Solved

IP VPN - One Way Ping

Posted on 2009-12-20
Last Modified: 2013-12-29
Hi,
I have two sites connected over IP VPN using 2811 routers. I can ping as shown below:

Using Public IPs:
ROUTER A CAN PING ROUTER B
ROUTER B CAN PING ROUTER A

Using Internal IPs:
ROUTER A CAN PING ROUTER B
ROUTER B CANNOT PING ROUTER A

ROUTER A: image is IPBASE
ROUTER B: Image is SPServicesK9
0
Question by:pkabbas
11 Comments
 
LVL 2

Expert Comment

by:gtdriver94
ID: 26090718
Need more information. Show a copy of the running config pls.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26090761
Are you saying you are using the internal address as the source of the ping with the destination of the other router's public IP? Check the route table on each router to confirm what routes each is seeing.  

Also make sure you don't have a firewall rule or ACL causing a block of this traffic in that direction.
0
 

Author Comment

by:pkabbas
ID: 26094592
Below is ROUTER A details
---------------------------------
NH_IP_VPN#show run
Building configuration...

Current configuration : 1504 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NH_IP_VPN
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$f3eV$dPVvvbp0KxnWmK.7bf8xk.
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
!
username admin password 7 00021F1F175A06075E781B19
!
!
!
interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.70 255.255.254.0
 duplex auto
 speed auto
!
interface Serial0/2/0
 no ip address
 shutdown
 clockrate 2000000
!
router ospf 1
 router-id 192.168.100.2
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 192.168.2.0 255.255.254.0 192.168.3.10
ip route 192.168.4.0 255.255.255.0 192.168.3.10
ip route 192.168.11.0 255.255.255.0 192.168.3.10
ip route 192.168.101.0 255.255.255.0 192.168.100.1
ip route 192.168.102.0 255.255.255.0 192.168.100.1
ip route 192.168.103.0 255.255.255.0 192.168.100.1
ip route 192.168.145.0 255.255.255.0 192.168.101.2
!
ip http server
!
!
control-plane
!
!
line con 0
 password 7 110F151C0413060D55737C73
 logging synchronous
 login local
line aux 0
line vty 0 4
 password 7 060003385F4F0418544E455C
 logging synchronous
 login local
!
end

NH_IP_VPN#show ver
Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 26-Oct-05 08:42 by evmiller

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

NH_IP_VPN uptime is 1 day, 2 hours, 26 minutes
System returned to ROM by reload at 05:32:45 UTC Sun Dec 20 2009
System image file is "flash:c2801-ipbase-mz.124-1c.bin"

Cisco 2801 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID FCZ111911MW
2 FastEthernet interfaces
1 Serial(sync/async) interface
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

NH_IP_VPN#
NH_IP_VPN#show hard
Cisco IOS Software, 2801 Software (C2801-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 26-Oct-05 08:42 by evmiller

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

NH_IP_VPN uptime is 1 day, 2 hours, 26 minutes
System returned to ROM by reload at 05:32:45 UTC Sun Dec 20 2009
System image file is "flash:c2801-ipbase-mz.124-1c.bin"

Cisco 2801 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID FCZ111911MW
2 FastEthernet interfaces
1 Serial(sync/async) interface
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
-------------------------------------------------------------------------------------
BELOW IS ROUTER B
------------------------------------------------------------
show run
Building configuration...


Current configuration : 1479 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RO_2800
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$HLTn$uVjJiUVPBMssgO4S4Cj.K1
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
username cisco privilege 15 password 7 00171605165E1F475C731F
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.101.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.145.5 255.255.255.0
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
router ospf 1
 router-id 192.168.101.2
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 192.168.101.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ip route 192.168.2.0 255.255.254.0 192.168.101.1
ip route 192.168.100.0 255.255.255.0 192.168.101.1
ip route 192.168.102.0 255.255.255.0 192.168.101.1
ip route 192.168.103.0 255.255.255.0 192.168.101.1
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 06150A225E4B1D58564541
 logging synchronous
 login
line vty 5 15
 password 7 04480E051D24580F5A4B56
 logging synchronous
 login
!
scheduler allocate 20000 1000
!
end

RO_2800#        
RO_2800#show rin   inv
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811         , VID: V07 , SN: FCZ134271C3

NAME: "WAN Interface Card - ATM (With ADSL module) on Slot 0 SubSlot 0", DESCR: "WAN Interface Card - ATM (With ADSL module)"
PID: WIC-1ADSL=        , VID: 2.3, SN: FOC13274721


RO_2800#
RO_2800#show hard
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 14:01 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

RO_2800 uptime is 10 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-spservicesk9-mz.124-15.T10.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.50) with 251904K/10240K bytes of memory.
Processor board ID FCZ134271C3
2 FastEthernet interfaces
1 ATM interface
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
0
 
LVL 2

Expert Comment

by:gtdriver94
ID: 26096629
Make sure you save your config.

Try changing your static route on router B from
ip route 192.168.2.0 255.255.254.0 192.168.101.1
to
ip route 192.168.2.0 255.255.254.0 192.168.100.2

That should get the ping over to router A.
0
 

Author Comment

by:pkabbas
ID: 26102156
I tried that. It did not help. I did a tracert and found that the packet is being dropped at 192.168.101.1 (ISP Gateway) from Router B.

Regards,
0
 
LVL 2

Expert Comment

by:gtdriver94
ID: 26105546
Based on your tests it appears they have allowed traffic from 192.168.101.0 (Router B external) to 192.168.100.0 (Router A external).
Can you ping 192.168.3.70 (Router A internal) from 192.168.101.2 (Router B external)?

It appears then that the router with IP 192.168.101.1 may be blocking your ping. Keep in mind that most access-lists have implicit denies - meaning that if there is not an entry in the access-list specifically allowing certain traffic then it will be dropped. Contact the administrator responsible for configuring that router and verify traffic from 192.168.145.0 can communicate with 192.168.2.0.
0
 

Author Comment

by:pkabbas
ID: 26110228
I was checking with local ISP here and they are saying there is no access list for your traffic. They said, "It seems you have some issue with OSPF configuration."

So can you please look at the OSPF configuration and see if anything seems missing?

Regards,
0
 
LVL 2

Expert Comment

by:gtdriver94
ID: 26114073
You have OSPF enabled but you also have static routes defined. Let's see what the routers see.

Please do a "show ip route" on each router and post results.
0
 

Author Comment

by:pkabbas
ID: 26117798
Hi,

I removed some routes and changed the internal IPs, trying different things, but nothing worked. At the end I have posted the config from both:

ROUTER B
---------------:
!
interface FastEthernet0/0
 description **to IP_VPN **
 ip address 192.168.101.2 255.255.255.252
 ip ospf mtu-ignore
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ***Connected-To-FWDMZ***
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
router ospf 1
 router-id 192.168.101.2
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 10.10.10.0 0.0.0.255 area 0
 network 192.168.92.0 0.0.0.255 area 0
 network 192.168.101.0 0.0.0.3 area 0
!
ip forward-protocol nd
ip route 192.168.93.0 255.255.255.0 192.168.92.2
ip route 192.168.94.0 255.255.255.0 192.168.92.2
ip route 192.168.95.0 255.255.255.0 192.168.92.2
!




ROUTER B#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.102.0/30 is subnetted, 1 subnets
O E2    192.168.102.0 [110/1] via 192.168.101.1, 21:41:18, FastEthernet0/0
     192.168.103.0/30 is subnetted, 1 subnets
O       192.168.103.0 [110/51] via 192.168.101.1, 21:41:18, FastEthernet0/0
     192.168.100.0/30 is subnetted, 1 subnets
O       192.168.100.0 [110/51] via 192.168.101.1, 21:41:18, FastEthernet0/0
     192.168.101.0/30 is subnetted, 1 subnets
C       192.168.101.0 is directly connected, FastEthernet0/0




Router A:
-------------------
!
interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf mtu-ignore
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.17.1.1 255.255.0.0
 duplex auto
 speed auto
!
interface Serial0/2/0
 no ip address
 shutdown
 clockrate 2000000
!
router ospf 1
 router-id 192.168.100.2
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 172.17.0.0 0.0.255.255 area 0
 network 192.168.3.70 0.0.0.0 area 0
 network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 192.168.2.0 255.255.254.0 192.168.3.10
ip route 192.168.4.0 255.255.255.0 192.168.3.10
ip route 192.168.11.0 255.255.255.0 192.168.3.10
ip route 192.168.101.0 255.255.255.0 192.168.100.1
ip route 192.168.102.0 255.255.255.0 192.168.100.1
ip route 192.168.103.0 255.255.255.0 192.168.100.1
ip route 192.168.145.0 255.255.255.0 192.168.101.2
!
ip http server
!


ROUTER A#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.100.1 to network 0.0.0.0

S    192.168.145.0/24 [1/0] via 192.168.101.2
C    172.17.0.0/16 is directly connected, FastEthernet0/1
S    192.168.102.0/24 [1/0] via 192.168.100.1
S    192.168.103.0/24 [1/0] via 192.168.100.1
     192.168.100.0/30 is subnetted, 1 subnets
C       192.168.100.0 is directly connected, FastEthernet0/0
S    192.168.101.0/24 [1/0] via 192.168.100.1
S*   0.0.0.0/0 [1/0] via 192.168.100.1



0
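As an added example (not part of the original thread), the Python sketch below parses the two `show ip route` listings from the post above and does a longest-prefix lookup for each router's new inside address, 172.17.1.1 on Router A and 10.10.10.1 on Router B. The function names are hypothetical, the tables are abridged copies of the posted output, and recursive next-hop resolution is not modelled.

```python
import ipaddress
import re

HEADER = re.compile(r"^\s+[\d.]+/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(
    r"^(?P<code>\S[\S ]*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"(?:\[\d+/\d+\] via (?P<via>[\d.]+)|is directly connected, (?P<ifc>\S+))")

def parse_routes(text):
    """Parse IOS 'show ip route' text into (network, code, next hop or interface)."""
    routes, inherited = [], None
    for line in text.splitlines():
        if (header := HEADER.match(line)):
            inherited = header.group(1)   # child lines of this header omit the mask
            continue
        m = ROUTE.match(line)
        plen = m and (m.group("len") or inherited)
        if plen:
            net = ipaddress.ip_network(f"{m.group('net')}/{plen}")
            routes.append((net, m.group("code"), m.group("via") or m.group("ifc")))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; None means no route, so the router drops the packet."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

# Abridged from the post above: legend and the 192.168.102.0/103.0 entries left out.
ROUTER_B = """\
     192.168.100.0/30 is subnetted, 1 subnets
O       192.168.100.0 [110/51] via 192.168.101.1, 21:41:18, FastEthernet0/0
     192.168.101.0/30 is subnetted, 1 subnets
C       192.168.101.0 is directly connected, FastEthernet0/0
"""
ROUTER_A = """\
S    192.168.145.0/24 [1/0] via 192.168.101.2
C    172.17.0.0/16 is directly connected, FastEthernet0/1
     192.168.100.0/30 is subnetted, 1 subnets
C       192.168.100.0 is directly connected, FastEthernet0/0
S    192.168.101.0/24 [1/0] via 192.168.100.1
S*   0.0.0.0/0 [1/0] via 192.168.100.1
"""

if __name__ == "__main__":
    for name, table, dst in [("B", ROUTER_B, "172.17.1.1"), ("A", ROUTER_A, "10.10.10.1")]:
        print(f"Router {name} -> {dst}:", lookup(parse_routes(table), dst))
```

On the posted tables, Router B returns no match for 172.17.1.1 (its gateway of last resort is not set), while Router A reaches 10.10.10.1 only through its default route to 192.168.100.1.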
 

Accepted Solution

by:
pkabbas earned 0 total points
ID: 26164853
Hi,

The issue has been fixed after resetting the devices and configuring from scratch. Well, I don't know what the issue was, but somehow it worked.
0
 
LVL 2

Expert Comment

by:gtdriver94
ID: 26173384
You reconfigured from scratch and don't know what resolved your issue?

You also said that you had the routers connected over "IP VPN", yet there are no VPN tunnels set up on these routers. Can you ask the person who configured the routers if they know what the issue was?

Thanks a bunch
0
