Solved

persistent routes across WAN links

Posted on 2009-07-14
Last Modified: 2012-05-07
Good Day,

I have an interesting one for you today.  Please pardon me if I am too cryptic in my explanation.  I will do my best to explain the problem without compromising any information since this is a highly sensitive area.  We have a relationship with a third party entity that requires us to connect to their system for the sharing of information.  This is a system that has been in place for several years without any problems.  Recent upgrade and application developments have required us to expand our side of the trust.  Previously, all devices resided on the same network segment and the new server does not.  

Here is the breakdown...

Site B has a Cisco 2811 router and is touching the Metro Ethernet
Network Interface - 192.168.111.x
WAN interface - 10.10.10.x
Behind the router at Site B is a switch that connects 5 workstations to the 111.x network.
Each workstation has a secondary IP address on the 10.42.x.x network.
Each workstation has a persistent route added to the routing table that looks like this
      172.193.0.0      255.255.0.0      10.42.x.x       1
The 172.193.0.0 is the third-party's network on the other side of a satellite uplink and the 10.42.x.x address is Server B on location at Site B that serves as the gateway for the satellite uplink.  These two devices are not administered by us.  This setup is currently working.  Our problem begins when we try to add another workstation\server to the configuration.  


Site A has a Cisco 2821 router and is touching the Metro Ethernet
The network interface is 192.168.101.x
The WAN interface is 10.10.10.x
Behind the Router at Site A is Server A.
Server A is on the 101.x network
Server A also has a secondary IP address on the 10.42.x.x network.
Server A also has a persistent route added to the routing table that is identical to the workstation on Site B.

The problem:
The 10.42.x.x network does not exist anywhere else on our network except where detailed here.  The workstations on Site B are all able to talk to the satellite because they are all on the same network segment and they all have the persistent route to the satellite.  Nothing is ever routed, though there are two routes on the router at Site B that have been in place since before my time.

They are as follows:
ip route 170.193.x.x 255.255.255.255 10.42.x.x
ip route 170.193.x.x 255.255.255.255 10.42.x.x

I added the following route on both routers
ip route 10.42.x.x 255.255.255.255 192.168.101.x
Server A can now Ping Server B but cannot ping the Satellite

I added the following route to Router A
ip route 170.193.0.0 255.255.0.0 10.10.10.x (the WAN port on Router B)
Still cannot ping the Satellite from Either router or Server A

I am officially stuck.  Any thoughts?

0
Question by:CityofKerrville
9 Comments
 
LVL 3

Expert Comment

by:bmeyer1908
ID: 24852961
Can router B ping the devices at 170.193.x.x/32?  If not, make sure there is a route in the routing table on router B for the 170.193.x.x devices.  If router B has the route you may be able to get rid of the persistent route in the workstations.  I'm assuming that router B is the default gateway for the workstations.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24853491
>I am officially stuck.  Any thoughts?

This won't work.

You can not have the same network separated by a router.

Also, it's impossible to troubleshoot when you don't know the addresses on the devices. For example, the site B devices may be on the 10.42.1.0/35  network and server A server may have a 10.42.2.2/24 address. Which makes for a different solution.
0
 

Author Comment

by:CityofKerrville
ID: 24854441
This won't work.

You can not have the same network separated by a router.
Ok, so do you have any suggestions as to what will work?  And about the IP addresses, I masked those addresses on purpose for security reasons.  It is safe to assume that there is nothing tricky going on.  The 10.42.x.x network is the same on both sites.  As far as not having the same network separated by a router...I have been able to accomplish this with a simple static route
For example...
ip route 10.42.1.1 255.255.255.255 192.168.1.1
That route got me connectivity between Server A and Server B.  Now I need to get to the Satellite behind Server B on the 170.193.x.x network.  In short, with the exception of not being able to touch the Satellite on the 170.193.x.x network, this DOES work.

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24854667
You need to have a different IP network for site A. Using a host route (on every device) may work, but it's a pretty ugly work-around.

>ip route 10.42.1.1 255.255.255.255 192.168.1.1

Where was this route applied? What device is 10.42.1.1? What device is 192.168.1.1?

See what I mean? All I can do is guess what's wrong and how do correct it. I understand the need for security, but with the exception of the satellite uplink, these are all private addresses which aren't reachable from the outside world anyway.


0
 

Author Comment

by:CityofKerrville
ID: 24859014
This was just an example...so I will loosen the reins a bit
ip route 10.42.34.72 255.255.255.255 192.168.101.231
10.42.34.72 is the secondary IP address on Server A and 192.168.101.231 is the Primary IP address on Server A.
So we can see that the route below (which is in the config for BOTH routers)...
ip route 10.42.34.72 255.255.255.255 192.168.101.231
serves as nothing more than a direct route and sort of like a NAT, that routes all traffic destined for the 10.42.34.72 to the device at 192.168.101.231.  They are the same device.  
The problem is simple.  We have a happy little 10.42.34.0 network that works fine.  I now have an additional device that needs to talk on the 10.42.34.0 network, and there happens to be 2 routers between them.  I am close, but not quite close enough.  See the cmd snippet from Server A.

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.42.34.72
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IP Address. . . . . . . . . . . . : 192.168.101.231
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.101.5

C:\>ping 10.42.34.65

Pinging 10.42.34.65 with 32 bytes of data:

Reply from 10.42.34.65: bytes=32 time=1ms TTL=62
Reply from 10.42.34.65: bytes=32 time=1ms TTL=62
Reply from 10.42.34.65: bytes=32 time=1ms TTL=62
Reply from 10.42.34.65: bytes=32 time=1ms TTL=62

Ping statistics for 10.42.34.65:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\>ping 170.193.x.x

Pinging 170.193.x.x with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 170.193.x.x:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

snippet from one of the existing workstations

Pinging 170.193.x.x with 32 bytes of data:

Reply from 170.193.x.x: bytes=32 time=1615ms TTL=124
Reply from 170.193.x.x: bytes=32 time=960ms TTL=124
Reply from 170.193.x.x: bytes=32 time=945ms TTL=124
Reply from 170.193.x.x: bytes=32 time=995ms TTL=124

Ping statistics for 170.193.x.x:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 945ms, Maximum = 1615ms, Average = 1128ms

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24859150
I'm guessing that 170.193.x.x is the satellite uplink?

Does it have a route to 10.42.34.72?

Does Server B have a route to 10.42.34.72?

Once again, what you're doing is... just plain wrong. Routers separate networks. The whole reason for having them is to connect different networks. You're trying to make the same network appear in two different places with routers in between.

Bad design.
0
 

Author Comment

by:CityofKerrville
ID: 24859397
I understand what you are saying..
Poor Design - YES
Bad Practice - YES
Do I have a choice - NO
Now that we have cleared that up...Can it work...I guess the better question is can it be rigged?
>Does it have a route to 10.42.34.72?
This should be taken care of in the Static route I put in both of the routers, but does not work.  Server A cannot ping the Satellite Uplink (170.193.x.x)
>Does Server B have a route to 10.42.34.72
YES, the static route made this work.  Server A can ping Server B
The Satellite Uplink and Server B are not my equipment so there is very little I know about either of them, nor can I administer them.  I am well aware of how messy this whole setup is but I do not have a choice.  I have a Server at SITE A that needs to be a part of the 10.42.34.0 network at SITE B and still be a part of the primary network at SITE A.  What options do I have.  How can I make this work.  Moving the server is not an option.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 24860236
Here's the problem: One of the first things a device does when communicating with another device is to perform an "adjacency check" where it determines its own network and the network of the destination device. If the two devices are on the same network, it will ARP that device. If it determines the other device is on a different network, it will direct the packet to its default gateway (router) since ARP requests do not go through a router.

You've found a work-around by creating a host route on the originating device that will override the adjacency check. But if you can't create one of these on every single device that is participating in this excursion then it will fail. Also, it's possible that some platforms/OS's won't be fooled by this trick.

Having been in the situation of "you have to make this work", I understand your position. But you're still trying to put a large egg in a square hole... A bigger hammer won't work. :-)
0
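The adjacency check and the host-route override described in the accepted answer, as an added simulation that is not part of this thread. It models Server A from the ipconfig output above; the assumptions are that 10.42.34.65 is Server B's 10.42.x.x address, that the persistent route is 170.193.0.0/16 as in the router route, and 170.193.1.1 is a constructed destination standing in for the masked satellite address.

```python
import ipaddress

# Constructed model of Server A from the ipconfig output in the thread:
# one NIC with two addresses plus a default gateway.
INTERFACES = ["10.42.34.72/27", "192.168.101.231/24"]
DEFAULT_GW = "192.168.101.5"
# The persistent route from the question; 10.42.34.65 as Server B's
# 10.42.x.x address is an assumption (it is the address Server A pings).
PERSISTENT = [("170.193.0.0/16", "10.42.34.65")]

def build_table(interfaces, default_gw, static_routes=()):
    """(network, next_hop) rows; next_hop None means on-link (connected)."""
    table = [(ipaddress.ip_interface(i).network, None) for i in interfaces]
    table += [(ipaddress.ip_network(p), ipaddress.ip_address(h))
              for p, h in static_routes]
    table.append((ipaddress.ip_network("0.0.0.0/0"),
                  ipaddress.ip_address(default_gw)))
    return table

def lookup(table, dst):
    """Longest-prefix match for dst; returns (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(n, h) for n, h in table if dst in n]
    return max(hits, key=lambda m: m[0].prefixlen) if hits else None

def resolve(table, dst, depth=0):
    """The host's adjacency check: follow next hops until one is on a connected
    network; return the address the host will ARP for and the prefixes used."""
    if depth > 8:
        raise RuntimeError("recursive route loop")
    match = lookup(table, dst)
    if match is None:
        raise RuntimeError(f"no route to {dst}")
    net, hop = match
    if hop is None:                      # connected: ARP for dst itself
        return str(dst), [str(net)]
    target, path = resolve(table, hop, depth + 1)
    return target, [str(net)] + path

def without_host_route():
    """As posted: the /16 points at Server B, which the /27 says is on-link,
    so Server A ARPs for 10.42.34.65 on the Site A LAN."""
    return resolve(build_table(INTERFACES, DEFAULT_GW, PERSISTENT), "170.193.1.1")

def with_host_route():
    """Don's work-around: a /32 for Server B via the router beats the /27,
    so the frame goes to 192.168.101.5 instead of an ARP nobody answers."""
    routes = PERSISTENT + [("10.42.34.65/32", DEFAULT_GW)]
    return resolve(build_table(INTERFACES, DEFAULT_GW, routes), "170.193.1.1")
```

In the first case the ARP for 10.42.34.65 is sent on Site A's LAN, where no host owns that address, so the satellite ping only works if Router A answers by proxy ARP (Cisco IOS does this by default when it has a route); the second case removes that dependency on the originating host, which is the per-device host route the answer warns has to exist on every participant.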
 

Author Closing Comment

by:CityofKerrville
ID: 31603423
The bigger Hammer did not work.  Exploring other options.  Thanks for the help.
0
