Please help me with next step on this troubleshooting

Answered Question
Feb 4th, 2010

Hi, can you give me a hand here:

Clients complained that from a host IP=10.1.64.1 connected to 2960switch-site1, they can't reach an address on the internet 10.168.196.7.

I go to the my 4507-site1 upstream which is doing the layer 3 routing. If I do a ping or trace to 10.168.196.7 it is successful.

Then from the 4507-site1, if I do 'ping 10.168.196.7 source 10.1.64.3' (where 10.1.64.3 is the vlan interface which serves the 2960switch-site1 application) then ping times out. So that tells me something is really blocking 10.1.64.0 or route is missing).

I go upstream (10.1.60.133) following the traceroute.

I do 'show ip route 10.2.64.1' and I see the route there as being advertised from the 4507-site1 - OK.

I do show run access-list | i 10.2.64 but I do not find any relevant access-list there or when looking the ouput of show run access-list.

I do show ip int brief to see if I find a 10.2.64.0 interface (so that I could do ping source 10.2.64.x) but there is none.

Question:
Any ideas on what I can do from here? I can't see an access-list blocking this and I have ip route Ok for the 10.2.64.0 network.

Unfortunately the next hop is 10.1.47.193 but I do not have access to that hop.

From client on 2960switch:

C:\>tracert 10.168.196.7

Tracing route to 10.168.196.7 over a maximum of 30 h

  1  <10 ms  <10 ms  <10 ms  10.1.64.189
  2  <10 ms  <10 ms  <10 ms  10.1.60.133
  3  <10 ms  <10 ms  <10 ms  10.1.47.193
  4  <10 ms  <10 ms  <10 ms  10.176.254.65
  5  <10 ms    16 ms    15 ms  10.175.255.65
  6    *        *        *    Request timed out.
  7    *        *        *    Request timed out.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 6 years 10 months ago

news2010a wrote:

Hi, can you give me a hand here:

Clients complained that from a host IP=10.1.64.1 connected to 2960switch-site1, they can't reach an address on the internet 10.168.196.7.

I go to the my 4507-site1 upstream which is doing the layer 3 routing. If I do a ping or trace to 10.168.196.7 it is successful.

Then from the 4507-site1, if I do 'ping 10.168.196.7 source 10.1.64.3' (where 10.1.64.3 is the vlan interface which serves the 2960switch-site1 application) then ping times out. So that tells me something is really blocking 10.1.64.0 or route is missing).

I go upstream (10.1.60.133) following the traceroute.

I do 'show ip route 10.2.64.1' and I see the route there as being advertised from the 4507-site1 - OK.

I do show run access-list | i 10.2.64 but I do not find any relevant access-list there or when looking the ouput of show run access-list.

I do show ip int brief to see if I find a 10.2.64.0 interface (so that I could do ping source 10.2.64.x) but there is none.

Question:
Any ideas on what I can do from here? I can't see an access-list blocking this and I have ip route Ok for the 10.2.64.0 network.

Unfortunately the next hop is 10.1.47.193 but I do not have access to that hop.

From client on 2960switch:

C:\>tracert 10.168.196.7

Tracing route to 10.168.196.7 over a maximum of 30 h

  1  <10 ms  <10 ms  <10 ms  10.1.64.189
  2  <10 ms  <10 ms  <10 ms  10.1.60.133
  3  <10 ms  <10 ms  <10 ms  10.1.47.193
  4  <10 ms  <10 ms  <10 ms  10.176.254.65
  5  <10 ms    16 ms    15 ms  10.175.255.65
  6    *        *        *    Request timed out.
  7    *        *        *    Request timed out.

Marlon

Firstly have you changed the addressing because 10.0.0.0/8 is not routable on the internet ?

That the request is timing out after 10.175.255.65 so that is where you would need to look altho i appreciate you can't do this.

If you can ping from the 4507 and you needed to get this done urgently you could NAT the 10.1.64.1 address to the 4507 exit interface ie. the interface that leads to the next-hop.

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Thu, 02/04/2010 - 08:08

news2010a wrote:

Hi, can you give me a hand here:

Clients complained that from a host IP=10.1.64.1 connected to 2960switch-site1, they can't reach an address on the internet 10.168.196.7.

I go to the my 4507-site1 upstream which is doing the layer 3 routing. If I do a ping or trace to 10.168.196.7 it is successful.

Then from the 4507-site1, if I do 'ping 10.168.196.7 source 10.1.64.3' (where 10.1.64.3 is the vlan interface which serves the 2960switch-site1 application) then ping times out. So that tells me something is really blocking 10.1.64.0 or route is missing).

I go upstream (10.1.60.133) following the traceroute.

I do 'show ip route 10.2.64.1' and I see the route there as being advertised from the 4507-site1 - OK.

I do show run access-list | i 10.2.64 but I do not find any relevant access-list there or when looking the ouput of show run access-list.

I do show ip int brief to see if I find a 10.2.64.0 interface (so that I could do ping source 10.2.64.x) but there is none.

Question:
Any ideas on what I can do from here? I can't see an access-list blocking this and I have ip route Ok for the 10.2.64.0 network.

Unfortunately the next hop is 10.1.47.193 but I do not have access to that hop.

From client on 2960switch:

C:\>tracert 10.168.196.7

Tracing route to 10.168.196.7 over a maximum of 30 h

  1  <10 ms  <10 ms  <10 ms  10.1.64.189
  2  <10 ms  <10 ms  <10 ms  10.1.60.133
  3  <10 ms  <10 ms  <10 ms  10.1.47.193
  4  <10 ms  <10 ms  <10 ms  10.176.254.65
  5  <10 ms    16 ms    15 ms  10.175.255.65
  6    *        *        *    Request timed out.
  7    *        *        *    Request timed out.

Marlon

Firstly have you changed the addressing because 10.0.0.0/8 is not routable on the internet ?

That the request is timing out after 10.175.255.65 so that is where you would need to look altho i appreciate you can't do this.

If you can ping from the 4507 and you needed to get this done urgently you could NAT the 10.1.64.1 address to the 4507 exit interface ie. the interface that leads to the next-hop.

Jon

news2010a Thu, 02/04/2010 - 08:13

Regarding the 10.0.0.0/8 network, sorry that is not Internet, it is then an application on another site on the internal network.

Thanks for the hint regarding the NAT.


Yes I will focus on the 10.175.255.65 (and let the admin for that site work on that one then).

Actions

This Discussion