Strange routing issue - only one IP affected

Unanswered Question
Nov 29th, 2007

I've encountered a routing problem to a single IP address within a global IP range.

Two traceroutes to a pair of addresses in the same subnet range are attached; the first traceroute, to, works, while the second traceroute, to, goes into a loop one hop out from the firewall of the destination network.

If these addresses are part of the same subnet, how can one work and the other one fail?

My ip route for this subnet is:

'ip route Vlanxx'



JORGE RODRIGUEZ Thu, 11/29/2007 - 11:43

This is an interesting traceroute; your static route is good too. If you are in [] router can you get to host 134? I would look into this router configuration... but this is weird! It seems as though does not know about


drumrb0y Thu, 11/29/2007 - 11:52

That's why I posted this - it goes over my head; I'm trained in PIX/ASA and LAN protocols - I'm not a CCNP yet ;-P

I admin the hop - the router is a connected VPN router that points somewhere else completely; why the trace would go there at all is a mystery, much less for a single address but no others...

Even from the device (an L3 3750 with VLANs configured), traceroutes fail to that IP.

I already ruled out the target server as a cause by replacing it with a laptop and making a static NAT in the firewall to the global IP.

I've scheduled a reboot for both of those devices for tonight, to rule out 'weird IOS error'. Other than that, I have no idea what this might be.


Kevin Dorrell Thu, 11/29/2007 - 14:52

It looks to me like is routing differently for than for They may be in the same subnet as far as you are concerned, but may think differently. It could, for example, have a host route as a result of IP mobility, or a frame-relay p2mp, or a PPP link, or something like that.

You really need show ip route on

Kevin Dorrell


glen.grant Thu, 11/29/2007 - 15:28

Maybe you can clarify a little about the . If it's a /29 then .134 and .139 are not in the same subnet; /29 ends at the .135 address and .139 is in the next subnet, so one could fail and the other not because they would be in different subnets. You have the static route at the /28 boundary, so you would have to clarify that.

JORGE RODRIGUEZ Thu, 11/29/2007 - 16:33

Kevin posted a good thought... and Glen nailed it, and lesson learned at my end to look closer. If this is the case, that is a good catch by Glen, if you take a look at /28 and /29.

/28 hosts addresses subnet address Broadcast

/29 hosts addresses Subnet address broadcast

So, as posted by Glen, you would have to take a look at whether you do indeed have one /28 and one /29 network somewhere, or both, to tailor your static route. If you do have both networks going to the same destination, then two static routes will be needed, one for the /28 and one for the /29.

drumrb0y Fri, 11/30/2007 - 06:39

Apologies to all - that mask was a typo; it used to be a /29 but was opened up to a /28 earlier this year.

A 'sh ip route' from that 3750:

xxxxx3750#sh ip route

Codes: C - connect*snip*

Gateway of last resort is to network

*** Private ranges removed ***

C is directly connected, Vlan600

S [1/0] via

C is directly connected, Vlan7

S [1/0] via

C is directly connected, Vlan21

S [1/0] via

S [1/0] via

S is directly connected, Null0

C is directly connected, Vlan593

C is directly connected, Vlan591

C is directly connected, Vlan8

S is directly connected, Null0

C is directly connected, Vlan9

S* [1/0] via


The global route commands taken off of the 'show running-config':

ip route

ip route

ip route

ip route Vlan21

ip route Null0

ip route Null0

ip route

A reboot of both this switch and the router had no effect.


JORGE RODRIGUEZ Fri, 11/30/2007 - 08:28

first what is is it a switch router or PC?

can you post just show ip route from 3570.

drumrb0y Fri, 11/30/2007 - 08:55

The problem has been fixed;

I got a solution from a contractor consultant that my Agency uses; he identified a proxy ARP statement in the 1700 VPN router for the affected IP address.

Apparently, the 1700 was responding first to ARP requests sent out by the 3750, since both of its interfaces connect to it (on different VLANs), and thus was giving the 3750 an erroneous ARP entry for that IP; since the 3750 is the default route out of the 1700, a loop was being created.

I would've never found this on my own.

Thanks all for inquiring and trying to help me out.
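
The failure described in the post above (a second device answering ARP for an address it does not own) can be spotted from a capture of ARP replies on the VLAN. The following is an added example, not part of the original thread: it assumes tcpdump-style text lines and uses constructed documentation addresses and MACs, since the thread's real values are not shown.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies in tcpdump's text form, as they might be
# captured on the shared VLAN. Addresses and MACs are documentation values,
# not values from the thread. 00:00:5e:00:53:aa plays the proxy-ARP router.
SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Reply 192.0.2.134 is-at 00:00:5e:00:53:10, length 46
10:00:02.000 ARP, Reply 192.0.2.139 is-at 00:00:5e:00:53:aa, length 46
10:00:02.004 ARP, Reply 192.0.2.139 is-at 00:00:5e:00:53:20, length 46
10:00:05.000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:aa, length 46
"""

REPLY_RE = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I
)

def parse_replies(text):
    """Return (ip, mac) pairs in capture order."""
    return [(m.group(1), m.group(2).lower()) for m in REPLY_RE.finditer(text)]

def conflicting_ips(replies):
    """Map each IP answered by more than one MAC to those MACs (first seen first)."""
    seen = defaultdict(list)
    for ip, mac in replies:
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def multi_ip_responders(replies):
    """MACs that answer for more than one IP; a proxy-ARP device shows up here."""
    by_mac = defaultdict(set)
    for ip, mac in replies:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    replies = parse_replies(SAMPLE_CAPTURE)
    for ip, macs in conflicting_ips(replies).items():
        print(f"{ip} is answered by: {', '.join(macs)}")
    for mac, ips in multi_ip_responders(replies).items():
        print(f"{mac} answers for: {', '.join(ips)}")
```

An IP that appears in the first report and whose unexpected MAC also appears in the second is the pattern to compare against the ARP table of the Layer 3 switch.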


dominic.caron Fri, 11/30/2007 - 10:59

Proxy ARP responds if the 3750 is trying to reach an address outside the configured network.

Did you forget to change the netmask on the 1700 when you changed your network from a /29 to /28?

drumrb0y Fri, 11/30/2007 - 11:03

I don't manage the 1700 router, so I just went on what he told me; all I know is that whatever tweak they made in the configuration worked...


