
Load Balancing Failed When the USG5160 Is Connected to Two Upstream Routers at the Egress

Publication Date:  2015-10-31 Views:  112 Downloads:  0
Issue Description
Routers AR2 and AR3 are deployed as the egress gateways. VRRP multi-gateway load balancing is configured on both routers. Some traffic from the Internet is forwarded by AR2 to the intranet, and some by AR3, but all return traffic from intranet PCs to the Internet is forwarded by the firewall to AR3. The customer requires that the return traffic be shared by AR2 and AR3.

The AR2 configurations are as follows:

interface GigabitEthernet0/0/0 
ip address 
vrrp vrid 1 virtual-ip 
vrrp vrid 1 priority 120 
vrrp vrid 1 preempt-mode timer delay 20 
vrrp vrid 3 virtual-ip

The AR3 configurations are as follows:

interface GigabitEthernet0/0/0 
ip address 
vrrp vrid 1 virtual-ip 
vrrp vrid 1 preempt-mode timer delay 3 
vrrp vrid 3 virtual-ip 
vrrp vrid 3 priority 120

The switch transparently forwards packets.

The firewall configurations are as follows:

interface GigabitEthernet0/0/0  
ip address

Two default ECMP routes are configured on the firewall pointing to the two routers:

ip route-static  
ip route-static

Handling Process
Step 1 Configure sticky load balancing on the firewall.

If the firewall has two upstream links to the Internet, you can configure sticky load balancing. In this networking, however, the firewall connects to an upstream switch, and traffic is split to the two routers on the switch. Therefore, even if sticky load balancing is configured, the problem persists.

Step 2 Modify the default routes on the firewall.

ip route-static preference 50  
ip route-static preference 60

After the modification, all traffic is forwarded to AR3 at

Step 3 Change the firewall forwarding mode to per-packet forwarding. The problem is resolved.

Root Cause
By default, the device uses the hash algorithm (the source and destination IP addresses are hashed) for per-flow load balancing.

Per-flow load balancing is implemented based on the hash of parameters, such as the source IP addresses, destination IP addresses, source ports, and destination ports of packets. Packets with the same hash value are forwarded by the same link. The weight of an interface determines the volume of the traffic distributed to the interface. The interface with a larger weight forwards more traffic.

However, in this scenario the firewall has only one egress interface (both next hops are reached through the switch), so the default per-flow forwarding method cannot balance traffic between the two routers.
Changing per-flow forwarding to per-packet forwarding lets the routers share the traffic, with one caveat: each packet is sent to either router at random, so the forward and return packets of a session may not traverse the same router.
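As an added illustration (not from the original case), the following Python models the two forwarding modes described above: per-flow hashing distributes flows across egress interfaces by weight, which collapses to a single router when both next hops sit behind one interface, while per-packet forwarding spreads the packets of one flow across both routers. Interface names, router labels, weights and addresses are constructed.

```python
"""Per-flow vs per-packet load balancing, modelled on the USG5160 case above."""
import hashlib
import itertools
from collections import defaultdict

# Constructed topology values (the original case elides all addresses and names).
TWO_LINKS = {"AR2": "GE0/0/0", "AR3": "GE0/0/1"}  # each router behind its own interface
ONE_LINK = {"AR2": "GE0/0/0", "AR3": "GE0/0/0"}   # both routers behind the switch on one interface
WEIGHTS = {"GE0/0/0": 1, "GE0/0/1": 1}            # equal interface weights

def flow_hash(src, dst, sport, dport):
    """Hash the 4-tuple; per-flow mode keys a flow to a link this way."""
    key = f"{src}|{dst}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")

def per_flow_next_hop(routes, weights, pkt):
    """Per-flow: hash the flow onto an egress interface (by weight), then use a
    fixed next hop behind that interface. With a single egress interface there
    is only one bucket, so every flow is sent to the same router."""
    by_iface = defaultdict(list)
    for nh, iface in sorted(routes.items()):
        by_iface[iface].append(nh)
    ifaces = sorted(by_iface)
    point = flow_hash(*pkt) % sum(weights[i] for i in ifaces)
    for iface in ifaces:
        point -= weights[iface]
        if point < 0:
            return by_iface[iface][0]

def per_packet_next_hop(routes, counter):
    """Per-packet: the two routes are used in turn, regardless of the flow."""
    hops = sorted(routes)
    return hops[next(counter) % len(hops)]

def simulate(routes, mode, flows, pkts_per_flow=4):
    """Return {flow: set of routers that carried its packets}."""
    rr = itertools.count()
    used = defaultdict(set)
    for flow in flows:
        for _ in range(pkts_per_flow):
            nh = (per_flow_next_hop(routes, WEIGHTS, flow) if mode == "flow"
                  else per_packet_next_hop(routes, rr))
            used[flow].add(nh)
    return dict(used)

# Constructed sample flows: 200 intranet PCs to one Internet host on TCP/443.
FLOWS = [(f"10.0.0.{i}", "203.0.113.10", 40000 + i, 443) for i in range(200)]
```

Running `simulate(ONE_LINK, "packet", FLOWS)` shows every flow touching both routers, which is the asymmetric-path caveat noted above for any stateful device between the firewall and the Internet.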

1. Run the system-view command to access the system view.

2. Run the load-balance packet command to configure per-packet load balancing.

Check the following configurations when configuring load balancing:

1. Default ECMP routes

2. Sticky load balancing

3. Load balancing mode