Users Cannot Access the Internet When One Link Fails (When AR G3 Uses Dual Links to Implement Load Sharing)

Publication Date: 2015-06-09
Issue Description
As shown in the following figure, the AR functions as an egress router and connects to two ISP networks through PPPoE dial-up. Traffic from the enterprise is load balanced on Link 1 and Link 2 using equal-cost routes. The bandwidth of Link 1 is 6 Mbit/s, while the bandwidth of Link 2 is 4 Mbit/s. NAT is configured on the AR to allow intranet users to access the Internet.

The configuration is as follows:

acl number 2000
 rule 5 permit source
interface Dialer0
 link-protocol ppp
 ppp chap user 123
 ppp chap password simple 123
 ppp pap local-user 123456 password simple 123
 tcp adjust-mss 1200
 ip address ppp-negotiate
 dialer user server
 dialer bundle 1      //This command associates the physical interface with the dialer interface. The number must be the same as the number in the pppoe-client dial-bundle-number command of the physical interface.
 dialer timer idle 3600
 dialer-group 1          //This command specifies the dialer group of the dialer interface, which must be the same as that configured by the dialer-rule command.
 nat outbound 2000     //This command configures outbound NAT on the dialer interface to allow conversion between private and public IP addresses.
interface Dialer1
 link-protocol ppp
 ppp chap user 456
 ppp chap password simple 456
 ppp pap local-user 123456 password simple 456
 tcp adjust-mss 1200
 ip address ppp-negotiate
 dialer user server
 dialer bundle 2
 dialer timer idle 3600
 dialer-group 2
 nat outbound 2000
interface GigabitEthernet1/0/0
 pppoe-client dial-bundle-number 1 on-demand
interface GigabitEthernet2/0/0
 pppoe-client dial-bundle-number 2 on-demand
dialer-rule 1 ip permit
dialer-rule 2 ip permit
ip route-static Dialer0
ip route-static Dialer1

When Link 1 fails, intranet users cannot open web pages when accessing the Internet.
Handling Process
1. Run the display nat session command to check whether NAT entries of the outbound interface of the primary link have aged out. If the NAT entries have not aged out, run the reset nat session command to delete them.

2. Add the dialer number 1 autodial command on the Dialer0 and Dialer1 interfaces to configure automatic dialup. With autodial configured, the protocol status of a dialer interface changes to Down when its link fails and returns to Up after the interface dials up successfully. If this command is not configured, the protocol status of the interfaces remains Up even when a link fails; the routes over the failed link then still exist in the routing table, and data traffic sent over that link is lost.
Root Cause
When users access the Internet through the AR, traffic is load balanced over the equal-cost routes and NAT entries are generated. NAT entries do not age out while users keep accessing the Internet. When Link 1 fails, the NAT entries for that link do not age out because some users are still accessing Internet services, yet those users cannot reach the Internet through Link 1. In addition, because users access the Internet through PPPoE dialup, the dialer interfaces stay Up: even when a link fails, its route remains in the routing table and traffic is still forwarded to the specified next hop, which is unreachable.
When the network configuration is modified while users are accessing the Internet, delete the NAT session entries; otherwise, those users cannot access the Internet. In addition, because virtual (dialer) interfaces are always Up, ensure that the configured routes are reachable.
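As an added illustration that is not part of the original article or of Huawei's own code, the following Python model captures the root cause described above: equal-cost routes stay installed while a dialer interface reports Up, and existing NAT sessions pin flows to the egress on which they were created. The Link, Router and simulate names, the flow strings and the flow-hash ECMP rule are constructed for this model, which shows why both steps (resetting NAT sessions and enabling autodial) are needed for all traffic to move to Link 2.

```python
import zlib
from dataclasses import dataclass, field


@dataclass
class Link:
    """A dialer interface over one ISP link (simplified model, not AR firmware)."""
    name: str
    physical_up: bool = True
    autodial: bool = False

    @property
    def protocol_up(self) -> bool:
        # Without autodial the dialer's protocol state stays Up regardless of the
        # physical link; with autodial it goes Down until a redial succeeds.
        return self.physical_up if self.autodial else True


@dataclass
class Router:
    links: list
    nat_sessions: dict = field(default_factory=dict)  # flow -> egress link name

    def routes(self):
        # An equal-cost static route is installed for every dialer whose protocol is Up.
        return [link for link in self.links if link.protocol_up]

    def forward(self, flow: str):
        """Return the egress link name, or None if the packet is lost."""
        egress = self.nat_sessions.get(flow)  # existing NAT session pins the flow
        if egress is None:
            candidates = self.routes()
            if not candidates:
                return None
            egress = candidates[zlib.crc32(flow.encode()) % len(candidates)].name
            self.nat_sessions[flow] = egress  # entry never ages out while flow is active
        link = next(l for l in self.links if l.name == egress)
        return egress if link.physical_up else None

    def reset_nat_session(self):
        self.nat_sessions.clear()  # models "reset nat session"


def simulate(autodial: bool, reset_sessions: bool) -> dict:
    """Establish 20 constructed flows, fail Link 1, and count delivered/lost flows."""
    router = Router([Link("Dialer0", autodial=autodial), Link("Dialer1", autodial=autodial)])
    flows = [f"10.1.1.{i}:{40000 + i}->203.0.113.10:443" for i in range(1, 21)]
    for flow in flows:
        router.forward(flow)             # sessions created while both links are up
    router.links[0].physical_up = False  # Link 1 (Dialer0) fails
    if reset_sessions:
        router.reset_nat_session()
    delivered = sum(router.forward(flow) is not None for flow in flows)
    return {"delivered": delivered, "lost": len(flows) - delivered}
```

Only simulate(autodial=True, reset_sessions=True) delivers all 20 flows; resetting sessions without autodial simply re-hashes half the flows back onto the dead but still-Up Dialer0, and autodial without a reset leaves the pinned sessions on the failed link.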