Sudden loss of connectivity

Feb 13th, 2009
Hosts segment A -> FWSM -> ROUTER1 -> WAN Link -> ROUTER2 -> Host segment B

Suddenly, I am not able to ping hosts B from hosts A. I can see sync timeouts on the FWSM but nothing shows on the debug ip packet detail on ROUTER1. I can ping the Ethernet of ROUTER1 but not beyond that. All the Ethernet and serial links are up. I don't see any drops on the router as well. Router Ethernets have been configured with GLBP. Routes are not changed. What could be the problem? No new access-list added. VLANs are correct. Where should I start?

Edison Ortiz Fri, 02/13/2009 - 17:34
Where should I start.

From Router1, ping segment B while sourcing from the interface that is connected to the FWSM.

If it fails, check the routing table in Router1 for segment B and the routing table in Router2 for segment A.

If successful, from Router2, ping segment A while sourcing from the interface connected to segment B.

If it fails, check the routing table in Router 2 for segment A and the routing table in Router 1 for segment B.

If both have the right routes, the problem is at the FWSM device.



Mohamed Sobair Fri, 02/13/2009 - 18:03
If you can ping the Ethernet of Router1 then ICMP is allowed through the FW.

Because you can't ping anything beyond R1, it's probably a routing issue on either R1 or R2.

Check the routing table of R1 and make sure that R2 has a valid route back to R1.



cisco_lite Fri, 02/13/2009 - 21:59

On the serial interface of ROUTERA, I had added 'ip verify unicast source reachable-via rx'. After removing it, the problem got resolved.

How could RPF cause this problem? Doesn't it only check whether the source address on the received packet is in the FIB and has a route to it?

The routing table has a default route to the source address on the serial link.

Mohamed Sobair Fri, 02/13/2009 - 22:39
RPF checks the routing table to validate the route to the source of the incoming packet.

RPF checks are applied ONLY in the inbound direction.

The best recommended way to implement RPF is if the inbound packet of the incoming interface is also routed outbound through the same interface (no asymmetrical routing), but it's possible to implement it either way.

RPF operates in two modes:

1- Strict.

2- Loose.

Could you clarify if you have any redundant link in your example?



cisco_lite Sat, 02/14/2009 - 00:01

Topology again:

RouterA <-> RouterB

RouterC <-> RouterD

The pair of routers on each side are configured with GLBP. And I configured RPF on ROUTERC only when it started causing connectivity problem. Does GLBP do asymmetric routing in the above topology or does it maintain statefulness? Was the RPF required on RouterA as well? Or is it required on all the routers to work bi-directionally?

I had configured RPF with rx, meaning strict mode.

Mohamed Sobair Sat, 02/14/2009 - 01:11
GLBP is a high availability method designed for redundancy and load balancing in the LAN.

GLBP shouldn't be implemented on the WAN link but rather on the LAN if you have at least 2 gateway routers for a particular LAN network. The load balancing in GLBP is done per host.

With RPF, if Router-A has only a single outgoing interface as an exit point, then RPF should be sufficient. RPF should not be considered where a possibility of asymmetrical routing exists (2 or more exit points) in order to avoid IP spoofing attacks.

Looking at your example, RA has a single outbound WAN connection to RB, therefore RPF should suffice.



cisco_lite Sat, 02/14/2009 - 04:53

Between RA & RB there are two WAN links which I didn't mention above.

That's why RPF caused an issue, I believe. I have configured GLBP over LAN only. Serial links are load balanced via static routes over each link due to multiple equal cost paths.

Can GLBP cause asymmetric routing, i.e. goes out through one router and comes back through the other? And can load balancing over serial links cause asymmetric routing?

cisco_lite Sat, 02/14/2009 - 06:12

Also, how can I identify which LAN hosts are stuck to which router (AVF) due to GLBP?
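
The strict versus loose RPF decision discussed in this thread, as an added example that is not part of any post: a simplified Python model of the reverse-path check against a small FIB. The interface names, prefixes and the `allow_default` parameter are assumptions made for illustration, and the model is not a reproduction of IOS behaviour.

```python
import ipaddress

# Constructed FIB for a router with two serial uplinks. Interface names and
# prefixes are illustrative assumptions, not values from the thread.
FIB = [
    ("0.0.0.0/0", {"Serial0/0"}),                  # default route via one link
    ("10.20.0.0/16", {"Serial0/0", "Serial0/1"}),  # equal-cost paths on both links
    ("10.30.0.0/16", {"Serial0/1"}),               # best path on Serial0/1 only
]

def lookup(fib, src):
    """Longest-prefix match on the source; returns (network, interfaces) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best

def urpf_pass(fib, src, in_iface, mode="strict", allow_default=False):
    """Simplified reverse-path check.

    strict: the arrival interface must be one of the best-path interfaces
            back to the source.
    loose:  any route to the source is enough.
    allow_default is a modelling assumption: whether a default route counts
    as a match depends on platform and options.
    """
    match = lookup(fib, src)
    if match is None:
        return False
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return mode == "loose" or in_iface in ifaces

def demo():
    """Verdicts for constructed packets: (source, arrival interface, mode)."""
    cases = [
        ("10.20.1.5", "Serial0/1", "strict"),  # arrives on an equal-cost path
        ("10.30.1.5", "Serial0/0", "strict"),  # asymmetric: return path differs
        ("10.30.1.5", "Serial0/0", "loose"),   # same packet, loose mode
        ("192.0.2.9", "Serial0/0", "strict"),  # only the default route matches
    ]
    return [urpf_pass(FIB, s, i, m) for s, i, m in cases]

if __name__ == "__main__":
    print(demo())
```
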

