Solved

ProCurve 2900 IP routing

Posted on 2015-02-01
182 Views
Last Modified: 2015-02-22
I have two sites that are connected through a direct link from China Telecom. One site is in Sydney and the other is in Shanghai. I have a ProCurve 2900 switch at the Sydney end and an HP 1910 switch on the Shanghai end. Both of the sites also have Cisco ASA 5505s. The issue is that the Shanghai end can talk to Sydney but the Sydney end can't talk to Shanghai. I think the issue is the IP routing on the Sydney end but I am not 100% sure about the rule. Both ends have VLANs set up to support each IP range.

Sydney has 4 VLANs but I am only interested in VLAN 1 and VLAN 20 (Shanghai). VLAN 1's IP range is 10.0.0.1 and VLAN 20's IP range is 10.0.1.6. The gateway is 10.0.0.1.

Shanghai has 2 VLANs. VLAN 1 is 10.0.1.2 and VLAN 2 is 10.0.0.5. The gateway is 10.0.1.2.

I was thinking something like: 10.0.0.0 255.255.255.0 10.0.1.2 but that doesn't work. I know what I am doing wrong is simple but I can't find out where the issue is.

I have a network diagram and the config files that I can post if required.
Question by:Kage33
21 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40583153
The issue is that the Shanghai end can talk to Sydney but that the Sydney end can't talk to Shanghai. I think the issue is the IP routing on the Sydney end but I am not 100% about the rule.
How are you testing connectivity? If you're able to communicate successfully when sourcing from Shanghai but not Sydney, it's not an IP routing problem since most traffic is bi-directional. Most likely you've got a config issue on one of the ASAs that is allowing traffic if it's sourced from Shanghai but denied if it's sourced from Sydney.

The sanitized configs from the ASAs would be where I would start.
 

Author Comment

by:Kage33
ID: 40583156
We tested connectivity once connected at both ends by pinging the switches and the ASAs first. We can ping both of these successfully through the switches, ASAs and computers. But when it comes to pinging a computer that is connected to the network or accessing it remotely from Sydney, it fails.

Shanghai has full access to the Sydney network and they are able to ping and remote to servers etc. Sydney isn't able to ping or access servers etc on the Shanghai end.

I will post the sanitized configs of both ASAs in a bit.

Thanks
 
LVL 76

Expert Comment

by:arnold
ID: 40583164
Do the ASAs have a VPN between them?
Will await the sanitized configs.

IP/netmasks on each side.

Compare the destination which Shanghai accesses with the source from which Sydney originates and its destination.

As was pointed out this might be a missing rule that allows the specific location to the remote destination which differs from the other.

10.0.0.0/24 and 10.0.1.0/24 to IP range 1 and 2 on the Sydney side.

IP ranges 3 and 4 on the Sydney side to IP ranges 3 and 4 on the other side are hitting a wall on the Sydney side.

Can the server to which they connect, connect back?
 

Author Comment

by:Kage33
ID: 40583288
The Sydney running config is attached. I am having a bit of trouble getting the Shanghai ASA config atm.

The sites are connected through a direct tunnel going from our Sydney office to our Shanghai office. This is provided by China Telecom and allows for a faster, more reliable connection. There are no VPNs set up on the ASAs. The direct tunnel link is connected to a ProCurve 2900 on the Sydney end and on the Shanghai end it is connected to an HP 1910.

The internet in its traditional form isn't being used at all on this direct link. This link is for Shanghai to access internal resources and for Sydney to access internal resources in Shanghai.

@Arnold: If I am reading your end question right then you are asking if the Sydney side server can connect to the Shanghai end server. The answer is no. But the Shanghai server can connect to the Sydney server without a worry.

To be quite honest, I have updated the Sydney network as much as I dare. The person who originally built it had a lot of segmentation in the network when there really didn't need to be any. This network is the stuff of nightmares, well mine at least.
 
LVL 76

Expert Comment

by:arnold
ID: 40583308
China Telecom is controlling your flow, so it will let a response through but it does not allow originating traffic from Sydney.

I think that is where your issue might be. What is the purpose of the ASAs?

You might not be able to set up a VPN tunnel between the two sites using the ASAs.

China telecom functions as your VPN cloud?
 

Author Comment

by:Kage33
ID: 40583335
Attached is the Shanghai ASA config that has been sanitized.

After looking at it again I think I know what the issue is. But I would like someone else to look over it.
ShanghaiASA.txt
 

Author Comment

by:Kage33
ID: 40583354
Hi Arnold,

The China Telecom link doesn't function in this way and we actually have bi-directional access from Sydney to Shanghai right now. The issue with that is that both sites have to stay on the same IP and Shanghai is using Sydney's internet atm through this link. We have an International Ethernet Private Line from China Telecom (http://www.chinatelecomglobal.com/productservice/carrier/a/20140523/1400814969574.htm).

This link doesn't have any routing on it and it is basically a dummy switch.

I am not wanting to set up a VPN tunnel on the ASA to both sites. The China Telecom link is superior to this and supersedes the need for the VPN tunnel. What I need to do is to get the VLANs on both ends talking to each other. I originally thought this was through the HP 2900 on the Sydney side and the HP 1910 on the Shanghai side.
 
LVL 76

Expert Comment

by:arnold
ID: 40583373
You've not posted the Sydney config.

The route outside piqued my interest, but since I do not have the other side, I am not sure whether that is the issue, given outbound connections from one segment make it to the other side. Perhaps your issue is that your 10.0.0.x systems get stuck and never make it back because of the route outside 10.0.0.0 255.255.255.0 10.0.0.5 1 while your outgoing.....
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40583960
The issue is that the Shanghai end can talk to Sydney but the Sydney end can't talk to Shanghai.

access-list OUT_IN extended permit tcp any host 10.0.1.168 eq 7001
access-group OUT_IN in interface outside

The only traffic coming from Sydney that's going to be allowed in is traffic to 10.0.1.168 on port 7001.

Nothing else should be allowed in.
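The asymmetry Don Johnston points out (replies to Shanghai-initiated connections pass, Sydney-initiated connections hit OUT_IN and die on the implicit deny) can be reproduced with a small model. The following is an added example for this thread, not code from the thread, from HP or from Cisco. It models only the ASA behaviour the experts rely on: connections started from the higher-security inside interface are permitted and tracked, traffic arriving on outside is permitted only by an existing connection or by the ACL applied "in" on outside, and an unmatched packet is implicitly denied. The hosts 10.0.1.50 and 10.0.0.20 and the ports are constructed; the one ACE is the line quoted above.

```python
"""Toy model of ASA-style stateful filtering on an outside interface.

Added example for this thread; not code from the thread, from HP or from
Cisco. Assumed behaviour: inside->outside connections are permitted and
tracked; outside-initiated packets are permitted only by an existing
connection or by the ACL applied 'in' on outside (implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The one ACE quoted in the thread, applied with
# "access-group OUT_IN in interface outside".
SHANGHAI_OUT_IN = [
    "access-list OUT_IN extended permit tcp any host 10.0.1.168 eq 7001",
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The reply direction of this packet (used for state lookup)."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def _parse_addr(tokens, i):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACL syntax: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return name, Ace(action, proto, src, dst, dport)


class StatefulFirewall:
    def __init__(self, inside_net: str, outside_in_acl):
        self.inside = ipaddress.ip_network(inside_net)
        self.outside_in = [parse_ace(line)[1] for line in outside_in_acl]
        self.connections = set()  # packets that opened a permitted flow

    def forward(self, pkt: Packet) -> str:
        """Return a 'permit: ...' or 'deny: ...' verdict for one packet."""
        if ipaddress.ip_address(pkt.src) in self.inside:
            self.connections.add(pkt)
            return "permit: inside->outside, connection state created"
        if pkt.reverse() in self.connections:
            return "permit: reply to an inside-initiated connection"
        for ace in self.outside_in:
            if ace.matches(pkt):
                return f"{ace.action}: matched ACE on OUT_IN"
        return "deny: implicit deny at the end of OUT_IN"


def demo() -> dict:
    """Replay the thread's symptom with constructed hosts and ports."""
    fw = StatefulFirewall("10.0.1.0/24", SHANGHAI_OUT_IN)
    shanghai_to_sydney = Packet("tcp", "10.0.1.50", 50000, "10.0.0.20", 445)
    return {
        "shanghai->sydney": fw.forward(shanghai_to_sydney),
        "sydney reply": fw.forward(shanghai_to_sydney.reverse()),
        "sydney->shanghai": fw.forward(Packet("tcp", "10.0.0.20", 50001, "10.0.1.50", 445)),
        "sydney->10.0.1.168:7001": fw.forward(Packet("tcp", "10.0.0.20", 50002, "10.0.1.168", 7001)),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:26} {verdict}")
```

Running it shows the two Shanghai-side flows permitted (one by the inside-to-outside default, one as a tracked reply), the Sydney-initiated flow to an ordinary host denied, and only Sydney traffic to 10.0.1.168 on 7001 getting through, which is exactly the one-way symptom described in the question. The model ignores NAT and routing on purpose; it isolates the policy effect of the ACL.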
 
LVL 76

Expert Comment

by:arnold
ID: 40584229
Only traffic destined to 10.0.1.0/24 is going over the link?
You do not allow any 10.0.0.0 traffic to leave Shanghai.
Yes, your reading of the OUT_IN access list is the cause with the above IP range.
You are feeding inter-location traffic unencrypted over the link.
What is the performance hit for transfers between the two locations via the existing setup versus a VPN between the two locations?
 

Author Comment

by:Kage33
ID: 40585153
Sydney config is attached. Sorry, I thought I had attached it.
running-config.txt
 

Author Comment

by:Kage33
ID: 40585183
Sydney is on the range 10.0.0.0/24
Shanghai is on the range 10.0.1.0/24

The below has nothing to do with the issue. This should actually be removed; I haven't had a chance to.

access-list OUT_IN extended permit tcp any host 10.0.1.168 eq 7001

I am not sure what the performance rate is via the existing setup vs VPN. The existing link is a 10G link. As a temp measure I set up the site-to-site VPN before the link and it was bearable. But not acceptable when you are talking about syncing working files bi-directionally, so that all the 3D artists are working on the same files across the board. The site-to-site VPN would be perfect if we were just talking documents etc, but the company is a visual effects company and to use all company resources we share project files across both sites.

But the issue with the existing International Ethernet Private Line is that its primary site is Sydney, so it takes the Sydney IP range and won't let anything through on either end without routing if they have different IP ranges. I know the simple solution is to have Shanghai on the same IP range but we don't want to do this; the office needs to be independent and only use the International Ethernet Private Line for accessing internal devices. At the moment it is accessing internal devices and our internet, as it is on the same IP range. This is so they can access resources from Sydney to work.

I did think the solution HP provided would work and it seems to on one end but not the other. I am nowhere near a network genius but this has me at my wits' end.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40585189
The below has nothing to do with the issue. This should actually be removed; I haven't had a chance to.

access-list OUT_IN extended permit tcp any host 10.0.1.168 eq 7001

It's part of the config and it's applied to the outside interface.

It will prevent the flow of traffic.
 

Author Comment

by:Kage33
ID: 40585399
I've removed the line: access-list OUT_IN extended permit tcp any host 10.0.1.168 eq 7001 now.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40585409
Please post the current config of the ASAs.
 
LVL 76

Expert Comment

by:arnold
ID: 40585413
You need to add access to the access list rather than removing the one entry.

One is the setting on the Sydney ASA on the outside interface; the Shanghai one should match that.

Sydney China Telecom link <=> which interface on the ASA, outside..
The Sydney ASA has an Australian firm feed as well?
Shanghai China Telecom link <=> ASA port OUTSIDE <=> two ports VLAN 1 and ....
 
LVL 76

Expert Comment

by:arnold
ID: 40585428
The Shanghai side has a routing rule for 10.0.0.0 255.255.255.0 to 10.0.0.5 to prevent local 10.0.0.0 255.255.255.0 segment traffic from leaking out.

If the Sydney side is sending 10.0.1.0 255.255.255.0 through the outside, are these in this IP block in the nonat rule?
 

Author Comment

by:Kage33
ID: 40590282
I have now been told by the IT guy in Shanghai that everything on the Shanghai ASA was for testing purposes and has nothing to do with the network setup.

So please disregard everything to do with the Shanghai ASA.
 
LVL 76

Expert Comment

by:arnold
ID: 40590317
You'd best have a network diagram to see how the traffic flows.

Shanghai
Sydney
And how they interconnect.
 

Accepted Solution

by:
Kage33 earned 0 total points
ID: 40615837
This is now working and fixed. The solution was to reconfigure the Cisco to allow the HP 1910 to act as a gateway and to bypass the NATing on the Ciscos, at both ends.
 

Author Closing Comment

by:Kage33
ID: 40624002
This is my own solution and none of the solutions that were offered up helped.