
New Member

Lost

Strange situation. Have a company with two physical sites connected via a point-to-point T1. On each end of the T1 are old Cisco 1602R routers. The problem is actually with Exchange servers failing to talk to each other properly. Site A is main office and Site B is branch office. Each site contains 1 Exchange server and the sites are supposed to talk over this p-t-p connection. I cannot use telnet to connect from site A to site B over port 25. I can however, connect from site B to site A over port 25.

Essentially, the communication between these Exchange servers is failing because messages cannot go from site A to site B, but can go from site B to site A.

The interesting thing is that I can use telnet from site A to site B using a different port, say 691 which is also used with Exchange and it works fine.

I can telnet into site B router and establish a telnet session to the Exchange server in site B.

The problem is router A. For some reason, it will not allow requests over port 25 to go through.

Any clue???

84 REPLIES
Hall of Fame Super Silver

Re: Lost

James

When some traffic does work but traffic on a particular port does not work my first guess is that there is an access list that is blocking.

If you would post the config of both routers we would more likely be able to identify the problem.

HTH

Rick

New Member

Re: Lost

OK. I am trying to clean up the previous admin's mess.

Site A: I think the problem is on this router.

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname NY_router

!

enable password "xxxx"

!

!

ip subnet-zero

no ip domain-lookup

!

process-max-time 200

!

interface Ethernet0

description connected to NY_LAN

ip address 192.168.110.1 255.255.255.0

no ip directed-broadcast

no keepalive

!

interface Serial0

description 56k CSU/DSU NOT USED

no ip address

no ip directed-broadcast

encapsulation ppp

no fair-queue

service-module 56k clock source line

service-module 56k network-type dds

!

interface Serial1

description connected to GA router via t1

bandwidth 1120

ip address 10.1.2.1 255.255.255.0

no ip directed-broadcast

encapsulation ppp

no fair-queue

service-module t1 timeslots 1-20

service-module t1 remote-alarm-enable

!

no ip classless

ip route 0.0.0.0 0.0.0.0 192.168.110.6

ip route 192.168.120.0 255.255.255.0 10.1.2.2

no ip http server

!

!

line con 0

exec-timeout 0 0

password "xxx"

login

transport input none

line vty 0 4

password "xxx"

login

!

end

192.168.110.6 is another gateway on the lan subnet that is connected to a sonicwall and then to the Internet.

New Member

Re: Lost

Site B:

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

no service udp-small-servers

no service tcp-small-servers

!

hostname GA-router

!

enable password "xxxx"

ip subnet-zero

no ip domain-lookup

!

interface Ethernet0

description connected to GA_LAN

ip address 192.168.120.1 255.255.255.0

no ip directed-broadcast

!

interface Serial0

description 56k CSU/DSU NOT USED

no ip address

no ip directed-broadcast

encapsulation ppp

shutdown

service-module 56k clock source internal

service-module 56k network-type dds

!

interface Serial1

description connected to NY via t1

ip address 10.1.2.2 255.255.255.0

no ip directed-broadcast

bandwidth 1120

service-module t1 timeslots 1-20

service-module t1 remote-alarm-enable

!

no ip classless

ip route 0.0.0.0 0.0.0.0 192.168.120.2

ip route 0.0.0.0 0.0.0.0 192.168.110.1 2

ip route 192.168.110.0 255.255.255.0 10.1.2.1

ip route 192.168.110.0 255.255.255.0 192.168.120.2 2

!

line con 0

exec-timeout 0 0

password "xxx"

login

transport input none

line vty 0 4

password "xxx"

login

!

end

192.168.120.2 is connected to a sonicwall and out to the Internet. This serves as a backup vpn between the offices.

Hall of Fame Super Silver

Re: Lost

I do not see anything in this router config that would produce the symptoms that you describe. Can you post the config of the other router?

I do see a couple of things in this config that I would question - though I do not believe that they are related to the symptoms that you describe:

- interface Ethernet 0 is configured with no keepalive. Why is this? It is generally best practice to have keepalive on LAN interfaces.

- no ip classless is configured. This is a very old practice and in general we are better off to configure ip classless. Though with 1 static default route and 1 static network route it probably does not have much impact either way.

HTH

Rick

Hall of Fame Super Silver

Re: Lost

James

You posted the config of the second router while I was making my prior response. Thanks for posting the other config.

I do not see anything in the second config that would produce the symptom that you describe. And I went back and re-read the entire thread. I wonder about this statement in the original post:

I can telnet into site B router and establish a telnet session to the Exchange server in site B.

When you telnet to site B and telnet to the Exchange server is that a normal telnet or a telnet on port 25?

HTH

Rick

New Member

Re: Lost

port 25.

I just changed the port on the exchange server to port 30 and I can now connect to the exchange server on port 30 from site A.

Port 25 is being blocked on site A's router somehow. I have no idea how that could happen.

New Member

Re: Lost

Silly question that I presume you've already checked... though is there any chance you did a:

show startup

and not a:

show run

I suppose you could have a startup config that's not what you're actually running?

you could try a:

show access-lists

or

show interfaces

to see if there are indeed any active acls or acls applied to any interfaces

New Member

Re: Lost

I did a show run!! Good thought though.

But I will check the startup config and the access lists.

New Member

Re: Lost

Here are the results from show access-lists and then show int

NY_router#show access-lists

NY_router#show int

Ethernet0 is up, line protocol is up

Hardware is QUICC Ethernet, address is 00d0.bae0.29ec (bia 00d0.bae0.29ec)

Description: connected to NY_LAN

Internet address is 192.168.110.1/24

MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Queueing strategy: fifo

Output queue 0/40, 5232 drops; input queue 0/75, 0 drops

5 minute input rate 13000 bits/sec, 11 packets/sec

5 minute output rate 11000 bits/sec, 7 packets/sec

25357744 packets input, 3623322221 bytes, 8 no buffer

Received 17250795 broadcasts, 0 runts, 0 giants, 138875 throttles

3767 input errors, 1 CRC, 3766 frame, 0 overrun, 0 ignored

0 input packets with dribble condition detected

9747530 packets output, 2071818853 bytes, 0 underruns

1098 output errors, 361077 collisions, 1 interface resets

0 babbles, 0 late collision, 129386 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Serial0 is down, line protocol is down

Hardware is QUICC Serial (with onboard CSU/DSU)

Description: 56k csu/dsu NOT USED

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive set (10 sec)

LCP Closed

Closed: CDPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters 8w2d

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=down DTR=up RTS=up CTS=up

Serial1 is down, line protocol is down

Hardware is QUICC Serial (with FT1 CSU/DSU WIC)

Description: connected to GA router via t1

Internet address is 10.1.2.1/24

MTU 1500 bytes, BW 1120 Kbit, DLY 20000 usec,

reliability 202/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive set (10 sec)

LCP Closed

Closed: IPCP, CDPCP

Last input 8w1d, output 8w1d, output hang never

Last clearing of "show interface" counters 8w2d

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

11752 packets input, 753596 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

7351 input errors, 27 CRC, 5803 frame, 0 overrun, 0 ignored, 1521 abort

7490 packets output, 104860 bytes, 0 underruns

0 output errors, 0 collisions, 683 interface resets

0 output buffer failures, 0 output buffers swapped out

3 carrier transitions

DCD=down DSR=up DTR=up RTS=up CTS=down

NY_router#

New Member

Re: Lost

Here's another weird thing for you. On both routers, the serial1 interface shows that it is down. Yet I can access both sites and ping, etc.

This is what I am seeing: serial1 is down, line protocol is down.?????

User Access Verification

Password:

NY_router>en

Password:

NY_router#sh int s1

Serial1 is down, line protocol is down

Hardware is QUICC Serial (with FT1 CSU/DSU WIC)

Description: connected to GA router via t1

Internet address is 10.1.2.1/24

MTU 1500 bytes, BW 1120 Kbit, DLY 20000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, loopback not set

Keepalive set (10 sec)

LCP Closed

Closed: IPCP, CDPCP

Last input never, output never, output hang never

Last clearing of "show interface" counters 00:06:53

Queueing strategy: fifo

Output queue 0/40, 0 drops; input queue 0/75, 0 drops

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

DCD=down DSR=up DTR=up RTS=up CTS=down

Hall of Fame Super Silver

Re: Lost

James

I missed this clue in your earlier post. :(

I believe that it is quite helpful in understanding what the issue may be. The serial interface does show as down and that means that no data is flowing over the serial interface. Your earlier post indicates that there is a VPN connection which serves as a backup and I believe that data is flowing over that backup connection. There are several ways that you can verify this:

- do a show ip route on either or both routers and I believe that you will see that the route between the sites is over the backup.

- do a traceroute from NY to GA or from a host in NY to a host in GA. I believe that you will see that the responding interface is not the serial interface but is the VPN path.

This may also help explain the problem with port 25 in GA. If the data is passing through the sonicwall/VPN then there is a possibility that one of the sonicwalls is denying that traffic.

HTH

Rick

New Member

Re: Lost

OK. I did a show ip route on the ny router and this is what I get:

Does that confirm your statement?

User Access Verification

Password:

NY_router>en

Password:

NY_router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 192.168.110.6 to network 0.0.0.0

C 192.168.110.0/24 is directly connected, Ethernet0

S* 0.0.0.0/0 [1/0] via 192.168.110.6

NY_router#

New Member

Re: Lost

This is from the GA router:

User Access Verification

Password:

GA_router>en

Password:

GA_router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

U - per-user static route, o - ODR

Gateway of last resort is 192.168.120.2 to network 0.0.0.0

S 192.168.110.0/24 [2/0] via 192.168.120.2

C 192.168.120.0/24 is directly connected, Ethernet0

S* 0.0.0.0/0 [1/0] via 192.168.120.2

GA_router#

Hall of Fame Super Silver

Re: Lost

James

Yes this is exactly the confirmation that I thought we would get. Notice here that the route to 192.168.110.0/24 has 192.168.120.2 as its next hop. That is the sonicwall/VPN and not the serial link.

So the traffic is definitely flowing through the VPN and not over the serial.

And I think that makes the sonicwall the primary suspect in what is the problem with port 25.

If you find the problem with the serial link and fix it I suspect that the port 25 problem will go away.

HTH

Rick

Silver

Re: Lost

Hi All

Just a question.

Is the fact that there are 2 default routes configured on Site B pointing to two different LAN addresses not a problem?

--- Snippet of config from Site B Router -----

!

no ip classless

ip route 0.0.0.0 0.0.0.0 192.168.120.2

ip route 0.0.0.0 0.0.0.0 192.168.110.1 2

ip route 192.168.110.0 255.255.255.0 10.1.2.1

ip route 192.168.110.0 255.255.255.0 192.168.120.2 2

!

----------- END------------------------------

Hall of Fame Super Silver

Re: Lost

Michael

If you look carefully you will see that it is not really 2 default routes but is 1 regular static default route and 1 floating static default route to back up the primary in case it fails. The extra 2 at the end of the second default route is an administrative distance and differentiates the primary static default route from the backup. This is a "good thing" and not a problem.

HTH

Rick
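The comparison Rick makes by eye, between the static routes configured on the GA router and what show ip route actually installed, written out as an added example that is not part of any poster's message. It flags a prefix whose installed route is a floating static rather than the primary, which in this thread means the traffic is crossing the SonicWall/VPN path and its filtering instead of the T1; the route lines are copied from the posts above and the function names are illustrative.

```python
import re

# Static routes from the Site B (GA) config posted in the thread.
GA_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.120.2
ip route 0.0.0.0 0.0.0.0 192.168.110.1 2
ip route 192.168.110.0 255.255.255.0 10.1.2.1
ip route 192.168.110.0 255.255.255.0 192.168.120.2 2
"""

# Route entries from the GA router's "show ip route" output in the thread.
GA_SHOW_IP_ROUTE = """\
S 192.168.110.0/24 [2/0] via 192.168.120.2
C 192.168.120.0/24 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 192.168.120.2
"""

# "ip route <net> <mask> <next-hop> [distance]"; distance defaults to 1.
CFG_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?\s*$", re.M)
# "S[*] <net>/<len> [<distance>/<metric>] via <next-hop>"
RIB_RE = re.compile(r"^S\*?\s+(\S+)/(\d+) \[(\d+)/\d+\] via (\S+)", re.M)


def mask_to_len(mask):
    """Convert a dotted netmask such as 255.255.255.0 to a prefix length."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def configured_statics(config):
    """Return {prefix: [(distance, next_hop), ...]}, lowest distance first."""
    routes = {}
    for net, mask, hop, dist in CFG_RE.findall(config):
        prefix = f"{net}/{mask_to_len(mask)}"
        routes.setdefault(prefix, []).append((int(dist or 1), hop))
    return {prefix: sorted(cands) for prefix, cands in routes.items()}


def installed_statics(show_ip_route):
    """Return {prefix: (distance, next_hop)} for static routes in the table."""
    return {
        f"{net}/{plen}": (int(dist), hop)
        for net, plen, dist, hop in RIB_RE.findall(show_ip_route)
    }


def failed_over(config, show_ip_route):
    """List prefixes whose installed static is not the primary configured one."""
    installed = installed_statics(show_ip_route)
    findings = []
    for prefix, candidates in configured_statics(config).items():
        primary = candidates[0]
        active = installed.get(prefix)
        if active is not None and active != primary:
            findings.append(
                {"prefix": prefix, "primary": primary, "active": active}
            )
    return findings


if __name__ == "__main__":
    for f in failed_over(GA_CONFIG, GA_SHOW_IP_ROUTE):
        print(f"{f['prefix']}: primary {f['primary']} not installed, "
              f"traffic is using {f['active']}")
```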

Silver

Re: Lost

Hi Rick

Cheers, for the swift response and clarification. I was thinking it was possibly that. I have read about floating static routes being used as backup routes in my studies but have never configured them or seen them configured.

I will know in future how they show up in a routing table.

Best Regards & again many thanks,

Michael

Hall of Fame Super Silver

Re: Lost

Michael

If you have not configured floating static routes or not seen them in configs then they are easy to miss. I am glad that you now have a better understanding of them. It may be helpful to look at the previous posting of show ip route from the GA router (where the floating static is configured) and figure which static is currently in the routing table.

HTH

Rick

New Member

Re: Lost

Gentlemen,

I think that is the problem. We see amber or warning lights on the p-t-p equipment so that is most likely the issue here. I won't call it a complete victory, but it certainly is the best news I have heard all week.

I will keep you updated next week. I can't thank you enough. A good learning experience for me.

Hall of Fame Super Silver

Re: Lost

James

I am glad that the discussion has been helpful. It has been an unusual and interesting problem to figure out. Please do update us as you work through the issue.

HTH

Rick

New Member

Re: Lost

I suspected the firewall.

New Member

Re: Lost

Hey guys,

A little update for you. We finally got the ISP on the phone and they have been remotely connecting to our smartjacks and cisco routers to help diagnose the problem. One of the things they saw was that the timing between the two routers was out of whack. I don't have much specific info, but how does timing work on these things and more importantly, based on the configs posted earlier, how should we reconfigure timing?

If that makes sense...?

Hall of Fame Super Silver

Re: Lost

James

A little more detail from them might be helpful. On most leased lines the timing on the circuit is based on timing from the provider. And I believe that is what you have based on this config:

!

interface Serial1

description connected to GA router via t1

bandwidth 1120

ip address 10.1.2.1 255.255.255.0

no ip directed-broadcast

encapsulation ppp

no fair-queue

service-module t1 timeslots 1-20

service-module t1 remote-alarm-enable

!

If the ISP does not want timing from the circuit then you might try to configure:

service-module t1 clock source internal

Otherwise try to get some more information from the ISP including what they suggest as a solution.

In the meantime it might be helpful if you would post the output of show service-module serial 1. (from both routers)

HTH

Rick

Silver

Re: Lost

Hi Rick

Yes, I can see from the output of the "show ip route" command on the GA Router that the gateway of last resort is the default static route 192.168.120.2, which is denoted in the routing table by the code "S*" and that this is the route of choice as the AD is 1 as opposed to the AD of 2 that the floating static route is configured with.

I will do some playing around with floating static routes on my home lab tomorrow so I can gain experience configuring them and seeing how they work when I kill the primary default route :)

Once again many thanks for your explanations, they are much appreciated.

Best Regards,

Michael

New Member

Re: Lost

NY router:

NY_router#show service-module serial 1

Module type is T1/fractional

Hardware revision is 0.88, Software revision is v1.10,

Image checksum is 0x461796D6, Protocol revision is 0.1

Receiver has no alarms.

Framing is ESF, Line Code is B8ZS, Current clock source is line,

Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.

Last module self-test (done at startup): Passed

Last clearing of alarm counters 1d05h

loss of signal : 1, last occurred 20:28:01

loss of frame : 7, last occurred 01:11:47

AIS alarm : 6, last occurred 01:11:47

Remote alarm : 0,

Module access errors : 0,

Total Data (last 96 15 minute intervals):

510 Line Code Violations, 1040 Path Code Violations

3 Slip Secs, 80639 Fr Loss Secs, 21 Line Err Secs, 6 Degraded Mins

29 Errored Secs, 29 Bursty Err Secs, 18 Severely Err Secs, 80627 Unavail Secs

Data in current interval (97 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

New Member

Re: Lost

GA router:

GA_router#show service-module serial 1

Module type is T1/fractional

Hardware revision is 0.88, Software revision is 1.07,

Image checksum is 0x8510A6B6, Protocol revision is 0.1

Receiver has no alarms.

Framing is ESF, Line Code is B8ZS, Current clock source is line,

Fraction has 20 timeslots (64 Kbits/sec each), Net bandwidth is 1280 Kbits/sec.

Last module self-test (done at startup): Passed

Last clearing of alarm counters 01:12:10

loss of signal : 0,

loss of frame : 0,

AIS alarm : 0,

Remote alarm : 1, last occurred 01:12:00

Module access errors : 0,

Total Data (last 4 15 minute intervals):

0 Line Code Violations, 0 Path Code Violations

6 Slip Secs, 11 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

62 Errored Secs, 0 Bursty Err Secs, 11 Severely Err Secs, 0 Unavail Secs

Data in current interval (690 seconds elapsed):

0 Line Code Violations, 0 Path Code Violations

0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins

0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Hall of Fame Super Silver

Re: Lost

James

Thank you for posting this output as I requested. It does show that currently both routers are getting timing (clocking) from the line. And this is generally what I would expect on a leased line. If the provider thinks that there is a timing problem you might talk to them about whether it is worth it to try using clock source internal as I suggested. I would probably not do this without checking with the provider.

This output does show that there are issues on the line. Note particularly:

510 Line Code Violations,

1040 Path Code Violations

80639 Fr Loss Secs

80627 Unavail Sec

Does the provider have anything to say about these?

HTH

Rick

New Member

Re: Lost

The ISP changed some clocking on the routers on Wednesday, but I am still having difficulty. I think the p-t-p connection is going up and down or is at least having too many packet errors/collisions and therefore the vpn is taking over.

To me it's different and I am not used to the setup here, which I think is wrong. Each subnet (NY and GA) has two default gateways. One is the p-t-p connection and the other is the vpn/Internet connection. Shouldn't each subnet have 1 gateway? What is the "best practice" to implement?

I think what is happening is that the p-t-p is flaky and the packets can't decide which way to go so they oscillate between the p-t-p and the vpn.

Hall of Fame Super Silver

Re: Lost

James

It is not clear what the ISP changed, but it seems pretty clear that it did not clear up the problem. Perhaps a fresh output of show service-module would be helpful.

I am not clear about your comment that each subnet has 2 default gateways. Is this related to the static route/default route and the floating static/default route? Or is it something else? Perhaps when we understand the question a bit better we can have answers about best practice.

HTH

Rick
