Can't Ping remote devices through P2P connection.

I have a P2P connection via Frame-Relay between two offices.

From the router on each end, I can ping everything on the LAN interface of the router. I can even ping the firewall interface for the LAN, but I can't ping an outside IP address.

But from those same routers and from the LAN those routers are connected, I can ping the LAN interface of the remote router, but I can't ping anything connected to the LAN interface on the remote router.

I've attached a rough topomap of the network with IP's. Notice the dividing line between the routers. That's an imaginary boundry of how far I can ping, with the exception of being able to ping the remote routers LAN interface, I can't ping anything beyond that.

I've also included pertinent router config regarding routing of data and IP setup of each interface. I only included the topo map for reference. I don't want the complexity of the network to confuse the issue, and I can't even ping the firewall interface directly connected to each router.
SKMBT-C30009121606340.pdf
router1.doc
router2.doc
LVL 5
sardiskanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
rharland2009Commented:
Let's see some traceroutes from the workstations on each LAN trying to a) reach the other router via the FR circuit; and b) get to 4.2.2.2 or some other persistent Internet resource. Let's not sweat the router's pinging behavior just yet, but find out where the packets are dropping from the workstations.
0
 
sardiskanAuthor Commented:
That's easy. I've already done traceroutes. They all stop at the remote routers FR interface. In this example 10.10.100.1 and 10.10.100.2 depending on which side of the line you are coming from.

Here is a traceroute from my PC to the LAN interface of the remote router:
traceroute 176.30.20.130
traceroute to 176.30.20.130 (176.30.20.130), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  1.123 ms  0.348 ms  0.206 ms
 2  176.30.20.120 (176.30.20.120)  1.111 ms  0.769 ms  0.962 ms
 3  176.30.20.130 (176.30.20.130)  17.354 ms  17.187 ms  17.465 ms

And here is a traceroute to the firewall the remote route is directly connected to:
traceroute 176.30.20.129
traceroute to 176.30.20.129 (176.30.20.129), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  0.561 ms  0.284 ms  0.198 ms
 2  176.30.20.120 (176.30.20.120)  0.835 ms  0.866 ms  1.017 ms
 3  10.10.100.2 (10.10.100.2)  16.888 ms  16.704 ms  16.979 ms
 4  *

It will look the same from the remote side...but the trace will stop at 10.10.100.1 which is the FR interface for the LAN where I'm located.
0
 
Don JohnstonInstructorCommented:
The firewall at 176.30.20.129 is missing a route to the 172.30.20.0/25 network

and

The firewall at 176.30.20.172.30.20.1 is missing a route to the 172.30.20.128/25 network
 
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
sardiskanAuthor Commented:
Ok, I realized I had the static route wrong in the 172.30.20.1 and 176.30.20.1 firewall. I also realized I did NOT have a static route in the 176.30.20.129 firewall at all. Here is what I've done.

I've created the static routes on the 176.30.20.129 firewall to the 172.30.20.0/25 network and fixed the route on the 172.30.20.1 that routes to 172.30.20.128/25 network.

The result is this. A PC on the 172.30.20.128/25 network can ping the remote firewall interface now:

tracert 176.30.20.1

Tracing route to 176.30.20.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.30.20.129
  2     1 ms     1 ms     1 ms  176.30.20.130
  3    17 ms    17 ms    17 ms  10.10.100.1
  4    18 ms    18 ms    18 ms  176.30.20.1

Trace complete.

I still cannot ping from the 172.30.20.0/25 network to a device on the remote network.

traceroute 176.30.20.129
traceroute to 176.30.20.129 (176.30.20.129), 64 hops max, 52 byte packets
 1  172.30.20.1 (172.30.20.1)  2.600 ms  0.284 ms  0.250 ms
 2  176.30.20.120 (176.30.20.120)  0.892 ms  0.942 ms  0.970 ms
 3  10.10.100.2 (10.10.100.2)  16.912 ms  16.694 ms  16.980 ms
 4  *

Also, I still cannot ping from the router on either side to the firewall the remote router is connected to nor anything else on that network.
0
 
rharland2009Commented:
What are the static routes on the firewall at the 172.30.20.0/25 location?
0
 
sardiskanAuthor Commented:
Static Routes on Firewall 172.30.20.0/25:

172.30.20.128/25    176.30.20.120                  
176.30.20.128/25    176.30.20.120

Static Routes on Firewall 176.30.20.129

10.1.1.0/25                  176.30.20.130
172.30.20.0/25         176.30.20.130
176.30.20.0/25         176.30.20.130
0
 
rharland2009Commented:
Okay.

Your second trace is from the router. You want to make sure that you're emulating a packet originating from the LAN at that location and you can do that using extended functions of ping on the router.

Info here:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml#correct_src

If you're already doing this, please disregard. If not, ping with source extension and post results.




0
 
rharland2009Commented:
Routes needed on FW1:

Default pointing to internet
172.30.20.128/25 via 176.30.20.120
176.30.20.128/25 via 176.30.20.120

Routes needed on RTR1:

172.30.20.128/25 via 10.10.100.2
172.30.20.0/25 via 176.30.20.1
176.30.20.128/25 via 10.10.100.2

Routes needed on FW2:

Default pointing to internet
172.30.20.0/25 via 176.30.20.130
176.30.20.0/25 via 176.30.20.130

Routes needed on RTR2:

172.30.20.0/25 via 10.10.100.1
172.30.20.128/25 via 176.30.20.129
176.30.20.0/25 via 10.10.100.1

This is based on a LAN at location #1 of 172.30.20.0/25 and a LAN at location #2 of 172.30.20.128/25.



0
 
sardiskanAuthor Commented:
The second trace is not from a router, but from a linux machine. That's why it's traceroute instead of tracert.

Ok, from router IP 176.30.20.130, I can ping the firewall the remote router is connected to using the extended ping and setting the source IP as 176.30.20.128 (firewall). But I still cannot ping from the 176.30.20.120 router to the LAN segment of the remote router at 176.30.20.130.

It's like the traffic is one way now. On the side with router 176.30.20.120, I can't ping anything on the remote side. But on the side with router 176.30.20.130, I can ping everything on the remote side. I just can't figure out what I'm missing. Anyone let me know if you need any output.

Also, as a side note, can you explain why, from the routers, I can't just do a straight ping to a remote device instead of having to set the source? Wouldn't the source be the interface it left out of? I mean, I can ping local IP's from the router fine...it's only when pinging accross the WAN to the remote router that I have to use extended ping.
0
 
sardiskanAuthor Commented:
OMG, there was a firewall rule in place on the interface of the remote router on network 172.30.20.128/25. Now I can ping from the 172.30.20.0/25 network all the way to the 172.30.20.128/25 network. Thanks to all the helped. My issue was a combination of incorrect routes in my firewall and firewall rules that were not suppose to be there. Jeepers!
0
 
sardiskanAuthor Commented:
Experts did very well to push me in the right direction.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.