hotrod_952
asked on
Network Problems
I have a customer who is unable to ping an IP address thru VPN tunnel. The VPN tunnel is up and running and shows traffic flowing between the two sites. I have captured some packets with tcpdump on the internal interface of the FW. I notice that there are arp reply error messages. Does this seem to be a Layer 2 issue?
tcpdump: listening on eth1
10:49:14.330460 arcagent-adams > 10.1.30.254: icmp: arcagent-adams udp port syslog unreachable [tos 0xc0]
10:49:15.339944 arp reply 10.1.30.87 is-at 0:c:76:1b:b8:20
10:49:19.630313 arp reply 10.1.30.91 is-at 0:1b:d3:18:98:be
10:49:20.137804 arp who-has 10.1.30.254 tell 10.1.30.65
10:49:20.739895 arp reply 10.1.30.2 is-at 0:11:25:e8:6f:d9
10:49:25.170102 arp reply 10.1.30.65 is-at 0:d:56:f2:a4:14
10:49:26.580106 arp reply 10.1.30.70 is-at 0:d:61:5e:a2:5f
10:49:29.142056 arp who-has 10.1.30.254 tell 10.1.30.9
10:49:29.143180 arp who-has 10.1.30.254 tell 10.1.30.9
10:49:32.140139 arp reply 10.1.30.80 is-at 0:8:54:3:a3:1d
10:49:35.330048 arp reply 10.1.30.74 is-at 0:d:61:80:1a:7b
10:49:37.590327 arp reply 10.1.30.86 is-at 0:11:11:99:c4:64
10:49:39.580428 arp reply 10.1.30.92 is-at 0:1d:92:bc:7:be
10:49:39.780125 arp reply 10.1.30.71 is-at 0:c:f1:86:e5:2f
10:49:41.142391 arp who-has 10.1.30.254 tell 10.1.30.94
10:49:41.145515 arp who-has 10.1.30.254 tell 10.1.30.94
10:49:42.920047 arp reply 10.1.30.62 is-at 0:c:f1:b6:cd:97
17 packets received by filter
0 packets dropped by kernel
[Expert@fccgate1]#
It is certainly due to a route problem. Could you tell me more about the entire IP configurations?
ASKER
Customer mentions they can access the internet but can't access a particular server through the VPN tunnel. Other machines within the network can access the server thru VPN tunnel. Rules are set up to allow all 10.1.30.0 subnet access thru VPN tunnel. I notice the machines that show "arp-whois" are the machines that are having the issue. I can ping the machines except 10.1.30.9 from the FW. Should I add a route on the machine or FW?
what is 10.1.30.9 and did you mean arp who-has?
It looks like you may have some arp caching issues either on a router / firewall or other intermediate device, or on the local host.
machine a - can ping IP address of remote server
machine b - cannot ping IP address of remote server
machine b - is on the same subnet as machine a
machine b - has unique but same ip configuration for local network interface
is this a fair characterization of your problem?
I am going to be out of pocket for a few hours, hopefully louis can help you but if not I will look at it when I return.
Cheers.
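The capture in the question and the "arp caching" answer above both come down to the same check: which hosts are asking for an address, whether anything answers, and whether any address is claimed by more than one MAC. The script below is an added example written for this thread, not code from the original posts; it parses `arp who-has` / `arp reply` lines in the format tcpdump prints and reports unanswered targets, repeated requests (ARP retries), and IP/MAC conflicts. The sample capture is constructed from the lines in the question plus one extra reply with a placeholder locally administered MAC (`02:00:00:00:00:01`) to show the conflict check. Note that ARP replies are unicast, so a capture taken on a machine that is neither the requester nor the target normally shows the broadcast requests but not the replies; a "missing" reply in that case is expected, not a fault.

```python
"""Summarise ARP traffic from a tcpdump text capture.

Added example for the thread above (not from the original posts).
Reports three things worth checking when a host cannot reach its gateway:
  * targets that are asked for but never answered within the capture,
  * requesters that repeat the same question (ARP retries),
  * IPs claimed by more than one MAC (misconfiguration or spoofing).
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample modelled on the tcpdump output in the question.
# The last line is an invented conflicting reply using a placeholder MAC.
SAMPLE_CAPTURE = """\
10:49:14.330460 arcagent-adams > 10.1.30.254: icmp: arcagent-adams udp port syslog unreachable [tos 0xc0]
10:49:15.339944 arp reply 10.1.30.87 is-at 0:c:76:1b:b8:20
10:49:20.137804 arp who-has 10.1.30.254 tell 10.1.30.65
10:49:25.170102 arp reply 10.1.30.65 is-at 0:d:56:f2:a4:14
10:49:29.142056 arp who-has 10.1.30.254 tell 10.1.30.9
10:49:29.143180 arp who-has 10.1.30.254 tell 10.1.30.9
10:49:41.142391 arp who-has 10.1.30.254 tell 10.1.30.94
10:49:42.920047 arp reply 10.1.30.62 is-at 0:c:f1:b6:cd:97
10:49:43.000000 arp reply 10.1.30.62 is-at 02:00:00:00:00:01
"""

WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")


def parse_arp(capture_text):
    """Return tuples ('request', target, requester) or ('reply', ip, mac).

    Non-ARP lines (e.g. the ICMP line) are ignored.
    """
    records = []
    for line in capture_text.splitlines():
        m = WHO_HAS.search(line)
        if m:
            records.append(("request", m.group(1), m.group(2)))
            continue
        m = REPLY.search(line)
        if m:
            records.append(("reply", m.group(1), m.group(2)))
    return records


def unanswered_targets(records):
    """Map each requested IP that never appears in a reply to its requesters."""
    answered = {ip for kind, ip, _ in records if kind == "reply"}
    askers = defaultdict(set)
    for kind, target, requester in records:
        if kind == "request" and target not in answered:
            askers[target].add(requester)
    return {t: sorted(r, key=ip_address) for t, r in askers.items()}


def arp_retries(records):
    """(requester, target) pairs that asked more than once: ARP retries."""
    counts = Counter((req, tgt) for kind, tgt, req in records if kind == "request")
    return {pair: n for pair, n in counts.items() if n > 1}


def ip_mac_conflicts(records):
    """IPs for which replies advertised more than one MAC address."""
    macs = defaultdict(set)
    for kind, ip, mac in records:
        if kind == "reply":
            macs[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


if __name__ == "__main__":
    recs = parse_arp(SAMPLE_CAPTURE)
    print("unanswered targets:", unanswered_targets(recs))
    print("retries:", arp_retries(recs))
    print("ip/mac conflicts:", ip_mac_conflicts(recs))
```

To use it on a real capture, read the text output of `tcpdump -n -i <iface> arp` into `parse_arp` instead of `SAMPLE_CAPTURE`; the `-n` flag keeps addresses numeric so the regexes match. Retries from the same host for the gateway, as seen for 10.1.30.9 here, are the pattern to correlate with the hosts the customer reports as broken.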
Can the particular server ping the client thru vpn ?
have you tried the tracert or traceroute command from this particular server to vpn client ?
ASKER
Also, the customer mentions that they are trying to download files from an internal site at a remote location thru their VPN tunnel. All other VPN tunnel traffic is working great. I ran the tcpdump from the internal interface of the FW. This is where I see the arp who-has messages. Whenever I ran the tcpdump on the external interface of the FW there were no arp who-has messages. Any suggestions are needed.
ASKER
This happened to be a DNS-related issue. The DNS server needed an entry added.
ASKER
DNS issue
HR... glad you got it worked out... internal DNS?
Congrats!
ASKER
Closing