Routing Problems on a hosted MPLS network 1 site.

Posted on 2011-05-04
Last Modified: 2012-05-11
I'll break this down briefly.

1 Corporate site (Main Hub/Internet), 17 sites, all communicating fine on an SBC legacy network.
Cisco 1700s
1 Site in Hawaii with a VPN Tunnel to our corporate site.
TZ 180 Wireless Standard (Hawaii) <-----> PRO 2040 Standard (Corporate)

We swapped over to a new AT&T MPLS network since our old one was getting disconnected.
1 Corporate site, 18 sites communicating fine
Cisco 1800s
Hawaii site, I can ping the router. I can ping the sonicwall. No other devices show up.
I re-configured the VPN Tunnel to use local IP addresses as a temporary fix. I need to get this fixed.

The sonicwall in Hawaii looks like this -
TWC (Cable modem) Coming into the Wan, Lan port going to main switch
Cisco 1800 going into the same switch with all the other devices.

I'd immediately think routes on the sonicwall, but I tried unplugging the sonicwall from the network and only using the AT&T router, and was only able to communicate with it.

I had AT&T double check the routes on the router to match all the sites, they re-confirmed that it was 100% functional and on our side.
I double checked the LAN routes
I double checked the firewall rules to make sure nothing was getting blocked (unless I'm missing anything)

Static routes LAN  (Corporate)  (Hawaii)

Both sides show up in the routing table
Nothing is showing up on the firewall to block the traffic on the Hawaii side.

I'm stumped.
Question by: Hydroscape
    LVL 18

    Expert Comment

    I have a bunch of questions which may help to clarify your situation.  

    First, I'm interpreting that the VPN tunnel is active, and you can ping some devices on the other end of the tunnel, correct?  Are you actually advertising routes over the tunnel, or using statics and techniques like reverse-route injection?  If you're advertising routes, what protocol, is an adjacency being formed, etc.?  

    What devices terminate the VPN tunnel?  Is it the Sonicwall in Hawaii, or the Cisco 1800?  It sounds a bit like the tunnel is passing through the Sonicwall and terminating on the Cisco.

    I'm not sure I'm understanding the static routes you posted.  Is the subnet located at the corporate network, and located in Hawaii?   Are you saying you have a static route at corporate that says to get to Hawaii (.90.x), use .1.99 as the next-hop IP?  

    Routing across IPSec tunnels typically doesn't work with dynamic protocols unless you use GRE tunnels or something like that to encapsulate the multicast traffic.  That's part of the reason techniques like RRI were developed.  
    LVL 1

    Author Comment

    I am able to ping all devices across the VPN.
    Operating on the MVPN, I am only able to ping the sonicwall, and the router.
    I am unsure if I am specifically advertising the routes, I just added static routes to the sonicwall. I saw the options to do so, and didn't mess with it.

    Time Warner Cable (Internet) into the WAN on the sonicwall
    Ethernet cable to a switch from the LAN of the sonicwall
    Switch also has the cisco 1800 on the same switch

    Bonded T1s into a switch A outside the firewall
    (Phone system has to be outside of the firewall)
    Single ethernet cable from switch A into the WAN on the sonicwall.
    Single Ethernet cable from the sonicwall into Switch B (Behind the firewall)
    Switch B also has the Cisco 2800 plugged into it that should be operating as the MVPN. Is Hawaii, is Corporate

    Yes, I added a static route to try to direct traffic.

    I'm not too familiar with GRE, IPSec, RRI. Only what I can learn from google.

    LVL 18

    Expert Comment

    If the VPN is terminating on the Cisco devices (passing through the firewalls while still encrypted), you should be able to look in the Cisco configuration to see if it's doing RRI.  The command will look like:

    crypto map mymap 1 ipsec-isakmp
       set peer a.b.c.d
       set transform-set esp-3des-sha
       match address xxx

    I've never set up a VPN like that.  I expect it could work, but it does introduce a question about where routes are being advertised.  Typically the firewall is the gateway, and hosts on the inside LAN are configured to point to that gateway.  I know the Cisco ASA will not do a redirect (can't speak to the Sonicwall), so if traffic arrives at the ASA but the ASA doesn't terminate the VPN, traffic won't get redirected back to the router that does terminate the VPN.  Again, I don't know how the Sonicwall operates.  Is there a reason you chose to use something other than the Sonicwalls to create the VPN tunnel?
    LVL 1

    Author Comment

    I've tried removing the sonicwall from the equation in Hawaii and still can only hit the router.

    AT&T offers an MPLS/MVPN type network that removes the need for another piece of equipment. It gives it a dedicated line as opposed to using the internet lines to keep the VPN stable. We've been using that type of network for our other sites; with the new network we decided to add the last branch.
    LVL 18

    Expert Comment

    >> I've tried removing the sonicwall from the equation in Hawaii and still can only hit the router.

    By this I assume you mean you can reach the 1800 which is on the other side of the Sonicwall. But you can't reach anything else on that subnet?  What default gateway are the other devices using?  Are they pointing at the Sonicwall?  If so, you may be running into the redirect issue I mentioned above.
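The redirect question raised in the comment above comes down to a hop-by-hop forwarding decision: each device does a longest-prefix match on its own table, and a host whose default gateway is the firewall never sees the MPLS router unless something sends it there. The following script is an added example, not code from this thread or from AT&T/SonicWall; the subnets (192.168.90.0/24 for Hawaii, 192.168.1.0/24 for corporate), device names and routing tables are constructed to mirror the description in the thread, and the model deliberately does not send ICMP redirects, matching the ASA behaviour described above.

```python
# Added example: hop-by-hop forwarding walk over constructed routing tables.
# All addresses and device names are constructed placeholders, not from the thread.
import copy
import ipaddress

# Constructed topology: hosts on the Hawaii LAN default to the SonicWall;
# the AT&T Cisco 1800 sits on the same switch and is the only device with
# a route into the MPLS cloud.  Next hops that are not themselves a table
# ("twc-internet", "mpls") are treated as exit points.
ROUTING_TABLES = {
    "host": {
        "0.0.0.0/0": "sonicwall",          # default gateway is the firewall
    },
    "sonicwall": {
        "192.168.90.0/24": "connected",    # Hawaii LAN (constructed)
        "0.0.0.0/0": "twc-internet",       # everything else out the cable WAN
    },
    "cisco1800": {
        "192.168.90.0/24": "connected",    # same Hawaii LAN
        "192.168.1.0/24": "mpls",          # corporate LAN via AT&T MPLS (constructed)
    },
}


def lookup(table, dst):
    """Longest-prefix match of dst against one device's table; None if no route."""
    best_net, best_nh = None, None
    addr = ipaddress.ip_address(dst)
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def walk(tables, start, dst, max_hops=8):
    """Follow next-hop decisions from `start` toward dst.

    Returns (path, outcome).  No device in this model issues an ICMP redirect,
    so a packet handed to the firewall stays with the firewall's decision.
    """
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh is None:
            return path, "dropped: no route at " + node
        if nh == "connected":
            return path, "delivered on-link from " + node
        path.append(nh)
        if nh not in tables:            # exit point such as the MPLS cloud
            return path, "exits via " + nh
        node = nh
    return path, "loop"


def with_static_route(tables, device, prefix, next_hop):
    """Return a copy of the tables with one static route added on `device`."""
    fixed = copy.deepcopy(tables)
    fixed[device][prefix] = next_hop
    return fixed


if __name__ == "__main__":
    corp_host, hawaii_host = "192.168.1.10", "192.168.90.25"
    # Before: a Hawaii host's reply to corporate goes to the firewall, which
    # pushes it out the cable WAN; the MPLS router is never consulted.
    print("before:", walk(ROUTING_TABLES, "host", corp_host))
    # Inbound from corporate over MPLS is fine, so the 1800 itself answers.
    print("inbound:", walk(ROUTING_TABLES, "cisco1800", hawaii_host))
    # After: a static route on the firewall pointing corporate at the 1800.
    fixed = with_static_route(ROUTING_TABLES, "sonicwall", "192.168.1.0/24", "cisco1800")
    print("after:", walk(fixed, "host", corp_host))
```

The asymmetry is the point: the inbound ping over MPLS reaches the Hawaii LAN directly from the 1800, but the host's reply follows its default gateway, so only devices that have their own route back (the 1800 and the firewall) appear to answer. Giving the host a more specific route, or the firewall a static route toward the 1800 as modelled in `with_static_route`, is the usual remedy when the gateway does not redirect.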
    LVL 67

    Expert Comment

    I've requested that this question be deleted for the following reason:

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
    LVL 1

    Accepted Solution

    I ended up figuring out a way to fix this. I tried giving Jmegger points for the effort and attempt.

    I bypassed the sonicwall like I tried before and plugged the Cisco 1800 directly into the switch. I then powered off the switch and back on, and all the devices started to show up. Seems it was holding some data even after I swapped off of the firewall/sonicwall.
