matt_l
asked on
Bad routes to certain hosts
Hello,
Here's what we're dealing with. We just finished moving our office to a new building across town. The office utilizes a T1 for data, a T1 for voice and a dedicated P2P T1 connected to our office on the east coast.
Everything is working normally with the exception of being unable to reach a few external hosts. These hosts include sites like www.linksys.com | www.dogpile.com | www.symantecstore.com | There's probably 3 dozen of them all together, but despite our best efforts, we're unable to get to them. Traces fall off just outside our network. Our ISP says they're not having any routing problems and it's something with our equipment.
We're setup with a Cisco 2600 as an inside router. This is everyones default gateway and maintains the P2P network to our East Coast Office. We have a PIX 515e setup in front of the 2600 and finally a Cisco 2509 setup as our Perimeter router. The default route for the PIX is the 2509.
Facts:
We can ping hosts like google.com
We can tracert to hosts like google.com
We have cleared our routing tables, rebooted equipment and verified that no machines (unix/windows) are running any kind of routing services.
What we have tried and how it works:
- Plugging a laptop right into the 5-port switch that sits between the e0 interface of the perimeter router and the outside interfaces of our PIX and VPN Concentrators and re-attempting to get to the remote hosts yield no success.
- Replacing the 2509 with our cold spare and re-loading the configuration - stripped down, no access-lists except to permit all traffic. No Success.
-Trying a traceroute or ping from the s0 interface on our perimeter router to these unavailable hosts yields no success. They drop immediately.
- HOWEVER - If we add a static route to a remote host (in the perimeter router) and tell it to use the default route, we can get to the remote host. Gah!
This raises the question: Why isn't the router using it's default route to try and get to these hosts? There's nothing in the config telling it to use something else. Why is traffic destined for certain hosts not using the default route on the perimeter router?
When I take a look at the routes in the perimeter router it showes the following:
#sh ip route
Gateway of last resort is AA.BBB.CC.9 to network 0.0.0.0
AA.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C AA.BBB.XXX.0/24 is directly connected, Ethernet0
C AA.BBB.CC.9/32 is directly connected, Serial0
C AA.BBB.CC.8/30 is directly connected, Serial0
S* 0.0.0.0/0 [1/0] via AA.BBB.CC.9
#
AA.BBB.XXX.1 is the address assigned to the e0 interface on the internet router
AA.BBB.CC.10 is the address assigned to the s0 interface on the internet router.
AA.BBB.CC.9 is configured as the default route for the internet router
Why is AA.BBB.CC.8 shown as directly connected? Our ISP says that's normal, but I'm not so sure. If I change the default route to .8 everything still works as before. Internet traffic as normal with the exception of the same certain hosts.
I'm open to suggestions :)
Here's what we're dealing with. We just finished moving our office to a new building across town. The office utilizes a T1 for data, a T1 for voice and a dedicated P2P T1 connected to our office on the east coast.
Everything is working normally with the exception of being unable to reach a few external hosts. These hosts include sites like www.linksys.com | www.dogpile.com | www.symantecstore.com | There's probably 3 dozen of them all together, but despite our best efforts, we're unable to get to them. Traces fall off just outside our network. Our ISP says they're not having any routing problems and it's something with our equipment.
We're setup with a Cisco 2600 as an inside router. This is everyones default gateway and maintains the P2P network to our East Coast Office. We have a PIX 515e setup in front of the 2600 and finally a Cisco 2509 setup as our Perimeter router. The default route for the PIX is the 2509.
Facts:
We can ping hosts like google.com
We can tracert to hosts like google.com
We have cleared our routing tables, rebooted equipment and verified that no machines (unix/windows) are running any kind of routing services.
What we have tried and how it works:
- Plugging a laptop right into the 5-port switch that sits between the e0 interface of the perimeter router and the outside interfaces of our PIX and VPN Concentrators and re-attempting to get to the remote hosts yield no success.
- Replacing the 2509 with our cold spare and re-loading the configuration - stripped down, no access-lists except to permit all traffic. No Success.
-Trying a traceroute or ping from the s0 interface on our perimeter router to these unavailable hosts yields no success. They drop immediately.
- HOWEVER - If we add a static route to a remote host (in the perimeter router) and tell it to use the default route, we can get to the remote host. Gah!
This raises the question: Why isn't the router using it's default route to try and get to these hosts? There's nothing in the config telling it to use something else. Why is traffic destined for certain hosts not using the default route on the perimeter router?
When I take a look at the routes in the perimeter router it showes the following:
#sh ip route
Gateway of last resort is AA.BBB.CC.9 to network 0.0.0.0
AA.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C AA.BBB.XXX.0/24 is directly connected, Ethernet0
C AA.BBB.CC.9/32 is directly connected, Serial0
C AA.BBB.CC.8/30 is directly connected, Serial0
S* 0.0.0.0/0 [1/0] via AA.BBB.CC.9
#
AA.BBB.XXX.1 is the address assigned to the e0 interface on the internet router
AA.BBB.CC.10 is the address assigned to the s0 interface on the internet router.
AA.BBB.CC.9 is configured as the default route for the internet router
Why is AA.BBB.CC.8 shown as directly connected? Our ISP says that's normal, but I'm not so sure. If I change the default route to .8 everything still works as before. Internet traffic as normal with the exception of the same certain hosts.
I'm open to suggestions :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Do you have "sysopt noproxyarp" enabled on the PIX?
Do you have "no proxy arp" entered on the Ethernet port of the perimeter router?
I suspect that you have the /32 IP addresses inversed on the serial interface..
aa.bb.cc.8 / 30 = network ID
aa.bb.cc.9 /32 = host ID
aa.bb.cc.10 /32 = host ID
I suspect that you have .9 assigned to your interface, subnet mask 255.255.255.252
and your default route points to your own ip?
interface ser 0
ip address aa.bb.cc.9 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.9
Do you have "no proxy arp" entered on the Ethernet port of the perimeter router?
I suspect that you have the /32 IP addresses inversed on the serial interface..
aa.bb.cc.8 / 30 = network ID
aa.bb.cc.9 /32 = host ID
aa.bb.cc.10 /32 = host ID
I suspect that you have .9 assigned to your interface, subnet mask 255.255.255.252
and your default route points to your own ip?
interface ser 0
ip address aa.bb.cc.9 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.9
That little bugger gets all of us at one time or another..
Real bear to troubleshoot, too....
Glad you're working now!
- Cheers!
Real bear to troubleshoot, too....
Glad you're working now!
- Cheers!
ASKER
I'm going to go kill myself now.
Thanks! :)