Solved

Branch office cannot ping HQ's computers?

Posted on 2013-01-23
Last Modified: 2013-02-11
We have two small LANs (HQ and branch office) in different subnets connected by MPLS. Both have an IAD with two ports -- one connecting to ASA for Internet, the other to internal switch for MPLS. (Note the site-to-site traffic doesn't go through ASA.)

We just noticed that HQ can ping all computers/devices in branch while the branch can only ping HQ's two gateways but can NOT ping all other computers/devices in HQ.  What could be wrong?
 
Below is the tracert info I got: (Note the tracert timed out on #3.)

C:\>tracert 10.10.10.2    && the HQ gateway to Internet
Tracing route to 10.10.10.2 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.10.50.3
  2     9 ms     9 ms    10 ms  192.168.255.5
  3    45 ms    42 ms    42 ms  192.168.255.1
  4    51 ms    52 ms    51 ms  10.10.10.2
Trace complete.

C:\>tracert 10.10.10.3   && the HQ gateway to MPLS
Tracing route to 10.10.10.3 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.10.50.3
  2     9 ms    10 ms     9 ms  192.168.255.5
  3    42 ms    42 ms    42 ms  192.168.255.1
  4    52 ms    51 ms    52 ms  10.10.10.3
Trace complete.

C:\>tracert 10.10.10.46   && a computer in HQ
Tracing route to 10.10.10.46 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.10.50.3
  2     9 ms     9 ms    10 ms  192.168.255.5
  3    52 ms    50 ms    52 ms  192.168.255.1
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.
Trace complete.
Question by:Castlewood
4 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 38812127
What do the devices to which you cannot ping have as their default gateway?  To ping a remote device the return route must be in their routing table or accessible through the default gateway.
0
 
LVL 20

Expert Comment

by:edster9999
ID: 38812131
The item on 192.168.255.1 does not have a route to 10.10.10.*
The things on 10.10.10.2 and .3 may be directly connected (i.e. another network card in the same machine) but you need to add another route to this machine or router to tell it how to get to the next network.
0
 
LVL 26

Accepted Solution

by:
Fred Marshall earned 250 total points
ID: 38812665
In my own words, more or less the same thing:

Packet launched from 10.10.50.xxx
10.10.50.3 is the next hop
192.168.255.5 appears to be the MPLS side of the router with 10.10.50.3??
(it seems a bit odd that a traceroute would return the WAN side of the same router)
192.168.255.1 appears to be the MPLS side of the MPLS router on 10.10.10.0.
From here, presumably the packet hits 10.10.10.46
So, we'll assume that all is good so far.

But now the return packets have to get back to complete the tracert.
From 10.10.10.46, the return packets go to its local gateway 10.10.10.2 (because the destination is NOT in the local subnet).

A few things can go wrong at this point:

1) 10.10.10.2 is not the gateway entry at 10.10.10.46.

2) The gateway 10.10.10.2 doesn't have a route from 10.10.10.0 to 10.10.50.0 that points to the MPLS router 10.10.10.3.  Although somehow it appears from your tests that it *should*.

3) The gateway 10.10.10.2 does packet inspection and SYN packets aren't forwarded *back* out onto the LAN.  Such packets would be part of the communication back to the originator of the tracert (and other comm's).  So you have to turn off this kind of packet inspection / dropping.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 38813490
As stated above this most likely is a routing problem, the 10.10.10.x machines don't have a route to the 10.10.50.x network through the 10.10.10.3 gateway.
Could you post a route print from one of the machines (for example that 10.10.10.46)?
0
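
The return-path checks listed in the accepted answer, modelled as an added example that is not part of the original thread. It follows a reply from 10.10.10.46 back toward the branch using longest-prefix routing lookups. The /24 masks, the branch host 10.10.50.20, the exit labels and the no_hairpin flag (a simplified stand-in for cause 3) are assumptions; cause 1 is modelled as a host with no default gateway.

```python
import ipaddress

# Addresses come from the thread; /24 masks and BRANCH_HOST are assumptions.
BRANCH_HOST = "10.10.50.20"
DEFAULT_GW = [("0.0.0.0/0", "10.10.10.2")]
VIA_MPLS = [("10.10.50.0/24", "10.10.10.3")]

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def reply_path(tables, src, dst, no_hairpin=()):
    """Follow a reply from src to dst. A next hop is "direct", the LAN IP of
    another modelled device, or an exit label such as "MPLS"."""
    path, node = [src], src
    for _ in range(8):                       # guard against routing loops
        hop = lookup(tables.get(node, []), dst)
        if hop is None:
            return path, "no route at " + node
        if hop == "direct":
            return path + [dst], "delivered"
        if hop not in tables:                # packet leaves the HQ LAN
            return path + [hop], "exits via " + hop
        if node != src and node in no_hairpin:
            return path, "dropped at " + node   # simplified model of cause 3
        path.append(hop)
        node = hop
    return path, "loop"

def hq_tables(host_routes, gw_routes):
    """HQ LAN from the thread, with the host and gateway routes variable."""
    lan = ("10.10.10.0/24", "direct")
    return {"10.10.10.46": [lan] + host_routes,
            "10.10.10.2": [lan, ("0.0.0.0/0", "INTERNET")] + gw_routes,
            "10.10.10.3": [lan, ("10.10.50.0/24", "MPLS")]}

def scenarios():
    def run(host, gw, **kw):
        tables = hq_tables(host, gw)
        return reply_path(tables, "10.10.10.46", BRANCH_HOST, **kw)[1]
    return {"1 host has no gateway": run([], []),
            "2 gateway lacks branch route": run(DEFAULT_GW, []),
            "3 gateway will not hairpin":
                run(DEFAULT_GW, VIA_MPLS, no_hairpin={"10.10.10.2"}),
            "fix: route on gateway": run(DEFAULT_GW, VIA_MPLS),
            "fix: static route on host": run(DEFAULT_GW + VIA_MPLS, [])}
```

Calling scenarios() returns the outcome for each case; only the two "fix" cases send the reply out through the MPLS router, while a reply originated by 10.10.10.3 itself always does, which matches the gateways answering pings when the other HQ hosts do not.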
