Solved

Routing Problems on a hosted MPLS network 1 site.

Posted on 2011-05-04
646 Views
Last Modified: 2012-05-11
I'll break this down briefly.

1 corporate site (main hub/Internet), 17 sites, all communicating fine on an SBC legacy network.
Cisco 1700s
1 site in Hawaii with a VPN tunnel to our corporate site.
TZ 180 Wireless Standard (Hawaii) <-----> PRO 2040 Standard (Corporate)

We swapped over to a new AT&T MPLS network since our old one was getting disconnected.
1 corporate site, 18 sites communicating fine
Cisco 1800s
Hawaii site: I can ping the router. I can ping the SonicWall. No other devices show up.
I re-configured the VPN tunnel to use local IP addresses as a temporary fix. I need to get this fixed.

The SonicWall in Hawaii looks like this:
TWC (cable modem) coming into the WAN, LAN port going to the main switch
Cisco 1800 going into the same switch with all the other devices.

I'd immediately think routes on the SonicWall.
But I tried unplugging the SonicWall from the network and only using the AT&T router, and was only able to communicate with it.

I had AT&T double check the routes on the router to match all the sites; they re-confirmed that it was 100% functional and on our side.
I double checked the LAN routes.
I double checked the firewall rules to make sure nothing was getting blocked (unless I'm missing anything).

Static routes
192.168.1.0  255.255.255.0  192.168.90.98  LAN  (Corporate)
192.168.90.0 255.255.255.0  192.168.1.99        (Hawaii)

Both sides show up in the routing table.
Nothing is showing up on the firewall to block the traffic on the Hawaii side.

I'm stumped.
Question by: Hydroscape

7 Comments
Expert Comment by: jmeggers (ID: 35699861)
I have a bunch of questions which may help to clarify your situation.

First, I'm interpreting that the VPN tunnel is active, and you can ping some devices on the other end of the tunnel, correct? Are you actually advertising routes over the tunnel, or using statics and techniques like reverse-route injection? If you're advertising routes, what protocol, is an adjacency being formed, etc.?

What devices terminate the VPN tunnel? Is it the SonicWall in Hawaii, or the Cisco 1800? It sounds a bit like the tunnel is passing through the SonicWall and terminating on the Cisco.

I'm not sure I'm understanding the static routes you posted. Is the 192.168.1.0 subnet located at the corporate network, and 192.168.90.0 located in Hawaii? Are you saying you have a static route at corporate that says to get to Hawaii (.90.x), use .1.99 as the next-hop IP?

Routing across IPsec tunnels typically doesn't work with dynamic protocols unless you use GRE tunnels or something like that to encapsulate the multicast traffic. That's part of the reason techniques like RRI were developed.

Author Comment by: Hydroscape (ID: 35700229)
I am able to ping all devices across the VPN.
Operating on the MVPN, I am only able to ping the SonicWall and the router.
I am unsure if I am specifically advertising the routes; I just added static routes to the SonicWall. I saw the options to do so, and didn't mess with it.

Hawaii
Time Warner Cable (Internet) into the WAN on the SonicWall
Ethernet cable to a switch from the LAN of the SonicWall
The Cisco 1800 is also on the same switch

Corporate
Bonded T1s into switch A outside the firewall
(Phone system has to be outside of the firewall)
Single Ethernet cable from switch A into the WAN on the SonicWall.
Single Ethernet cable from the SonicWall into switch B (behind the firewall)
Switch B also has the Cisco 2800 plugged into it that should be operating as the MVPN

192.168.1.0 is Hawaii
192.168.90.0 is Corporate

Yes, I added a static route to try to direct traffic.

I'm not too familiar with GRE, IPsec, RRI. Only what I can learn from Google.


Expert Comment by: jmeggers (ID: 35706209)
If the VPN is terminating on the Cisco devices (passing through the firewalls while still encrypted), you should be able to look in the Cisco configuration to see if it's doing RRI.  The command will look like:

crypto map mymap 1 ipsec-isakmp
   set peer a.b.c.d
   reverse-route
   set transform-set esp-3des-sha
   match address xxx

I've never set up a VPN like that. I expect it could work, but it does introduce a question about where routes are being advertised. Typically the firewall is the gateway, and hosts on the inside LAN are configured to point to that gateway. I know the Cisco ASA will not do a redirect (can't speak to the SonicWall), so if traffic arrives at the ASA but the ASA doesn't terminate the VPN, traffic won't get redirected back to the router that does terminate the VPN. Again, I don't know how the SonicWall operates. Is there a reason you chose to use something other than the SonicWalls to create the VPN tunnel?
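As an added illustration (not code from the thread or from either vendor), the following models the two sites' static routes posted above and follows a host's packet from its default gateway hop by hop, flagging the point where the firewall would have to send the packet back out the LAN port it arrived on, which is the redirect situation the previous comment raises. Device names, the hosts' addresses and the "mpls" marker for the AT&T cloud are assumptions; the .1.99 and .90.98 next hops are the ones in the question.

```python
import ipaddress

# Constructed topology for the two sites (device names and LAN addresses are
# assumed; the next hops .1.99 and .90.98 come from the posted static routes).
DEVICES = {
    "hawaii-sonicwall": {"connected": ["192.168.1.1/24"],
                         "routes": [("192.168.90.0/24", "192.168.1.99")]},
    "hawaii-1800":      {"connected": ["192.168.1.99/24"],
                         "routes": [("192.168.90.0/24", "mpls")]},
    "corp-sonicwall":   {"connected": ["192.168.90.1/24"],
                         "routes": [("192.168.1.0/24", "192.168.90.98")]},
    "corp-2800":        {"connected": ["192.168.90.98/24"],
                         "routes": [("192.168.1.0/24", "mpls")]},
}

def owner_of(ip):
    """Device that has `ip` configured on one of its interfaces, else None."""
    for name, dev in DEVICES.items():
        if any(str(ipaddress.ip_interface(c).ip) == ip for c in dev["connected"]):
            return name
    return None

def connected_net(device, ip):
    """Connected subnet of `device` that contains `ip`, or None."""
    for cidr in DEVICES[device]["connected"]:
        net = ipaddress.ip_interface(cidr).network
        if ipaddress.ip_address(ip) in net:
            return net
    return None

def trace(src_ip, gateway_ip, dst_ip):
    """Follow next hops starting at the host's default gateway. Returns a list
    of (device, next_hop, hairpin); hairpin is True when the next hop lies on
    the same subnet the packet arrived from (firewall must bounce it back out)."""
    dst = ipaddress.ip_address(dst_ip)
    device = owner_of(gateway_ip)
    arrival = connected_net(device, src_ip) if device else None
    hops = []
    while device:
        nh = next((n for p, n in DEVICES[device]["routes"]
                   if dst in ipaddress.ip_network(p)), None)
        hairpin = (nh not in (None, "mpls") and arrival is not None
                   and ipaddress.ip_address(nh) in arrival)
        hops.append((device, nh, hairpin))
        if nh in (None, "mpls"):
            break                      # entered the MPLS cloud, or no route
        device = owner_of(nh)
        arrival = connected_net(device, nh) if device else None
    return hops
```

Running `trace("192.168.1.50", "192.168.1.1", "192.168.90.20")` shows the Hawaii SonicWall hairpinning toward the 1800, while pointing the host at the 1800 directly (`gateway_ip="192.168.1.99"`) yields a single non-hairpin hop.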

Author Comment by: Hydroscape (ID: 35706282)
I've tried removing the SonicWall from the equation in Hawaii and still can only hit the router.

AT&T offers an MPLS/MVPN-type network that removes the need for another piece of equipment. It gives it a dedicated line as opposed to using the Internet lines, to keep the VPN stable. We've been using that type of network for our other sites; with the new network we decided to add the last branch.

Expert Comment by: jmeggers (ID: 35708531)
>> I've tried removing the SonicWall from the equation in Hawaii and still can only hit the router.

By this I assume you mean you can reach the 1800 which is on the other side of the SonicWall. But you can't reach anything else on that subnet? What default gateway are the other devices using? Are they pointing at the SonicWall? If so, you may be running into the redirect issue I mentioned above.

Expert Comment by: Qlemo (ID: 35927936)
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Accepted Solution by: Hydroscape (earned 2000 total points; ID: 35927937)
I ended up figuring out a way to fix this. I tried giving jmeggers points for the effort and attempt.

I bypassed the SonicWall like I tried before and plugged the Cisco 1800 directly into the switch. I then powered off the switch and back on, and all the devices started to show up. It seems it was holding some data even after I swapped off of the firewall/SonicWall.