Solved

Problem with network connectivity in one direction (pings one way not the other)

Posted on 2009-04-10
Last Modified: 2012-05-06
Can't seem to nail this issue down. Have a fairly simple setup

Internet-----R1-----R2------R3

R1 and R2 are Cisco 3550 EMI (L3) switches 12.2.
R3 is Cisco 3660 Enterprise 12.3

R1 is in BGP AS 100
R2 & R3 are in BGP AS 200 and EIGRP AS 300

R1 & R2 Running BGP
R2 & R3 Running EIGRP

Can ping between all routers (R1>R2, R1>R3, R2>R1, R2>R3) in all directions except R3 to R1. It appears that the packets are getting routed properly to R2, but no response is getting back to R3.

I'm pulling my hair out. Nothing fancy in the configs is going on. Any ideas for a cause?
0
Question by:1gtx
13 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24114105
A ping is bidirectional. Simply put, if R1 can ping R3, then R3 can ping R1.

The only thing that will cause the behavior you're describing is either a firewall or an access-list blocking the request in one direction or blocking reply in the other direction. Since there's no firewall between the two, it must be an ACL on one of the three routers. If you look, you'll probably find an ACL that is denying ICMP echo-requests or echo-replies somewhere.
0
 

Author Comment

by:1gtx
ID: 24116404
No ACLs used.

It appears to be some kind of routing problem, where the inbound packets for R3 are getting lost between R1 and R2. Can successfully ping from R3 to the inside interface of R1, but not to the outside one (a point to point link).

Maybe it involves the transition from BGP to EIGRP and 0.0.0.0?
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 500 total points
ID: 24117881
No.

Think about it like this:

R1 pings R3; Successful, right?

Step 1: R1 sends an ICMP echo-request. That packet arrives at R3.

Step 2: R3 creates an ICMP echo-reply. It checks its routing table for R1's IP address. Matches it to an entry and sends the packet out.

Now R3 pings R1: The first thing R3 does is the exact same thing it did in step 2 above but it uses an ICMP echo-request instead of an echo-reply.

Now the ONLY way this could be a routing protocol is if you're pinging the far-side IP address as opposed to the near-side IP address of the router.
0
 

Author Comment

by:1gtx
ID: 24118517
You're right--I was pinging the far side IP address not the inside one.

That leaves a routing problem.

I can ping R1, R2, and R3 from the internet.

I can ping the internet from R1 and R2, but not R3.

This seems to lead to a possible issue with the 0.0.0.0 route not propagating properly from BGP to EIGRP. Correct?

 
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24119360
Going to have to see the routing table of R3 to go any further.
0
 

Expert Comment

by:lifepro
ID: 24119480
Have you tried to trace route R3 to R1??
0

Author Comment

by:1gtx
ID: 24119680
Trace route from R3 to R1 makes the first hop to R2 but then gets lost (stars)
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 500 total points
ID: 24119754
Going to have to see the routing table of R3 to go any further.
0
 

Author Comment

by:1gtx
ID: 24120304
Show ip route for R3:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.127.127.178 to network 0.0.0.0

     X.X.0.0/32 is subnetted, 2 subnets
C       X.X.140.253 is directly connected, Loopback0
D       X.X.140.254
           [90/156160] via 10.127.127.178, 01:31:36, FastEthernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
D       10.1.1.4 [90/30720] via 10.127.127.178, 01:31:36, FastEthernet0/1
C       10.127.127.176 is directly connected, FastEthernet0/1
D*EX 0.0.0.0/0 [170/258816] via 10.127.127.178, 00:01:33, FastEthernet0/1

X.X.140.253 is loopback for R3
X.X.140.254 is loopback for R2
10.1.1.4 is PTP addr for R2 to R1
10.127.127.176 is PTP addr for R2 to R3
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24120428
Unfortunately, it's going to be rather difficult to troubleshoot without knowing the IP address you're trying to ping and what the routing table looks like.

0
 

Author Comment

by:1gtx
ID: 24120535
Pinging any address on the internet will fail for R3.

Interestingly enough, I did a debug ip packet and noticed that the IP being used as the source was the outbound interface IP of R3 (10.127.127.178) and not the loopback address for R3 (which I thought was normal?!).

Lo and behold if you change the source IP for ping command on R3 to X.X.140.253 (the loopback addr for R3) pinging the internet from R3 works!

So I guess a quick and dirty approach would be to change the default source address for R3 to the loopback address. Though I'm not sure how to do that.

0
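
An added example, not part of the thread or any poster's code: a router-originated ping is sourced by default from the address of the outgoing interface, so this script parses R3's posted routing table and reports which connected networks fall in RFC 1918 space. It assumes the 10.127.127.176/30 link has no return route from the internet, which the thread does not confirm; 198.51.100.x is a constructed stand-in for the masked X.X.140.x prefix.

```python
import ipaddress
import re

# R3's "show ip route" body from the thread. The page masks the public prefix
# as X.X.140.x; 198.51.100.x is a constructed stand-in for it.
SHOW_IP_ROUTE = """\
     198.51.0.0/32 is subnetted, 2 subnets
C       198.51.100.253 is directly connected, Loopback0
D       198.51.100.254
           [90/156160] via 10.127.127.178, 01:31:36, FastEthernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
D       10.1.1.4 [90/30720] via 10.127.127.178, 01:31:36, FastEthernet0/1
C       10.127.127.176 is directly connected, FastEthernet0/1
D*EX 0.0.0.0/0 [170/258816] via 10.127.127.178, 00:01:33, FastEthernet0/1
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def connected_networks(text):
    """Map interface -> connected network; mask comes from the parent 'is subnetted' line."""
    nets, plen = {}, None
    for line in text.splitlines():
        parent = re.match(r"\s+\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted", line)
        if parent:
            plen = int(parent.group(1))
            continue
        conn = re.match(r"C\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))? is directly connected, (\S+)", line)
        if conn:
            length = conn.group(2) or plen
            nets[conn.group(3)] = ipaddress.ip_network(f"{conn.group(1)}/{length}")
    return nets

def default_route_interface(text):
    """Interface named on the 0.0.0.0/0 line (the gateway of last resort)."""
    m = re.search(r"^\S+\s+0\.0\.0\.0/0 .*, (\S+)$", text, re.MULTILINE)
    return m.group(1) if m else None

def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918)

def source_report(text):
    """List (interface, network, rfc1918?, default egress?) per connected network."""
    egress = default_route_interface(text)
    return [(i, str(n), is_rfc1918(n), i == egress) for i, n in connected_networks(text).items()]

if __name__ == "__main__":
    for iface, net, private, egress in source_report(SHOW_IP_ROUTE):
        note = "default ping source" if egress else "usable with 'ping ... source'"
        print(f"{iface:16} {net:20} rfc1918={private!s:5} {note}")
```

On the posted table, the only interface carrying the default route sits in 10.127.127.176/30, while Loopback0 holds the non-RFC 1918 address.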
 

Accepted Solution

by:
1gtx earned 0 total points
ID: 24120673
The quickest solution was to change the PTP network address for R2 to R3 to a subnet under X.X.140.X instead of 10.127.127.176. That worked!

Though I still don't really understand why this was a problem, I'll take a viable fix any day. I'm awarding the point for the help.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24121788
Once again... Impossible to say anything without knowing the addresses.
0
