
Connectivity


Traffic seems to be passing through the Link LB but no statistics are reported for my GMAC interfaces.

You might have inverted the cabling for the inside and outside interfaces. Alternatively, the GMAC in question could be a redundant router in HSRP; if this is the case you need to enter both physical MAC addresses (one per router) under the GMAC entry with the "gmac alias" command.

I installed a patch cord between my Link LB unit and a router/firewall and there is no activity (the LEDs are off).

Check that you are using a crossover patch cable when plugging the Link LB directly into another appliance.

The eosupdate command displays a warning message "The authenticity of host '10.1.0.252 (10.1.0.252)' can't be established."

This message is displayed because you have never connected to this machine before, and SSH has no concept of a trusted third party. If you answer "Yes, the fingerprint is correct", your SSH client continues logging in, lets you type your password, and lets you complete the eosupdate procedure. The next time you access the same server, this message is not displayed.

My cable modem link is not detected as active by the Link LB.

When your link has only one IP address and no router, it could be using DHCP. DHCP is supported in monomode. The multimode port can only have one DHCP link. Otherwise you need to install an entry-level router and create a temporary network with the Elfiq LB, or simply use VLANs to separate multiple DHCP links.

I'm using my ISP's SMTP server to send mail, and my messages are rejected when the SMTP session is balanced onto my second link.

SMTP servers often perform source IP verification to prevent them from becoming open mail relays. Therefore, if your SMTP server is hosted externally, you need to make sure that connections are accepted from the IP addresses of each of your links. You must inform your ISP that you use its SMTP server to relay mail.

My videoconferencing system sometimes has video without voice.

This can happen if the voice and video sessions have been balanced onto two different links. If you allow services such as NetMeeting conferencing, which use a wide range of unspecified ports, we recommend using the OPFA algorithm for the browsing IP address on your firewall and specifying a list of balanced protocols in the configuration, each with an acl nat in statement. You should also use a persist trigger configured on the port number of the initiating session.

My access list statement seems to never be used.

Verify the priority order of your acl nat statements. The ACL entries are used in the order they appear in the configuration, and the priority is evaluated based on the ID number and the protocol type. Also verify the Virtual Forwarder Interface packet flow diagram in the EOS User Guide.

The Link LB sometimes disables my DSL or cable links for a few seconds.

These links sometimes have a variable response time, so you should increase the polling timeout and threshold with the gmac probe command. For example, to adjust GMAC ID 1, enter the following command: gmac probe 1 10 5

The interfaces (syst:sh int stat) show many errors.

Usually this is because the ports are connected to a hub or there is a bad speed/duplex negotiation. This can severely degrade performance. You should fix the port settings with the set int command. Ensure that you hard-code the speed and duplex settings on both the Link LB and the directly attached device on the problematic interface.

My DHCP cable modem link is not detected as active by the Link LB, and the sh dhcp command displays the DHCP as INCOMPLETE.

Verify that you are using the right cable, usually a crossover cable, to connect the cable modem directly to a Link LB port.

Some cable modems keep in memory the MAC address of the device accessing the Internet. If your cable modem was previously connected to another device, make sure to turn it off, connect it to the Link LB, and then turn it on again.

The Link LB is able to actively load balance my web traffic, but if the primary link is down and my secondary link is up, I can't browse the Internet.

When your primary link goes down, all the traffic will go through the alternate link. This implies that your DNS requests will also go through the secondary link. Oftentimes, your primary link's ISP will not answer your DNS requests in failover mode because you are coming through an alternate link: passing through a different ISP changes your source IP, and the ISP's DNS servers check for that. From that point you will have symptoms such as being able to ping an IP address but not a name like http://www.google.com.

Please check if:

  • Your firewall or DHCP server is configured with the DNS servers of your primary link's ISP. You will have to change those server IPs to open DNS servers such as 4.2.2.1 and 4.2.2.2 or 208.67.222.222/.220. Those DNS servers can usually be accessed by anyone and are typically considered "freely accessible".
  • Your internal DNS servers are configured with "forwarders" that instruct them to relay any public DNS request to your primary link ISP's DNS servers. Ensure that the "Root Hints" are correctly configured, then remove any forwarders configuration. This will enable your DNS server to be a true recursive DNS server, speed up the DNS query process, and enable you to load balance or fail over the DNS queries as required.
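A practical way to confirm the DNS symptom above is to query each configured resolver directly from a host whose traffic is currently leaving through the secondary link, and see which ones answer, refuse, or time out. The following script is an added example (not Elfiq's code): it builds a plain UDP A query, parses A records from the answer, and reports the rcode. The open resolvers listed are the ones named in the text; the ISP resolver address is a placeholder you must replace.

```python
import random
import socket
import struct

# rcode values from the DNS header; a resolver that checks source IPs
# typically answers REFUSED (or not at all) when you arrive via another ISP.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Minimal DNS A/IN query: 12-byte header with RD set, then the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1

def parse_response(resp, txid):
    """Return (status, [A record addresses]) for a raw DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "BAD-TXID", []
    status = RCODES.get(flags & 0x0F, "RCODE-%d" % (flags & 0x0F))
    off = 12
    for _ in range(qdcount):               # skip the echoed question section
        off = _skip_name(resp, off) + 4    # name + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:     # A record, IN class
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return status, addrs

def query(server, name, timeout=2.0):
    """Send one A query to `server` on UDP/53 and classify the outcome."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_response(resp, txid)

if __name__ == "__main__":
    ISP_DNS = "192.0.2.53"   # placeholder: replace with your primary link ISP's resolver
    for server in ["4.2.2.1", "208.67.222.222", ISP_DNS]:
        status, addrs = query(server, "www.google.com")
        print("%-16s %-8s %s" % (server, status, ", ".join(addrs) or "-"))
```

Run it once per link (or once in normal operation and once with the primary link unplugged); a resolver that answers NOERROR through the primary link but REFUSED or TIMEOUT through the secondary is the one to replace.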

Can I use links from the same provider?

It is important to understand that using links from the same provider/technology will bring you additional bandwidth but no failover/redundancy, because there is a good chance that both links will be down at the same time. Elfiq recommends using links from different providers and different technologies.

In this case, you must be cautious before using entry-level single-IP links (those without a dedicated IP segment/block and router). Some provider configurations (especially cable, but sometimes DSL and Wi-Fi) have the local modem bridging to a central router, and all connected modems share that central router. The on-site equipment is not a router and provides a single IP address or non-contiguous IP addresses. Two links from the same provider will connect to the same router and see the same MAC address. The link is shared, and all cable modems are connected at the same network layer 2.

For example, your subnet mask is 255.255.255.0 and your ISP gateway IP address ends with .1, but you are only allowed to use the IP address ending with .99. The class C network is shared among numerous other ISP customers. This kind of service has the effect that both links have the same router MAC address.

In order to use these links with the Elfiq Link LB, you will need to create the first GMAC as a standard GMAC, and the second link to the same ISP will be a "child gmac". Please refer to the "configuration guide" for more details.

My router has multiple inside ports, which type of cable and which Link LB settings should I use?

Some routers have a small built-in switch, typically 4 to 8 ports. Some of the newer models also have MDI/MDI-X auto-detection, which reverses the RX and TX pairs if you connect the wrong cable (for example a crossover cable instead of a straight cable). In theory you could use any type of cable and traffic should start flowing. Unfortunately, field experience proves otherwise. These routers should be connected to the Link LB with a straight cable.

If you experience problems such as traffic stopping suddenly, and you see errors such as "Outside interface [eth2] carrier lost, [link down]", then you will need to force the speed and duplex settings of the offending interface on both ends (on the Link LB and on the router). Use the set int command in the system module to statically configure the speed and duplex of the interface and disable auto-negotiation.

Since the installation of a wireless link on my Link LB, some of my users are complaining about performance issues. The ISP claims that the bandwidth is good and there is no MTU problem. What could be the problem?

Not all providers and technologies are equal when connecting to the Internet. Most of the time, ISPs will quote their link bandwidth when you ask them about the speed of their links. This is a common misconception in the data world: bandwidth is an expression of capacity, whereas latency (or ping time) reflects the "speed" of your link.

The size of the pipe is not directly related to the speed of the connection. Imagine a train full of people (let's say 500 passengers) and a small car with only two passengers travelling the same distance at the same speed. Once they get to the destination, the bandwidth of the train, or its capacity, is 250 times bigger than the small car's, but did it go 250 times faster? Of course not. Whichever of these two means of transportation you use to travel this distance will take you there at the same speed. What if you needed to get there faster? You could use an F1 racing car: the capacity (bandwidth) is really low (only one person) but the latency is really good! Speed and capacity are not the same.

All of this is to say that some links can have good capacity and bad speed at the same time. You can check the speed (latency) of your links with several different complementary tools. One widely known way to check link latency is the ping command; keep in mind that some routers on the Internet may slow down ICMP packets by routing them last (or even drop them). The Link LB has a built-in method to verify the RTT (round-trip time) from the Link LB to your GMAC polling destinations; you can see this value using the sh gmac command. The RTT calculated by the Link LB is not sensitive to ICMP packet delaying because it does not rely on ICMP packets to poll your links. You can also use the http://traceroute.org website and test your own IP address or the IP address of your GMAC from different points of the globe.

Unfortunately, there is no remedy for bad latency: you should think about getting a different link, or use the slow link for latency-insensitive protocols (such as SMTP and FTP) or as a failover link.

Which precautions should I take in a multi-homed network for the Maximum Transmission Unit (MTU)?

Link routers usually have an MTU of 1500 on their inside port, and it is usually the role of the link router to handle the MTU of its link-specific technology. We have seen some DSL implementations where the MTU is smaller than 1500 (for example 1492) because of the PPPoE overhead. The firewall MTU must be compatible with all your links, or this will cause problems, fragmented packets and very bad performance.

With version 3.1.70 and higher, the Link LB can do MSS clamping for TCP sessions on a specific link. The command is gmac mtu. For example: gmac mtu 1 1492 mss

How to discover the MTU of your internet connections?

This example shows how to discover the Maximum Transmission Unit of your Internet links using a Windows XP computer.

Connect your computer directly to the router of the ISP using a crossover cable.

Configure your network interface so it has a valid IP, Netmask, Default Gateway and DNS information.

Open the "Start" menu and select "Run..."

Type "cmd" in the Open: field and hit the Enter key or click OK. A DOS prompt will open.

At the DOS prompt, ping a public service. For example, type ping www.google.com -f -l 1473 and hit the Enter key. The -f option sets the Don't Fragment (DF) flag in the IP protocol header, and the -l 1473 option tells the ping program to fill the ICMP packet with 1473 bytes of data. If you add the 28 bytes of ICMP and IP headers to the 1473 bytes of data, you get the total size of the packet sent over the wire: 1501 bytes.

NOTE: The "Packet needs to be fragmented but DF set." output means that the 1501-byte packet we sent over the wire was too big for the connection. It needed to be fragmented, but since we had set the "Don't Fragment" bit, the router informs us that it cannot forward our packet to the destination.

The usual MTU settings for Internet links are 1500 bytes or 1492 bytes. The goal of these tests is to find the highest possible value for your MTU. To test for 1500 bytes, try the same ping command as above but send 1472 bytes of data in the packet. The command to achieve this is: ping www.google.com -f -l 1472

NOTE: Any output that differs from "Packet needs to be fragmented but DF set." means that this packet was sent over the wire successfully.

If this attempt (1472 bytes) was successful, the MTU for this link is 1500 bytes (1472 bytes of data + 28 bytes of headers). If this attempt was unsuccessful, the MTU for this link is lower than 1500 bytes, and this can cause fragmentation, which degrades performance. Try again, this time with 1444 bytes of data in your ping. If it still needs to be fragmented, lower the size of the packet until you find a value that does not need to be fragmented.

Remember that the value you give in the ping command is the amount of data inside the ping packet. Add 28 to this value to account for the size of the ICMP and IP headers to find the optimal MTU setting. Once you have found the optimal MTU for all your links, you can configure your Link LB to use MSS clamping. This will make sure that no TCP/IP fragmentation occurs on your links. The command to configure the Link LB is:

gmac mtu [mac address|gmac id] [mtu] [mss|nomss]

Example with an MTU of 1492: gmac mtu 1 1492 mss
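The manual search above (1473, 1472, 1444, then smaller) can be automated. The script below is an added example, not Elfiq's code: it runs the DF-bit ping for the current OS (Windows -f/-l as in the text; Linux iputils -M do/-s is an assumption), binary-searches for the largest payload that is not reported as needing fragmentation, adds the 28 header bytes to get the MTU, derives the TCP MSS (MTU minus 40 bytes of IPv4 and TCP headers), and prints the gmac mtu command from the text for that value. The search is generic over any monotone probe, so it also works for links with MTUs other than 1500 or 1492.

```python
import platform
import subprocess

ICMP_IP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
TCP_IP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)
NEEDS_FRAG_MARKERS = ("needs to be fragmented",            # Windows wording from the FAQ
                      "Frag needed", "message too long")   # Linux iputils wording (assumed)

def ping_df_command(host, payload, count=1):
    """DF-bit ping for the current OS: Windows uses -f/-l, Linux uses -M do/-s."""
    if platform.system() == "Windows":
        return ["ping", "-n", str(count), "-f", "-l", str(payload), host]
    return ["ping", "-c", str(count), "-M", "do", "-s", str(payload), host]

def payload_fits(host, payload):
    """FAQ rule: anything other than a 'needs fragmentation' message counts as sent.
    A silent timeout therefore also counts as 'fits'; check reachability first."""
    proc = subprocess.run(ping_df_command(host, payload),
                          capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    return not any(marker in output for marker in NEEDS_FRAG_MARKERS)

def largest_payload(fits, lo=500, hi=1472):
    """Binary search for the largest payload in [lo, hi] accepted by `fits`.
    `fits(n)` must be monotone: if n fits, every smaller n fits too."""
    if not fits(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def discover_mtu(host="www.google.com", fits=None):
    """Return the link MTU and the matching TCP MSS, or None if nothing fits."""
    fits = fits or (lambda n: payload_fits(host, n))
    payload = largest_payload(fits)
    if payload is None:
        return None
    mtu = payload + ICMP_IP_HEADERS
    return {"payload": payload, "mtu": mtu, "mss": mtu - TCP_IP_HEADERS}

def gmac_mtu_command(gmac_id, mtu):
    """The Link LB MSS clamping command from the FAQ, for the discovered MTU."""
    return "gmac mtu %d %d mss" % (gmac_id, mtu)

if __name__ == "__main__":
    result = discover_mtu()
    if result:
        print("MTU %(mtu)d (largest DF payload %(payload)d), MSS %(mss)d" % result)
        print("Link LB command for GMAC 1:", gmac_mtu_command(1, result["mtu"]))
```

Run it from a host connected directly to each link's router, as the procedure describes, and use the printed command for that link's GMAC ID.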

Some protocols, like UDP, pass through the Link Load Balancer without any problems, but others, such as IPsec, do not.

This can occur when some network interfaces have problems negotiating the proper link speed and duplex with switches and routers. Force both the Link LB and the end-point device (switch, hub, router, etc.) to the same link speed and duplex, such as 100 full for a 100 Mbps full-duplex link. The speed of the Link LB can be set with the set int command. Please consult the documentation of your other devices for instructions on setting these parameters.

Traffic seems to be passing through very slowly in the Link LB, and there are a lot of errors on the network interfaces.

There is a good chance that this is related to either bad cabling or bad link negotiation. Force both the Link LB and the end-point device (switch, hub, router, etc.) to the same link speed and duplex, such as 100 full for a 100 Mbps full-duplex link. The speed of the Link LB can be set with the set int command.

Which Link LB models support LAN Failsafe?

The following models support LAN Failsafe:

Hardware failsafe means that the bypass cannot be turned off and failsafe initiates as soon as the device is powered off. Software-programmable failsafe means that the bypass can be turned off with the Elfiq Operating System (EOS).

Is there a performance cost to the LAN Failsafe feature?

There is no performance cost to the LAN Failsafe feature. In fact, recent tests have demonstrated that device throughput in failsafe mode is essentially unchanged.

The test was conducted by first establishing a performance reference by connecting two data-streaming servers with a simple network cable. An Elfiq unit was then placed between the data-streaming servers.

After placing an LB-1500E between the data-streaming servers, we were able to see a total data rate of 98.43Mbps out of the 98.45Mbps reference. The same test was conducted on an LB-4000E at gigabit speeds. That test concluded with a sustained speed of 851.12Mbps out of the 852.47Mbps reference.

Which precautions should be taken with speed negotiation and duplex in a LAN failsafe configuration?

In order to keep the same speed/duplex negotiation in case the Elfiq LAN Failsafe ports are activated, it is important to verify that all of the following ports have the same interface speed and duplex negotiation:

Which Link LB models support auto-sensing MDI and MDI-X?

The following models support auto-sensing of MDI and MDI-X:

However, Elfiq recommends the following guidelines in order to ensure better port negotiation and failsafe connectivity:

  • Use a straight cable between the Elfiq unit and a switch or hub.
  • Use a crossover cable between the Elfiq unit and another network device (firewall, router) or server.

The following models do NOT support auto-sensing of MDI and MDI-X:

Which precautions should be taken with very fast links (more than 100 MBps) or links carrying a large number of sessions (more than 200 000 concurrent sessions)?

Bad speed and duplex negotiation can severely degrade performance. You should set the port settings with the set int command. Ensure that you hard-code the speed and duplex settings on both the Link LB and the directly attached device. If it is not possible to configure the interface settings on both, then leave both on auto-negotiation, as having only one side hard-coded and the other side automatic is usually worse.

EOS version 3.2.1 and higher has loadopt options that define, at load time, the optimization mode used to handle additional sessions in NAT or TAG balancing. The number of sessions handled also depends on the number of loaded VFIs.


Why do I get VPN tunnel errors over the alternate link?

When using an Elfiq unit for VPN redundancy, pay special attention to the ID payload chosen for IKE (Internet Key Exchange). The ID should not be the IP address of the peers, because there will be a mismatch between the packet headers and the ID payload when the tunnel is carried over the alternate link. More detail on this can be found in RFC 4945, specifically in section 3.1.1 (ID_IPV4_ADDR and ID_IPV6_ADDR).