Lost

Nov 15th, 2007

Strange situation. Have a company with two physical sites connected via a point-to-point T1. On each end of the T1 are old Cisco 1602R routers. The problem is actually with Exchange servers failing to talk to each other properly. Site A is main office and Site B is branch office. Each site contains 1 Exchange server and the sites are supposed to talk over this p-t-p connection. I cannot use telnet to connect from site A to site B over port 25. I can however, connect from site B to site A over port 25.


Essentially, the communication between these Exchange servers is failing because messages cannot go from site A to site B, but can go from site B to site A.


The interesting thing is that I can use telnet from site A to site B using a different port, say 691 which is also used with Exchange and it works fine.


I can telnet into site B router and establish a telnet session to the Exchange server in site B.


The problem is router A. For some reason, it will not allow requests over port 25 to go through.


Any clue???

Richard Burts Thu, 11/15/2007 - 19:16
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

James


When some traffic does work but traffic on a particular port does not work my first guess is that there is an access list that is blocking.


If you would post the config of both routers we would more likely be able to identify the problem.


HTH


Rick

jlcarey1usa Fri, 11/16/2007 - 04:23

OK. I am trying to clean up the previous admin's mess.


Site A: I think the problem is on this router.


Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname NY_router

!

enable password "xxxx"

!

!

ip subnet-zero

no ip domain-lookup

!

process-max-time 200

!

interface Ethernet0

description connected to NY_LAN

ip address 192.168.110.1 255.255.255.0

no ip directed-broadcast

no keepalive

!

interface Serial0

description 56k CSU/DSU NOT USED

no ip address

no ip directed-broadcast

encapsulation ppp

no fair-queue

service module 56k clock source line

service module 56k network-type dds

!

interface Serial1

description connected to GA router via t1

bandwidth 1120

ip address 10.1.2.1 255.255.255.0

no ip directed-broadcast

encapsulation ppp

no fair-queue

service-module t1 timeslots 1-20

service-module t1 remote-alarm-enable

!

no ip classless

ip route 0.0.0.0 0.0.0.0 192.168.110.6

ip route 192.168.120.0 255.255.255.0 10.1.2.2

no ip http server

!

!

line con 0

exec timeout 0 0

password "xxx"

login

transport input none

line vty 0 4

password "xxx"

login

!

end



192.168.110.6 is another gateway on the lan subnet that is connected to a sonicwall and then to the Internet.




jlcarey1usa Fri, 11/16/2007 - 04:34

Site B:

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

no service udp-small-servers

no service tcp-small-servers

!

hostname GA-router

!

enable password "xxxx"

ip subnet-zero

no ip domain-lookup

!

interface Ethernet0

description connected to GA_LAN

ip address 192.168.120.1 255.255.255.0

no ip directed-broadcast

!

interface Serial0

description 56k CSU/DSU NOT USED

no ip address

no ip address directed-broadcast

encapsulation ppp

shutdown

service module 56k clock source internal

service module 56k network-type dds

!

interface Serial1

description connected to NY via t1

ip address 10.1.2.2 255.255.255.0

no ip address directed-broadcast

bandwidth 1120

service-module t1 timeslots 1-20

service-module t1 remote-alarm-enable

!

no ip classless

ip route 0.0.0.0 0.0.0.0 192.168.120.2

ip route 0.0.0.0 0.0.0.0 192.168.110.1 2

ip route 192.168.110.0 255.255.255.0 10.1.2.1

ip route 192.168.110.0 255.255.255.0 192.168.120.2 2

!

line con 0

exec-timeout 0 0

password "xxx"

login

transport input none

line vty 0 4

password "xxx"

login

!

end


192.168.120.2 is connected to a sonicwall and out to the Internet. This serves as a backup vpn between the offices.



Richard Burts Fri, 11/16/2007 - 04:39

I do not see anything in this router config that would produce the symptoms that you describe. Can you post the config of the other router?


I do see a couple of things in this config that I would question - though I do not believe that they are related to the symptoms that you describe:

- interface Ethernet 0 is configured with no keepalive. Why is this? It is generally best practice to have keepalive on LAN interfaces?

- no ip classless is configured. This is a very old practice and in general we are better off to configure ip classless. Though with 1 static default route and 1 static network route it probably does not have much impact either way.


HTH


Rick

Richard Burts Fri, 11/16/2007 - 04:47

James


You posted the config of the second router while I was making my prior response. Thanks for posting the other config.


I do not see anything in the second config that would produce the symptom that you describe. And I went back and re-read the entire thread. I wonder about this statement in the original post:

I can telnet into site B router and establish a telnet session to the Exchange server in site B.

When you telnet to site B and telnet to the Exchange server is that a normal telnet or a telnet on port 25?


HTH


Rick

jlcarey1usa Fri, 11/16/2007 - 05:27

port 25.


I just changed the port on the exchange server to port 30 and I can now connect to the exchange server on port 30 from site A.


Port 25 is being blocked on site A's router somehow. I have no idea how that could happen.





m.brentlinger Fri, 11/16/2007 - 06:06

Silly question that I presume you've already checked... though is there any chance you did a:

show startup


and not a:

show run


I suppose you could have a startup config that's not what you're actually running?


you could try a:

show access-lists

or

show interfaces


to see if there are indeed any active acls or acls applied to any interfaces

jlcarey1usa Fri, 11/16/2007 - 06:28

I did a show run!! Good thought though.


But I will check the startup config and the access lists.

jlcarey1usa Fri, 11/16/2007 - 06:32

Here are the results from show access-lists and then show int


NY_router#show access-lists


NY_router#show int

Ethernet0 is up, line protocol is up

Hardware is QUICC Ethernet, address is 00d0.bae0.29ec (bia 00d0.bae0.29ec)

Description: connected to NY_LAN

Internet address is 192.168.110.1/24

MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Queueing strategy: fifo

Output queue 0/40, 5232 drops; input queue 0/75, 0 drops

5 minute input rate 13000 bits/sec, 11 packets/sec

5 minute output rate 11000 bits/sec, 7 packets/sec

25357744 packets input, 3623322221 bytes, 8 no buffer

Received 17250795 broadcasts, 0 runts, 0 giants, 138875 throttles

3767 input errors, 1 CRC, 3766 frame, 0 overrun, 0 ignored

0 input packets with dribble condition detected

9747530 packets output, 2071818853 bytes, 0 underruns

1098 output errors, 361077 collisions, 1 interface resets

0 babbles, 0 late collision, 129386 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Serial0 is down, line protocol is down

Hardware is QUICC Serial (with onboard CSU/DSU)

Description: 56k csu/dsu NOT USED

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive set (10 sec)

LCP Closed

Closed: CDPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters 8w2d

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=down DTR=up RTS=up CTS=up


Serial1 is down, line protocol is down

Hardware is QUICC Serial (with FT1 CSU/DSU WIC)

Description: connected to GA router via t1

Internet address is 10.1.2.1/24

MTU 1500 bytes, BW 1120 Kbit, DLY 20000 usec,

reliability 202/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive set (10 sec)

LCP Closed

Closed: IPCP, CDPCP

Last input 8w1d, output 8w1d, output hang never

Last clearing of "show interface" counters 8w2d

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

11752 packets input, 753596 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

7351 input errors, 27 CRC, 5803 frame, 0 overrun, 0 ignored, 1521 abort

7490 packets output, 104860 bytes, 0 underruns

0 output errors, 0 collisions, 683 interface resets

0 output buffer failures, 0 output buffers swapped out

3 carrier transitions

DCD=down DSR=up DTR=up RTS=up CTS=down


NY_router#

jlcarey1usa Fri, 11/16/2007 - 11:45

Here's another weird thing for you. On both routers, the serial1 interface shows that it is down. Yet I can get access to both sites and ping, etc.


This is what I am seeing: serial1 is down, line protocol is down.?????


User Access Verification


Password:

NY_router>en

Password:

NY_router#sh int s1

Serial1 is down, line protocol is down

Hardware is QUICC Serial (with FT1 CSU/DSU WIC)

Description: connected to GA router via t1

Internet address is 10.1.2.1/24

MTU 1500 bytes, BW 1120 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive set (10 sec)

LCP Closed

Closed: IPCP, CDPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters 00:06:53

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=up DTR=up RTS=up CTS=down

Richard Burts Fri, 11/16/2007 - 12:33

James


I missed this clue in your earlier post. :(

I believe that it is quite helpful in understanding what the issue may be. The serial interface does show as down and that means that no data is flowing over the serial interface. Your earlier post indicates that there is a VPN connection which serves as a backup and I believe that data is flowing over that backup connection. There are several ways that you can verify this:

- do a show ip route on either or both routers and I believe that you will see that the route between the sites is over the backup.

- do a traceroute from NY to GA or from a host in NY to a host in GA. I believe that you will see that the responding interface is not the serial interface but is the VPN path.


This may also help explain the problem with port 25 in GA. If the data is passing through the sonicwall/VPN then there is a possibility that one of the sonicwalls is denying that traffic.


HTH


Rick

jlcarey1usa Fri, 11/16/2007 - 12:38

OK. I did a show ip route on the ny router and this is what I get:


Does that confirm your statement?


User Access Verification


Password:

NY_router>en

Password:

NY_router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route


Gateway of last resort is 192.168.110.6 to network 0.0.0.0


C 192.168.110.0/24 is directly connected, Ethernet0

S* 0.0.0.0/0 [1/0] via 192.168.110.6

NY_router#

jlcarey1usa Fri, 11/16/2007 - 12:40

This is from the GA router:


User Access Verification


Password:

GA_router>en

Password:

GA_router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

U - per-user static route, o - ODR


Gateway of last resort is 192.168.120.2 to network 0.0.0.0


S 192.168.110.0/24 [2/0] via 192.168.120.2

C 192.168.120.0/24 is directly connected, Ethernet0

S* 0.0.0.0/0 [1/0] via 192.168.120.2

GA_router#


Richard Burts Fri, 11/16/2007 - 12:49

James


Yes this is exactly the confirmation that I thought we would get. Notice here that the route to 192.168.110.0/24 has 192.168.120.2 as its next hop. That is the sonicwall/VPN and not the serial link.


So the traffic is definitely flowing through the VPN and not over the serial.


And I think that makes the sonicwall the primary suspect in what is the problem with port 25.


If you find the problem with the serial link and fix it I suspect that the port 25 problem will go away.


HTH


Rick

Hi All


Just a question.


Is the fact that there are 2 default routes configured on Site B pointing to two different LAN addresses not a problem?


--- Snippet of config from Site B Router -----


!

no ip classless

ip route 0.0.0.0 0.0.0.0 192.168.120.2

ip route 0.0.0.0 0.0.0.0 192.168.110.1 2

ip route 192.168.110.0 255.255.255.0 10.1.2.1

ip route 192.168.110.0 255.255.255.0 192.168.120.2 2

!


----------- END------------------------------


Richard Burts Fri, 11/16/2007 - 12:45

Michael


If you look carefully you will see that it is not really 2 default routes but is 1 regular static default route and 1 floating static default route to back up the primary in case it fails. The extra 2 at the end of the second default route is an administrative distance and differentiates the primary static default route from the backup. This is a "good thing" and not a problem.


HTH


Rick
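
Added example, not part of any post in this thread: the check Rick performs by eye in his two replies above (a floating static is only a backup, and the GA routing table shows the backup next hop in use) can be scripted by comparing the configured `ip route` lines with the static entries in `show ip route`. The sample strings are constructed from the configs and outputs posted in this thread; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the "ip route" lines and "show ip route" output posted in this thread.
GA_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.120.2
ip route 0.0.0.0 0.0.0.0 192.168.110.1 2
ip route 192.168.110.0 255.255.255.0 10.1.2.1
ip route 192.168.110.0 255.255.255.0 192.168.120.2 2
"""
GA_SHOW = """\
S 192.168.110.0/24 [2/0] via 192.168.120.2
C 192.168.120.0/24 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 192.168.120.2
"""
NY_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.110.6
ip route 192.168.120.0 255.255.255.0 10.1.2.2
"""
NY_SHOW = """\
C 192.168.110.0/24 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 192.168.110.6
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
CONFIG_RE = re.compile(rf"^ip route {IP} {IP} {IP}(?: (\d+))?[ \t]*$", re.M)
SHOW_RE = re.compile(rf"^S\*?\s+{IP}/(\d+)\s+\[(\d+)/\d+\]\s+via\s+{IP}", re.M)


def configured_routes(config):
    """Map prefix -> [(admin_distance, next_hop), ...], lowest distance first."""
    routes = {}
    for net, mask, hop, ad in CONFIG_RE.findall(config):
        plen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        # A static route with no trailing number has administrative distance 1.
        routes.setdefault(f"{net}/{plen}", []).append((int(ad or 1), hop))
    return {prefix: sorted(cands) for prefix, cands in routes.items()}


def installed_statics(show_ip_route):
    """Map prefix -> (admin_distance, next_hop) for static routes in the table."""
    return {f"{net}/{plen}": (int(ad), hop)
            for net, plen, ad, hop in SHOW_RE.findall(show_ip_route)}


def covering_next_hop(prefix, installed):
    """Next hop of the longest installed static route that contains prefix."""
    target = ipaddress.ip_network(prefix)
    best = None
    for candidate, (_, hop) in installed.items():
        net = ipaddress.ip_network(candidate)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def audit(config, show_ip_route):
    """Return (prefix, status, next_hop_in_use, preferred_next_hop) per prefix.

    status is "primary" when the lowest-distance route is installed, "backup"
    when a floating static has taken over, and "missing" when no configured
    route for the prefix is installed and traffic follows a covering route.
    """
    installed = installed_statics(show_ip_route)
    findings = []
    for prefix, candidates in configured_routes(config).items():
        preferred_hop = candidates[0][1]
        if prefix not in installed:
            status, in_use = "missing", covering_next_hop(prefix, installed)
        elif installed[prefix] == candidates[0]:
            status, in_use = "primary", preferred_hop
        else:
            status, in_use = "backup", installed[prefix][1]
        findings.append((prefix, status, in_use, preferred_hop))
    return findings


if __name__ == "__main__":
    for name, cfg, table in (("GA", GA_CONFIG, GA_SHOW), ("NY", NY_CONFIG, NY_SHOW)):
        for prefix, status, in_use, preferred in audit(cfg, table):
            print(f"{name} {prefix}: {status}, using {in_use}, preferred {preferred}")
```

Any prefix reported as "backup" or "missing" is following a path other than the intended one, which here means inter-site traffic is crossing the SonicWall devices and is subject to their filtering rules.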

Hi Rick


Cheers, for the swift response and clarification. I was thinking it was possibly that. I have read about floating static routes being used as backup routes in my studies but have never configured them or seen them configured.


I will know in future how they show up in a routing table.


Best Regards & again many thanks,


Michael

Richard Burts Fri, 11/16/2007 - 12:54

Michael


If you have not configured floating static routes or not seen them in configs then they are easy to miss. I am glad that you now have a better understanding of them. It may be helpful to look at the previous posting of show ip route from the GA router (where the floating static is configured) and figure which static is currently in the routing table.


HTH


Rick

jlcarey1usa Fri, 11/16/2007 - 13:14

Gentlemen,


I think that is the problem. We see amber or warning lights on the p-t-p equipment so that is most likely the issue here. I won't call it a complete victory, but it certainly is the best news I have heard all week.


I will keep you updated next week. I can't thank you enough. A good learning experience for me.



Richard Burts Fri, 11/16/2007 - 14:03

James


I am glad that the discussion has been helpful. It has been an unusual and interesting problem to figure out. Please do update us as you work through the issue.


HTH


Rick

jlcarey1usa Tue, 11/20/2007 - 09:55

Hey guys,


A little update for you. We finally got the ISP on the phone and they have been remotely connecting to our smartjacks and cisco routers to help diagnose the problem. One of the things they saw was that the timing between the two routers was out of whack. I don't have much specific info, but how does timing work on these things and more importantly, based on the configs posted earlier, how should we reconfigure timing?


If that makes sense...?

Richard Burts Tue, 11/20/2007 - 10:11

James


A little more detail from them might be helpful. On most leased lines the timing on the circuit is based on timing from the provider. And I believe that is what you have based on this config:

!

interface Serial1

description connected to GA router via t1

bandwidth 1120

ip address 10.1.2.1 255.255.255.0

no ip directed-broadcast

encapsulation ppp

no fair-queue

service-module t1 timeslots 1-20

service-module t1 remote-alarm-enable

!

If the ISP does not want timing from the circuit then you might try to configure:

service-module t1 clock source internal


Otherwise try to get some more information from the ISP including what they suggest as a solution.


In the mean time it might be helpful if you would post the output of show service-module serial 1. (from both routers)


HTH


Rick

Hi Rick


Yes, I can see from the output of the "show ip route" command on the GA Router that the gateway of last resort is the default static route 192.168.120.2, which is denoted in the routing table by the code "S*" and that this is the route of choice as the AD is 1 as opposed to the AD of 2 that the floating static route is configured with.


I will do some playing around with floating static routes on my home lab tomorrow so I can gain experience configuring them and seeing how they work when I kill the primary default route :)


Once again many thanks for your explanations, they are much appreciated.


Best Regards,


Michael

jlcarey1usa Tue, 11/20/2007 - 10:55

NY router:


NY_router#show service-module serial 1

Module type is T1/fractional

Hardware revision is 0.88, Software revision is v1.10,

Image checksum is 0x461796D6, Protocol revision is 0.1

Receiver has no alarms.

Framing is ESF, Line Code is B8ZS, Current clock source is line,

Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.

Last module self-test (done at startup): Passed

Last clearing of alarm counters 1d05h

loss of signal : 1, last occurred 20:28:01

loss of frame : 7, last occurred 01:11:47

AIS alarm : 6, last occurred 01:11:47

Remote alarm : 0,

Module access errors : 0,

Total Data (last 96 15 minute intervals):

510 Line Code Violations, 1040 Path Code Violations

3 Slip Secs, 80639 Fr Loss Secs, 21 Line Err Secs, 6 Degraded Mins

29 Errored Secs, 29 Bursty Err Secs, 18 Severely Err Secs, 80627 Unavail Secs

Data in current interval (97 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

jlcarey1usa Tue, 11/20/2007 - 10:55

GA router:


GA_router#show service-module serial 1

Module type is T1/fractional

Hardware revision is 0.88, Software revision is 1.07,

Image checksum is 0x8510A6B6, Protocol revision is 0.1

Receiver has no alarms.

Framing is ESF, Line Code is B8ZS, Current clock source is line,

Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.

Last module self-test (done at startup): Passed

Last clearing of alarm counters 01:12:10

loss of signal : 0,

loss of frame : 0,

AIS alarm : 0,

Remote alarm : 1, last occurred 01:12:00

Module access errors : 0,

Total Data (last 4 15 minute intervals):

0 Line Code Violations, 0 Path Code Violations

6 Slip Secs, 11 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

62 Errored Secs, 0 Bursty Err Secs, 11 Severely Err Secs, 0 Unavail Secs

Data in current interval (690 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs



Richard Burts Tue, 11/20/2007 - 11:22

James


Thank you for posting this output as I requested. It does show that currently both routers are getting timing (clocking) from the line. And this is generally what I would expect on a leased line. If the provider thinks that there is a timing problem you might talk to them about whether it is worth it to try using clock source internal as I suggested. I would probably not do this without checking with the provider.


This output does show that there are issues on the line. Note particularly:

510 Line Code Violations,

1040 Path Code Violations

80639 Fr Loss Secs

80627 Unavail Sec

Does the provider have anything to say about these?


HTH


Rick

jlcarey1usa Sat, 11/24/2007 - 09:02

The ISP changed some clocking on the routers on Wednesday, but I am still having difficulty. I think the p-t-p connection is going up and down or is at least having too many packet errors/collisions and therefore the vpn is taking over.


To me it's different and I am not used to the setup here, which I think is wrong. Each subnet (NY and GA) has two default gateways. One is the p-t-p connection and the other is the vpn/Internet connection. Shouldn't each subnet have 1 gateway? What is the "best practice" to implement?


I think what is happening is that the p-t-p is flaky and the packets can't decide which way to go so they oscillate between the p-t-p and the vpn.



Richard Burts Sat, 11/24/2007 - 09:40

James


It is not clear what the ISP changed, but it seems pretty clear that it did not clear up the problem. Perhaps a fresh output of show service-module would be helpful.


I am not clear about your comment that each subnet has 2 default gateways. Is this related to the static route/default route and the floating static/default route? Or is it something else? Perhaps when we understand the question a bit better we can have answers about best practice.


HTH


Rick

Hi There


As Rick pointed out in an earlier mail, as you have two possible paths for traffic to get from NY to GA (or vice versa), the primary route, the P2P route and the backup route, the VPN, so you have 2 default gateways. When your P2P link is functioning correctly, traffic will choose the default gateway associated with this link as the Administrative Distance of this default gateway is 1.


When the P2P link goes down this default route will no longer be considered valid and as there is a second default route with the Administrative Distance of 2 configured for this traffic over the VPN, traffic will be passed via this route across the VPN to the other office.


This configuration is called "Floating static route" and is a means of configuring redundancy into your routing table. This would be considered "Best Practice" IMHO as it is far better to have an alternative route for your traffic than for the traffic just to be dropped and your office's productivity come to a halt.


I think your main problem stems from the fact that your P2P link does not appear to be stable at present and if it is flapping, then every time this link is up your traffic will route across it (Higher AD on Def Route) and every time it fails your traffic then switches and goes across the VPN.


Best Regards,


Michael

jlcarey1usa Sat, 11/24/2007 - 10:30

I understand all of that about floating static routes. Makes perfect sense. What I meant was that the subnet has two physical gateways. Picture a typical network diagram with a horizontal subnet drawn across the paper. On one end is the p-t-p link with the 110.1 address and the other end is the 110.6 address which is the vpn and Internet gateway. Shouldn't there be one physical gateway that is attached to a router and have that router attached to the Internet, subnet, and p-t-p link? Or doesn't it matter? What can I do to test the routers for lousy connectivity?

jlcarey1usa Sat, 11/24/2007 - 12:11

NY_router#show service-module serial 1

Module type is T1/fractional

Hardware revision is 0.88, Software revision is v1.10,

Image checksum is 0x461796D6, Protocol revision is 0.1

Receiver has no alarms.

Framing is ESF, Line Code is B8ZS, Current clock source is internal,

Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.

Last module self-test (done at startup): Passed

Last clearing of alarm counters 2d23h

loss of signal : 0,

loss of frame : 0,

AIS alarm : 0,

Remote alarm : 0,

Module access errors : 0,

Total Data (last 96 15 minute intervals):

0 Line Code Violations, 0 Path Code Violations

4573 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 31 Degraded Mins

4573 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Data in current interval (217 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

12 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

12 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs




GA_router>en

Password:

GA_router#show service-module serial 1

Module type is T1/fractional

Hardware revision is 0.88, Software revision is 1.07,

Image checksum is 0x8510A6B6, Protocol revision is 0.1

Receiver has no alarms.

Framing is ESF, Line Code is B8ZS, Current clock source is internal,

Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.

Last module self-test (done at startup): Passed

Last clearing of alarm counters 2d23h

loss of signal : 0,

loss of frame : 0,

AIS alarm : 0,

Remote alarm : 0,

Module access errors : 0,

Total Data (last 96 15 minute intervals):

0 Line Code Violations, 0 Path Code Violations

4391 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

4391 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Data in current interval (129 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

7 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

7 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Richard Burts Sat, 11/24/2007 - 13:42

James


While it may be a bit more common to have a single gateway router for the subnet, it is not a problem to have 2 gateway routers. Some people I know choose to do it this way to provide greater redundancy - if the router with the point to point were to fail the subnet still has a way to get out. If there were a single gateway router then there is a single point of failure.


I will note that if there are going to be 2 gateway routers that it is common to run HSRP between the gateway routers so that the end station default gateway works to either gateway. In the way that it is configured now, if there is a failure of the point to point router in GA (failure of the router rather than failure of the ptp link) then I believe that the GA subnet would have no effective gateway.


Relative to your other post: the show service-module shows that things are not as bad as they were. But there are still significant problems. In particular both routers have a significant number of slip seconds and of Error seconds (which would be the slip seconds). I note that the ISP now has both routers set to clock internal. In my experience usually only one router is set to clock source internal and the other is left with clock source line. I am not sure that is the cause of the problem, but I would suggest to the ISP that they try it with only one router set to clock source internal.


HTH


Rick

jlcarey1usa Sat, 11/24/2007 - 13:59

I looked back on my previous posts and discovered that prior to any change by the ISP, both routers were set to clock source line. Now they are both set to clock source internal. So, by doing that, they have allowed the connection to work intermittently? Maybe these guys don't know what they are doing...


What is the real difference between internal and line?



Richard Burts Sat, 11/24/2007 - 14:10

James


In my experience the most common situation is for both routers on a leased line point to point circuit to be configured for clock source line in which the routers look for timing signals generated by the provider on the circuit. They use this to control and to synchronize their signaling. In some cases the provider does not provide clock on the circuit and one of the routers is configured for clock source internal in which case the router uses an internal oscillator to generate the clocking signal.


While I can not say for sure that having both set for clock source internal is causing the problem at this point, I would surely suggest to the ISP that you would like to see what happens if only one is set for clock source internal.


HTH


Rick

jlcarey1usa Sat, 11/24/2007 - 14:14

Can I issue the commands on the router myself? What would they be?


I can log on to both routers.

Richard Burts Sat, 11/24/2007 - 14:25

James


As long as you have access to enable mode then you certainly can enter the command yourself. The command is quite simple:

interface Serial1

service-module t1 clock source line


Note that this sets the clock source to its default value and probably it will not show up when you do show run. You can verify the setting in the output of the show service-module. Also note that I do not have much experience with 1602 routers and assume the syntax is similar to other routers. If you get a syntax error you should be able to use the question mark help to figure out the particular syntax.


HTH


Rick

jlcarey1usa Sat, 11/24/2007 - 14:36

I don't think that changes much:


GA_router>en
Password:
GA_router#show service-module serial 1
Module type is T1/fractional
Hardware revision is 0.88, Software revision is 1.07,
Image checksum is 0x8510A6B6, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is internal,
Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.
Last module self-test (done at startup): Passed
Last clearing of alarm counters 3d02h
loss of signal : 0,
loss of frame : 0,
AIS alarm : 0,
Remote alarm : 0,
Module access errors : 0,
Total Data (last 96 15 minute intervals):
0 Line Code Violations, 0 Path Code Violations
4381 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
4381 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Data in current interval (714 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
28 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
28 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs



NY_router#show service-module serial 1
Module type is T1/fractional
Hardware revision is 0.88, Software revision is v1.10,
Image checksum is 0x461796D6, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is line,
Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.
Last module self-test (done at startup): Passed
Last clearing of alarm counters 3d02h
loss of signal : 0,
loss of frame : 0,
AIS alarm : 0,
Remote alarm : 0,
Module access errors : 0,
Total Data (last 96 15 minute intervals):
0 Line Code Violations, 0 Path Code Violations
4560 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 31 Degraded Mins
4560 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Data in current interval (36 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs



What would you suggest?



Richard Burts Sat, 11/24/2007 - 17:48

James


Without knowing when you made the change and how much of the error statistics was before the change and how much after the change (given that the statistics accumulate over a 24 hour interval), it is hard to assess the impact of the change. The error count in GA (clock source still internal) for the current interval is showing about the same frequency of error. The count for NY (now is clock source line) for the current interval is hard to interpret since it only measures 36 seconds. If you give it a little while longer and the error statistics stay about the same then we can conclude that clock source is not the major factor in the problem. At that point I would go back to the ISP and say that you continue to get these many errors and that performance is suffering, and ask what they can do.


HTH


Rick
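
The comparison described in the reply above (current-interval slip rate against the 24-hour total), as an added example that is not part of the original thread. The sample text is excerpted from the `show service-module` output posted on 11/24; the two thresholds are assumptions chosen for illustration.

```python
import re

# Excerpts of the "show service-module serial 1" output posted above (11/24).
GA_OUTPUT = """\
Framing is ESF, Line Code is B8ZS, Current clock source is internal,
Total Data (last 96 15 minute intervals):
4381 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
Data in current interval (714 seconds elapsed):
28 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
"""
NY_OUTPUT = """\
Framing is ESF, Line Code is B8ZS, Current clock source is line,
Total Data (last 96 15 minute intervals):
4560 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 31 Degraded Mins
Data in current interval (36 seconds elapsed):
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
"""

MIN_SAMPLE_SECS = 300   # assumption: shorter windows say nothing either way
IMPROVED_RATIO = 0.5    # assumption: "better" means under half the 24h rate


def parse(text):
    """Return the clock source and (slip_secs, window_secs) per section."""
    result = {"clock": re.search(r"clock source is (\w+)", text).group(1)}
    section = window = None
    for line in text.splitlines():
        total = re.match(r"Total Data \(last (\d+) 15 minute intervals\)", line)
        current = re.match(r"Data in current interval \((\d+) seconds", line)
        slips = re.match(r"(\d+) Slip Secs", line)
        if total:
            section, window = "total", int(total.group(1)) * 15 * 60
        elif current:
            section, window = "current", int(current.group(1))
        elif slips and section:
            result[section] = (int(slips.group(1)), window)
    return result


def assess(text):
    """Compare the current-interval slip rate with the 24-hour baseline."""
    r = parse(text)
    baseline = r["total"][0] / r["total"][1]
    slips, window = r["current"]
    if window < MIN_SAMPLE_SECS:
        verdict = "too short to judge"
    elif slips / window < IMPROVED_RATIO * baseline:
        verdict = "improved"
    else:
        verdict = "no clear improvement"
    return {"clock": r["clock"], "baseline": round(baseline, 4),
            "current": round(slips / window, 4), "verdict": verdict}


if __name__ == "__main__":
    for name, out in (("GA", GA_OUTPUT), ("NY", NY_OUTPUT)):
        print(name, assess(out))
```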

jlcarey1usa Sun, 11/25/2007 - 05:11

This is the latest output from this morning:


NY_router>en
Password:
NY_router#show service-module serial 1
Module type is T1/fractional
Hardware revision is 0.88, Software revision is v1.10,
Image checksum is 0x461796D6, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is line,
Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.
Last module self-test (done at startup): Passed
Last clearing of alarm counters 3d17h
loss of signal : 0,
loss of frame : 0,
AIS alarm : 0,
Remote alarm : 0,
Module access errors : 0,
Total Data (last 96 15 minute intervals):
0 Line Code Violations, 0 Path Code Violations
1831 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 31 Degraded Mins
1831 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Data in current interval (67 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs



GA_router#show service-module serial 1
Module type is T1/fractional
Hardware revision is 0.88, Software revision is 1.07,
Image checksum is 0x8510A6B6, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is internal,
Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.
Last module self-test (done at startup): Passed
Last clearing of alarm counters 3d16h
loss of signal : 0,
loss of frame : 0,
AIS alarm : 0,
Remote alarm : 0,
Module access errors : 0,
Total Data (last 96 15 minute intervals):
0 Line Code Violations, 0 Path Code Violations
1784 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
1784 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Data in current interval (898 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs




Richard Burts Sun, 11/25/2007 - 14:52

James


At this point you have a better configuration for clock source and it does not seem to make much difference. I would go back to the ISP and say that you continue to get these many errors and that performance is suffering, and ask what they can do.


HTH


Rick

jlcarey1usa Mon, 12/17/2007 - 07:33

Rick,


Since you were so helpful before, I would like to get your input on a few things. I finally convinced the powers-that-be here that we need to reconfigure the network. So, we will be implementing a different, but simpler, network topology. When I do a sh ip route command on the NY router, I get this:


User Access Verification

Password:
NY_router>en
Password:
NY_router#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.110.6 to network 0.0.0.0

S 192.168.120.0/24 [1/0] via 10.1.2.2
C 192.168.110.0/24 is directly connected, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.2.0 is directly connected, Serial1
S* 0.0.0.0/0 [1/0] via 192.168.110.6
NY_router#


Doesn't the S* at the bottom mean that every request goes back to 110.6 because it is the candidate default?


I assume the GA router has the same statement except it would be 0.0.0.0/0 [1/0] via 192.168.120.2


What we are planning on doing is to eliminate the two physical gateways on the subnet. We will have the Internet coming into the WAN port on the Sonicwall firewall. Then have the LAN port on the Sonicwall directly connected to the E/0 port on a 2611. E/1 will be the actual LAN subnets and the DSU/CSU WIC will be the point-to-point connection between the two offices. This will give us the 1 gateway per subnet and allow us to use the p-t-p as it should be set up.


Everything correct so far?


The subnets will use 110.0 for NY and 120.0 for GA. My question is this. Since we only have a simple network, I guess putting in Static routes is the way to go, instead of configuring OSPF or any other form of dynamic routing because it will never change once implemented.


What ip address scheme should I give the E/0 port which is connected to the Sonicwall? I was thinking something like 192.168.0.1/24. Is this correct?






Richard Burts Mon, 12/17/2007 - 08:27

James


In the statement S* 0.0.0.0/0 [1/0] via 192.168.110.6, the S* indicates that this is a static configured route (default route). What it means is that any packet for which there is not a more specific route will be sent through the default route. (this is subtly different from saying that every request goes back to 110.6 - especially anything for the GA office in 192.168.120.0 will go over the serial rather than going through 110.6)


I can certainly understand the desire to redesign the network and to simplify it. There are some trade-offs and I think you should be clear about them as you redesign the network. In the previous design with two routers at each site, if there was a problem with the Internet facing router there was an alternative that gave you connectivity to the other office and at least possibly an alternate route to the Internet through the second router. With a single router at each site you give up some of this redundancy.


Certainly static routes have less overhead than a dynamic routing protocol. Static routes are especially appropriate for networks that are very stable and most especially for networks in which there is only a single way to get to most destinations. If GA is going to use the serial primarily as a way to get to the NY network but also to use the serial as a backup way to get to the Internet if the primary path through the firewall should have a problem you might think whether a dynamic routing protocol could react to failures better than a static route will.


In issues like this I believe that frequently there is not a clear answer about what is best. You need to consider the advantages of several approaches and decide which fits best in that particular situation.


As for the subnet addressing to use between the router and the firewall I believe that 192.168.0.0 is a fine network to use. If it really has only 2 devices on it (router and firewall) you could use a mask much smaller than /24. But since you are using a /24 on the point to point serial I guess for consistency go ahead with a /24 between router and firewall.


HTH


Rick
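
The route selection described in the reply above (the most specific match wins and the S* default catches the rest), as an added example that is not part of the original thread. It parses the route lines of the NY_router `sh ip route` output posted above; the destination addresses in the demo loop are constructed.

```python
import ipaddress
import re

# Route lines from the "sh ip route" output posted for NY_router (legend omitted).
ROUTE_TABLE = """\
S 192.168.120.0/24 [1/0] via 10.1.2.2
C 192.168.110.0/24 is directly connected, Ethernet0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.2.0 is directly connected, Serial1
S* 0.0.0.0/0 [1/0] via 192.168.110.6
"""


def parse_routes(text):
    """Return a list of (network, code, next hop or interface) tuples."""
    routes, parent_len = [], None
    for line in text.splitlines():
        header = re.match(r"\S+/(\d+) is subnetted", line)
        if header:
            # Child entries under this header are printed without a mask
            # and inherit the prefix length shown here.
            parent_len = header.group(1)
            continue
        m = re.match(r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(.*)", line)
        if not m:
            continue
        code, addr, plen, rest = m.groups()
        network = ipaddress.ip_network(f"{addr}/{plen or parent_len}")
        if "via " in rest:
            target = rest.split("via ")[-1]    # static route: next-hop address
        else:
            target = rest.split(", ")[-1]      # connected route: interface name
        routes.append((network, code, target))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: of all routes containing dest, pick the longest."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    # Constructed destinations: a GA host, a NY host, an Internet host.
    for dest in ("192.168.120.10", "192.168.110.50", "203.0.113.9"):
        network, code, target = lookup(table, dest)
        print(f"{dest:15} -> {code:2} {network} via {target}")
```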

jlcarey1usa Mon, 12/17/2007 - 08:47

Thanks. I understand the redundancy issue, but in this case I am willing to give that up. It's a very strange situation in which the two gateways are not functioning correctly, and we are forced to use the gateways that reach the Sonicwalls first.


Also, am I correct in saying that we can simply copy and paste the current configuration into the new routers and then just manually add the route and ip info for the new interface? Or will we need to do some other reconfigurations?


If I write in for the E/0 interface: ip address 192.168.0.1 255.255.255.0, no shut


and then add in a static route for that interface.


Change the ip address in the LAN interface of the sonicwall to 192.168.0.2


This should work?



Richard Burts Mon, 12/17/2007 - 09:01

James


In general cut and paste works well in transferring configuration information from one router to another router. You do sometimes need to watch out for changes in interface numbering which might change between models of router. I am not clear whether this is an issue here.


I am not sure what static route you are talking about adding. It almost sounds like you are planning for a static route for the subnet of the interface. You do not need to do this. The connected interface subnet will show up in the local routing table automatically. If it is some other static route then please clarify what static route it is.


HTH


Rick

jlcarey1usa Mon, 12/17/2007 - 09:17

I see what you are saying. I will need to be careful about the interface numbers. I think I actually have them backwards. It doesn't matter though. So, the local routing table will automatically understand that all requests to the Internet, (i.e. not to the other subnet) will need to go out the new interface. I thought you actually had to add a route in the config that would let the router know that.

Richard Burts Mon, 12/17/2007 - 09:47

James


Each router currently has a static default route (and the GA router has an additional floating static default route). When you connect the firewall on another interface and change the IP address of the firewall you will need to change the existing static default route. Your post talked about adding a static route, perhaps you meant change the static route.


HTH


Rick

jlcarey1usa Tue, 12/18/2007 - 14:48

Rick,


We are starting to configure the new routers. So far this is what we have:


From my pc, I am unable to ping 192.168.0.1 or 192.168.0.2 which is the connection between the router and the Sonicwall firewall. 110.0 is the subnet I am on.


NY2811>en
Password:
NY2811#sh run
Building configuration...

Current configuration : 1081 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NY2811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SazW$RKdLN.XMp2gL9DmJFl2kC1
enable password stanton
!
no aaa new-model
ip subnet-zero
no ip routing
!
!
no ip cef
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.110.1 255.255.255.0
no ip route-cache
duplex full
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.0.0
no ip route-cache
duplex auto
speed auto
!
interface Serial0/0/0
bandwidth 1120
ip address 10.1.2.1 255.255.255.0
no ip route-cache
no fair-queue
!
interface Serial0/1/0
no ip address
no ip route-cache
shutdown
clockrate 2000000
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.2
ip route 192.168.120.0 255.255.255.0 10.1.2.2
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password carpet
login
!
scheduler allocate 20000 1000
!
end

NY2811#


Richard Burts Wed, 12/19/2007 - 08:32

James


I am not sure why this is in the config:

no ip routing

I would suggest that you configure:

ip routing

and see what happens.


HTH


Rick
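
A pre-deployment check over the NY2811 configuration posted above, as an added example that is not part of the original thread. It flags the `no ip routing` line raised in the reply, interface subnets that overlap, passwords stored in cleartext, and the HTTP management server; the finding labels are this example's own, and the password values in the embedded excerpt are replaced with placeholders.

```python
import ipaddress
import re
from itertools import combinations

# Excerpt of the NY2811 config posted above; password values are replaced
# with <redacted> placeholders for this example.
CONFIG = """\
no service password-encryption
enable secret 5 <redacted>
enable password <redacted>
no ip routing
interface FastEthernet0/0
ip address 192.168.110.1 255.255.255.0
interface FastEthernet0/1
ip address 192.168.0.1 255.255.0.0
interface Serial0/0/0
ip address 10.1.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.0.2
ip http server
no ip http secure-server
line vty 0 4
password <redacted>
login
"""


def audit(config):
    """Return a list of finding strings for the given IOS config text."""
    findings, nets, iface = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("line "):
            iface = None
        addr = re.match(r"ip address (\S+) (\S+)$", line)
        if addr and iface:
            nets[iface] = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
        if line == "no ip routing":
            findings.append("routing-disabled")
        # "password 7 ..." is obfuscated; anything else is stored as typed.
        if re.match(r"(enable )?password (?!7 )", line):
            findings.append("cleartext-password: " + line.rsplit(" ", 1)[0])
        if line == "ip http server":
            findings.append("http-server-enabled")
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"overlap: {a} {net_a} / {b} {net_b}")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```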

jlcarey1usa Wed, 12/19/2007 - 08:42

Yes, we missed some configuration info. The only thing that seems to be not functioning is the actual p-t-p connection. We are unable to set the clocking on it. This is a 2811 router. We used the service-module t1 clock source line/internal command and it did not take.


Perhaps there is some new command for this newer router?
