sardiskan

Can't Ping remote devices through P2P connection.

I have a P2P connection via Frame-Relay between two offices.

From the router on each end, I can ping everything on the LAN interface of the router. I can even ping the firewall interface for the LAN, but I can't ping an outside IP address.

But from those same routers and from the LAN those routers are connected to, I can ping the LAN interface of the remote router, but I can't ping anything connected to the LAN interface on the remote router.

I've attached a rough topomap of the network with IPs. Notice the dividing line between the routers. That's an imaginary boundary of how far I can ping. With the exception of being able to ping the remote router's LAN interface, I can't ping anything beyond that.

I've also included pertinent router config regarding routing of data and IP setup of each interface. I only included the topo map for reference. I don't want the complexity of the network to confuse the issue, and I can't even ping the firewall interface directly connected to each router.
SKMBT-C30009121606340.pdf
router1.doc
router2.doc
rharland2009

Let's see some traceroutes from the workstations on each LAN trying to a) reach the other router via the FR circuit; and b) get to 4.2.2.2 or some other persistent Internet resource. Let's not sweat the router's pinging behavior just yet, but find out where the packets are dropping from the workstations.
sardiskan (ASKER)

That's easy. I've already done traceroutes. They all stop at the remote router's FR interface. In this example 10.10.100.1 and 10.10.100.2 depending on which side of the line you are coming from.

Here is a traceroute from my PC to the LAN interface of the remote router:
traceroute 176.30.20.130
traceroute to 176.30.20.130 (176.30.20.130), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  1.123 ms  0.348 ms  0.206 ms
 2  176.30.20.120 (176.30.20.120)  1.111 ms  0.769 ms  0.962 ms
 3  176.30.20.130 (176.30.20.130)  17.354 ms  17.187 ms  17.465 ms

And here is a traceroute to the firewall the remote router is directly connected to:
traceroute 176.30.20.129
traceroute to 176.30.20.129 (176.30.20.129), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  0.561 ms  0.284 ms  0.198 ms
 2  176.30.20.120 (176.30.20.120)  0.835 ms  0.866 ms  1.017 ms
 3  10.10.100.2 (10.10.100.2)  16.888 ms  16.704 ms  16.979 ms
 4  *

It will look the same from the remote side...but the trace will stop at 10.10.100.1 which is the FR interface for the LAN where I'm located.
ASKER CERTIFIED SOLUTION
Don Johnston
This solution is only available to members.
Ok, I realized I had the static route wrong in the 172.30.20.1 and 176.30.20.1 firewall. I also realized I did NOT have a static route in the 176.30.20.129 firewall at all. Here is what I've done.

I've created the static routes on the 176.30.20.129 firewall to the 172.30.20.0/25 network and fixed the route on the 172.30.20.1 that routes to 172.30.20.128/25 network.

The result is this. A PC on the 172.30.20.128/25 network can ping the remote firewall interface now:

tracert 176.30.20.1

Tracing route to 176.30.20.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.30.20.129
  2     1 ms     1 ms     1 ms  176.30.20.130
  3    17 ms    17 ms    17 ms  10.10.100.1
  4    18 ms    18 ms    18 ms  176.30.20.1

Trace complete.

I still cannot ping from the 172.30.20.0/25 network to a device on the remote network.

traceroute 176.30.20.129
traceroute to 176.30.20.129 (176.30.20.129), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  2.600 ms  0.284 ms  0.250 ms
 2  176.30.20.120 (176.30.20.120)  0.892 ms  0.942 ms  0.970 ms
 3  10.10.100.2 (10.10.100.2)  16.912 ms  16.694 ms  16.980 ms
 4  *

Also, I still cannot ping from the router on either side to the firewall the remote router is connected to nor anything else on that network.

What are the static routes on the firewall at the 172.30.20.0/25 location?

Static Routes on Firewall 172.30.20.0/25:

172.30.20.128/25    176.30.20.120
176.30.20.128/25    176.30.20.120

Static Routes on Firewall 176.30.20.129:

10.1.1.0/25         176.30.20.130
172.30.20.0/25      176.30.20.130
176.30.20.0/25      176.30.20.130

Okay.

Your second trace is from the router. You want to make sure that you're emulating a packet originating from the LAN at that location and you can do that using extended functions of ping on the router.

Info here:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml#correct_src

If you're already doing this, please disregard. If not, ping with source extension and post results.




SOLUTION
This solution is only available to members.
The second trace is not from a router, but from a Linux machine. That's why it's traceroute instead of tracert.

Ok, from router IP 176.30.20.130, I can ping the firewall the remote router is connected to using the extended ping and setting the source IP as 176.30.20.128 (firewall). But I still cannot ping from the 176.30.20.120 router to the LAN segment of the remote router at 176.30.20.130.

It's like the traffic is one way now. On the side with router 176.30.20.120, I can't ping anything on the remote side. But on the side with router 176.30.20.130, I can ping everything on the remote side. I just can't figure out what I'm missing. Anyone let me know if you need any output.

Also, as a side note, can you explain why, from the routers, I can't just do a straight ping to a remote device instead of having to set the source? Wouldn't the source be the interface it left out of? I mean, I can ping local IPs from the router fine...it's only when pinging across the WAN to the remote router that I have to use extended ping.
OMG, there was a firewall rule in place on the interface of the remote router on network 172.30.20.128/25. Now I can ping from the 172.30.20.0/25 network all the way to the 172.30.20.128/25 network. Thanks to all that helped. My issue was a combination of incorrect routes in my firewall and firewall rules that were not supposed to be there. Jeepers!
Experts did very well to push me in the right direction.
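
The side question above, why a plain ping from the router fails across the WAN while an extended ping with a LAN source works, can be reproduced with a small route-lookup model. This is an added example, not part of the original thread: the device names (fwA, r1, r2, fwB) and the simplified interface addressing are assumptions, and it relies on the Cisco IOS default of sourcing a ping from the outgoing interface, here the 10.10.100.x Frame-Relay link.

```python
import ipaddress as ip

# Constructed model (addresses are assumptions): interfaces and static routes per device.
DEVICES = {
    "fwA": {"ifaces": ["172.30.20.1/25"], "routes": {"172.30.20.128/25": "172.30.20.120"}},
    "r1": {"ifaces": ["172.30.20.120/25", "10.10.100.1/30"],
           "routes": {"172.30.20.128/25": "10.10.100.2"}},
    "r2": {"ifaces": ["172.30.20.130/25", "10.10.100.2/30"],
           "routes": {"172.30.20.0/25": "10.10.100.1"}},
    # fwB knows the remote LAN but has no route for the 10.10.100.0/30 WAN link.
    "fwB": {"ifaces": ["172.30.20.129/25"], "routes": {"172.30.20.0/25": "172.30.20.130"}},
}

def owner(addr):
    """Device holding addr on one of its interfaces, or None."""
    return next((n for n, d in DEVICES.items()
                 if any(ip.ip_interface(i).ip == addr for i in d["ifaces"])), None)

def next_hop(name, dst):
    """Longest-prefix match over connected networks and static routes."""
    dev = DEVICES[name]
    table = [(ip.ip_interface(i).network, dst) for i in dev["ifaces"]]
    table += [(ip.ip_network(p), ip.ip_address(h)) for p, h in dev["routes"].items()]
    hits = [(net.prefixlen, hop) for net, hop in table if dst in net]
    # Default routes are not modelled: no match is reported as a drop.
    return max(hits, key=lambda h: h[0])[1] if hits else None

def deliver(start, dst):
    """Forward hop by hop from device `start`; return (reached, path)."""
    dst, name, path = ip.ip_address(dst), start, [start]
    for _ in range(8):  # hop limit guards against routing loops
        if owner(dst) == name:
            return True, path
        hop = next_hop(name, dst)
        name = owner(hop) if hop is not None else None
        if name is None:
            return False, path
        path.append(name)
    return False, path

def ping(start, src, dst):
    """Echo request from `start` to dst, then the reply routed back to src."""
    ok, fwd = deliver(start, dst)
    if not ok:
        return "request dropped at " + fwd[-1]
    ok, back = deliver(owner(ip.ip_address(dst)), src)
    return "reply received" if ok else "reply dropped at " + back[-1]
```

Calling `ping("r1", "10.10.100.1", "172.30.20.129")` models the plain ping and `ping("r1", "172.30.20.120", "172.30.20.129")` the extended ping with the LAN interface as source; emptying a firewall's `routes` entry reproduces the one-way behaviour caused by a missing return route.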