Solved

Need Help fixing an IP communications problem between offices

Posted on 2013-07-01
Last Modified: 2013-07-02
Dear experts:

I think this should be an easy one. I am having trouble getting one network to ping from one office to another having an office in between.

I managed to get the LAN network to work well, but the other one, the Voice network, is not.

Let's call them Office A, B & C. Office A is the main office and connects directly with office B via AT&T fiber optic IP flex, while office C connects to Office A via VPN tunnel. From there it needs to connect to office B. The LAN network for office C connects with no problems to Office B, passing through office A. That is not the case for the Voice Network coming from office C to office B.

I am having one-way voice communications between office C and B. From office C they can hear you but from office C you do not hear a thing.

Here is a trace-route example from office C to office B:

Office C Voice router#traceroute 172.16.8.240 <--LAN address for office B

Type escape sequence to abort.
Tracing the route to Server office B(172.16.8.240)

  1 10.255.255.9 32 msec 52 msec 32 msec <-- office A VPN router
  2 172.16.102.3 32 msec 32 msec 32 msec <-- office A Voice Router
  3 10.255.254.2 36 msec 32 msec 32 msec <--- AT&T router
  4 12.113.178.145 32 msec 28 msec 32 msec <--- from here AT&T network until time out
  5 cr2.hs1tx.ip.att.net (12.122.103.234) 44 msec 44 msec 44 msec
  6 cr1.dlstx.ip.att.net (12.122.28.157) 44 msec 48 msec 52 msec
  7 cr81.ocyok.ip.att.net (12.122.155.6) 48 msec 48 msec 64 msec
  8 12.115.203.189 68 msec 44 msec 56 msec
  9 12.115.203.190 44 msec 44 msec 48 msec
 10  *  *

Office C voice router#traceroute 172.16.12.1 <-- Office B voice gateway

Type escape sequence to abort.
Tracing the route to 172.16.12.1

  1 10.255.255.9 32 msec 36 msec 32 msec
  2 172.16.102.3 36 msec 32 msec 32 msec
  3 10.255.254.2 32 msec 32 msec 28 msec
  4 12.113.178.145 32 msec 32 msec 36 msec
  5 cr2.hs1tx.ip.att.net (12.122.103.234) 48 msec 48 msec 88 msec
  6 cr1.dlstx.ip.att.net (12.122.28.157) 48 msec 48 msec 48 msec

Office C voice router#ping 172.16.18.240 <-- to office B LAN address

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.18.240, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

A ping from Office C to Office B from a desktop:

U:\>ping 172.16.8.240

Pinging 172.16.8.240 with 32 bytes of data:

Reply from 172.16.8.240: bytes=32 time=43ms TTL=117
Reply from 172.16.8.240: bytes=32 time=42ms TTL=117
Reply from 172.16.8.240: bytes=32 time=44ms TTL=117
Reply from 172.16.8.240: bytes=32 time=42ms TTL=117

Ping statistics for 172.16.8.240:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 42ms, Maximum = 44ms, Average = 42ms
 

So you see, LAN IP communications have no problems. The problem is pinging from office C to office B in the Voice network.

I attached a diagram to help.
ntwrktopology3.jpg
0
Question by:marceloNYC
 
LVL 20

Expert Comment

by:rauenpc
ID: 39290589
I would guess that you are either missing a subnet(s) in the vpn crypto map, or you are missing a route on one side. If you could post your configs from the three sites as well as a show ip route at each site that would be helpful.
0
 

Author Comment

by:marceloNYC
ID: 39290841
I cleaned the configs the best possible way for what we need.

Here are the results of 3 show ip route:

Office C voice router#sh ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resorxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


     172.16.0.0/16 is variably subnetted, 8 subnets, 3 masks
C       172.16.16.0/24 is directly connected, FastEthernet0/1.900
D       172.16.16.0/23 is a summary, 4d10h, Null0 <-- voice network traffic
C       172.16.17.0/24 is directly connected, FastEthernet0/1.108 <-- LAN Network traffic
D       172.16.19.0/24 [90/2292224] via 10.255.255.9, 4d10h, Tunnel50

D EX    172.16.12.0/24 [170/2038784] via 10.255.255.9, 4d10h, Tunnel50 <-- this is the Voice network for office B the 10.255.255.9 address is for the Office A VPN router

D       172.16.8.0/22 [90/2038784] via 10.255.255.9, 4d10h, Tunnel50
D       172.16.104.0/24 [90/2036224] via 10.255.255.9, 4d10h, Tunnel50
D       172.16.100.0/22 [90/2036224] via 10.255.255.9, 4d10h, Tunnel50
     172.31.0.0/30 is subnetted, 4 subnets

C       10.255.255.8/30 is directly connected, Tunnel50
D EX    10.255.254.0/30 [170/2038784] via 10.255.255.9, 4d10h, Tunnel50
D EX    10.255.254.4/30 [170/2038784] via 10.255.255.9, 4d10h, Tunnel50
D       10.255.255.16/30 [90/2289664] via 10.255.255.9, 4d10h, Tunnel50
C       10.255.0.23/32 is directly connected, Loopback22
 
D EX    10.255.0.12/32 [170/2038784] via 10.255.255.9, 4d10h, Tunnel50
D       10.255.0.14/32 [90/2417664] via 10.255.255.9, 4d10h, Tunnel50

Office C voice router#sh ip rout 172.16.12.0
Routing entry for 172.16.12.0/24
  Known via "eigrp 42", distance 170, metric 2038784
  Tag 65500, type external
  Redistributing via eigrp 42
  Last update from 10.255.255.9 on Tunnel50, 4d10h ago
  Routing Descriptor Blocks:
  * 10.255.255.9, from 10.255.255.9, 4d10h ago, via Tunnel50
      Route metric is 2038784, traffic share count is 1
      Total delay is 10200 microseconds, minimum bandwidth is 1440 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 2
      Route tag 65500

Office B voice router #sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort isxxxxxxxxxxxxxxxxxxxxxxxxxxxx

     199.37.161.0/30 is subnetted, 6 subnets
B       199.37.161.64 [20/0] via 10.255.254.6, 1w0d <--- AT&T
B       199.37.161.40 [20/0] via 10.255.254.6, 1w0d

     172.16.0.0/24 is subnetted, 12 subnets
D EX    172.16.253.0 [170/53760] via 172.16.10.2, 1w4d, FastEthernet0/1.222
B       172.16.17.0 [20/0] via 10.255.254.6, 4d10h <--office C LAN
B       172.16.19.0 [20/0] via 10.255.254.6, 4d10h
C       172.16.12.0 is directly connected, FastEthernet0/1.900
C       172.16.8.0 is directly connected, FastEthernet0/1.108
C       172.16.10.0 is directly connected, FastEthernet0/1.222

Office B voice router#sh ip route 172.16.16.0
Routing entry for 172.16.0.0/12, supernet
  Known via "static", distance 1, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1

I think the problem is in office B. I don't think BGP is either advertising or seeing the traffic coming from office C for the 172.156.16.0 network. Not too sure where I need to make the entry for that.
OfficeA-VG.txt
OfficeA-VPN.txt
OfficeB-VG.txt
OfficeC-VG.txt
OfficeC-VPN.txt
0
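The longest-prefix lookup behind the `sh ip route 172.16.16.0` result above, as an added example that is not part of the original thread: it replays Office B's posted routes and shows which route replies toward each Office C subnet would take. Assumptions: only the prefixes visible in the trimmed output are modelled, Office C's voice and LAN subnets are taken from the poster's annotations, and the function names are illustrative.

```python
import ipaddress

# Office B routes copied from the trimmed "sh ip route" output in the post:
# (prefix, how it was learned, next hop or exit interface).
OFFICE_B_ROUTES = [
    ("199.37.161.64/30", "bgp", "10.255.254.6"),
    ("199.37.161.40/30", "bgp", "10.255.254.6"),
    ("172.16.253.0/24", "eigrp-external", "172.16.10.2"),
    ("172.16.17.0/24", "bgp", "10.255.254.6"),        # Office C LAN
    ("172.16.19.0/24", "bgp", "10.255.254.6"),
    ("172.16.12.0/24", "connected", "FastEthernet0/1.900"),
    ("172.16.8.0/24", "connected", "FastEthernet0/1.108"),
    ("172.16.10.0/24", "connected", "FastEthernet0/1.222"),
    ("172.16.0.0/12", "static", "Null0"),             # supernet discard route
]

def build_table(routes):
    """Parse prefixes once so lookups compare network objects."""
    return [(ipaddress.ip_network(p), how, nh) for p, how, nh in routes]

def lookup(table, dst):
    """Longest-prefix match, the rule the router applies per packet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def return_path(table, remote_subnet):
    """Classify how replies toward remote_subnet are handled."""
    host = next(ipaddress.ip_network(remote_subnet).hosts())
    route = lookup(table, str(host))
    if route is None:
        return ("no-route", None, None)   # default route is redacted in the post
    net, _how, next_hop = route
    verdict = "discarded" if next_hop == "Null0" else "forwarded"
    return (verdict, str(net), next_hop)

if __name__ == "__main__":
    table = build_table(OFFICE_B_ROUTES)
    # Office C subnets as annotated in the post: .900 voice, .108 LAN.
    for name, subnet in [("voice", "172.16.16.0/24"), ("LAN", "172.16.17.0/24")]:
        print(name, subnet, return_path(table, subnet))
```

The verdicts reflect the posted table only, so a prefix the poster trimmed out would not appear here.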
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 39292075
I looked over the configs, and I must be honest - I'm kind of lost. Part of it is that there is a lot going on, and part is that I'm not quite putting together how your network should truly look in my head (regardless of your diagram).
However, I did notice something that you are doing currently and remembered how I handled one of my more complex customers. I both added and removed complexity all at the same time. The link below is to a "blog" (should have been an article) which goes over the design and reasoning behind laying a DMVPN configuration on top of an MPLS cloud. Redistribution can be a nightmare, and working around all the caveats to redistributed routes, metrics that don't align, and administrative distances that overrule good routes can lead to some frustrating late nights. Consider what I wrote in the blog as it could apply to your network. You appear to be using a combination of MPLS between sites A and B, and sites D and C connect back to A via IPSEC VPN. This means that you cannot simply do a single DMVPN cloud, but instead must do a cloud per common connection type. So for you this means a DMVPN cloud for internet-based IPSEC connections, and another cloud layered on top of MPLS. Your BGP configuration only need function enough to allow you to make it to the MPLS-connected interface. No redistribution. Your internet connections are the same on a basic level - you only truly need a [default] route back to the hub. From here all sites use a tunnel interface to connect back to site A on the respective tunnel headend interface. Within each cloud all sites can speak directly, and site A would be the gateway between connection topologies. The beauty is that all routes will appear as regular, internal EIGRP routes with no redistribution to worry about.

Granted, the above idea would take some effort, and almost without doubt more effort than figuring out the immediate issue at hand. However, if you feel there is any chance of things changing... more sites, different connections, etc., then laying the groundwork for a design that can truly simplify your network overall might be a good choice.

http://www.experts-exchange.com/blogs/rauenpc/B_7190-DMVPN-over-MPLS-to-make-networks-easier.html

My above opinion aside, I do feel confident I could figure this issue out, but I would probably need to be on the routers directly as there are so many different commands that could be run to figure this out it could take me weeks and weeks to accomplish this over EE. Going back and forth in these postings for the more complicated setups can be quite difficult.

I also noticed that you don't appear to be redistributing EIGRP into BGP on the site A router.
0
 

Author Closing Comment

by:marceloNYC
ID: 39293906
Thank you so much for your time with this network I inherited. We made changes to the network and I am stuck with the one voice network...

Regards, Marcelo
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39294203
View my profile and shoot me a direct message.
0
