
    content MY-SITE
      vip address 10.201.130.140
      add service MY-SERVER
      port 80
      protocol tcp
     url "/*"       <--------
      active
  Hope this helps,
  Sean

• RV042 Dual WAN NSD Failback

  Running a RV042 in Smart Link with NSD Mode
  WAN1: Cable Internet to ISP
  WAN2: DSL Internet to backup ISP
  WAN1 is set as the primary WAN.
  With both links up, when I pull the plug on WAN1, it failsover to WAN2 in the expected amount of time and resumes internet traffic.
  When I plug WAN1 back in though, the service doesn't automatically fail back to the Preferred WAN1 Connection, no matter how long I wait.
  Advice?
  Thanks!

  I've used it for two different ASNs all the time.  Yes, you will have problems with SSL logins or any logins that check the source IP, but that can be easily fixed with some entries under the protocol binding.
  There's no real protocol being used for the load balance.  Just a weighted round-robin based on the bandwidth information you enter for each of the WANs.
  Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

• ACE LOAD BALANCER - secure tls renegotiation

  I have a cisco ace loadbalancer and a server farm behind it.
  We have implemented sll-to-ssl termination, but we are facing certain problems with opera browser and android mobiles.
  On both we get "The server does not support secure TLS renegoriation...."
  Running the following:  openssl s_client -connect aaa.bbb.ccc.ddd:443
  On the load balancer we get:
  New, TLSv1/SSLv3, Cipher is AES256-SHA
  Server public key is 1024 bit
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : AES256-SHA
      Session-ID:
      Session-ID-ctx:
      Master-Key: xxxxxxxxx
      Key-Arg   : None
      Krb5 Principal: None
      Start Time: 1323349587
      Timeout   : 300 (sec)
      Verify return code: 21 (unable to verify the first certificate)
  On one of the servers from the farm we get:
  ew, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
  Server public key is 1024 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : DHE-RSA-AES256-SHA
      Session-ID: yyyyyyy
      Session-ID-ctx:
      Master-Key: xxxxxxxx
      Key-Arg   : None
      Krb5 Principal: None
      Start Time: 1323349689
      Timeout   : 300 (sec)
      Verify return code: 0 (ok)
  Is there any connection to our problem with this outputs ?
  Does anyone have any idea on how to solve this problem ?
  Thanks in advance

  Hi Thanassis,
  TLS renegotiation was disabled in all Cisco devices due to a vulnerability of the protocol. Check
  http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml for more details
  Since the renegotiation was disabled for security reasons, there is no way to enable it back, so you should rather be looking for a way to force your browsers not to require this option to be enabled. I would suggest you to contact the Opera support team.
  Regards
  Daniel

• Access to load balanced web site

  I have a wierd problem where browsers on one subnet in my company cannot access any web sites that are load balanced in our data center.
  Other subnets can access the load balanced sites fine.
  Browsers on the subnet in question CAN access other non-loadbalanced sites within the same dc.
  Any thoughts on how to go about troublshooting?

  HI,
  have a look at the routing table of the servers.
  Is the return traffic (towards the clients) forwarded towards the loadbalancer from the servers or bypassing=
  Are you using source limitation on the loadbalancer?
  Are you using source nat?
  Please paste the config of the loadbalancer, the routing table of the servers and the source-address that gives you a hard time and we can have a look at it.
  Kind Regards,
  Joerg
  PS
  IN case of any doubts take a sniffer trace in front of the loadbalancer and behind the load balancer. If necessary additional ones at the client and at the server

• Using CSM to load-balance two sites

  Hi there,
  I currently use CSS11500's at two of my sites and I'm able to use source-groups to achieve site load-balancing behind a single VIP.  So basically I have a VIP that has servers in both the local site and remote site.   Is something like this possible with the CSM? I suppose there's the nat server or nat client commands, but I'd like to be able to maintain original client IP address if possible, or at least maintain the original client IP for connections that stay local to the site.
  Thanks,
  Brandon

  Hello Brandon-
  It is not directly possible to pick and choose what servers are natted on the CSM like the CSS and ACE can do.
  In the CSM, you configure nat under the serverfarm specifically.
  Ex.
  serverfarm Client_Nat_Example
  nat server
  nat client REMOTENAT
  real 10.10.10.1
    inservice
  natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0
  If you were to devide up the traffic prior to hitting a serverfarm (maybe use a policy that matches specific subnets for your clients), then you could nat to only certain servers.
  Ex.
  access-list 2 permit 5.5.0.0 0.0.255.255
  serverfarm Client-Nat-Example
  nat server
  nat client REMOTENAT
  real 10.10.10.1
    inservice
  serverfarm No_Nat
  nat server
  no nat client
  real 20.20.20.1
    inservice
  natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0
  policy client_remote
  serverfarm Client_Nat_Example
  client-group 2
  vserver HTTP
    virtual  172.16.35.7 tcp www
    slb-policy client_remote
    serverfarm No_Nat
    persistent rebalance
    inservice
  With this config, the CSM checks global access list 2, anything that matches a source of 5.5.x.x subnet would go to the serverfarm with the remote servers. Anything that does not match 5.5.x.x would use the default serverfarm under the vip (No_Nat serverfarm).  This is not optimal, but there is no parity between CSM and CSS when it comes to per-server NAT.