09-11-2010 09:34 PM - edited 03-04-2019 09:44 AM
Hi,
Just wondering if anyone could shed light on the following trace results (from #9 down) taken from an Internet host to the inside interface of an Internet connected router.
TraceRoute to xx.56.137.249
Hop  (ms)       (ms)       (ms)       IP Address      Host name
1    10         9          6          xx.249.128.109  -
2    6          6          6          xx.123.64.22    -
3    10         6          53         xx.192.242.253  -
4    46         50         257        xx.229.0.193    -
5    259        266        260        xx.229.0.193    -
6    269        276        370        xx.229.1.186    -
7    303        268        264        xx.170.0.182    -
8    266        262        Timed out  xx.42.4.117     -
9    Timed out  358        390        xxx.42.129.50   -
10   Timed out  650        Timed out  xx.42.129.50    -
11   525        504        502        xxx.42.129.50   -
12   506        502        503        xxx.42.129.49   -
13   657        681        670        xxx.42.129.50   -
14   328        333        340        xxx.42.129.50   -
15   356        374        343        xxx.42.129.50   -
16   946        831        1021       xxx.42.129.50   -
17   725        442        414        xxx.42.129.50   -
18   376        347        325        xxx.42.129.49   -
19   960        1174       1171       xxx.42.129.49   -
20   Timed out  1429       Timed out  xxx.42.129.50   -
21   Timed out  1291       Timed out  xxx.42.129.49   -
22   Timed out  1408       Timed out  xxx.42.129.49   -
23   Timed out  Timed out  Timed out                  -
24   Timed out  Timed out  1467       xxx.42.129.49   -
25   580        535        530        xxx.42.129.50   -
26   479        457        409        xxx.42.129.49   -
As you can see, there seems to be a loop, but the routing table only shows a static default to the PE router, along with the inside and outside connected networks. Access-lists have been removed for testing, so the only one remaining is used for debug purposes. No routing protocols are running.
Traffic passing through the router, for example to the connected 'outside' firewall interface (xx.56.137.251), or to a static NAT address running on the firewall (xx.56.137.252), doesn't seem to be affected by the loop.
The network looks like this..
And the config like this...
interface FastEthernet0/0 <<Inside
ip address xx.56.137.249 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0:0 <<Outside
ip address xxx.42.129.50 255.255.255.252
ip access-group test in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.42.129.49
!
ip access-list extended test
permit ip any host xx.56.137.252 log
permit ip any any
!
Thanks,
Duncan
09-12-2010 09:01 AM
Hi Duncan,
Have you or the provider made any changes on the network that will cause this?
In other words, did this just happen recently, or has it always been like this and you did not know about it?
You have a default route towards the provider and it seems that the provider has the same towards you, but in an L3-vpn/vrf.
Reza
09-12-2010 03:36 PM
Duncan
Can you clarify what was the target address in the traceroute in your post? You mention that traffic to some destination addresses does work. So perhaps it would help us if we knew what the traceroute was trying to get to.
HTH
Rick
09-12-2010 04:30 PM
Hi Richard,
The traceroute was targeting the inside interface of the Internet router (xx.56.137.249).
I'm also seeing similar behaviour to certain NATed addresses on the firewall, behind the Internet router.
debug ip packet detail w/ an ACL filtering ICMP traffic to/from xx.56.137.248/29 doesn't show the ICMP reaching the router for certain addresses (cef and fast switching disabled on both inside and outside interfaces to get complete packet-by-packet view), but for others it seems fine.
We tried restarting the router but to no avail.
The service provider recommends restarting the firewall too, which we'll try today, although the problem would seem to be in front of, rather than behind the Internet router.
Duncan
09-12-2010 04:39 PM
It seems it has been an issue since the beginning.
The main problem is that we use a 3rd party mail filter (our MX record points to them and they forward email once filtered), half of whose servers can reach our email server in the DMZ (xx.56.137.252) and half of whose can't (their traffic gets pulled into a loop between the CE and PE routers).
09-12-2010 04:46 PM
Does your connection to the service provider reside in a VRF? To me, it seems that you are sending the provider a global default route and the service provider sends it back to you in your own VRF.
09-12-2010 06:29 PM
Duncan
These symptoms are quite puzzling. In your earlier posts it seemed that the problem was that certain destination addresses would work and other addresses would not work. Now you seem to be saying that the same destination address may work or may not work depending on the source of the packet. Am I understanding this correctly?
That leads me to wonder whether there might be more than one network path to this router. Is there more than just the serial interface that you show that could be used to access this router?
And it also makes me think that the question from Reza is possibly useful. Are you doing any VRFs on this router?
HTH
Rick
09-12-2010 09:15 PM
Richard,
We seem to get the same phenomenon in both directions (i.e. certain addresses are pingable from the Internet router and others aren't, and certain addresses in the xx.56.137.248/29 range are pingable from the Internet while others aren't).
As for other paths to the router, there are none (see below show ip int brief output):
IGD-RT01#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 xx.56.137.249 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM up down
Serial0/0/0:0 xxx.42.129.50 YES NVRAM up up
IGD-RT01#
Here's some sample output from a raw internet host pinging several addresses in the xx.56.137.248/29 range.
C:\Documents and Settings\Administrator>ping xx.56.137.253
Pinging xx.56.137.253 with 32 bytes of data:
Reply from xxx.42.129.50: TTL expired in transit.
Reply from xxx.42.129.50: TTL expired in transit.
Reply from xxx.42.129.50: TTL expired in transit.
Reply from xxx.42.129.50: TTL expired in transit.
Ping statistics for xx.56.137.253:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>ping xx.56.137.252
Pinging xx.56.137.252 with 32 bytes of data:
Reply from xxx.42.129.49: TTL expired in transit.
Reply from xxx.42.129.50: TTL expired in transit.
Reply from xxx.42.129.50: TTL expired in transit.
Reply from xxx.42.129.49: TTL expired in transit.
Ping statistics for xx.56.137.252:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator>ping xx.56.137.249
Pinging xx.56.137.249 with 32 bytes of data:
Reply from xx.56.137.249: bytes=32 time=313ms TTL=239
Reply from xx.56.137.249: bytes=32 time=308ms TTL=239
Reply from xx.56.137.249: bytes=32 time=299ms TTL=238
Reply from xx.56.137.249: bytes=32 time=316ms TTL=238
Ping statistics for xx.56.137.249:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 299ms, Maximum = 316ms, Average = 309ms
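Added example, not part of the original thread: a small Python check that flags the pattern seen in the first post's trace, where the same CE/PE link addresses answer at many consecutive hops. The sample rows are constructed from documentation address ranges (not the poster's masked addresses), and the function names and the `min_hits` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the shape of the posted trace.
SAMPLE = """\
 6  269  276  370              198.51.100.186
 7  303  268  264              198.51.100.182
 8  266  262  Timed out        203.0.113.117
 9  Timed out  358  390        192.0.2.50
10  Timed out  650  Timed out  192.0.2.50
11  525  504  502              192.0.2.50
12  506  502  503              192.0.2.49
13  657  681  670              192.0.2.50
14  Timed out  Timed out  Timed out
15  356  374  343              192.0.2.49
"""

ROW = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
ADDR = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_hops(text):
    """Return [(hop_number, address_or_None)]; a fully timed-out hop gives None."""
    hops = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr = ADDR.search(m.group(2))
        hops.append((int(m.group(1)), addr.group(0) if addr else None))
    return hops

def find_loop(hops, min_hits=3):
    """An address answering at >= min_hits hop numbers indicates a forwarding loop.
    Returns (first_hop_in_loop, sorted addresses seen from that hop on) or None.
    A single repeat at adjacent hops stays below the threshold and is ignored."""
    seen = defaultdict(list)
    for n, addr in hops:
        if addr:
            seen[addr].append(n)
    repeated = [ns for ns in seen.values() if len(ns) >= min_hits]
    if not repeated:
        return None
    start = min(min(ns) for ns in repeated)
    return start, sorted({a for n, a in hops if a and n >= start})

if __name__ == "__main__":
    print(find_loop(parse_hops(SAMPLE)))
```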