Solved

Can't Ping remote devices through P2P connection.

Posted on 2009-12-17
Last Modified: 2013-12-12
I have a P2P connection via Frame-Relay between two offices.

From the router on each end, I can ping everything on the LAN interface of the router. I can even ping the firewall interface for the LAN, but I can't ping an outside IP address.

But from those same routers and from the LAN those routers are connected to, I can ping the LAN interface of the remote router, but I can't ping anything connected to the LAN interface on the remote router.

I've attached a rough topomap of the network with IPs. Notice the dividing line between the routers. That's an imaginary boundary of how far I can ping; with the exception of being able to ping the remote router's LAN interface, I can't ping anything beyond that.

I've also included pertinent router config regarding routing of data and IP setup of each interface. I only included the topo map for reference. I don't want the complexity of the network to confuse the issue, and I can't even ping the firewall interface directly connected to each router.
SKMBT-C30009121606340.pdf
router1.doc
router2.doc
Question by:sardiskan
11 Comments
 
LVL 11

Expert Comment

by:rharland2009
ID: 26072570
Let's see some traceroutes from the workstations on each LAN trying to a) reach the other router via the FR circuit; and b) get to 4.2.2.2 or some other persistent Internet resource. Let's not sweat the router's pinging behavior just yet, but find out where the packets are dropping from the workstations.
0
 
LVL 5

Author Comment

by:sardiskan
ID: 26072647
That's easy. I've already done traceroutes. They all stop at the remote router's FR interface. In this example 10.10.100.1 and 10.10.100.2 depending on which side of the line you are coming from.

Here is a traceroute from my PC to the LAN interface of the remote router:
traceroute 176.30.20.130
traceroute to 176.30.20.130 (176.30.20.130), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  1.123 ms  0.348 ms  0.206 ms
 2  176.30.20.120 (176.30.20.120)  1.111 ms  0.769 ms  0.962 ms
 3  176.30.20.130 (176.30.20.130)  17.354 ms  17.187 ms  17.465 ms

And here is a traceroute to the firewall the remote router is directly connected to:
traceroute 176.30.20.129
traceroute to 176.30.20.129 (176.30.20.129), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  0.561 ms  0.284 ms  0.198 ms
 2  176.30.20.120 (176.30.20.120)  0.835 ms  0.866 ms  1.017 ms
 3  10.10.100.2 (10.10.100.2)  16.888 ms  16.704 ms  16.979 ms
 4  *

It will look the same from the remote side...but the trace will stop at 10.10.100.1 which is the FR interface for the LAN where I'm located.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 1800 total points
ID: 26072817
The firewall at 176.30.20.129 is missing a route to the 172.30.20.0/25 network

and

The firewall at 176.30.20.172.30.20.1 is missing a route to the 172.30.20.128/25 network
 
0
 
LVL 5

Author Comment

by:sardiskan
ID: 26073399
Ok, I realized I had the static route wrong in the 172.30.20.1 and 176.30.20.1 firewall. I also realized I did NOT have a static route in the 176.30.20.129 firewall at all. Here is what I've done.

I've created the static routes on the 176.30.20.129 firewall to the 172.30.20.0/25 network and fixed the route on the 172.30.20.1 that routes to 172.30.20.128/25 network.

The result is this. A PC on the 172.30.20.128/25 network can ping the remote firewall interface now:

tracert 176.30.20.1

Tracing route to 176.30.20.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.30.20.129
  2     1 ms     1 ms     1 ms  176.30.20.130
  3    17 ms    17 ms    17 ms  10.10.100.1
  4    18 ms    18 ms    18 ms  176.30.20.1

Trace complete.

I still cannot ping from the 172.30.20.0/25 network to a device on the remote network.

traceroute 176.30.20.129
traceroute to 176.30.20.129 (176.30.20.129), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  2.600 ms  0.284 ms  0.250 ms
 2  176.30.20.120 (176.30.20.120)  0.892 ms  0.942 ms  0.970 ms
 3  10.10.100.2 (10.10.100.2)  16.912 ms  16.694 ms  16.980 ms
 4  *

Also, I still cannot ping from the router on either side to the firewall the remote router is connected to nor anything else on that network.
0
 
LVL 11

Expert Comment

by:rharland2009
ID: 26073463
What are the static routes on the firewall at the 172.30.20.0/25 location?
0
 
LVL 5

Author Comment

by:sardiskan
ID: 26073595
Static Routes on Firewall 172.30.20.0/25:

172.30.20.128/25    176.30.20.120
176.30.20.128/25    176.30.20.120

Static Routes on Firewall 176.30.20.129:

10.1.1.0/25         176.30.20.130
172.30.20.0/25      176.30.20.130
176.30.20.0/25      176.30.20.130
0
 
LVL 11

Expert Comment

by:rharland2009
ID: 26073885
Okay.

Your second trace is from the router. You want to make sure that you're emulating a packet originating from the LAN at that location and you can do that using extended functions of ping on the router.

Info here:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml#correct_src

If you're already doing this, please disregard. If not, ping with source extension and post results.




0
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 200 total points
ID: 26074177
Routes needed on FW1:

Default pointing to internet
172.30.20.128/25 via 176.30.20.120
176.30.20.128/25 via 176.30.20.120

Routes needed on RTR1:

172.30.20.128/25 via 10.10.100.2
172.30.20.0/25 via 176.30.20.1
176.30.20.128/25 via 10.10.100.2

Routes needed on FW2:

Default pointing to internet
172.30.20.0/25 via 176.30.20.130
176.30.20.0/25 via 176.30.20.130

Routes needed on RTR2:

172.30.20.0/25 via 10.10.100.1
172.30.20.128/25 via 176.30.20.129
176.30.20.0/25 via 10.10.100.1

This is based on a LAN at location #1 of 172.30.20.0/25 and a LAN at location #2 of 172.30.20.128/25.



0
 
LVL 5

Author Comment

by:sardiskan
ID: 26074249
The second trace is not from a router, but from a Linux machine. That's why it's traceroute instead of tracert.

Ok, from router IP 176.30.20.130, I can ping the firewall the remote router is connected to using the extended ping and setting the source IP as 176.30.20.128 (firewall). But I still cannot ping from the 176.30.20.120 router to the LAN segment of the remote router at 176.30.20.130.

It's like the traffic is one way now. On the side with router 176.30.20.120, I can't ping anything on the remote side. But on the side with router 176.30.20.130, I can ping everything on the remote side. I just can't figure out what I'm missing. Anyone let me know if you need any output.

Also, as a side note, can you explain why, from the routers, I can't just do a straight ping to a remote device instead of having to set the source? Wouldn't the source be the interface it left out of? I mean, I can ping local IPs from the router fine...it's only when pinging across the WAN to the remote router that I have to use extended ping.
0
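The route lists in the assisted solution, and the question above about why a router needs extended ping, can both be checked mechanically. This added example (not code from the thread) walks an echo request and its reply hop by hop with longest-prefix matching. Assumptions: the /30 mask on the 10.10.100.x link, the host address 172.30.20.50, and all function names.

```python
import copy
import ipaddress as ip
# Addresses are the thread's; the /30 on the Frame-Relay link is an assumption.
OWNER = {"176.30.20.1": "FW1", "176.30.20.120": "RTR1", "10.10.100.1": "RTR1",
         "10.10.100.2": "RTR2", "176.30.20.130": "RTR2", "176.30.20.129": "FW2"}
CONNECTED = {"FW1": ["172.30.20.0/25", "176.30.20.0/25"],
             "RTR1": ["176.30.20.0/25", "10.10.100.0/30"],
             "RTR2": ["10.10.100.0/30", "176.30.20.128/25"],
             "FW2": ["176.30.20.128/25", "172.30.20.128/25"]}
# Static routes as listed in the assisted solution; "internet" is the default route.
STATIC = {
    "FW1": {"0.0.0.0/0": "internet", "172.30.20.128/25": "176.30.20.120",
            "176.30.20.128/25": "176.30.20.120"},
    "RTR1": {"172.30.20.128/25": "10.10.100.2", "172.30.20.0/25": "176.30.20.1",
             "176.30.20.128/25": "10.10.100.2"},
    "FW2": {"0.0.0.0/0": "internet", "172.30.20.0/25": "176.30.20.130",
            "176.30.20.0/25": "176.30.20.130"},
    "RTR2": {"172.30.20.0/25": "10.10.100.1", "172.30.20.128/25": "176.30.20.129",
             "176.30.20.0/25": "10.10.100.1"},
}
BROKEN = copy.deepcopy(STATIC)  # original fault: FW2 lacks the route back
del BROKEN["FW2"]["172.30.20.0/25"]

def next_hop(dev, dst, static):
    """Longest-prefix match over one device's connected and static routes."""
    routes = {net: "connected" for net in CONNECTED[dev]}
    routes.update(static[dev])
    hits = [n for n in routes if ip.ip_address(dst) in ip.ip_network(n)]
    return routes[max(hits, key=lambda n: ip.ip_network(n).prefixlen)] if hits else None

def walk(dev, dst, static):
    """Follow one packet hop by hop; return 'delivered' or where it is lost."""
    for _ in range(8):  # hop limit guards against a routing loop
        hop = next_hop(dev, dst, static)
        if hop is None:
            return f"no route on {dev}"
        if hop in ("connected", "internet"):
            return "delivered" if hop == "connected" else f"{dev} default route"
        dev = OWNER[hop]
    return "routing loop"

def ping(src_dev, src_ip, dst_dev, dst_ip, static=STATIC):
    """Echo request path and echo reply path; both must be 'delivered'."""
    return walk(src_dev, dst_ip, static), walk(dst_dev, src_ip, static)

if __name__ == "__main__":
    print(ping("FW1", "172.30.20.50", "FW2", "176.30.20.129", BROKEN))  # constructed host
    print(ping("RTR1", "10.10.100.1", "FW2", "176.30.20.129"))    # default source address
    print(ping("RTR1", "176.30.20.120", "FW2", "176.30.20.129"))  # extended ping, LAN source
```

The model covers routing only: a filtering rule like the one found at the end of this thread still drops traffic on a path it reports as delivered.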
 
LVL 5

Author Comment

by:sardiskan
ID: 26074689
OMG, there was a firewall rule in place on the interface of the remote router on network 172.30.20.128/25. Now I can ping from the 172.30.20.0/25 network all the way to the 172.30.20.128/25 network. Thanks to all that helped. My issue was a combination of incorrect routes in my firewall and firewall rules that were not supposed to be there. Jeepers!
0
 
LVL 5

Author Closing Comment

by:sardiskan
ID: 31667323
Experts did very well to push me in the right direction.
0
