Solved

Dual WAN router creates loop

Posted on 2013-01-31
Last Modified: 2013-02-03
[Figure: General network diagram]

Hello,

I have an RV042 dual WAN router set up with two WAN connections; one is static and the other is dynamic. I am trying to set up a VPN connection using the static IP, but I get no response. When I ping the static IP I get "TTL expired in transit", indicating some kind of loop. Doing a tracert I get:

 10    87 ms    86 ms    87 ms  cr1.n54ny.ip.att.net [12.122.80.226]
 11    89 ms    88 ms    92 ms  cr2.cgcil.ip.att.net [12.122.1.2]
 12    88 ms    90 ms    90 ms  cr1.cgcil.ip.att.net [12.122.2.53]
 13    88 ms    88 ms    86 ms  cr1.sffca.ip.att.net [12.122.4.121]
 14    87 ms    86 ms    91 ms  12.123.155.117
 15    88 ms    90 ms    88 ms  151.164.99.234
 16    88 ms    90 ms    88 ms  151.164.99.233
 17    88 ms    87 ms    87 ms  151.164.99.234
 18    90 ms    92 ms    89 ms  151.164.99.233
 19    88 ms    91 ms    87 ms  151.164.99.234
 20    90 ms    90 ms    87 ms  151.164.99.233
 21    89 ms    87 ms    87 ms  151.164.99.234
 22    87 ms    87 ms    87 ms  151.164.99.233
 23    87 ms    87 ms    87 ms  151.164.99.234
 24    89 ms    87 ms    87 ms  151.164.99.233
 25    86 ms    87 ms    87 ms  151.164.99.234
 26    87 ms    87 ms    91 ms  151.164.99.233
 27    88 ms    86 ms    87 ms  151.164.99.234
 28    91 ms    88 ms    86 ms  151.164.99.233
 29    88 ms    87 ms    87 ms  151.164.99.234
 30    96 ms    90 ms    87 ms  151.164.99.233

You can see the loop, it's not happening within my network, but external.

Any suggestions?

Thanks

lalto
Question by:laltobelli
14 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 38840744
What device(s) have the IP address:

 151.164.99.233
 151.164.99.234

What does the routing table look like on those devices?
0
 

Author Comment

by:laltobelli
ID: 38840767
Those devices are not on my network they are on the internet and are possibly owned by sbcglobal.net or ATT... via a couple of reverse IP lookups....
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38840859
Is AT&T your ISP? If so, you need to contact AT&T.

If AT&T is not your ISP, you need to contact your ISP first and find out what is going on.
0
 

Author Comment

by:laltobelli
ID: 38842014
No, my ISP is Charter (where I am pinging from) and the ISP at the dual WAN router is Verizon. The packets had long left the Charter servers, between hop 6 and 7.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38842080
You will want to contact Verizon.  They are responsible for making sure AT&T has the correct routing entries for IP addresses they own.

Do you have the same problem when you do a trace route to any/all of your IP addresses at the Verizon end?
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38842689
 15    88 ms    90 ms    88 ms  151.164.99.234
 16    88 ms    90 ms    88 ms  151.164.99.233

This is not a loop... you see this repeatedly because of the provider. Sometimes the provider blocks trace & ping; because of it, when you do a trace you won't see all the hops, and your output results in this way.

Show this output to your provider.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38843230
guptasan26, I have to disagree with you. I have seen blocks and I have seen routing loops.  This looks like a routing loop to me.

If it were a simple block the traceroute to that hop would simply time out and you would get no results for the hop that is blocking the ICMP.

This is a case where it appears that 151.164.99.233 thinks the next hop should be 151.164.99.234 and thus forwards the request to it.  Then 151.164.99.234 thinks the next hop should be 151.164.99.233 and forwards it back.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38843443
What I mean by "not a loop" is that this is not a routing loop. It is a problem from the provider, and it appears because providers block ping & trace sometimes.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38843516
I understand what you are saying and I am saying I disagree with your assessment of the situation based on my experience. Not saying you're wrong, just based on what I have experienced I think it is something different.

Typically when ICMP is blocked you would see request timeout on the hop blocking ICMP. Not bouncing it back and forth between two routers. Especially two routers in the "middle" of the network. On the edge between the ISP and the customer, maybe, but the two routers that are going back and forth are AT&T and the customer's ISP is Verizon.

If what you are saying is true that would mean that either AT&T is blocking ICMP in the middle of their network, on the edge between them and Verizon, or Verizon is blocking ICMP in between them and AT&T. Although that is possible, I personally have never seen it with AT&T or Verizon and I have used both of them as ISPs for close to 15 years now.

I have seen routing loops also and they look just like the output from laltobelli's post. Now, I will say normally when I encounter a routing loop it is due to a link being down and routers are trying to find a way to get to the next hop.
0
 

Author Comment

by:laltobelli
ID: 38849385
OK, I tried this from a Comcast account and got some interesting results. The hops got to a Verizon server and then timed out. Trace is below, I think it's time to call Verizon....

  5    10 ms    13 ms    11 ms  te-8-1-ur01.natick.ma.boston.comcast.net [68.87.144.197]
  6    16 ms    19 ms    15 ms  te-0-15-0-6-ar01.needham.ma.boston.comcast.net [68.85.69.94]
  7    38 ms    47 ms    47 ms  he-2-9-0-0-cr01.newyork.ny.ibone.comcast.net [68.86.90.57]
  8    36 ms    37 ms    37 ms  pos-0-4-0-0-pe01.111eighthave.ny.ibone.comcast.net [68.86.85.22]
  9     *       45 ms     *     Vlan569.icore1.NTO-NewYork.as6453.net [209.58.26.137]
 10    38 ms    37 ms    37 ms  Vlan590.icore1.NTO-NewYork.as6453.net [209.58.26.94]
 11    52 ms    53 ms    47 ms  0.ge-4-0-0.BOS-BB-RTR2.ALTER.NET [152.63.20.110]
 12    46 ms    56 ms    46 ms  so-7-1-0-0.BOS-CORE-RTR2.verizon-gni.net [130.81.20.87]
 13    47 ms    47 ms    47 ms  A4-0-0-1711.BOS-DSL-RTR1.verizon-gni.net [130.81.7.22]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38849402
That indicates that whatever hops are after 139.81.7.22 are blocking/dropping ICMP requests.

The name of the last router that responded implies that it is a DSL device, in Boston perhaps.  Could this be the last Verizon device before hitting your work place router/firewall?

Does the router/firewall at your work place allow ICMP through?
0
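The two patterns debated in this thread (hops alternating between two routers versus a tail of "Request timed out" hops) can be told apart mechanically. The following is an added example, not part of the original thread; the function names and result labels are assumptions, and the sample input is trimmed from the two traces posted above.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                   # hop number, rest of line
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")  # responder address at line end

# Trimmed copies of the two Windows tracert outputs posted in this thread.
LOOP_TRACE = """
 14    87 ms    86 ms    91 ms  12.123.155.117
 15    88 ms    90 ms    88 ms  151.164.99.234
 16    88 ms    90 ms    88 ms  151.164.99.233
 17    88 ms    87 ms    87 ms  151.164.99.234
 18    90 ms    92 ms    89 ms  151.164.99.233
 19    88 ms    91 ms    87 ms  151.164.99.234
 20    90 ms    90 ms    87 ms  151.164.99.233
"""
TIMEOUT_TRACE = """
 13    47 ms    47 ms    47 ms  A4-0-0-1711.BOS-DSL-RTR1.verizon-gni.net [130.81.7.22]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
"""

def parse_tracert(text):
    """Return [(hop, ip)] per hop line; ip is None when no probe was answered."""
    hops = []
    for m in filter(None, map(HOP_RE.match, text.splitlines())):
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def classify(hops, min_repeats=3, max_period=4):
    """Label the tail of a trace. A loop is a short cycle of responding
    routers repeated min_repeats times; silence is a run of unanswered hops."""
    ips = [ip for _, ip in hops]
    for period in range(2, max_period + 1):
        tail = ips[-period * min_repeats:]
        if (len(tail) == period * min_repeats and None not in tail
                and len(set(tail)) == period
                and all(tail[i] == tail[i - period] for i in range(period, len(tail)))):
            return "routing-loop", sorted(set(tail))
    # Trailing silence only shows where answers stopped, not which device filters.
    silent = next((i for i, ip in enumerate(reversed(ips)) if ip), len(ips))
    if silent >= min_repeats:
        return "no-reply-after", [ip for ip in ips if ip][-1:]
    return "inconclusive", []

if __name__ == "__main__":
    for trace in (LOOP_TRACE, TIMEOUT_TRACE):
        print(classify(parse_tracert(trace)))
```

A "no-reply-after" result names the last router that answered; whether the next device drops the probes or simply does not reply has to be checked on that device.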
 

Author Comment

by:laltobelli
ID: 38849527
The router is an RV042; as I understand, this model cannot filter on protocol. I can ping the DHCP WAN port without a problem.

This could be the last device before hitting my router, my router location is just outside of Boston.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 38849642
Not sure about filtering on protocols, but it can block ICMP.

If you enable the firewall on it and you have enabled the "Block WAN Request" option it will block ICMP, along with other inbound TCP requests.

http://www.cisco.com/en/US/docs/routers/csbr/rv0xx/administration/guide/rv0xx_AG_78-19576.pdf
0
 

Author Closing Comment

by:laltobelli
ID: 38849741
Hi giltjr,

You hit it.  Although I've used this router in the past and do not remember having to disable "Block WAN Request"

Anyways, that appears to have resolved the issue and not only can I ping, I can now access VPN.

Thanks,
laltobelli
0
