Solved

Internal routing issue (related to EIGRP?)

Posted on 2009-04-23
Last Modified: 2013-12-12
Good morning,
I have a bit of a baffling issue that perhaps a Cisco professional can assist me with. I work for a bank that has a data center and DR site set up for VM replication across a dedicated 3MBps IPSEC tunnel link with ASA5505 at each endpoint. This tunnel is supposed to be exclusive to a certain range of private IP addresses (within two distinct subnets) to exchange data back and forth across the tunnel (using synchronization and/or replication technologies). These two sites are also supported by frame relay for normal business/production traffic (DR site is also a branch office). Normally we pass traffic across the frame using our internal Cisco 2600 routers and this works fine. However, we have also set up an IPSEC (site to site) tunnel between the firewalls at both sites to exclusively tunnel traffic originating from a specified range in one subnet (10.246.52.140-149) whose destination is within a different subnet (10.246.55.146-148). The local subnets for both of these sites are 10.246.52.0/24 and 10.246.55.0/24.

So here is our problem. We are experiencing some sort of internal routing issue whereby local hosts on the 52.x subnet can contact (ping, rdp, etc) all hosts contained within their local subnet, including those defined as source addresses for the IPSEC tunnel; they can also properly route traffic originating from the source to destination addresses through the tunnel. These are both desirable and working on the 52.x subnet.
However, when we move over to hosts on the 55.x subnet, they cannot contact any IP addresses which are defined as destination hosts routed through the tunnel (in other words outside of the frame). Therefore, a local host on the 55.x subnet, say with an IP address of 10.246.55.16, cannot contact a host specified as a destination host tunneled by a static route on the 52.x source router, EVEN THOUGH the 2 hosts attempting to contact each other in testing are essentially on the same local subnet (55.16 ---> 55.148).

Both routers are using EIGRP 1 with redistribute static and redistribute connected to learn their neighbors' routes. I have attached the configs of both internal frame routers where I believe the internal routing issue exists. Please keep in mind that the IPSEC tunnel has been verified and tested and does pass traffic correctly routed to it through the tunnel.

PLEASE HELP, any guidance is appreciated.
mohawk2600.txt
utica2600.txt
Question by:dfaz
5 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24214946
They are not on the same subnet.  The traffic will follow some routed path, even if it goes over the VPN.

What is the result of a traceroute?

Author Comment

by:dfaz
ID: 24215211
Traceroute for the hosts on the 52.x subnet to any other host on the 55.x subnet exclusive of those that are supposed to be routed down the VPN tunnel are to the frame routers as they should be. Traceroute to the specified destinations on the 55.x subnet that are supposed to be routed through the IPSEC tunnel are over the ASA firewall as they should be.
However, on the 55.x subnet, traceroutes to other 55.x hosts are locally connected and correct. The problem is when you traceroute to the IP addresses (10.246.55.148) defined as static routes on the 52.x router (to route traffic to those destinations through the IPSEC tunnel): the route for any local host (55.x) connecting to that address (55.148), which should also be locally connected, is through the frame relay back to the 55.2 router, where it is passed by static route into the firewall. Shouldn't it be treating it as a locally connected address (just like other 55.x hosts)? Why is it routing traffic on the same subnet just because this IP address is defined in a static route on a remote router to have traffic passed TO it?

ping 10.246.55.148 ---> 10.246.55.1 --> 10.247.251.133 --> into the ASA FW (no reply)
     (on same sn        (internal if of   (frame if of
      as workstation)    frame router)     52.x router)
LVL 28

Expert Comment

by:asavener
ID: 24215803
Disable proxy arp on the frame routers.

Author Comment

by:dfaz
ID: 24216381
Excellent call asavener!! Now as a bit of knowledge transfer could you briefly explain to me what was happening and why. I appreciate it.
LVL 28

Accepted Solution

by: asavener earned 2000 total points
ID: 24216779
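As an added illustration of the mechanism behind asavener's proxy-ARP diagnosis (this is not text from any participant in the thread, and not the accepted solution's wording, which the page does not reproduce): the 52.x router's static host route for 10.246.55.148 is redistributed into EIGRP, so the 55.x frame router learns a /32 for a host that actually sits on its own LAN, with the frame link as egress. Longest-prefix match makes that /32 beat the connected /24, and with proxy ARP enabled (the IOS default) the router answers the workstation's ARP request for 55.148 because its best route leaves via a different interface than the one the request came in on. The Python model below reproduces that lookup and decision; the interface names, the frame-link subnet and the routing table are constructed assumptions that only approximate the thread's topology.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str      # egress interface for this prefix
    source: str         # how the route was learned (constructed labels)


# Constructed routing table modelling the 55.x-side frame router from the thread
# (interface names are assumptions):
#  - the LAN /24 is directly connected on the Ethernet interface
#  - the 52.x router's static host route for 10.246.55.148 (pointing at its ASA)
#    is redistributed into EIGRP, so this router learns a /32 for a host that is
#    really on its own LAN, with the frame link as egress
ROUTES = [
    Route(ipaddress.ip_network("10.246.55.0/24"), "FastEthernet0/0", "connected"),
    Route(ipaddress.ip_network("10.246.52.0/24"), "Serial0/0", "eigrp"),
    Route(ipaddress.ip_network("10.246.55.148/32"), "Serial0/0", "eigrp"),
]


def best_route(table, dst):
    """Longest-prefix match: the lookup a router performs for a destination.

    A /32 always beats the connected /24 covering the same host, which is the
    root of the behaviour seen in the thread.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def router_answers_arp(table, in_iface, target, proxy_arp=True):
    """Would the router answer an ARP request for `target` heard on `in_iface`?

    With proxy ARP enabled the router replies with its own MAC whenever its
    best route to the target leaves via a different interface than the one the
    request arrived on. If the best route points back out the same interface,
    the target is on that segment and the router stays silent, leaving the real
    host to answer. With proxy ARP disabled it never answers for other hosts.
    """
    route = best_route(table, target)
    if route is None or route.interface == in_iface:
        return False
    return proxy_arp


def forwarding_path(table, in_iface, router_lan_ip, target, proxy_arp=True):
    """First hops a LAN workstation's traffic takes, as a list of strings.

    If the router claimed the target's address via proxy ARP, the frames go to
    the router's LAN address and out the egress interface of its best route
    (the 55.1 -> frame -> ASA path in the thread's traceroute); otherwise they
    are delivered directly on the segment.
    """
    if router_answers_arp(table, in_iface, target, proxy_arp):
        return [router_lan_ip, best_route(table, target).interface]
    return ["direct on " + in_iface]


if __name__ == "__main__":
    for enabled in (True, False):
        path = forwarding_path(ROUTES, "FastEthernet0/0", "10.246.55.1",
                               "10.246.55.148", proxy_arp=enabled)
        print("proxy-arp", "on " if enabled else "off", "->", " -> ".join(path))
```

The real 10.246.55.148 host also answers the ARP request, so the workstation's ARP cache can end up holding the router's MAC instead, and its packets then loop across the frame into the ASA as the thread's traceroute shows. The fix asavener gave corresponds to `no ip proxy-arp` under the LAN interface of each frame router (IOS interface configuration mode), which makes `router_answers_arp` return False regardless of the /32; the caveat is that any host that was silently relying on proxy ARP (for example one with a wrong subnet mask) loses connectivity once it is off, so check ARP tables on the LAN before and after the change.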