cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
404
Views
0
Helpful
10
Replies

ICMP weirdness

John Blakley
VIP Alumni
VIP Alumni

All,

I've got a remote site. The remote site has a 2800 series router and it's connected to a L2 switch.

Configuration:

Serial WIC: 172.5.5.1

FE0/0: 10.126.5.1

10.125.5.1 second

10.15.5.1 second

The default-gateway on the switch is set to 10.126.5.1.

Problem/Weirdness:

I can ping across the wan to a host connected to the switch on the 10.126.5.0 subnet and the 10.125.5.0 subnet.

While running wireshark, I get two replies from each ping to the 10.125.5.0 subnet ONLY.

Pinging 10.126.5.0 host will result in:

request

reply

request

reply

Pinging a host on the 10.125.5.0 subnet results in:

request

reply

reply

request

reply

reply

Has anyone seen this? I'm "assuming" that it's because the router is receiving the packet on the secondary address and could be sending a reply from both addresses, but that's still really odd. My pings don't timeout, traces don't timeout, but I still get the double replies. My traces look right too. There are no "extra" hops per se.

Any ideas?

Thanks,

John

HTH, John *** Please rate all useful posts ***
10 Replies 10

Richard Burts
Hall of Fame
Hall of Fame

John

I have not tested this but believe that you are correct that it is related to it being sent to the secondary. Since you are pinging (or tracing) to the router itself and not to something through the router, then the router must receive it and must generate a reply. By default when Cisco routers generate packets the source address is the primary address of the outgoing interface. I believe that this accounts for one of the responses. I believe that the router then generates a second response so that it can respond from the address to which the original packet was addressed.

HTH

Rick

HTH

Rick

I tried the same thing with another site that has a similar setup, and I'm not seeing the problem there. :(

John

HTH, John *** Please rate all useful posts ***

John

Is the other site running the same version (and perhaps same feature set) of code?

HTH

Rick

HTH

Rick

This just gets better =)

In answer to your question about feature set, yes, both are running C2800NM-ENTSERVICESK9-M, Version 12.4(1a).

Now the cool part about this is that you remember it has 10.126.x.x, 10.125.x.x (as secondary), and 10.15.x.x? Well, I installed Wireshark on a server that's on the 10.126.x.x (I don't think they have any servers on the 10.125.x.x), and I pinged a device from the 10.126.x.x server to a host on the 10.125.x.x.

The result was:

request

reply

reply

reply

reply

request

reply

reply

reply

reply

I have no clue where to look. It sounds like a loop somewhere.

Thanks,

John

HTH, John *** Please rate all useful posts ***

John

Perhaps running debug on the router ie. debug ip packet with an acl. Obviously this could seriously degrade router performance.

Jon

Jon,

I wouldn't be able to do this until after hours, and like you said it could degrade router performance. If it did that to the point of not being responsive, I could be in trouble seeing as I'm remote. I guess I could do a "reload in" scheduled for an hour or longer later in case I locked myself out. I wonder what that would do to the config of the router to be rebooted in the middle of high processing times, or if it would even be able to reload during the high processing times.

Any other ideas I could do during the day?

Thanks,

John

HTH, John *** Please rate all useful posts ***

John

Understood and very sensible to be honest.

What happens if you ping a device using the other secondary address ie. 10.15.5.x

In your wireshark capture are the source and destination IP addresses the same. In fact is there any difference in the 4 replies at all ?

Jon

Jon,

If I ping one host from the server on the 10.126.5.x subnet, everything is fine.

If I ping one host on the 10.125.5.x subnet from the server on the 10.126.5.x subnet, I get the 4 replies per request.

If I ping a host from the 10.15.5.x from the server at 10.126.5.x, everything is fine.

The difference:

10.15.5.x is on it's own vlan.

10.126.5.x and 10.125.5.x share vlan 1.

Thanks Jon!

John

HTH, John *** Please rate all useful posts ***

John

Can you post output from wireshark for a ping that works correctly and one that doesn't.

Also are all the subnet masks correct on both the router and servers/hosts.

Could you also post "sh run" from router.

Jon

Here's the "important" stuff from the router:

interface Loopback0

ip address 172.21.55.1 255.255.255.0

!

interface FastEthernet0/0

description Internal Network

ip address 10.125.5.1 255.255.255.0 secondary

ip address 192.168.5.1 255.255.255.0 secondary

ip address 10.126.5.1 255.255.255.0

ip access-group 123 in

duplex full

speed 100

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0

description AT&T Frame Relay - Local DLCI 255

bandwidth 1544

no ip address

encapsulation frame-relay

logging event subif-link-status

logging event dlci-status-change

!

interface Serial0/0/0.1 point-to-point

description St. Louis - IPFR ePVC

bandwidth 1544

ip address xxxxx

no ip mroute-cache

frame-relay interface-dlci 1000 IETF

!

router bgp 65155

no synchronization

bgp log-neighbor-changes

network 10.15.1.0 mask 255.255.255.0

network 10.125.5.0 mask 255.255.255.0

network 10.126.5.0 mask 255.255.255.0

network 172.20.155.0 mask 255.255.255.0

network 172.21.55.0 mask 255.255.255.0

network 192.168.55.0

neighbor 172.20.155.2 remote-as 13979

no auto-summary

!

no ip classless

ip route 10.15.1.0 255.255.255.0 10.126.5.5

!

!

After my initial post, I realized that the switch they have there is a Dell L3 switch. The switch has two vlans: one for the phones at 10.10.55.0 and one for the 10.126.5.0 and 10.125.5.0 subnets. The default gateway is 10.126.5.1 on the switch.

Here's one that works; I'm going to try to paste this:

No. Time Source Destination Protocol Info

3805 15:49:52.900597 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

3808 15:49:52.938788 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

3869 15:49:53.902375 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

3870 15:49:53.930511 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

4106 15:49:54.905232 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

4116 15:49:54.967510 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

4188 15:49:55.906279 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

4192 15:49:55.948929 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

4251 15:49:56.907252 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

4255 15:49:56.944606 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

4318 15:49:57.909204 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

4322 15:49:57.988093 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

4379 15:49:58.911120 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

4395 15:49:58.956752 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

4460 15:49:59.912150 john-blakley.glazers.info 10.126.5.172 ICMP Echo (ping) request

4463 15:49:59.949100 10.126.5.172 john-blakley.glazers.info ICMP Echo (ping) reply

HTH, John *** Please rate all useful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: