Spoke can't ping a host behind the hub

Ricky Sandhu
Level 1

Hi all,

We have a hub and spoke network with all spoke routers connecting to two hubs (for redundancy) over Tunnel0 and Tunnel1.

Each hub is connected to one another via a common switch.

Hub 1's Tunnel IP is 10.10.200.1 /24

Hub 2's Tunnel IP is 10.10.201.1 /24

We have our Cisco Secure ACS server (IP 172.18.120.230/24) connecting to the same common switch (Layer 3 stack) between the 2 hubs.

Each hub can ping the IP address of this server and knows it via the interface connecting to the switch.

On the spoke side, a show ip eigrp topology identifies Hub on Tunnel0 to be the successor and Tunnel1 to be the Feasible Successor to network 172.18.120.0/24

Also on the spoke side, a show ip route 172.18.120.230 returns that it has a route to this host via Tunnel0 which validates the previous statement.

Now here is the problem. I can't ping 172.18.120.230 from the spoke router. I tried to source the ping from Tunnel0 and Tunnel1 but it still fails.

I CAN ping 172.18.120.230 from each hub without any issues.

There are no filters or ACLs in place on the hubs or the spoke that would block this connection.

Although sometimes it works where I can ping without any issues. Also this is not the case with every spoke where I CAN successfully ping the host from them without any issues.

Below is a capture of the configuration from spoke side and ping from both hubs. I would really appreciate any help anyone can provide.

r-exp-lab-1#sh ip route 172.18.120.230
Routing entry for 172.18.120.0/24
  Known via "eigrp 1", distance 170, metric 2560256, type external
  Redistributing via eigrp 1
  Last update from 10.10.200.1 on Tunnel0, 21:18:24 ago
  Routing Descriptor Blocks:
  * 10.10.200.1, from 10.10.200.1, 21:18:24 ago, via Tunnel0
      Route metric is 2560256, traffic share count is 1
      Total delay is 50010 microseconds, minimum bandwidth is 2000 Kbit
      Reliability 255/255, minimum MTU 1400 bytes
      Loading 1/255, Hops 1
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#

r-exp-lab-1#sh ip eigrp nei
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.10.200.1             Tu0                      10 22:27:47  169  1014  0  244617
0   10.10.201.1             Tu1                      14 22:27:49   14   138  0  49093
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#

r-exp-lab-1#sh ip eigrp top 172.18.120.0/24
EIGRP-IPv4 Topology Entry for AS(1)/ID(1.1.1.150) for 172.18.120.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2560256
  Descriptor Blocks:
  10.10.200.1 (Tunnel0), from 10.10.200.1, Send flag is 0x0
      Composite metric is (2560256/2816), route is External
      Vector metric:
        Minimum bandwidth is 2000 Kbit
        Total delay is 50010 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 1
      External data:
        Originating router is 1.1.1.1
        AS number of route is 0
        External protocol is Static, external metric is 0
        Administrator tag is 0 (0x00000000)
  10.10.201.1 (Tunnel1), from 10.10.201.1, Send flag is 0x0
      Composite metric is (3840256/2816), route is External
      Vector metric:
        Minimum bandwidth is 1000 Kbit
        Total delay is 50010 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1400
        Hop count is 1
      External data:
        Originating router is 1.1.1.2
        AS number of route is 0
        External protocol is Static, external metric is 0
        Administrator tag is 0 (0x00000000)

r-exp-lab-1#ping
Protocol [ip]:
Target IP address: 172.18.120.230
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Tunnel0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
Packet sent with a source address of 10.10.200.150
.....
Success rate is 0 percent (0/5)
r-exp-lab-1#

r-exp-lab-1#ping
Protocol [ip]:
Target IP address: 172.18.120.230
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Tunnel1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
Packet sent with a source address of 10.10.201.150
.....
Success rate is 0 percent (0/5)

R-HUB-1#ping 172.18.120.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R-HUB-2#ping 172.18.120.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R-Q9-2#

6 Replies

cadet alain
VIP Alumni

Hi,

You did your extended ping sourcing from Tunnel1, but in the RIB it is installed via Tunnel0; a feasible successor is not installed in the RIB unless the successor fails. What is happening when sourcing from Tunnel0?

Regards.

Alain

Don't forget to rate helpful posts.
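
The successor / feasible successor split discussed above can be checked directly from the posted topology entry. The following is an added example, not code from any poster in this thread: it parses a trimmed copy of the `sh ip eigrp top` output, recomputes each path's classic composite metric, and applies the feasibility condition (reported distance lower than FD). It assumes classic (non-wide) metrics with default K values; the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the "sh ip eigrp top 172.18.120.0/24"
# output in the original post (only the lines the parser needs).
SAMPLE = """\
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2560256
  10.10.200.1 (Tunnel0), from 10.10.200.1, Send flag is 0x0
      Composite metric is (2560256/2816), route is External
        Minimum bandwidth is 2000 Kbit
        Total delay is 50010 microseconds
  10.10.201.1 (Tunnel1), from 10.10.201.1, Send flag is 0x0
      Composite metric is (3840256/2816), route is External
        Minimum bandwidth is 1000 Kbit
        Total delay is 50010 microseconds
"""

def classic_metric(bw_kbit, delay_usec):
    """Classic EIGRP metric, default K values assumed (K1=K3=1, others 0)."""
    return 256 * (10**7 // bw_kbit + delay_usec // 10)

def parse_paths(text):
    """Return (feasible distance, list of per-neighbor path dicts)."""
    fd = int(re.search(r"FD is (\d+)", text).group(1))
    paths = []
    for line in text.splitlines():
        if m := re.match(r"\s*(\S+) \((\S+)\), from", line):
            paths.append({"next_hop": m[1], "intf": m[2]})
        elif m := re.search(r"Composite metric is \((\d+)/(\d+)\)", line):
            paths[-1].update(dist=int(m[1]), rd=int(m[2]))
        elif m := re.search(r"Minimum bandwidth is (\d+) Kbit", line):
            paths[-1]["bw"] = int(m[1])
        elif m := re.search(r"Total delay is (\d+) microseconds", line):
            paths[-1]["delay"] = int(m[1])
    return fd, paths

def classify(text):
    """Map interface -> (role, metric recomputed from bandwidth and delay)."""
    fd, paths = parse_paths(text)
    roles = {}
    for p in paths:
        role = ("successor" if p["dist"] == fd
                else "feasible successor" if p["rd"] < fd   # feasibility condition
                else "not feasible")
        roles[p["intf"]] = (role, classic_metric(p["bw"], p["delay"]))
    return roles

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The recomputed values match the posted composite metrics, so the only difference between the two paths is the minimum bandwidth (2000 Kbit via Tunnel0, 1000 Kbit via Tunnel1).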

Hi Alain, I just wanted to show from Tunnel1 for comparison. I have posted an extended ping output from Tunnel0 just above that.

Anybody?

If you use a static route at the spoke, does it work? The routing part is unexplainable and I cannot see why it is not working, unless there is an ACL or filter, of which you have said you don't have?

Hi Mandlenkosi, if I use a static route at the spoke it works. Yea it's strange to me as well as it doesn't make any sense. No ACLs or Filters exist as I have checked it over and over again.

I have attached a screenshot of running continuous pings from one spoke to another. It times out for a long time and then all of a sudden it starts to respond again.

Could this offer any clues? Below is an output from the Tunnel interface on my hub and spoke router. I am still new to this so I might be missing something.

Tunnel Interface on HUB side

interface Tunnel0
bandwidth 1000
ip address 10.10.201.1 255.255.255.0
no ip redirects
ip accounting output-packets
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication xxxx
ip nhrp map multicast dynamic
ip nhrp network-id 201
ip nhrp holdtime 600
no ip split-horizon eigrp 1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 201
tunnel protection ipsec profile IPSECPROF1

--------------------------------------------------

Tunnel interface on SPOKE side

interface Tunnel1
bandwidth 8000
ip address 10.10.201.24 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip hello-interval eigrp 1 60
ip hold-time eigrp 1 180
no ip next-hop-self eigrp 1
ip flow ingress
ip nhrp authentication xxxx
ip nhrp map multicast dynamic
ip nhrp map multicast xxx.xxx.xxx.xxx
ip nhrp map 10.10.201.1 xxx.xxx.xxx.xxx
ip nhrp network-id 201
ip nhrp holdtime 600
ip nhrp nhs 10.10.201.1
ip nhrp registration no-unique
ip tcp adjust-mss 1380
load-interval 30
delay 100
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 201
tunnel protection ipsec profile IPSECPROF1 shared
end
