Link to home
Start Free TrialLog in
Avatar of aclaus225
aclaus225

asked on

Routing Issue

I have an AVG virus server at 192.168.100.87 for internal computers.  External computers should be able to get this by going to a different IP address, that then forwards to that computer.  The mapping suggests that the AVG port (I forget what it is right now) goes from 192.168.101.2 to 192.168.100.87.  This seems to work for external computers.  Semi-internal computers, who get their internet access from a different place, should also be able to reach 192.168.101.2 via another port on the router.  I have put in a route for 192.168.101.2 on the router to use FastE0/3/0.  I can ping from my router and reach 192.168.101.2 but I cannot ping that IP from inside the network without it timing out.  What do I need to do to remedy this?
Avatar of David Vicente
David Vicente
Flag of France image

Hello,

A diagram would help a lot to resolve the issue.
Can you write all the ip configuration for the: avg virus server, (ip / netmask / gateway)
the same for a computer that should but can't connect to the server.
And ip configuration and route on your router (or l3 switch).

i'm pretty sure it's a route problem

Regards,
forgot to add:
might need a route print on both devices (server + computer )
Avatar of aclaus225
aclaus225

ASKER

Router 1

Fa0 192.168.101.2/30
Fa1 192.168.100.1/24
Fa3 192.168.101.5/30

Router 2

Fa0 192.168.200.6/30
Fa1 192.168.0.3/21
Fa3 192.168.101.6/30

Router2 has a route that says 192.168.100.1 255.255.255.0 Fa3, which should point to Router 1. I can ping from router 2 to 192.168.100.87, but I cannot get a computer from 192.168.0.0/21 to find 192.168.100.87.
Hello, i would need a complete route print of the 2 routers.

You need a route on your router 1 :
ip route 192.168.0.0 255.255.248.0   192.168.101.6

something like that
ip configuration and all route from:
server avg
computer in network 192.168.0.x
router 1
router 2
AVG Server is at 192.168.100.87
It can successfully ping 192.168.1.17, which is the printer in the 192.168.0.0/21 network.
I can successfully ping 192.168.100.87 from a machine in the 192.168.0.0/21 network.

Router 1 routing table:
Gateway of last resort is 192.168.101.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.101.1
      10.0.0.0/24 is subnetted, 1 subnets
S        10.10.0.0 [1/0] via 192.168.100.254
S     192.168.0.0/21 [1/0] via 192.168.101.6
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/24 is directly connected, FastEthernet0/1
L        192.168.100.1/32 is directly connected, FastEthernet0/1
      192.168.101.0/24 is variably subnetted, 4 subnets, 2 masks
C        192.168.101.0/30 is directly connected, FastEthernet0/0
L        192.168.101.2/32 is directly connected, FastEthernet0/0
C        192.168.101.4/30 is directly connected, FastEthernet0/2/0
L        192.168.101.5/32 is directly connected, FastEthernet0/2/0

Routing table on Router 2:
Gateway of last resort is 192.168.200.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.200.5
C     192.168.0.0/21 is directly connected, FastEthernet0/1
      192.168.0.0/32 is subnetted, 1 subnets
L        192.168.0.3 is directly connected, FastEthernet0/1
S     192.168.100.0/24 is directly connected, FastEthernet0/3/0
      192.168.101.0/24 is variably subnetted, 3 subnets, 2 masks
S        192.168.101.2/32 is directly connected, FastEthernet0/3/0
C        192.168.101.4/30 is directly connected, FastEthernet0/3/0
L        192.168.101.6/32 is directly connected, FastEthernet0/3/0
      192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.200.4/30 is directly connected, FastEthernet0/0
L        192.168.200.6/32 is directly connected, FastEthernet0/0
From the computer trying to reach the server. can you try a tracert 192.168.100.87 ?
found something on your router 2:


Routing table on Router 2:
Gateway of last resort is 192.168.200.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.200.5
C     192.168.0.0/21 is directly connected, FastEthernet0/1
      192.168.0.0/32 is subnetted, 1 subnets
L        192.168.0.3 is directly connected, FastEthernet0/1
S     192.168.100.0/24 is directly connected, FastEthernet0/3/0
      192.168.101.0/24 is variably subnetted, 3 subnets, 2 masks
S        192.168.101.2/32 is directly connected, FastEthernet0/3/0
C        192.168.101.4/30 is directly connected, FastEthernet0/3/0
L        192.168.101.6/32 is directly connected, FastEthernet0/3/0
      192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.200.4/30 is directly connected, FastEthernet0/0
L        192.168.200.6/32 is directly connected, FastEthernet0/0




should not be: S     192.168.100.0/24 [1/0] via 192.168.101.5 ???
and shouldn't be: 192.168.101.6/30 ????
there is something wrong with your netmask there


can you show us your router 2 config ?
ip / route ....
i guess it's cisco router
Router 2

interface FastEthernet0/0
 description WirelessOutside
 bandwidth 204800
 ip ddns update sdm_ddns1
 ip address 192.168.200.6 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description Wireless Students
 ip address 192.168.0.3 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 service-policy input P2P
!
interface FastEthernet0/3/0
 ip address 192.168.101.6 255.255.255.252
 duplex auto
 speed auto
!
ip default-gateway 174.77.164.81
ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.200.5
ip route 192.168.100.0 255.255.255.0 FastEthernet0/3/0
ip route 192.168.101.2 255.255.255.255 FastEthernet0/3/0
Router 1

interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 bandwidth 204800
 ip ddns update sdm_ddns1
 ip address 192.168.101.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface FastEthernet0/1
 description Inside
 bandwidth 10000000
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly drop-fragments
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 !
!
interface FastEthernet0/2/0
 ip address 192.168.101.5 255.255.255.252
 duplex auto
 speed auto
 !
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.54 3389 192.168.101.2 3389 extendabl
e
ip nat inside source static tcp 192.168.100.87 4158 192.168.101.2 4158 extendabl
e
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ip route 10.10.0.0 255.255.255.0 192.168.100.254
ip route 192.168.0.0 255.255.248.0 192.168.101.6
change this on router 2:
 ip route 192.168.100.0 255.255.255.0 FastEthernet0/3/0
with
 ip route 192.168.100.0 255.255.255.0 192.168.101.5
I can ping .87, but the computer is still not connecting with the AVG server.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\wsc>tracert 192.168.100.87

Tracing route to 192.168.100.87 over a maximum of 30 hops

  1     2 ms     4 ms     9 ms  192.168.0.3
  2     2 ms     2 ms     2 ms  192.168.101.5
  3     2 ms     1 ms     1 ms  192.168.100.87

Trace complete.

C:\Users\wsc>ipconfig

Windows IP Configuration


Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::ccfd:b04e:bf68:48d4%12
   IPv4 Address. . . . . . . . . . . : 192.168.4.45
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . : 192.168.0.3
so far, from your computer you can ping the 192.168.100.87 right ?
Yes, I am able to ping back and forth between 192.168.100.87 and a computer on the other network.
mmmmmm ..
but I cannot ping that IP from inside the network without it timing out <== what do you mean by that as you just said you can ping.
Originally the only route that I had installed told router 2 to use FastE 0/3/0 if it was looking for 101.2.  Using that path the router was able to ping to the internal network.  However, I then installed the path telling the router to use FastE0/3/0 if it was looking for the .100 network also.  This resolved the pinging problem and now the only problem is that the computers on the .0 network cannot reach 192.168.100.87 port 6051, which is what is used for AVG.
if you add a route, add the next hop ip, not your interface.

check on the avg server logs if you see something.
or install wireshark on it and log everything that is coming into that server.
probably the server denying it now.
This is one of the two requests from 192.168.5.48 to 192.168.100.87.  I do not make sense of this at all:

678      76.305911      192.168.5.48      192.168.100.87      TCP      62      [TCP Spurious Retransmission] 50053 → 4158 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 SACK_PERM=1

Frame 678: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
    Interface id: 0 (\Device\NPF_{6D91314C-45A3-4C1E-B05A-7FF693F0B55B})
    Encapsulation type: Ethernet (1)
    Arrival Time: May 11, 2017 15:48:24.264848000 Pacific Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1494542904.264848000 seconds
    [Time delta from previous captured frame: 0.116901000 seconds]
    [Time delta from previous displayed frame: 0.116901000 seconds]
    [Time since reference or first frame: 76.305911000 seconds]
    Frame Number: 678
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: Cisco_f9:f0:39 (00:1b:d5:f9:f0:39), Dst: Microsof_64:2a:00 (00:15:5d:64:2a:00)
    Destination: Microsof_64:2a:00 (00:15:5d:64:2a:00)
        Address: Microsof_64:2a:00 (00:15:5d:64:2a:00)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_f9:f0:39 (00:1b:d5:f9:f0:39)
        Address: Cisco_f9:f0:39 (00:1b:d5:f9:f0:39)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.5.48, Dst: 192.168.100.87
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 48
    Identification: 0x1743 (5955)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 126
    Protocol: TCP (6)
    Header checksum: 0xfaac [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.5.48
    Destination: 192.168.100.87
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 50053, Dst Port: 4158, Seq: 0, Len: 0
    Source Port: 50053
    Destination Port: 4158
    [Stream index: 11]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 28 bytes
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 4158]
                [Connection establish request (SYN): server port 4158]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0x669b [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (8 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1452 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1452
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        TCP SACK Permitted Option: True
            Kind: SACK Permitted (4)
            Length: 2
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) spurious retransmission]
                [This frame is a (suspected) spurious retransmission]
                [Severity level: Note]
                [Group: Sequence]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]
well the thing is that wireshark can filter what's incoming so you can see what is blocked. if you don't really know how to use it ... :/
what you can probably do is check yyour avg server logs and check if it denies something coming from your computer.
I understand how to use WireShark, but when I said I can't make sense of it, to me that frame looks like it should have gone through, since it was recognized, so we know that it is getting past the router to the computer.  I do not see anything in the AVG server logs to indicate why it would be getting blocked.  Looking at the bottom of the capture it says that it is a suspected retransmission, but that is an editorial comment, not an actual error.
mmmm try disabling your avg server firewall to test.
AVG Firewall was not installed on the server.  I disabled the Windows Firewall too.  AVG simply says connection not available.  

When I turned on Wireshark it was telling me the same thing again.
install some kind of service http or ftp or anything, and try it.
HTTP worked and was reachable.  

I did not see anything that looked bad with WireShark in regards to HTTP.
ASKER CERTIFIED SOLUTION
Avatar of David Vicente
David Vicente
Flag of France image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks for all your help.