Routing Problems on a hosted MPLS network 1 site.

I'll break this down briefly.

1 Corporate site (Main Hub/Internet), 17 sites, all communicating fine on an SBC legacy network.
Cisco 1700s
1 Site in Hawaii with a VPN Tunnel to our corporate site.
TZ 180 Wireless Standard (Hawaii) <-----> PRO 2040 Standard (Corporate)

We swapped over to a new AT&T MPLS network since our old one was getting disconnected.
1 Corporate site, 18 Sites communicating fine
Cisco 1800s
Hawaii site, I can ping the router. I can ping the sonicwall. No other devices show up.
I re-configured the VPN Tunnel to use local IP addresses as a temporary fix. I need to get this fixed.

The sonicwall in Hawaii looks like this -
TWC (Cable modem) Coming into the Wan, Lan port going to main switch
Cisco 1800 going into the same switch with all the other devices.

I'd immediately think routes on the sonicwall.
But... I tried unplugging the Sonicwall from the network and only using the AT&T router, and was only able to communicate with it.

I had AT&T double check the routes on the router to match all the sites, they re-confirmed that it was 100% functional and on our side.
I double checked the LAN routes
I double checked the firewall rules to make sure nothing was getting blocked (unless I'm missing anything)

Static routes LAN  (Corporate)  (Hawaii)

Both sides show up in the routing table
Nothing is showing up on the firewall to block the traffic on the Hawaii side.

I'm stumped.
Hydroscape (Author) commented:
I ended up figuring out a way to fix this, I tried giving Jmegger points for the effort and attempt.

I bypassed the sonicwall like I tried before and plugged the cisco 1800 directly into the switch. I then powered off the switch and back on and all the devices started to show up.. seems it was holding some data even after I swapped off of the firewall/sonicwall.
John Meggers (Network Architect) commented:
I have a bunch of questions which may help to clarify your situation.  

First, I'm interpreting that the VPN tunnel is active, and you can ping some devices on the other end of the tunnel, correct?  Are you actually advertising routes over the tunnel, or using statics and techniques like reverse-route injection?  If you're advertising routes, what protocol, is an adjacency being formed, etc.?  

What devices terminate the VPN tunnel?  Is it the Sonicwall in Hawaii, or the Cisco 1800?  It sounds a bit like the tunnel is passing through the Sonicwall and terminating on the Cisco.

I'm not sure I'm understanding the static routes you posted.  Is the subnet located at the corporate network, and located in Hawaii?   Are you saying you have a static route at corporate that says to get to Hawaii (.90.x), use .1.99 as the next-hop IP?  

Routing across IPSec tunnels typically doesn't work with dynamic protocols unless you use GRE tunnels or something like that to encapsulate the multicast traffic.  That's part of the reason techniques like RRI were developed.  
Hydroscape (Author) commented:
I am able to ping all devices across the VPN.
Operating on the MVPN, I am only able to ping the sonicwall, and the router.
I am unsure if I am specifically advertising the routes; I just added static routes to the Sonicwall. I saw the options to do so... and didn't mess with it.

Time Warner Cable (Internet) into the WAN on the sonicwall
Ethernet cable to a switch from the LAN of the sonicwall
Switch also has the cisco 1800 on the same switch

Bonded T1s into a switch A outside the firewall
(Phone system has to be outside of the firewall)
Single ethernet cable from switch A into the WAN on the sonicwall.
Single Ethernet cable from the sonicwall into Switch B (Behind the firewall)
Switch B also has the Cisco 2800 plugged into it, which should be operating as the MVPN as Hawaii is (Corporate)

Yes, I added a static route to try to direct traffic.

I'm not too familiar with GRE, IPSec, RRI. Only what I can learn from google.


John Meggers (Network Architect) commented:
If the VPN is terminating on the Cisco devices (passing through the firewalls while still encrypted), you should be able to look in the Cisco configuration to see if it's doing RRI.  The command will look like:

crypto map mymap 1 ipsec-isakmp
   set peer a.b.c.d
   set transform-set esp-3des-sha
   match address xxx
   ! RRI is in use when the crypto map entry also carries this line
   reverse-route

I've never set up a VPN like that.  I expect it could work, but it does introduce a question about where routes are being advertised.  Typically the firewall is the gateway, and hosts on the inside LAN are configured to point to that gateway.  I know the Cisco ASA will not do a redirect (can't speak to the Sonicwall), so if traffic arrives at the ASA but the ASA doesn't terminate the VPN, traffic won't get redirected back to the router that does terminate the VPN.  Again, I don't know how the Sonicwall operates.  Is there a reason you chose to use something other than the Sonicwalls to create the VPN tunnel?
Hydroscape (Author) commented:
I've tried removing the sonicwall from the equation in Hawaii and still can only hit the router.

AT&T offers an MPLS/MVPN type network that removes the need for another piece of equipment. It gives it a dedicated line, as opposed to using the internet lines, to keep the VPN stable. We've been using that type of network for our other sites; with the new network we decided to add the last branch.
John Meggers (Network Architect) commented:
>> I've tried removing the sonicwall from the equation in Hawaii and still can only hit the router.

By this I assume you mean you can reach the 1800 which is on the other side of the Sonicwall. But you can't reach anything else on that subnet?  What default gateway are the other devices using?  Are they pointing at the Sonicwall?  If so, you may be running into the redirect issue I mentioned above.
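As an added illustration of the gateway/redirect point raised in the reply above (not code from the thread), here is a small Python model of next-hop selection on the Hawaii LAN. The addresses are constructed, since the thread does not give the real subnets; it shows why a host whose default gateway is the Sonicwall can ping the 1800 (same subnet) yet never reach the corporate LAN unless the Sonicwall holds a static route sending corporate traffic back to the 1800, or the host's gateway is the 1800 itself.

```python
import ipaddress

# Constructed addresses (the thread never gives the real subnets):
# Hawaii LAN 192.0.2.0/24 with the Sonicwall at .1, the Cisco 1800 at .2 and
# a workstation at .50; the corporate LAN 198.51.100.0/24 sits behind the 1800.
HAWAII_LAN = ipaddress.ip_network("192.0.2.0/24")
CORP_LAN = ipaddress.ip_network("198.51.100.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
SONICWALL, CISCO_1800, HOST = "192.0.2.1", "192.0.2.2", "192.0.2.50"

# Ways a packet can leave the LAN instead of going to another LAN device.
EXITS = {"connected", "internet", "mpls", "no-route"}


def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop) entries."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return "no-route"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(dst, host_gateway, sonicwall_static):
    """Follow a packet from HOST to dst. Returns (path, exit): the LAN devices
    that handled it and how it finally left the LAN. No device ever sends an
    ICMP redirect, so the host keeps using host_gateway for off-LAN traffic."""
    tables = {
        HOST: [(HAWAII_LAN, "connected"), (DEFAULT, host_gateway)],
        # Sonicwall: LAN is directly connected, everything else goes out the
        # cable WAN unless a static route for corporate points at the 1800.
        SONICWALL: [(HAWAII_LAN, "connected"), (DEFAULT, "internet")]
        + ([(CORP_LAN, CISCO_1800)] if sonicwall_static else []),
        # AT&T router: LAN is directly connected, corporate is reached via MPLS.
        CISCO_1800: [(HAWAII_LAN, "connected"), (CORP_LAN, "mpls")],
    }
    path, device, seen = [], HOST, set()
    while device not in EXITS:
        if device in seen:  # guard against a routing loop
            return path, "loop"
        if device not in tables:  # next hop is not a device we model
            return path, "no-route"
        seen.add(device)
        path.append(device)
        device = lookup(tables[device], dst)
    return path, device
```

Pinging the 1800 is delivered on the connected subnet without touching any gateway, while corporate-bound traffic via the Sonicwall exits to the internet unless the static route toward the 1800 is present.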
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.