remote offices have no internet access

Unanswered Question
Feb 3rd, 2009

Hello,


I have a bit of a problem. Up until today, we had RIP running on our PTP and frame routers. I migrated to EIGRP and internally everything looks fine, and all devices can contact each other. The only issue I have is a few of our remote offices can not access the internet.


The offices affected are the ones directly connected to our main router. The main site has no issues with internet either.


Packets just seem to get to the main router and get dropped.


Here is the main router's config. Some has been edited to fit the post.



interface FastEthernet0/0
 description connected to EthernetLAN_1
 ip address 192.168.0.254 255.255.255.0
 ip policy route-map WWW_Traffic
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0/0
 description connection to village
 ip address 192.168.108.2 255.255.255.0
 no ip mroute-cache
!
interface Serial0/1
 description connection to east
 ip address 192.168.102.2 255.255.255.0
 no ip mroute-cache
 fair-queue
!
interface Serial0/1.4
!
interface Serial1/0
 description connection to warehouse
 ip address 192.168.104.2 255.255.255.0
!
interface Serial1/1
 no ip address
 encapsulation frame-relay
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial1/1.1 point-to-point
 ip address 192.168.205.2 255.255.255.0
!
interface Serial1/1.2 point-to-point
 description connection to East Hampton
 ip address 192.168.105.2 255.255.255.0
 frame-relay interface-dlci 17
!
interface Serial1/1.3 point-to-point
 description connetcion to watermill
 ip address 192.168.103.2 255.255.255.0
 frame-relay interface-dlci 18
!
interface Serial1/1.4 point-to-point
 description connetcion to tutto
 ip address 192.168.110.2 255.255.255.0
 frame-relay interface-dlci 19
!
interface Serial1/1.5 point-to-point
 description connetcion to tutto
 ip address 192.168.110.4 255.255.255.0
 shutdown
 frame-relay interface-dlci 20
!
router eigrp 10
 network 192.168.0.0
 network 192.168.102.0
 network 192.168.103.0
 network 192.168.105.0
 network 192.168.108.0
 network 192.168.110.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
!
!
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any any eq 443
access-list 199 permit udp any any eq domain
dialer-list 1 protocol ip permit
!
route-map WWW_Traffic permit 10
 match ip address 199
 set ip next-hop 192.168.0.15
!
route-map WWW_Traffic permit 20
!
end

Headquarters#


mahmoodmkl Tue, 02/03/2009 - 09:49

Hi


I think you are facing the issue with EIGRP split horizon; disable it under your serial1/1 interface and check.


Thanks

Mahmood

lamav Tue, 02/03/2009 - 10:04

Mahmoud:


Why would split horizon pose a problem on sub-interfaces that are configured as point-to-point?



Fret:


Perhaps giving us more topological information would help us.


Give a specific example of one remote site that does not have Internet access.


Can you post the config of that remote router that does not have Internet access?


What sits in front of the core router? A firewall?


Have you checked the routing tables HOP-BY-HOP to make sure that each device has a route to the destination network it is supposed to be forwarding traffic to?


HTH


Victor

fretburner Tue, 02/03/2009 - 10:08

I tried the "no ip split-horizon eigrp 10" command on each interface and still have the same issue.



mahmoodmkl Tue, 02/03/2009 - 10:17

Hi


Victor


Thanks for pointing out my mistake, as I didn't read the post carefully.


Thanks

Mahmood

fretburner Tue, 02/03/2009 - 10:34

Victor,

Here is the "show IP route" on the core router.


Gateway of last resort is 192.168.0.1 to network 0.0.0.0

D 192.168.107.0/24
      [90/2172416] via 192.168.0.251, 01:30:27, FastEthernet0/0
D 192.168.104.0/24
      [90/2172416] via 192.168.0.249, 01:30:29, FastEthernet0/0
C 192.168.105.0/24 is directly connected, Serial1/1.2
D 192.168.8.0/24 [90/2172416] via 192.168.108.1, 00:20:21, Serial0/0
C 192.168.110.0/24 is directly connected, Serial1/1.4
D 192.168.9.0/24 [90/2174976] via 192.168.0.249, 01:30:29, FastEthernet0/0
D 192.168.10.0/24 [90/2172416] via 192.168.110.1, 01:29:13, Serial1/1.4
C 192.168.108.0/24 is directly connected, Serial0/0
D 192.168.109.0/24
      [90/2172416] via 192.168.0.249, 01:30:29, FastEthernet0/0
D 192.168.4.0/24 [90/2174976] via 192.168.0.249, 01:30:29, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.1.0/24 [90/2174976] via 192.168.105.1, 01:29:38, Serial1/1.2
D 10.1.1.109/32 [90/2174976] via 192.168.105.1, 01:29:38, Serial1/1.2
D 192.168.6.0/24 [90/2172416] via 192.168.105.1, 01:29:38, Serial1/1.2
D 192.168.7.0/24 [90/2174976] via 192.168.0.251, 01:30:27, FastEthernet0/0
C 192.168.0.0/24 is directly connected, FastEthernet0/0
C 192.168.102.0/24 is directly connected, Serial0/1
C 192.168.205.0/24 is directly connected, Serial1/1.1
C 192.168.103.0/24 is directly connected, Serial1/1.3
D 192.168.2.0/24 [90/2172416] via 192.168.102.1, 01:30:21, Serial0/1
D 192.168.3.0/24 [90/2172416] via 192.168.103.1, 01:29:40, Serial1/1.3
S* 0.0.0.0/0 [1/0] via 192.168.0.1


Here is the config and routing table on the router attached to int S0/1




ip subnet-zero
ip dhcp excluded-address 192.168.2.1 192.168.2.60
ip dhcp excluded-address 192.168.2.200 192.168.2.230
!
ip dhcp pool Eastside
 network 192.168.2.0 255.255.255.0
 dns-server 192.168.0.2 192.168.0.3
 netbios-name-server 192.168.0.2 192.168.0.3
 default-router 192.168.2.1
!
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
 speed auto
 full-duplex
!
interface Serial0
 ip address 192.168.102.1 255.255.255.0
!
router eigrp 10
 network 192.168.2.0
 network 192.168.102.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.102.2
no ip http server
!
!
end



Gateway of last resort is 192.168.102.2 to network 0.0.0.0

D 192.168.107.0/24 [90/2684416] via 192.168.102.2, 01:33:32, Serial0
D 192.168.104.0/24 [90/2684416] via 192.168.102.2, 01:33:32, Serial0
D 192.168.105.0/24 [90/2681856] via 192.168.102.2, 01:33:32, Serial0
D 192.168.8.0/24 [90/2684416] via 192.168.102.2, 00:23:34, Serial0
D 192.168.110.0/24 [90/2681856] via 192.168.102.2, 01:33:32, Serial0
D 192.168.9.0/24 [90/2686976] via 192.168.102.2, 01:33:32, Serial0
D 192.168.10.0/24 [90/2684416] via 192.168.102.2, 01:32:25, Serial0
D 192.168.108.0/24 [90/2681856] via 192.168.102.2, 01:33:32, Serial0
D 192.168.109.0/24 [90/2684416] via 192.168.102.2, 01:33:32, Serial0
D 192.168.4.0/24 [90/2686976] via 192.168.102.2, 01:33:32, Serial0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.1.0/24 [90/2686976] via 192.168.102.2, 01:32:50, Serial0
D 10.1.1.109/32 [90/2686976] via 192.168.102.2, 01:32:50, Serial0
D 192.168.6.0/24 [90/2684416] via 192.168.102.2, 01:32:50, Serial0
D 192.168.7.0/24 [90/2686976] via 192.168.102.2, 01:33:33, Serial0
D 192.168.0.0/24 [90/2172416] via 192.168.102.2, 01:33:33, Serial0
C 192.168.102.0/24 is directly connected, Serial0
D 192.168.103.0/24 [90/2681856] via 192.168.102.2, 01:33:33, Serial0
C 192.168.2.0/24 is directly connected, FastEthernet0
D 192.168.3.0/24 [90/2684416] via 192.168.102.2, 01:32:52, Serial0
S* 0.0.0.0/0 [1/0] via 192.168.102.2



fretburner Tue, 02/03/2009 - 10:36

And Victor, there are two firewalls attached to the network. One is the 192.168.0.1 address and the other is the 192.168.0.15 address in the main config.


The topology of the network is mostly hub and spoke, at least for the serial connections on the main router.

Roberto Salazar Tue, 02/03/2009 - 10:54

Hello, you've mentioned the following:

The only issue I have is a few of our remote offices can not access the internet.


I assume that the users are not able to browse the web, but have you checked whether you are able to ping or browse to a web site using the IP address instead of the site name? I am trying to suggest a way to see if the routing is really the issue. If you are able to ping an internet IP address then the routing obviously is okay and the issue is somewhere else.

Yudong Wu Tue, 02/03/2009 - 11:59

To add something besides Bob's suggestion:

1. All internet traffic coming from those serial links will go through the firewall 192.168.0.1. Does internet not work for all remote sites which are connected via those serial links on the core router?

2. You have a PBR configured under the LAN interface which will redirect all web traffic to firewall 192.168.0.15. Do you know if your web traffic at the main site uses a different firewall?


fretburner Tue, 02/03/2009 - 12:30

Sorry for any confusion.


Until I changed from RIP to EIGRP this morning, everything worked fine. All sites had internet, and could communicate with no issues. Once I implemented EIGRP and removed RIP from the routers, that is when the 4 remote offices lost internet, but they can communicate with our servers here at the main site.


I removed the ip policy from fa0/0 on the main router, but that did not help.


I know I could always implement RIP again, but that is not the resolution to me. Apparently something is wrong with my config, and I would rather fix this issue.


We have two connections to the internet. One connection, 192.168.0.15, is solely internet traffic; that is why the IP policy is applied to fa0/0. All other traffic goes out the other firewall at 192.168.0.1.


I did not configure this network. So I am slowly fixing things, or breaking them as it seems today.


I have to assume it has to do with the main router and the serial interfaces connected to it, as none of the other sites connected to other routers have any issues.

Yudong Wu Tue, 02/03/2009 - 12:34

In that case, can you try to apply that PBR under one of your serial interfaces to see if it helps?

lamav Tue, 02/03/2009 - 12:38

Fret:


Assuming these remote sites have no Internet connectivity, whether IP or name addresses are used, you would have to finish verifying the routing.


The spoke defaults to the core, and the core has a policy (which I recommend you put back in place for now so as not to create any new issues) that forwards Internet traffic to the 0.15 FW.


Does that FW have a route back to the source network behind the spoke?


If your routing has been verified in BOTH directions, hop-by-hop, check to see if there are any ACLs that are blocking traffic to the source subnet behind the spoke.



joshua.wilson Tue, 02/03/2009 - 12:13

Is there supposed to be a DLCI on the subint?


=====

interface Serial1/1.1 point-to-point
 ip address 192.168.205.2 255.255.255.0


fretburner Tue, 02/03/2009 - 12:36

Sorry for the confusion on this. That circuit is not in service.


Yudong Wu Tue, 02/03/2009 - 13:08

Victor made a good point here. If your firewall was using RIP to learn the internal network, they won't know how to reach the internal network after routing protocol is changed to EIGRP.

fretburner Tue, 02/03/2009 - 13:49

You were right about the firewall using RIP. For the time being I added static routes to the firewall, and can ping the network fine from both firewalls.


One thing I did notice is that any of the routers directly connected to the main router can not ping 192.168.0.1 at all. I even added static routes to test this, but still can not get to the firewall. The other networks that can get out outside, can ping that firewall just fine.
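
The return-path gap identified in this thread, as an added example that is not part of the original posts: it parses an excerpt of the core router's routing table shown above and lists, for each internal prefix, the next hop a firewall that no longer learns routes dynamically would need. The function names are hypothetical, the firewall is assumed to sit on the 192.168.0.0/24 LAN, and the output is prefix and next-hop pairs rather than any firewall's configuration syntax.

```python
import ipaddress
import re

# Excerpt of the core router's "show ip route" from this thread (one entry wrapped by IOS).
SHOW_IP_ROUTE = """\
D 192.168.107.0/24
      [90/2172416] via 192.168.0.251, 01:30:27, FastEthernet0/0
C 192.168.105.0/24 is directly connected, Serial1/1.2
D 192.168.9.0/24 [90/2174976] via 192.168.0.249, 01:30:29, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.1.0/24 [90/2174976] via 192.168.105.1, 01:29:38, Serial1/1.2
C 192.168.0.0/24 is directly connected, FastEthernet0/0
D 192.168.2.0/24 [90/2172416] via 192.168.102.1, 01:30:21, Serial0/1
S* 0.0.0.0/0 [1/0] via 192.168.0.1
"""

ROUTE = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
                   r"(?:.*?via (?P<via>\d+\.\d+\.\d+\.\d+))?")
CONT = re.compile(r"^\s*\[\d+/\d+\] via (?P<via>\d+\.\d+\.\d+\.\d+)")


def parse_routes(text):
    """Return [(code, network, next_hop_or_None)], joining wrapped entries."""
    routes = []
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            via = ipaddress.ip_address(m["via"]) if m["via"] else None
            routes.append([m["code"], ipaddress.ip_network(m["prefix"]), via])
            continue
        c = CONT.match(line)  # second half of an entry IOS split over two lines
        if c and routes and routes[-1][2] is None:
            routes[-1][2] = ipaddress.ip_address(c["via"])
    return [tuple(r) for r in routes]


def firewall_statics(routes, lan, core_ip):
    """Map each internal prefix to the next hop a LAN-attached firewall needs."""
    lan, core_ip = ipaddress.ip_network(lan), ipaddress.ip_address(core_ip)
    needed = {}
    for code, net, via in routes:
        if net == lan or net.prefixlen == 0:
            continue  # firewall is on the LAN already; the default route points outward
        # A router on the same LAN is reached directly; everything else via the core.
        needed[str(net)] = str(via if via is not None and via in lan else core_ip)
    return needed


if __name__ == "__main__":
    print(firewall_statics(parse_routes(SHOW_IP_ROUTE), "192.168.0.0/24", "192.168.0.254"))
```

Comparing this list with the firewall's own routing table shows which spoke subnets have no return route once RIP is removed.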


