I've encountered a routing problem to a single IP address within a global IP range.
Two traceroutes to a pair of addresses in the same subnet range are attached; the first traceroute, to 188.8.131.52, works, while the second traceroute, to 184.108.40.206, goes into a loop one hop out from the firewall of the destination network.
If these addresses are part of the same subnet 220.127.116.11/29, how can one work and the other one fail?
My ip route for this subnet is:
'ip route 18.104.22.168 255.255.255.240 Vlanxx'
This is an interesting traceroute; your static route is good too. If you are in the firn2-doe-turlington-ce.firn2.net [22.214.171.124] router, can you get to host 134? I would look into this router's configuration, but this is weird! It seems as though 126.96.36.199 does not know about 188.8.131.52/29.
That's why I posted this - it goes over my head; I'm trained in PIX/ASA and LAN protocols - I'm not a CCNP yet ;-P
I admin the 184.108.40.206 hop - the 220.127.116.11 router is a connected VPN router that points somewhere else completely; why the trace would go there at all is a mystery, much less for a single address but no others...
Even from the 18.104.22.168 device (an L3 3750 with VLANs configured), traceroutes fail to that IP.
I already ruled out the target server as a cause by replacing it with a laptop and making a static NAT in the firewall to the global IP.
I've scheduled a reboot for both of those devices for tonight, to rule out 'weird IOS error'. Other than that, I have no idea what this might be.
It looks to me like firn2-doe-turlington-ce.firn2.net is routing differently for 22.214.171.124 than for 126.96.36.199. They may be in the same subnet as far as you are concerned, but firn2-doe-turlington-ce.firn2.net may think differently. It could, for example, have a host route as a result of IP mobility, or a frame-relay p2mp, or a PPP link, or something like that.
You really need show ip route on firn2-doe-turlington-ce.firn2.net
Maybe you can clarify a little about the 188.8.131.52/29. If it's a /29 then .134 and .139 are not in the same subnet; the /29 ends at the .135 address and .139 is in the next subnet, so one could fail and the other not because they would be in different subnets. You have the static route at the /28 boundary, so you would have to clarify that.
Kevin posted good though, and Glen nailed it, and lesson learned at my end to look closer. If this is the case, that is a good catch by Glen, if you take a look at /28 and /29.
/28 hosts addresses
184.108.40.206 subnet address
/29 hosts addresses
220.127.116.11 Subnet address
So, as posted by Glen, you would have to take a look at whether you indeed have one /28 and one /29 network somewhere, or both, to tailor your static route. If you do have both networks going to the same destination, then two static routes will be needed, one for the /28 and one for the /29.
Apologies to all - that mask was a typo; it used to be a /29 but was opened up to a /28 earlier this year.
A 'sh ip route' from that 3750:
xxxxx3750#sh ip route
Codes: C - connect*snip*
Gateway of last resort is 18.104.22.168 to network 0.0.0.0
*** Private ranges removed ***
C 22.214.171.124/29 is directly connected, Vlan600
S 126.96.36.199/24 [1/0] via 10.10.245.132
C 188.8.131.52/30 is directly connected, Vlan7
S 184.108.40.206/28 [1/0] via 10.10.245.133
C 220.127.116.11/22 is directly connected, Vlan21
S 18.104.22.168/28 [1/0] via 10.10.245.131
S 22.214.171.124/26 [1/0] via 126.96.36.199
S 188.8.131.52/27 is directly connected, Null0
C 184.108.40.206/28 is directly connected, Vlan593
C 220.127.116.11/30 is directly connected, Vlan591
C 18.104.22.168/30 is directly connected, Vlan8
S 22.214.171.124/29 is directly connected, Null0
C 126.96.36.199/30 is directly connected, Vlan9
S* 0.0.0.0/0 [1/0] via 188.8.131.52
The global route commands taken off of the 'show running-config':
ip route 184.108.40.206 255.255.255.240 10.10.245.133
ip route 220.127.116.11 255.255.255.240 10.10.245.131
ip route 18.104.22.168 255.255.255.192 22.214.171.124
ip route 126.96.36.199 255.255.255.240 Vlan21
ip route 188.8.131.52 255.255.255.248 Null0
ip route 184.108.40.206 255.255.255.224 Null0
ip route 220.127.116.11 255.255.255.0 10.10.245.132
A reboot of both this switch and the 18.104.22.168 router had no effect.
The problem has been fixed;
I got a solution from a contractor consultant that my Agency uses; he identified a proxy ARP statement in the 22.214.171.124 1700 VPN router for the affected IP address.
Apparently, the 1700 was responding first to ARP requests sent out by the 3750, since both of its interfaces connect to it (on different VLANs), and was thus giving the 3750 an erroneous ARP entry for that IP; since the 3750 is the default route out of the 1700, a loop was being created.
I would've never found this on my own.
Thanks all for inquiring and trying to help me out.
Proxy ARP responds if the 3750 is trying to reach an address outside the configured network.
Did you forget to change the netmask on the 1700 when you changed your network from a /29 to a /28?
I don't manage the 1700 router, so I just went on what he told me; all I know is that whatever tweak they made in the configuration worked...
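The stale-mask question raised in the last reply, worked through as an added example (not part of the thread and not the 1700's actual configuration): it applies the simplified proxy ARP rule of answering when the best route to the target leaves through a different interface than the one the request arrived on. The 192.0.2.128 addressing, the interface names and both route tables are constructed assumptions.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match: return (network, out_interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def proxy_arp_replies(routes, rx_iface, target):
    """Simplified proxy ARP decision (assumption: the classic rule only).

    The router answers an ARP request heard on rx_iface when its best
    route to the target leaves through a different interface.
    """
    match = lookup(routes, target)
    return match is not None and match[1] != rx_iface


# Constructed tables for a hypothetical VPN router with two interfaces.
# "outside" sits in the public subnet; the default route leaves via "inside".
STALE = [("192.0.2.128/29", "outside"), ("0.0.0.0/0", "inside")]  # old /29 mask
FIXED = [("192.0.2.128/28", "outside"), ("0.0.0.0/0", "inside")]  # widened to /28

HOSTS = ("192.0.2.134", "192.0.2.139")  # stand-ins for the .134 and .139 hosts


def report(routes):
    """Map each host to whether the router would proxy-ARP for it on 'outside'."""
    return {h: proxy_arp_replies(routes, "outside", h) for h in HOSTS}


if __name__ == "__main__":
    print("stale /29:", report(STALE))
    print("fixed /28:", report(FIXED))
```

With the /29 mask only .139 falls through to the default route, so the router answers ARP for that one address and no other, which matches the single-address symptom described in the thread.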