06-01-2007 10:28 PM - edited 03-03-2019 05:16 PM
Hi Guys
I have one Cisco 2800 running BGP with my own AS. I have only one ISP.
I have one default route statically configured to my ISP.
In my router I don't have any filters.
I have an issue that some networks on the internet can't ping my servers inside my AS.
Most of all other networks can ping fine, just a few big networks such as BellSouth and Verisign can't ping my servers.
I've tried a lot of things, like putting a source IP on my loopback and pinging from it to the servers (works), receiving the default route via BGP, changing the default route from an IP to an interface, and I didn't have success.
I did a debug ip icmp and see these messages just when those networks try to ping my AS servers:
000366: *Jun 1 23:56:05.815 PCTime: ICMP: time exceeded (time to live)
sent to xx.xx.xx.xx (dest was xx.xx.xx.xx my AS)
I'm trying to figure out how to solve this problem.
Can someone help me with this issue?
Thanks.
Fred
06-01-2007 11:04 PM
Hi Fred,
Can you post your config?
Dandy
06-02-2007 05:49 AM
Follows below.
Current configuration : 3067 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
clock timezone PCTime -8
no network-clock-participate wic 1
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip domain name company.com
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
voice-card 0
no dspfarm
!
!
!
voice service voip
!
username xxxxxxxxx
!
!
controller E1 0/1/0
clock source internal
!
controller E1 0/1/1
!
!
!
interface FastEthernet0/0
description ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address xx.xx.xx.xx 255.255.255.0 (my AS network)
no cdp enable
!
interface FastEthernet0/0.11
no cdp enable
!
interface FastEthernet0/0.12
no cdp enable
!
interface FastEthernet0/0.13
encapsulation dot1Q 13
no cdp enable
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
no cdp enable
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1.10
no cdp enable
!
interface Serial0/0/0
ip address xx.xx.xx.xx 255.255.255.252 (my isp interface)
encapsulation ppp
no cdp enable
!
interface Serial0/0/1
no ip address
shutdown
clockrate 2000000
no cdp enable
!
router bgp xxxxx (my as number)
no synchronization
bgp log-neighbor-changes
network xx.xx.xx.0 mask 255.255.240.0 (my as range)
aggregate-address xx.xx.xx.0 255.255.240.0 as-set
redistribute connected
redistribute static
neighbor xx.xx.xx.xx remote-as xxxx (my ISP neighbor and AS)
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx (default gateway for my ISP)
ip route xx.xx.xx.xx 255.255.255.0 xx.xx.xx.xx (route to one subnet of my AS inside my network point to internal gateway)
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
logging trap debugging
no cdp run
control-plane
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Thanks.
06-02-2007 10:10 AM
Hi,
This is a case for your ISP, not you.
It's a classic issue of AS-path filter (or prefix-filter).
Your ISP has to "talk" to Verisign's ISP.
HTH, rate if it does using the scroll-box at the bottom right.
BR,
Bjornarsb
06-02-2007 10:19 AM
I have a ticket open with them, but they insist that this is my problem.
If someone can give some hint I can send it to my ISP for analysis.
Thanks.
Fred
06-02-2007 10:24 AM
No,
it's NOT your problem.
Use this and it might give you information that you can use against your ISP.
http://www.bgp4.as/looking-glasses
BR,
Bjornarsb
06-02-2007 10:36 AM
Hi Fred,
Please do look through some of the route-servers publicly available and see where it gets dropped...
If it gets dropped at your ISP, you can show this as reference...
Choose your relevant route-server and have a try...
Rate if it does,
Rgs,
06-02-2007 10:55 AM
How can I collect some evidence of an AS-path filter and show it to my ISP?
Thanks.
Fred
06-02-2007 10:21 PM
Hi Fred,
See the relevant route server output, and if the drop is not at your end, you can tell the ISP to troubleshoot where it is getting blocked or how to get it permitted... That is their responsibility to get it done...
Rgs
06-03-2007 07:34 AM
Hi,
Can you execute the following in your router and post the output in this forum?
1. Check if you are correctly advertising your prefixes to your ISP.
show ip bgp neighbors xx.xx.xx.xx advertised-routes | include xx.xx.xx.0
2. Check if the route is in BGP routing table.
show ip bgp xx.xx.xx.0 255.255.240.0 longer-prefixes
3. Check if there is an exact route in the routing table.
show ip route xx.xx.xx.0 255.255.240.0 longer-prefixes
NOTE: You have to replace "summary-only" with "no auto-summary". I suspect that component networks are suppressed by "summary-only". After replacing, execute the 3 routing checks above again.
Dandy