Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Network Problems

Posted on 2009-05-06
13
Medium Priority
?
338 Views
Last Modified: 2012-06-27
I have a customer who is unabe to ping an IP address thru VPN tunnel  The VPN tunnel is up and running and shows traffic flowing between the two sites.  I have captured some packets with tcpdump on the internal interface of the FW.  I notice that there are arp reply error messages.  Does this seem to be a Layer 2 issue?


tcpdump: listening on eth1
10:49:14.330460 arcagent-adams > 10.1.30.254: icmp: arcagent-adams udp port syslog unreachable [tos 0xc0]
10:49:15.339944 arp reply 10.1.30.87 is-at 0:c:76:1b:b8:20
10:49:19.630313 arp reply 10.1.30.91 is-at 0:1b:d3:18:98:be
10:49:20.137804 arp who-has 10.1.30.254 tell 10.1.30.65
10:49:20.739895 arp reply 10.1.30.2 is-at 0:11:25:e8:6f:d9
10:49:25.170102 arp reply 10.1.30.65 is-at 0:d:56:f2:a4:14
10:49:26.580106 arp reply 10.1.30.70 is-at 0:d:61:5e:a2:5f
10:49:29.142056 arp who-has 10.1.30.254 tell 10.1.30.9
10:49:29.143180 arp who-has 10.1.30.254 tell 10.1.30.9
10:49:32.140139 arp reply 10.1.30.80 is-at 0:8:54:3:a3:1d
10:49:35.330048 arp reply 10.1.30.74 is-at 0:d:61:80:1a:7b
10:49:37.590327 arp reply 10.1.30.86 is-at 0:11:11:99:c4:64
10:49:39.580428 arp reply 10.1.30.92 is-at 0:1d:92:bc:7:be
10:49:39.780125 arp reply 10.1.30.71 is-at 0:c:f1:86:e5:2f
10:49:41.142391 arp who-has 10.1.30.254 tell 10.1.30.94
10:49:41.145515 arp who-has 10.1.30.254 tell 10.1.30.94
10:49:42.920047 arp reply 10.1.30.62 is-at 0:c:f1:b6:cd:97

17 packets received by filter
0 packets dropped by kernel
[Expert@fccgate1]#
0
Comment
Question by:hotrod_952
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
  • 2
  • +1
13 Comments
 
LVL 5

Expert Comment

by:louislietaer
ID: 24315182
It certainly due to a route problem. Could you tell me more about the entiere ip configurations
0
 

Author Comment

by:hotrod_952
ID: 24316060
Customer mention they can access the internet but can't access a particular server through the VPN tunnel.  Other machines within the network can access the server thru VPN tunnel.  Rules are setup to allow all 10.1.30.0 subnet access thru VPN tunnel.  I notice the machines that show "arp-whois" are the machines that having the issue.  I can ping the machines except 10.1.30.9 from the FW.  Should I add a route on the machine or FW?
0
 
LVL 8

Expert Comment

by:halejr1
ID: 24316619
what is 10.1.30.9 and did you mean arp who-has?

It looks like you may have some arp caching issues either on a router / firewall or other intermediate device, or on the local host.

machine a - can ping IP address of remote server
machine b - cannot ping IP address of remote server
machine b - is on the same subnet as machine a
machine b - has unique but same ip configuration for local network interface

is this a fair characterization of your problem?  

I am going to be out of pocket for a few hours, hopefully louis can help you but if not I will look at it when I return.

Cheers.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Expert Comment

by:louislietaer
ID: 24316628
Can the particular server ping the client thru vpn ?

have you tried the tracert or traceroute command from this particular server to vpn client ?
0
 
LVL 1

Accepted Solution

by:
alamow earned 1000 total points
ID: 24317200
From what I see you are actually saying that is not an issue in a single machine but multiple machines.  If this is the case, we already know it's not hardware because you can actually connect to the VPN.  It's not routing because those machines with the problem are able to connect to other services on the server.  If all machines are on the same network and some of then can ping the server I would suggest checking your firewall rules just in case you are not blocking ping for some machines, sometimes a lot of changes have been done on the FW and one forgets to remove things like that which drive you crazy later on.

If that is not the case, it sounds to me that you have some other FW blocking ping.  Check the server and make sure it does not has a FW and if it does disable it and test.  If the server is OK you may want to disable the FW on the machine just to test it; I really don't think the FW on the machine will do a different because the ping request is originated from that machine.

Just in case, to enable ping on your firewall you must allow this:

echo-reply
source-quench
unreachable
time-exceeded

This allows only the required status messages to traverse the FW, others may be malicious:

Check this info for the ASA/PIX CISCO FW:

http://cco.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
0
 

Author Comment

by:hotrod_952
ID: 24325344
Also, the customer mention that they are trying to download files from an internal site at a remote location thru their VPN tunnel.  All other VPN tunnel traffic is working great.  I ran the tcpdump from the internal interface of the FW.  This is where I see the arp-who is messages.  Whenever I ran the tcpdump on the external interface of FW there where no arp-who is messages.  Any suggestions are needed.
0
 

Author Comment

by:hotrod_952
ID: 24357507
This happen to be a DNS-related issue.  The DNS server needed an entry added.
0
 

Author Comment

by:hotrod_952
ID: 24357537
DNS issue
0
 
LVL 8

Expert Comment

by:halejr1
ID: 24360736
HR... glad you got it worked out... internal DNS?  

Congrats!
0
 

Author Comment

by:hotrod_952
ID: 24385180
Closing
0
 

Author Closing Comment

by:hotrod_952
ID: 31578468
DNS issue
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question