11-21-2008 10:42 AM - edited 03-04-2019 12:26 AM
Ok,
I posted a couple of days ago about a telnet problem that I had where I could ping the router, but couldn't telnet to it. There are NO acls involved at all.
Well today, I figured out that I can telnet to the router from another router, but not from a host behind the router. It looks like this:
Cannot telnet: host -> router -> router
Can telnet: router -> router
This doesn't make any sense to me at all. Any ideas?
--John
11-21-2008 10:57 AM
It seems the destination router does not have a route back to the host. Yes, I know you said ping works, but it could be due to some proxy-arp feature enabled on the router<->router link.
Verify routing from the router to host and vice-versa.
HTH,
__
Edison.
11-21-2008 12:04 PM
Ping works fine. The setup is like this:
RouterA (f0/0) 192.168.1.2 -----> 192.168.1.1 (fa0/0) Router B
Router B's last resort is 192.168.1.2 (ip route 0.0.0.0 0.0.0.0 192.168.1.2)
That's the only route that it has.
If I do a show arp | i 192.168.1.2, I show that 1.1 and 1.2 are on interface fa0/0 on RouterA. Does this mean it's doing proxy arp? I don't have it specifically disabled, and I'm not sure what ramifications it would have if I did disable it. Aside from that, why can I telnet from a router, but not from a host behind the router? No firewalls in any scenario by the way.
Thanks,
John
11-21-2008 10:58 AM
John
Can that host telnet to the first router? Is it possible that there is something on that host that interferes with telnet?
Is it possible that there is some security policy on the middle router that might intercept the telnet to the other router?
HTH
Rick
11-21-2008 11:59 AM
The host can telnet into the router that's local to it, but not across to the other router. The router that's local to the host can telnet to the other router. There's nothing blocking traffic, and it's really frustrating me. :-)
Thanks Rick!
--John
11-21-2008 11:00 AM
Can any other host get to this router?
Is there a firewall inline between these, or a proxy server?
I had an issue at a client site and it was a firewall that sat between the host and the edge router, but there was another path via another zone in the firewall that allowed a switch to telnet into the router.
11-21-2008 11:58 AM
There are no hosts behind this router, but all routers in the enterprise can telnet to it.
11-21-2008 12:02 PM
Is this the only router that this particular host cannot telnet to?
Have you tried from another host?
Also telnet to that specific router from another router and turn on debug:
debug telnet
Make sure you term mon to show the output
This will tell you if you can even get to it.
11-21-2008 12:07 PM
I can telnet to any of my other routers from this host (and it's not really a host issue). I can't telnet from any location, any host, behind a router, to this router. I've created access lists that dump logs, and I don't see any of my host IPs in there, but I do see when the router gets connected.
--John
11-21-2008 12:13 PM
Ok, I can't telnet from the "bad" router to another host. I'm sure it's a routing issue, but I can ping the host from the router, so my next question is:
What is so different about telnet as compared to ping in that it won't just use the default route of "ip route 0.0.0.0 0.0.0.0 192.168.1.2"?
Thanks!!
--John
11-21-2008 01:25 PM
Are you advertising the 192.168.1.x (router-to-router) link to the rest of the network?
Can you traceroute from the host to the router and see where it dies?
You can setup an ACL with log options on the router incoming interface and see if the packet is making it there.
HTH,
__
Edison.
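As an added example, not part of the original thread: the checks suggested above (a logging ACL on the incoming interface, plus the earlier "debug telnet" with "term mon") written out as IOS configuration for the destination router, 192.168.1.1. It assumes the router-to-router link is FastEthernet0/1, as in the routing table John posts later in the thread; the ACL name and logging buffer size are assumptions too.

```ios
! Added example (not from the thread). Apply on the destination router,
! 192.168.1.1. Interface name, ACL name and buffer size are assumptions.
!
! 1. Count and log telnet and ICMP arriving on the link interface.
!    The final "permit ip any any" keeps all other traffic flowing.
ip access-list extended TELNET-TRACE
 permit tcp any host 192.168.1.1 eq telnet log
 permit icmp any host 192.168.1.1 log
 permit ip any any
!
interface FastEthernet0/1
 ip access-group TELNET-TRACE in
!
! Keep the log messages locally so they can be read after the test.
logging buffered 16384 informational
!
! 2. From exec mode, watch the telnet negotiation while the host retries:
terminal monitor
debug telnet
!
! 3. Compare hit counts: matches on the icmp line but none on the
!    telnet line mean the TCP SYN never reaches this interface.
show ip access-lists TELNET-TRACE
show logging | include TELNET-TRACE
!
! 4. Clean up when done.
undebug all
interface FastEthernet0/1
 no ip access-group TELNET-TRACE in
```

Packets that match a "log" entry are process-switched, so on a busy production link narrow the logged lines to the test host's address rather than "any". If the telnet line does count hits but no session comes up and "debug telnet" prints nothing, the SYN is arriving and the reply path (the route back to the host, as Edison suggested earlier) is the next thing to check.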
11-21-2008 01:28 PM
Packet isn't making it there, but traceroute doesn't die. It goes all the way through to the router. I admit, it's a weird problem.
I'm not advertising the public interface of that router, but I am advertising the internal subnet (10.10.10.0) to the rest of the network via bgp by redistributing my statics on the primary router that links to this router.
--John
11-21-2008 01:32 PM
"I'm not advertising the public interface of that router,"
A little confused there. You mentioned 192.168.1.x/24 - you call that public interface?
You said, traceroute doesn't die - does it go into a loop ?
Is this a lab or production network?
Can you post configs, diagram and routing table?
Thanks
11-21-2008 01:58 PM
No loop; it finishes the trace with no problems. I've attached a quick diagram. This is a production network, and it's working fine with everything else. It's a DR site, and yes the 192.168.1.1 is the public side. This is a fiber point to point connection (ATT Opteman link).
Here's my routing table
Routing entry for 10.10.10.0/24
Known via "static", distance 1, metric 0
Redistributing via bgp 65101
Advertised by bgp 65101
Routing Descriptor Blocks:
* 192.168.1.1
Route metric is 0, traffic share count is 1
192.168.1.1 Routing table:
192.168.1.0/24 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0
C 10.11.11.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.2
Thanks!
John
11-21-2008 02:08 PM
Try redistributing connected on the 192.168.1.2 BGP router.
HTH,
__
Edison.
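As an added example, not from the thread: Edison's suggestion written out for the 192.168.1.2 router, which the routing table above shows is already redistributing statics into BGP 65101. A bare "redistribute connected" would push every connected subnet on that router into BGP, so this version filters it to the point-to-point link with a prefix list; the prefix-list and route-map names are assumptions, as is the placement directly under "router bgp" rather than an address-family.

```ios
! Added example (not from the thread). Apply on the BGP router 192.168.1.2.
! Prefix-list and route-map names are assumptions.
!
! Only the router-to-router link should enter BGP from "connected".
ip prefix-list P2P-LINK seq 5 permit 192.168.1.0/24
!
route-map CONNECTED-INTO-BGP permit 10
 match ip address prefix-list P2P-LINK
!
router bgp 65101
 redistribute connected route-map CONNECTED-INTO-BGP
!
! Verify: the link prefix is now in the local BGP table ...
show ip bgp 192.168.1.0/24
! ... and a router elsewhere in the enterprise (where the host sits)
! has a specific route to 192.168.1.1 rather than only a default.
show ip route 192.168.1.1
```

The equivalent without any redistribute statement is "network 192.168.1.0 mask 255.255.255.0" under "router bgp 65101". Either way the link address becomes reachable from every host in the enterprise, so once it is advertised, restrict the vty lines with an "access-class" to management sources and prefer SSH over telnet for the sessions themselves.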