Routing Problem

This is a weird one... I have a Cisco 1720 and I cannot pass traffic over the serial interface (T1 WIC) while logged on to the router.

#ping <hostname>
Translating "<hostname>"...domain server (192.168.1.254) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.94.230.35, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But when I do the extended ping and specify the source address it works...

#ping
Protocol [ip]:
Target IP address: <hostname>
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: xxx.xxx.xxx.xxx
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: \\
% No such option - "\\"
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.94.230.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/61/64 ms

Has anyone run into this before? I do not have NAT enabled and there are no access lists.

Adam

Reply to
amalseed

Hi Adam,

Based on the brief information in your email, it likely seems to be a routing setup issue. One of the quick things that come to my mind is the reverse route setup from the destination device to the source router. You may want to check if the destination is capable of routing the packets back to all the addresses/networks on the source router.

Hope this helps!

-Sachin


Reply to
Sachin

[...]

When you do a standard ping the router will use the IP of the interface closest to the destination as the source address. Your DNS is on a private IP, so it looks like you do have a private network and NAT somewhere. If the route to 66.94.230.35 points over an interface with a private address which is not NAT'ed, that's the reason for having no replies. Without seeing your routing table (at least 'sh ip route 0.0.0.0') it's rather hard to guess what exactly causes the connectivity problem. The configuration of the interface over which this route points will also help (strip the IP address, but state whether it's public or private).

Kind regards, iLya

Reply to
Charlie Root

Here is the current running config:

Current configuration : 1399 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname atlvpn
!
no logging rate-limit
enable secret 5 xxxxxxxxxxxxx
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 1
ip cef
no ip dhcp-client network-discovery
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address xx.xx.xx.x
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set CMAP esp-3des esp-md5-hmac
 mode transport
!
!
!
interface Tunnel1
 ip address 172.17.3.5 255.255.255.252
 ip mtu 1440
 load-interval 30
 tunnel source xxx.xx.x.x
 tunnel destination xxx.x.xx.xxx
!
interface Ethernet0
 ip address xxx.xx.x.xxx 255.255.255.248
 ip route-cache flow
 half-duplex
 no cdp enable
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.1.3 255.255.255.0
 speed auto
 full-duplex
!
interface Serial0
 description connected to Internet
 ip address xx.x.x.xxx 255.255.255.252
 service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.8.0 255.255.255.0 Tunnel1
no ip http server
!
!
!
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxxxxxxxx
 login
 transport input none
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxx
 login
!
end

I do not have NAT turned on.

Adam

Charlie Root wrote:

Reply to
amalseed

If possible, use the next-hop IP address form of static route,

so change " ip route 0.0.0.0 0.0.0.0 Serial0" to

ip route 0.0.0.0 0.0.0.0

Reply to
Merv

Yep, tried that already before posting here. It is a very odd problem....

Merv wrote:

Reply to
amalseed

turn on debug icmp to see what source address is being used with normal ping from the router

also please post show version

Reply to
Merv

1) When you used extended ping, the IP of which interface did you specify as a source?
2) Is the IP of Serial0 public or private?
3) Are you sure that the remote side is actually configured with the same subnet? Since you're routing over the interface it may well work for transit traffic but won't for the IP of your Serial0.
4) What does traceroute say?

Kind regards, iLya

Reply to
Charlie Root

I have just verified in the lab - this looks like a good candidate for the possible cause. Setting the default route over the serial interface on the CPE, and on the remote side routing either over the "proper" next hop or over the serial interface (both produce the same result), then deliberately changing the IP on the serial interface of the CPE to a wrong one. I could ping the remote location using the source IP from the ethernet interface (via extended ping), but not using a simple ping (which gets its source from serial). You can see what happens here:

Kind regards, iLya

Reply to
Charlie Root
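A small model of the behaviour iLya describes in his two posts above (a plain ping is sourced from the egress interface's own address, and the far side must hold a return route for that address; an extended ping lets you pick the source), as an added example that is not part of the thread. The routers, addresses and routes are constructed to mirror his lab setup (CPE with a default route over Serial0, a remote router with a static route back to the CPE LAN and a default route to an unmodelled upstream), not taken from the poster's config.

```python
"""Why 'ping' from a router can fail while an extended ping with an explicit
source address succeeds. Added example; every address and route below is
constructed for illustration (RFC 5737 documentation ranges)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    addr: ipaddress.IPv4Interface        # e.g. 203.0.113.6/30
    peer: Optional[str] = None           # router reached out of this interface, None = unmodelled


@dataclass
class Router:
    name: str
    ifaces: dict[str, Interface]
    # static routes as (prefix, egress interface), like "ip route ... Serial0"
    statics: list[tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)

    def owns(self, ip: ipaddress.IPv4Address) -> bool:
        return any(i.addr.ip == ip for i in self.ifaces.values())

    def egress(self, dst) -> Optional[str]:
        """Longest-prefix match across connected networks and static routes."""
        dst = ipaddress.IPv4Address(dst)
        best = None
        for name, i in self.ifaces.items():
            if dst in i.addr.network and (best is None or i.addr.network.prefixlen > best[0]):
                best = (i.addr.network.prefixlen, name)
        for net, name in self.statics:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
        return best[1] if best else None

    def default_source(self, dst) -> Optional[ipaddress.IPv4Address]:
        """What a plain ping uses as source: the egress interface's own address."""
        name = self.egress(dst)
        return self.ifaces[name].addr.ip if name else None


def deliver(routers: dict[str, Router], start: str, dst, max_hops: int = 8) -> bool:
    """Forward hop by hop until a router owns dst; False if the packet is dropped."""
    dst = ipaddress.IPv4Address(dst)
    cur = routers[start]
    for _ in range(max_hops):
        if cur.owns(dst):
            return True
        name = cur.egress(dst)
        if name is None or cur.ifaces[name].peer is None:
            return False                 # no route, or the link leads to an unmodelled upstream
        cur = routers[cur.ifaces[name].peer]
    return False


def ping(routers: dict[str, Router], src_router: str, dst, source=None) -> bool:
    """Echo must reach dst AND the reply must find its way back to the source address."""
    dst = ipaddress.IPv4Address(dst)
    src = ipaddress.IPv4Address(source) if source else routers[src_router].default_source(dst)
    if src is None or not deliver(routers, src_router, dst):
        return False
    responder = next(r.name for r in routers.values() if r.owns(dst))
    return deliver(routers, responder, src)


def build_lab(cpe_serial: str = "203.0.113.6/30") -> dict[str, Router]:
    """Constructed topology: CPE <-Serial0-> remote; remote's default route goes to an
    upstream we do not model (peer=None). Pass a wrong CPE serial address to reproduce the lab."""
    net = ipaddress.IPv4Network
    cpe = Router("cpe", {
        "FastEthernet0": Interface(ipaddress.IPv4Interface("192.168.1.3/24")),
        "Serial0": Interface(ipaddress.IPv4Interface(cpe_serial), peer="remote"),
    }, statics=[(net("0.0.0.0/0"), "Serial0")])
    remote = Router("remote", {
        "Serial0": Interface(ipaddress.IPv4Interface("203.0.113.5/30"), peer="cpe"),
        "Serial1": Interface(ipaddress.IPv4Interface("198.51.100.2/30")),      # towards upstream
        "Ethernet0": Interface(ipaddress.IPv4Interface("198.51.100.129/25")),  # ping target lives here
    }, statics=[(net("192.168.1.0/24"), "Serial0"), (net("0.0.0.0/0"), "Serial1")])
    return {"cpe": cpe, "remote": remote}


if __name__ == "__main__":
    target = "198.51.100.129"
    wrong = build_lab("203.0.113.9/30")   # CPE serial address outside the remote's /30
    print("wrong serial IP, plain ping:   ", ping(wrong, "cpe", target))
    print("wrong serial IP, source=LAN:   ", ping(wrong, "cpe", target, source="192.168.1.3"))
    print("correct serial IP, plain ping: ", ping(build_lab(), "cpe", target))
```

With the mis-addressed serial the echo still reaches the remote (the CPE's default route carries it), but the reply to 203.0.113.9 matches only the remote's default route and leaves towards the upstream, so the plain ping shows dots; sourcing from the LAN address hits the remote's static route back over Serial0 and succeeds, exactly the split the thread reports. The check that matters is the one iLya asks for: confirm the Serial0 address and mask with the far end and look at the far end's route for it.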

Here is the show ver

#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K2O3SY7-M), Version 12.1(5)YB4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support:
(c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 03-Jul-01 18:54 by ealyon
Image text-base: 0x800080E0, data-base: 0x80B7C358

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K2O3SY7-M), Version 12.1(5)YB4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

atlvpn uptime is 1 day, 8 hours, 17 minutes
System returned to ROM by power-on
System image file is "flash:c1700-k2o3sy7-mz.121-5.YB4"

cisco 1720 (MPC860) processor (revision 0x601) with 29492K/3276K bytes of memory.
Processor board ID JAD05300DSB (3943506213), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
1 Virtual Private Network (VPN) Module(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

The serial interface is a public IP, and if I turn NAT on for the LAN (inside) and the serial (outside) it will pass traffic over the internet via NAT. I am trying to set up a very basic IPSec tunnel, but from the router itself it will not pass traffic....

Adam

Reply to
amalseed

From your configuration it does not look like IPsec is activated, as it's not applied to any interface. Is it the complete config that you've posted? Have you verified the Serial interface address with upstream (see my previous post)?

Kind regards, iLya

Reply to
Charlie Root

Your IOS version is stale; it is not listed on CCO any more.

Suggest upgrading to 12.1(27b) or 12.2(34) and retest

Reply to
Merv

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.