04-28-2010 07:17 AM - edited 03-06-2019 10:50 AM
I have a user that is trying to get to www.defender-usa.com, but every time the URL shows to be unavailable. I can resolve the address, but every time I do a ping or traceroute, it keeps trying to route to my IronPort. I am running a Catalyst 4506 IOS, and have set a static route for the IP address of defender-usa.com to my firewall, which then routes out to my provider. I have tried bypassing the site through the IronPort and the firewall, but it is not even getting there.
Anyone have any clue why my router would try to route the address (defender-usa.com) to my IronPort when I have a static route directly to my firewall?
04-28-2010 07:24 AM
Hello Tim,
Being a multilayer switch, you need to compare
sh ip route
and CEF related commands like
sh ip cef exact-route address mask detail
and others to see if there is any difference
to verify if the CEF entry is correct or it is using a wrong next-hop.
Also you need to check if any form of Policy Based Routing is applied on the L3 interface that receives the packets for the site that could change the IP next-hop to that of the IronPort.
Hope to help
Giuseppe
04-28-2010 07:34 AM
Here are the details for the commands you requested. As you can see, the router shows the correct path for the IP.
www.defender-usa.com - 216.39.57.107
Firewall (ASA) - 192.168.1.5
RouterA - 192.168.1.1
IronPort - 192.168.5.10
Traceroute
RouterA#traceroute 216.39.57.107
Type escape sequence to abort.
Tracing the route to p12p-i.geo.vip.re4.yahoo.com (216.39.57.107)
1 192.168.5.10 !H !H !H
Show IP Route
RouterA#show ip route 216.39.57.107
Routing entry for 216.39.57.107/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 192.168.1.5
Route metric is 0, traffic share count is 1
Show IP cef
RouterA#sh ip cef 216.39.57.107
216.39.57.107/32
nexthop 192.168.1.5 Vlan1
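The comparison suggested in the reply above, applied to the three outputs in this post, as an added example that is not part of any poster's message: a Python sketch that pulls the next hop out of `show ip route` and `show ip cef` and compares both with the first traceroute hop. The function names and verdict strings are made up for illustration, and it assumes the configured next hop answers traceroute, which a firewall may not do.

```python
import re

# Outputs copied from the post above (RouterA).
SHOW_IP_ROUTE = """Routing entry for 216.39.57.107/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.1.5
      Route metric is 0, traffic share count is 1
"""
SHOW_IP_CEF = """216.39.57.107/32
  nexthop 192.168.1.5 Vlan1
"""
TRACEROUTE = """Tracing the route to p12p-i.geo.vip.re4.yahoo.com (216.39.57.107)
  1 192.168.5.10 !H !H !H
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def rib_next_hops(text):
    """Next hops from 'show ip route <ip>' (descriptor lines start with '*')."""
    return set(re.findall(r"^\s*\*\s*" + IP, text, re.M))


def cef_next_hops(text):
    """Next hops from 'show ip cef <ip>' ('nexthop <ip> <interface>' lines)."""
    return set(re.findall(r"^\s*nexthop\s+" + IP, text, re.M))


def first_hop(text):
    """(address, got_host_unreachable) for hop 1; (None, False) if it is silent."""
    m = re.search(r"^\s*1\s+" + IP + r"(.*)$", text, re.M)
    return (m.group(1), "!H" in m.group(2)) if m else (None, False)


def diagnose(route, cef, trace):
    """Hypothetical verdicts: where the observed path departs from the tables."""
    rib, fib = rib_next_hops(route), cef_next_hops(cef)
    hop, _ = first_hop(trace)
    if rib != fib:
        return "rib-cef-mismatch"  # CEF entry disagrees with the routing table
    if hop is not None and hop not in fib:
        return "forwarding-differs-from-tables"  # look beyond RIB/CEF, e.g. PBR
    return "consistent"


if __name__ == "__main__":
    print(rib_next_hops(SHOW_IP_ROUTE), cef_next_hops(SHOW_IP_CEF))
    print(first_hop(TRACEROUTE), diagnose(SHOW_IP_ROUTE, SHOW_IP_CEF, TRACEROUTE))
```

On the outputs posted here the routing table and CEF agree on 192.168.1.5 while hop 1 is 192.168.5.10, so the verdict points away from a stale CEF entry and toward the other check named in the reply, policy-based routing.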
04-28-2010 07:38 AM
What gateway is configured on your hosts?
04-28-2010 07:39 AM
The gateway on the hosts is RouterA - 192.168.1.1.
04-28-2010 11:13 AM
Tim
Can you post router config please ?
Jon
04-28-2010 11:59 AM
and clear the route table and CEF entries for that route while you're at it...then check them again
04-28-2010 12:06 PM
I have cleared the route tables and CEF entries, as well as the mac table.
04-28-2010 12:14 PM
And I assume things are still messed up... OK, are you going to post the router's configs?
04-28-2010 12:15 PM
Yes, I am putting it together. I will post it as soon as I can.
04-28-2010 12:27 PM
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
logging console errors
enable secret 5 *************
!
username ***** password 0 *****
aaa new-model
!
!
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
hw-module module 1 port-group 1 select gigabitethernet
hw-module module 1 port-group 2 select gigabitethernet
ip subnet-zero
ip domain-name domain
!
vtp domain ''
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-5,8-20,88,110-140 priority 24576
!
vlan internal allocation policy ascending
!
***
***
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
***
***
!
router eigrp 1
 no auto-summary
 network 192.168.0.0 0.0.255.255
!
ip default-gateway 192.168.1.5
ip route 0.0.0.0 0.0.0.0 192.168.1.5
***
***
ip route 216.39.57.107 255.255.255.255 192.168.1.5
no ip http server
no ip http secure-server
!
!
kron occurrence Backup at 23:00 Sat recurring
 policy-list Backup
!
kron policy-list Backup
 cli show run | redirect tftp://192.168.1.20/RouterA.cfg
!
logging trap errors
logging 192.168.1.20
!
!
***
***
!
!
monitor session 1 source interface Gi4/48
monitor session 1 destination interface Gi3/24
ntp clock-period 17181661
04-28-2010 12:37 PM
You blocked out too much of the config... I think.
Do you have an interface in the 192.168.0.0/16 network?
Your static route points to 1.5... do you have a route to 1.5?
Can you repost the config and block out only secret things... and let's see the route table.