Cisco 1811 Router in remote location reach Server but Client Couldn't

Answered Question
Jun 19th, 2007

Hi,

Let first have the Network Diagram.

1. I'm having a Cisco 2821 Router in Head Office which is serving 4 Branch Offices with Cisco 1721 Routers in an MPLS VPN Cloud.

2. Right now I'm having a Remote Location which is connected using WiMAX Technology using a Cisco 1811 Router.

3. From the Remote Router I can access the server in Head Office, whereas a local client in the Remote Location is not able to reach the server. I hope it is only that routing is missing.

4. Perhaps it is nothing to do with the Head Office Router, because it serves the other Branch Offices without any problem.

5. Kindly provide the necessary information as soon as possible. Waiting for your feedback.

RUNNING CONFIGURATIONS

!

interface FastEthernet0.3429

description FastEthernet 0.3429 dot1q vlan id=3429. By VPNSC: Job Id#=8134

encapsulation dot1Q 3429

ip address 172.31.2.154 255.255.255.252

ip nat outside

ip virtual-reassembly

no snmp trap link-status

!

interface FastEthernet1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

interface Vlan1

ip address 192.168.1.2 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Async1

no ip address

encapsulation slip

!

router bgp 64659

no synchronization

bgp log-neighbor-changes

neighbor 172.31.2.153 remote-as 65000

no auto-summary

!

!

Hoping for the best,

Abdul Rahaman

Richard Burts Tue, 06/19/2007 - 03:08

Abdul

There are several things that could produce the symptoms that you describe and we do not yet have enough information to know which it is.

It might be that the client at the remote site does not have a correct configuration of default gateway. Can the client at the remote site access any resource not on its local LAN? Can someone check and verify the configuration of the default gateway on the client?

If the remote router can access the server it would indicate that the remote router does have a route to the subnet of the server. But it is possible that the router at the HQ does not have a proper route back to the subnet of the client. One way to check this would be to use extended ping from the remote router. In the extended ping specify the server as the destination and specify the client LAN interface as the source.

It looks like this is a VPN connection and it might be possible that there is an MTU issue with the client accessing the server due to frame size issues. Are you doing anything in the config to control frame size or to reset the DF bit?

If you can clarify these we may be able to help find the cause of this problem.

HTH

Rick

reachrahaman Tue, 06/19/2007 - 04:06

Thanks

1.

Client has the IP address 192.168.1.50, subnet mask 255.255.255.0, gateway 192.168.1.2 (which is the Vlan 1 IP address on the Cisco 1811 Router).

2.

Exactly, HQ does not have a route back to the Remote subnet.

HQ :

AL-AYUNI-OLAYA#sh ip route

Gateway of last resort is not set

B 50.0.0.0/8 [20/0] via 84.235.77.85, 05:38:35

84.0.0.0/30 is subnetted, 4 subnets

B 84.235.67.208 [20/0] via 84.235.77.85, 04:44:56

B 84.235.88.160 [20/0] via 84.235.77.85, 22:29:12

C 84.235.77.84 is directly connected, Serial0/0/0.104

B 84.235.83.68 [20/0] via 84.235.77.85, 5w1d

C 20.0.0.0/8 is directly connected, GigabitEthernet0/0

172.31.0.0/30 is subnetted, 1 subnets

B 172.31.2.152 [20/0] via 84.235.77.85, 2w2d

AL-AYUNI-OLAYA#

REMOTE :

AL-AYUNI-HAIRE#sh ip route

Gateway of last resort is not set

B 50.0.0.0/8 [20/0] via 172.31.2.153, 05:32:45 ---------------- Another Branch Office

84.0.0.0/30 is subnetted, 4 subnets

B 84.235.67.208 [20/0] via 172.31.2.153, 04:39:33

B 84.235.88.160 [20/0] via 172.31.2.153, 22:23:49

B 84.235.77.84 [20/0] via 172.31.2.153, 1d19h

B 84.235.83.68 [20/0] via 172.31.2.153, 1d19h

B 20.0.0.0/8 [20/0] via 172.31.2.153, 1d19h ---------------------- Head Office

172.31.0.0/30 is subnetted, 1 subnets

C 172.31.2.152 is directly connected, FastEthernet0.3429

C 192.168.1.0/24 is directly connected, Vlan1

AL-AYUNI-HAIRE#

3.

When I try to ping using extended ping as you specified...

AL-AYUNI-HAIRE#ping 20.0.0.10 source vlan 1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.0.0.10, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.2

.....

Success rate is 0 percent (0/5)

4. Exactly, it's IP VPN using MPLS Clouds. I don't know how to check for MTU & frame size issues...

Please explain this further

Thanks in advance

Richard Burts Tue, 06/19/2007 - 06:42

Abdul

If you have determined that the problem is that HQ does not have a route to the remote network then there is not much need to discuss MTU and frame size since the problem is obviously a routing issue not a fragmentation issue.

Without seeing details from the configs it is difficult to know exactly what the problem is, but it is evident that the remote is not advertising its network to HQ. I do not know whether there is not a network statement for the 192.168.1.0 network, or whether there is outbound route filtering on the remote or whether there is inbound route filtering at HQ. But for some reason the network from the remote is not getting into the routing table at HQ. And until it does get into the routing table at HQ the clients at the remote will not be able to access the server at HQ.

HTH

Rick

reachrahaman Tue, 06/19/2007 - 09:14

Rick

Thanks for your Support.

I'm enclosing the Running Config at HQ & Remote Location.

Running Config in HQ :-----------HQ---------

AL-AYUNI-OLAYA#sh run

Building configuration...

Current configuration : 4121 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname AL-AYUNI-OLAYA

!

boot-start-marker

boot system flash c2800nm-advipservicesk9-mz.124-7a.bin

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$HmWK$KkbkSpGuJ4WcVpaEI1hA3.

!

no aaa new-model

!

resource policy

!

ip cef

!

ip domain name yourdomain.com

!

voice-card 0

no dspfarm

!

!

username abdul privilege 15 secret 5 $1$OPedl$smM/VjMP4A/cCfIFr/CGf/

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

ip address 20.0.0.1 255.0.0.0

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

encapsulation frame-relay IETF

frame-relay lmi-type ansi

!

interface Serial0/0/0.104 point-to-point

ip address 84.235.77.86 255.255.255.252

frame-relay interface-dlci 104

!

interface Serial0/0/1

no ip address

shutdown

clock rate 2000000

!

interface XTagATM0

no ip address

!

router bgp 64659

no synchronization

bgp log-neighbor-changes

redistribute connected

neighbor 84.235.77.85 remote-as 65000

no auto-summary

!

control-plane

!

!

line con 0

login local

line aux 0

line vty 0

privilege level 15

password abdulvty

login

transport input telnet

line vty 1 4

privilege level 15

no login

transport input telnet

!

scheduler allocate 20000 1000

!

end

AL-AYUNI-OLAYA#

Running Config in REMOTE :--------REMOTE------

AL-AYUNI-HAIRE#sh run

Building configuration...

Current configuration : 3201 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname AL-AYUNI-HAIRE

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$2bj.$5ejOc1TZt9XfYCR8v6mPlt.

!

no aaa new-model

!

resource policy

!

!

!

ip cef

!

username abdul privilege 15 password 0 asdf

!

interface FastEthernet0

no ip address

duplex auto

speed auto

!

interface FastEthernet0.3429

description FastEthernet 0.3429 dot1q vlan id=3429. By VPNSC: Job Id#=8134

encapsulation dot1Q 3429

ip address 172.31.2.154 255.255.255.252

ip nat outside

ip virtual-reassembly

no snmp trap link-status

!

interface FastEthernet1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Vlan1

ip address 192.168.1.2 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Async1

no ip address

encapsulation slip

!

router bgp 64659

no synchronization

bgp log-neighbor-changes

neighbor 172.31.2.153 remote-as 65000

no auto-summary

!

!

control-plane

!

!

line con 0

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

password abdul

login

!

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

AL-AYUNI-HAIRE#

Hope this will resolve my issues..

Abdul

Richard Burts Tue, 06/19/2007 - 09:38

Abdul

Thanks for posting the configs. When I first looked I thought that I had found the problem when I noted that the remote router is running BGP but is not advertising its local network. But when I looked more closely I believe that the real issue is something else. I note that the outbound interface FastEthernet0.3429 is configured with nat outside and that VLAN 1 is configured with nat inside. But I do not see any other nat configuration. If you will add the configuration to translate the VLAN 1 addresses using overload on the FastEthernet0.3429, then HQ will have a path to the remote subnet.

HTH

Rick

reachrahaman Sat, 06/23/2007 - 03:42

Rick

Sorry for belated reply.

I have added these two statements...

ip nat inside source list 1 interface FastEthernet0.3429 overload

access-list 1 permit 192.168.1.0 0.0.0.255

After this Client can access Server in HQ.

But still the HQ Router doesn't have the path to the remote subnet.

How can we resolve this issue?

Richard Burts Sun, 06/24/2007 - 04:27

Abdul

I am glad to know that my suggestion was effective in allowing the clients at the remote to access the server at HQ.

For solving the issue of HQ initiating traffic to the remote there are several alternatives that could work. Choosing which one is best would depend on knowing more about the design and setup of your network.

First lets be sure that we understand what is happening now: you are using dynamic translation with overload, which is generally called PAT (for Port Address Translation). In dynamic PAT when an end station initiates traffic to HQ the router generates an entry in the translation table which allows traffic from HQ to the end station to be correctly translated and delivered to the correct host. But if HQ initiates traffic there is not an entry in the translation table and therefore traffic from HQ can not be translated and delivered to the end station at the remote.

So one solution would be to configure some kind of static translation so that end stations would always have an entry in the translation table and HQ would be able to initiate traffic to them.

Another alternative would be to put a network statement under router bgp at the remote to advertise the LAN network through BGP to HQ. This would make all the end stations reachable without requiring any translation.

Perhaps looking at the other remote offices could show how they solve this issue and help choose the most appropriate alternative for this office.

HTH

Rick
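An added illustration of the PAT behaviour Rick describes above (this is constructed example code, not from the thread or from Cisco IOS): a toy translation table for the overload statement Abdul added, fed a client-initiated flow, an HQ-initiated packet, and then a hypothetical static port entry. The address and port values are taken from the thread; the static translation line quoted in the comment is an assumed example of what "some kind of static translation" could look like.

```python
from dataclasses import dataclass, field

# Addresses from the thread: the remote LAN 192.168.1.0/24 sits behind the
# 1811's FastEthernet0.3429 address 172.31.2.154; the HQ server is 20.0.0.10.
OUTSIDE_ADDR = "172.31.2.154"


@dataclass
class Pat:
    """Toy model of 'ip nat inside source list 1 interface Fa0.3429 overload'."""
    inside_net: str = "192.168.1."               # what access-list 1 permits
    dynamic: dict = field(default_factory=dict)  # global port -> (inside ip, inside port)
    static: dict = field(default_factory=dict)   # same shape, configured by hand
    next_port: int = 1024

    def inside_to_outside(self, src_ip, src_port, dst_ip, dst_port):
        """LAN-initiated packet: create (or reuse) a dynamic entry, rewrite source."""
        if not src_ip.startswith(self.inside_net):
            return None                          # not matched by the ACL: no translation
        for gport, entry in self.dynamic.items():
            if entry == (src_ip, src_port):
                return (OUTSIDE_ADDR, gport, dst_ip, dst_port)
        gport, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[gport] = (src_ip, src_port)
        return (OUTSIDE_ADDR, gport, dst_ip, dst_port)

    def outside_to_inside(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from HQ: only deliverable if an entry already exists."""
        if dst_ip != OUTSIDE_ADDR:
            return None
        entry = self.dynamic.get(dst_port) or self.static.get(dst_port)
        if entry is None:
            return None                          # no entry: dropped, so HQ cannot initiate
        return (src_ip, src_port) + entry


def walkthrough():
    pat = Pat()
    # 1. the client opens a connection to the server; the reply is translated back
    out = pat.inside_to_outside("192.168.1.50", 40000, "20.0.0.10", 80)
    reply = pat.outside_to_inside("20.0.0.10", 80, out[0], out[1])
    # 2. HQ tries to reach the client first: nothing in the table, packet dropped
    hq_first = pat.outside_to_inside("20.0.0.10", 50000, OUTSIDE_ADDR, 3389)
    # 3. a hypothetical static entry (assumed example, not from the thread), e.g.
    #    ip nat inside source static tcp 192.168.1.50 3389 172.31.2.154 3389
    pat.static[3389] = ("192.168.1.50", 3389)
    hq_static = pat.outside_to_inside("20.0.0.10", 50000, OUTSIDE_ADDR, 3389)
    return out, reply, hq_first, hq_static
```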

Correct Answer
Pavel Bykov Sun, 06/24/2007 - 07:30

Wow. Good catch. At first I was startled by BGP too - because the local AS would be in the AS Path. But since all routing information is provided by the provider, it's not a problem.

I think the problem can also be solved by injecting a route into ISP cloud, if ISP allows it.

Method 1.

Call ISP, and ask them to add route 192.168.1.0/24 to the next hop of 172.31.2.154.

After the route 192.168.1.0 shows in the "show ip route" in the HQ, remove "ip nat inside" and "ip nat outside" statements on the REMOTE router.

Method 2. (Configure BGP yourself)

HQ:

router bgp 64659

neighbor 84.235.77.85 allowas-in 1

Remote:

interface FastEthernet0.3429

no ip nat outside

interface Vlan1

no ip nat inside

router bgp 64659

network 192.168.1.0 mask 255.255.255.0
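An added model of the AS_PATH loop check that Method 2's `allowas-in 1` relaxes (constructed example code, not from the thread or from Cisco IOS). It assumes the provider simply prepends its own AS 65000 when re-advertising, so the remote's 192.168.1.0/24 reaches HQ with AS_PATH 65000 64659 and is dropped by default because both sites share AS 64659.

```python
from dataclasses import dataclass

# AS numbers from the posted configs: both sites run 'router bgp 64659' and
# peer with the provider's AS 65000.
SITE_AS = 64659
ISP_AS = 65000


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple          # leftmost element is the most recently traversed AS


def send_ebgp(update, sender_as):
    """An eBGP speaker prepends its own AS before passing the route on."""
    return Update(update.prefix, (sender_as,) + update.as_path)


def receive_ebgp(update, local_as, allowas_in=0):
    """Inbound loop check. By default a route whose AS_PATH already contains the
    local AS is discarded; 'neighbor ... allowas-in N' permits up to N occurrences.
    Returns True if the route is accepted."""
    return update.as_path.count(local_as) <= allowas_in


def hq_learns_remote_lan(allowas_in=0):
    """Trace 192.168.1.0/24 from the remote 1811 through the provider to HQ."""
    origin = Update("192.168.1.0/24", ())        # 'network 192.168.1.0 mask ...'
    at_isp = send_ebgp(origin, SITE_AS)          # provider sees AS_PATH 64659
    at_hq = send_ebgp(at_isp, ISP_AS)            # HQ sees AS_PATH 65000 64659
    return at_hq.as_path, receive_ebgp(at_hq, SITE_AS, allowas_in)


if __name__ == "__main__":
    print(hq_learns_remote_lan())               # ((65000, 64659), False): dropped
    print(hq_learns_remote_lan(allowas_in=1))   # ((65000, 64659), True): accepted
```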

reachrahaman Mon, 06/25/2007 - 00:38

I would like to thank Rick and Slider.

I have tried Method 2. Working excellent.

Thanks for your Support.

Abdul.
