Routing Problem...maybe

houstonrob
Level 1

I have 4 subnets (well, really I have quite a few more, but showing 3 illustrates the point): 172.16.3.64/26, 172.16.3.128/26, 172.16.3.192/26, and 10.6.0.0/24. I’m having a problem where the 10.6.0.0 subnet isn’t able to route to the Internet and I can’t figure out why. The path to the Internet is my pc -> Cisco 4506 -> Cisco 3825 -> Cisco ASA -> Cisco 2600 -> Internet. If anyone can give me any new ideas I’d greatly appreciate it. There are actually fifteen '172.16.x.x' subnets that can all route to the Internet just fine, it's just this one 10 network that is giving me huge problems.

I've attached the routing table of the 3825, the ASA, and the 4506 in case they're helpful.

houstonrob
Level 1

I thought it might be helpful to include the pertinent parts of the running configs; they are attached.

Your gateway on the firewall for the 10.X network is the router. Try changing it to the 4506 switch.

Also, please explain what exact issue you are facing. First check if DNS works from the PC.

Regards,

bhavesh

Ganesh Hariharan
VIP Alumni

Hi,

10.6.0.0/24 is the connected network between the 4506 and the 3825. Can you check from the 4506 whether you are able to ping the Cisco 2600 interface, and whether the Cisco 2600 router is getting routes for the same subnet or not?

Hope to Help !!

Ganesh.H

No, I am not able to ping the interface on the 2600 from inside the 4506. The 2600 only lists Internet routes; since it's on the other side of my ASA it doesn't see any LAN networks. The ASA should have NAT'd everything to its own outside interface address by the time it hits the 2600 router.

I'm looking through your configs and have a few questions:

From the pc can you ping the ASA's inside address?

If so, can you ping the ASA's default route (1.2.3.4) address from the PC?

If you can't do that, can you ping the ASA's default gateway from the 3825 sourcing from your g0/0: ping 1.2.3.4 source g0/0

If that works, start working backward to see where the problem lies. Once we figure out where the return traffic is actually lost, then we'd be able to help a little more. At first glance, I don't see anything wrong with your configs......

On your 4506, you don't need the static route for 10.6.0.0 since it's directly connected though....

no ip route 10.6.0.0 255.255.255.0 10.6.0.254

HTH,

John

HTH, John *** Please rate all useful posts ***

I threw that static route in there out of sheer desperation, I've run out of ideas about what the problem could be. From the 3825, both seem to work ok

fortressmaximus#ping 172.16.5.213 source GigabitEthernet0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.213, timeout is 2 seconds:
Packet sent with a source address of 10.6.0.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
fortressmaximus#ping 172.16.5.213 source GigabitEthernet0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.213, timeout is 2 seconds:
Packet sent with a source address of 172.16.5.214
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

However from the 4506 neither work:

4506#ping 172.16.5.213 source Vlan90

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.213, timeout is 2 seconds:
Packet sent with a source address of 10.6.0.253
.....
Success rate is 0 percent (0/5)
4506#ping 172.16.5.213 source Vlan20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.213, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.126
.....
Success rate is 0 percent (0/5)
4506#ping 172.16.5.213 source vlan30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.213, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.254
.....
Success rate is 0 percent (0/5)

When I put myself in Vlan 20 I can get to the Internet, it's just when I'm in Vlan 90 which is the 10.6.0.0 network that I have problems. Looking at this it seems like the 4506 would be the problem but it throws me off that the ping from 172.16.3.126 fails too.

Here's something that might be useful:

4506#ping 72.14.204.99 source vlan20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.204.99, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.126
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/48 ms
4506#ping 72.14.204.99 source vlan90

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.204.99, timeout is 2 seconds:
Packet sent with a source address of 10.6.0.253
.....
Success rate is 0 percent (0/5)

This is from the 4506, 72.14.204.99 is Google's IP address.

And the same from the 3825:

fortressmaximus#ping 72.14.204.99 source GigabitEthernet0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.204.99, timeout is 2 seconds:
Packet sent with a source address of 10.6.0.254
.....
Success rate is 0 percent (0/5)
fortressmaximus#ping 72.14.204.99 source GigabitEthernet0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.204.99, timeout is 2 seconds:
Packet sent with a source address of 172.16.5.214
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/48 ms
Thanks for the help
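
An added example, not part of the original posts: a small Python parser for IOS `ping ... source` output that tabulates results by source address, so the per-subnet pattern in the transcripts above is visible at a glance. The transcript is condensed from the post (banner lines dropped); the function names are this example's own.

```python
import ipaddress
import re

# Condensed from the ping transcripts in the post above (banner lines dropped).
TRANSCRIPT = """\
4506#ping 172.16.5.213 source Vlan90
Packet sent with a source address of 10.6.0.253
.....
Success rate is 0 percent (0/5)
4506#ping 72.14.204.99 source vlan20
Packet sent with a source address of 172.16.3.126
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/48 ms
4506#ping 72.14.204.99 source vlan90
Packet sent with a source address of 10.6.0.253
.....
Success rate is 0 percent (0/5)
fortressmaximus#ping 72.14.204.99 source GigabitEthernet0/0
Packet sent with a source address of 10.6.0.254
.....
Success rate is 0 percent (0/5)
fortressmaximus#ping 72.14.204.99 source GigabitEthernet0/1
Packet sent with a source address of 172.16.5.214
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/48/48 ms
"""

PROMPT = re.compile(r"^[\w.-]+#\s*ping\s+(\d+(?:\.\d+){3})", re.I)
SOURCE = re.compile(r"source address of (\d+(?:\.\d+){3})")
RATE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")

def parse_pings(text):
    """Return one dict per completed ping: dst, src, received, sent."""
    results, cur = [], None
    for line in text.splitlines():
        if m := PROMPT.match(line.strip()):
            cur = {"dst": m.group(1), "src": None}  # a new ping drops any unfinished one
        elif cur and (m := SOURCE.search(line)):
            cur["src"] = m.group(1)
        elif cur and (m := RATE.search(line)):
            cur["received"], cur["sent"] = int(m.group(1)), int(m.group(2))
            results.append(cur)
            cur = None
    return results

def compare_subnet(results, dst, subnet):
    """For one destination, split outcomes by whether the source is inside subnet."""
    net = ipaddress.ip_network(subnet)
    out = {"in_subnet": {}, "other": {}}
    for r in results:
        if r["dst"] != dst or r["src"] is None:  # pings without 'source' print no address
            continue
        key = "in_subnet" if ipaddress.ip_address(r["src"]) in net else "other"
        out[key][r["src"]] = r["received"] > 0
    return out

if __name__ == "__main__":
    print(compare_subnet(parse_pings(TRANSCRIPT), "72.14.204.99", "10.6.0.0/24"))
```

On the posted transcripts, every source inside 10.6.0.0/24 fails to reach 72.14.204.99 while every 172.16.x.x source succeeds, including the two interfaces of the same 3825.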

That's strange...I don't see "ip routing" in your config, only ip multicast-routing.

Can you do a "show ip int brief | inc Vlan190" and post those results? You also may want to try to put "ip routing" in the config, but I'm not sure how your site is laid out, or why you have it disabled right now.....I'm also seeing that you're using a helper address of 10.6.0.1..where is that device and can you ping that ip sourcing from vlan 190 or another vlan?

HTH,

John

HTH, John *** Please rate all useful posts ***

While searching around on the Internet I saw others with 4506's that didn't display the 'ip routing' in the running config. If I were to type 'no ip routing', that would show up in the running config, almost like they changed the default behavior for the 4506 to have ip routing enabled by default. It looks like it is routing since there are eigrp routes in the routing table and sh ip protocols sum shows:

4506#sh ip protocols sum
Index Process Name
0     connected
1     static
2     eigrp 100
*** IP Routing is NSF aware ***

Here's the output you asked for:
pparkmain#sh ip int bri | include Vlan90
Vlan90                 10.6.0.253      YES NVRAM  up                    up
4506#ping 10.6.0.1 source Vlan90

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.6.0.253
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

4506#ping 10.6.0.1 source Vlan20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.126
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

It's very strange, I'm about to pull my hair out. It's starting to seem like I'm just going to have to readdress everything that's 10.6.0.0 to a 172.16.x.x address...

That's interesting about the default routing enabled....I guess that's a good thing that they did that. And we'll figure it out....

One thing that I noticed on the routing table for the 3825 is that you have a TON of eigrp learned routes that point to different addresses in the 10.6.0.251 subnet. Do you have another device somewhere in between? Do you have a diagram of how you're laid out?

HTH, John *** Please rate all useful posts ***

The 4506 has a number of 3750E stacks connected to it via fiber cables. Each stack is on a different floor of a building all coming together at the 4506. I attached a miserable excuse for a diagram and that's where all the other stuff in the routing table is coming from.

I appreciate the extra set of eyes.

No problem. Okay, so here's something strange that I see. The 3800 series is connected to the 4506, yet the 3800 is showing that to get to 172.16.3.128, go to 10.6.0.X (251,250,248,247). I would think, since you don't show a direct connection to the 3750 from the 3800, the 172.16.3.128/26 should go to the 4506 and not all the way around. Do you have a redundant connection to your switches somehow?

Next test is, can you ping any of the 3750s from VLAN190 or vice versa, and can you connect your laptop to a 3750 and ping the VLAN 190 svi from there?

HTH, John *** Please rate all useful posts ***

That may have been because there were a few vlans not active yet, there are no redundant connections to the switches at this time. I've also brought up a couple WAN links to the 3825 now connected to a 10.6.4.0 network and a 10.6.10.0 network. Those can also reach the Internet; it's the strangest thing that just the 10.6.0.0/24 network isn't able to. Vlan 90 is able to ping all 5 stacks of 3750's and when I'm connected to one of the 3750 stacks I am able to ping 10.6.0.253 (the vlan 90 ip address on the 4506).

Here's the routing table from the 3825 as it now stands:

fortressmaximus#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.5.213 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 25 subnets, 5 masks
S       172.16.21.176/28 [1/0] via 10.6.0.249
D       172.16.11.128/26
           [90/2419456] via 192.168.1.18, 00:15:34, Serial0/0/1:0
D       172.16.4.128/26 [90/3072] via 10.6.0.251, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
D       172.16.5.128/26 [90/3072] via 10.6.0.251, 00:47:29, GigabitEthernet0/0
                        [90/3072] via 10.6.0.250, 00:47:29, GigabitEthernet0/0
                        [90/3072] via 10.6.0.248, 00:47:29, GigabitEthernet0/0
                        [90/3072] via 10.6.0.247, 00:47:29, GigabitEthernet0/0
D       172.16.3.128/26 [90/3072] via 10.6.0.251, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
C       172.16.5.208/28 is directly connected, GigabitEthernet0/1
D       172.16.11.192/29
           [90/2419456] via 192.168.1.18, 00:15:34, Serial0/0/1:0
D       172.16.4.192/26 [90/3072] via 10.6.0.251, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
D       172.16.5.192/28 [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.249, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
D       172.16.3.192/26 [90/3072] via 10.6.0.251, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                        [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
D       172.16.8.0/24 [90/3072] via 10.6.0.253, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.252, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
D       172.16.9.0/24 [90/3072] via 10.6.0.251, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
D       172.16.10.0/26 [90/3072] via 10.6.0.251, 00:47:01, GigabitEthernet0/0
                       [90/3072] via 10.6.0.250, 00:47:01, GigabitEthernet0/0
                       [90/3072] via 10.6.0.248, 00:47:01, GigabitEthernet0/0
                       [90/3072] via 10.6.0.247, 00:47:01, GigabitEthernet0/0
D       172.16.11.0/26 [90/2419200] via 192.168.1.18, 00:15:34, Serial0/0/1:0
D       172.16.4.0/26 [90/3072] via 10.6.0.251, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
D       172.16.5.0/26 [90/3072] via 10.6.0.251, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.248, 20:45:36, GigabitEthernet0/0
                      [90/3072] via 10.6.0.247, 20:45:36, GigabitEthernet0/0
D       172.16.6.0/24 [90/3072] via 10.6.0.251, 19:20:49, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 19:20:49, GigabitEthernet0/0
                      [90/3072] via 10.6.0.248, 19:20:49, GigabitEthernet0/0
                      [90/3072] via 10.6.0.247, 19:20:49, GigabitEthernet0/0
D       172.16.7.0/24 [90/3072] via 10.6.0.253, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.252, 20:45:37, GigabitEthernet0/0
D       172.16.1.0/24 [90/3072] via 10.6.0.251, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.248, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.247, 20:45:37, GigabitEthernet0/0
D       172.16.2.0/24 [90/3072] via 10.6.0.251, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.248, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.247, 20:45:37, GigabitEthernet0/0
D       172.16.3.0/26 [90/3072] via 10.6.0.251, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.250, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.248, 20:45:37, GigabitEthernet0/0
                      [90/3072] via 10.6.0.247, 20:45:37, GigabitEthernet0/0
D       172.16.11.64/27 [90/2419456] via 192.168.1.18, 00:15:35, Serial0/0/1:0
D       172.16.4.64/26 [90/3072] via 10.6.0.251, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.250, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.248, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.247, 20:45:37, GigabitEthernet0/0
D       172.16.5.64/26 [90/3072] via 10.6.0.251, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.250, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.248, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.247, 20:45:37, GigabitEthernet0/0
D       172.16.3.64/26 [90/3072] via 10.6.0.251, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.250, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.248, 20:45:37, GigabitEthernet0/0
                       [90/3072] via 10.6.0.247, 20:45:37, GigabitEthernet0/0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D       10.6.10.0/24 [90/2419200] via 192.168.1.10, 02:23:29, Serial0/3/0:0
D       10.6.4.0/24 [90/2419200] via 192.168.1.22, 02:18:42, Serial0/2/0:0
C       10.6.0.0/24 is directly connected, GigabitEthernet0/0
C       10.10.10.100/32 is directly connected, Loopback0
     192.168.1.0/30 is subnetted, 3 subnets
C       192.168.1.8 is directly connected, Serial0/3/0:0
C       192.168.1.16 is directly connected, Serial0/0/1:0
C       192.168.1.20 is directly connected, Serial0/2/0:0
S*   0.0.0.0/0 [1/0] via 172.16.5.213

Vlan 90 is able to ping all 5 stacks of 3750's and when I'm connected to one of the 3750 stacks I am able to ping 10.6.0.253 

Can you get through the ASA when you're connected to the 3750? I agree, something isn't right. Is G0/0 from the 3800 series the only router interface that's connected to the switch? Do you have any other routing devices in the switch also?

Can you post "sh vlan" and "sh int trunk"?

HTH, John *** Please rate all useful posts ***

I can get through the ASA when I'm connected to a 3750 as long as I'm not in vlan 90. G0/0 is the only router interface connected to the switch and the only routing device connected to the switch.

4506#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Te1/1, Te1/2, Gi1/5, Gi1/6, Gi6/47, Gi6/48
5    5VLAN                            active
10   10VLAN                           active
15   15VLAN                           active
20   20VLAN                           active
25   25VLAN                           active
30   30VLAN                           active
35   35VLAN                           active
40   40VLAN                           active
45   45VLAN                           active
50   50VLAN                           active
55   55VLAN                           active
60   60VLAN                           active
65   65VLAN                           active
70   70VLAN                           active
75   75VLAN                           active
90   90VLAN                           active    Gi6/1, Gi6/2, Gi6/3, Gi6/4, Gi6/5, Gi6/6, Gi6/7, Gi6/8, Gi6/9, Gi6/10, Gi6/11, Gi6/12, Gi6/13, Gi6/14, Gi6/15
                                                Gi6/16, Gi6/17, Gi6/18, Gi6/19, Gi6/20, Gi6/21, Gi6/22, Gi6/23, Gi6/24, Gi6/25, Gi6/26, Gi6/27, Gi6/28, Gi6/29
                                                Gi6/30, Gi6/40, Gi6/41, Gi6/42, Gi6/43, Gi6/44, Gi6/45, Gi6/46
95   ExternalInt_VLAN                 active
100  GeneralVoice_VLAN                active    Gi6/31, Gi6/33, Gi6/34, Gi6/35, Gi6/36, Gi6/37, Gi6/38, Gi6/39
101  Voice_VLAN                       active
102  CCVoice_VLAN                     active
105  BAS_VLAN                         active    Gi6/32
110  Guest-VLAN                       active
150  Native                           active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

All the switch vlan databases are configured via vtp
