03-26-2003 01:11 PM - edited 03-09-2019 02:39 AM
Hello - Hopefully someone can help me with this. My clients can't get through one subnet to another. Debug is showing "dispose udp.noport" messages.
I have a 3640 with 2 fastethernet interfaces.
Int fa0/0 is 10.197.181.0 subnet
Int fa0/1 is 10.192.182.0 subnet
Int fa0/0 is patched into a 1900 switch with 3 other devices on it with the same subnet.
Int fa 0/1 is patched into a 2900 switch with a lot of other devices with the same subnet. This switch is linked further.
I'm using rip with network 10.0.0.0 and no ip classless.
From the router I can ping any device on both subnets, also a DB server on a totally different subnet using a static route via another router.
The problem is the clients can't ping from the 10.197.181.0 subnet past the fa0/1 int which is 10.197.182.11.
At this stage I have changed the ACLs and filters to allow anything in order to see if this was the problem. This didn't help at all.
I have attached some debug output which shows what is happening. I have also attached my cfg at the bottom.
Any help would be greatly appreciated.
Gavin.
00:57:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 78, dispose udp.noport
01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255 (FastEthernet0/0), len 240, rcvd 3
01:27:37: UDP: rcvd src=10.197.181.3(138), dst=10.197.181.255(138), length=220
01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 240, dispose udp.noport
01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255 (FastEthernet0/0), len 78, rcvd 3
01:27:37: UDP: rcvd src=10.197.181.3(137), dst=10.197.181.255(137), length=58
01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 78, dispose udp.noport
The config with the ACLs left out because I've basically permitted everything in order to test connectivity.
Current configuration : 4266 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 3640GW
!
boot system flash c3640-ik2o3s-mz.121-5.T
logging rate-limit console 10 except errors
no logging console
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
!
no ip bootp server
ip inspect udp idle-time 15
ip inspect tcp idle-time 30
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip audit notify log
ip audit po max-events 100
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description **Wireless AP Side**
ip address 10.197.181.254 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description **Corporate LAN Side**
ip address 10.197.182.11 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
no cdp enable
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
no ip classless
ip route 10.193.48.0 255.255.255.0 10.197.182.1 permanent
no ip http server
no cdp run
!
dial-peer cor custom
!
!
!
end
03-26-2003 01:34 PM
Those debugs show broadcasts for that subnet and probably have no relation to your problem. By default, the router does not forward any broadcasts.
I see two queries for NetBIOS name resolution. Have you tried pinging by IP?
Do all the clients involved have a default gateway?
Can the clients ping the router's FA0/1 interface?
Can clients ping other hosts on the FA0/1 interface?
It's really difficult to help without seeing the access-lists. Did you remove access-groups to test?
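A triage sketch for the debug output in the original post, added here as an example and not part of any poster's message: it checks whether each dropped packet was addressed to the receiving interface's own subnet broadcast and which UDP ports were involved. The interface addresses come from the posted config and the debug lines from the post (terminal wrap rejoined); the function and variable names are assumptions.

```python
import ipaddress
import re

# Interface addressing taken from the config in the original post.
INTERFACES = {
    "FastEthernet0/0": ipaddress.ip_interface("10.197.181.254/24"),
    "FastEthernet0/1": ipaddress.ip_interface("10.197.182.11/24"),
}
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}

# Debug lines from the post, with the 80-column terminal wrap rejoined.
DEBUG = """\
01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255 (FastEthernet0/0), len 240, rcvd 3
01:27:37: UDP: rcvd src=10.197.181.3(138), dst=10.197.181.255(138), length=220
01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 240, dispose udp.noport
01:27:37: UDP: rcvd src=10.197.181.3(137), dst=10.197.181.255(137), length=58
01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 78, dispose udp.noport
"""

IP_RE = re.compile(r"IP: s=(\S+) \((\S+)\), d=([\d.]+).*?, len \d+, (.+)$")
UDP_RE = re.compile(r"UDP: rcvd src=\S+\((\d+)\), dst=(\S+)\((\d+)\)")


def classify(text):
    """Return (drops to the local subnet broadcast, {dst port: service name})."""
    drops, ports = [], {}
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if m:
            port = int(m.group(3))
            ports[port] = NETBIOS_PORTS.get(port, "other")
            continue
        m = IP_RE.search(line)
        if not m:
            continue
        src, ifname, dst, action = m.groups()
        bcast = INTERFACES[ifname].network.broadcast_address
        # A drop only counts here if the destination is this subnet's broadcast.
        if action.startswith("dispose") and ipaddress.ip_address(dst) == bcast:
            drops.append((src, dst, ifname))
    return drops, ports


if __name__ == "__main__":
    print(classify(DEBUG))
```

Every dropped packet in the sample is NetBIOS traffic sent to 10.197.181.255, the broadcast address of the Fa0/0 subnet, so none of these lines describe a unicast ping being discarded.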
03-26-2003 02:13 PM
Thanks for the reply.
I removed all access lists for testing and added in permit any's.
I have pinged by IP and it is the same. With a "request timed out" message.
The clients can ping the router's FA0/1 interface but no other hosts on the FA0/1 int.
Any ideas?
Thanks,
Gavin.
03-26-2003 02:58 PM
You should remove the access-groups from the interfaces rather than modifying your ACLs. Not only is this easier, it removes human-error from this part of the equation.
Can clients on the FA0/1 interface ping the router's FA0/0 interface?
Can clients on the FA0/0 interface ping the router's Fa0/1 interface?
If the answer is yes to both questions with the ACLs removed, then we have a really odd problem.
03-26-2003 04:23 PM
The clients on int fa0/1 can ping the fa0/0 int. Haven't checked if they can ping past it.
Clients on fa0/0 can ping int fa0/1 but no further.
I will remove the access-groups tomorrow and give it a go as well as trying to ping from a fa0/1 client past the fa0/0 int.
It's after midnight here in Ireland so I'll let you know how I get on tomorrow.
I've never seen anything like this before and I've asked some serious heads here and they're stumped.
Thanks for your interest in this.
Gavin.
03-27-2003 04:53 AM
Haven't had a chance to go out to the customer site yet.
Do you think it could be that the clients on the int fa0/1 subnet are using a different router as their gateway and this router doesn't know the route to my test subnet?
I'm having trouble getting in contact with the company's on-site Cisco people. As soon as I can I'll ask them what routing protocol they use and if they could maybe add in a static route to my subnet. Maybe they have filtering in place as well.
I'll let you know what the outcome is, hopefully later today.
Gavin.
03-27-2003 07:01 AM
I don't know/understand the topology enough yet to talk about the other router. If the clients involved are using a different router as their different gateway, I would suspect this as the culprit.
It seems very odd that both sets of clients can ping the router's "far" interface but not clients on those subnets.
Review and relay any new info.
04-08-2003 02:04 AM
Seems that the problem was a couple of issues. The class of IP I was using being one of them. Also, the customer had an existing routing protocol of EIGRP running on all their Cisco routers.
After talking to one of their Cisco guys we came up with a config that was being used on an identical setup on one of their remote sites.
If you look at the config you'll see that int fa0/0 has no access group assigned. The int fa 0/1 has a secondary IP assigned also.
Thanks a lot for your interest in this shannong. You replied to some of my other posts before.
I really appreciate your help with this.
Many thanks,
Gavin.
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname
!
boot system flash c3640-ik2o3s-mz.121-5.T
logging rate-limit console 10 except errors
no logging console
enable secret
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
no ip bootp server
ip inspect udp idle-time 15
ip inspect tcp idle-time 30
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip audit notify log
ip audit po max-events 100
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description **Wireless AP Side**
ip address 10.197.239.1 255.255.255.224
duplex auto
speed auto
!
interface FastEthernet0/1
description **Corporate LAN Side**
ip address 10.197.182.11 255.255.254.0 secondary
ip address 204.114.212.2 255.255.255.0
ip access-group dublin out
duplex auto
speed auto
!
router eigrp 240
passive-interface default
no passive-interface FastEthernet0/1
network 10.0.0.0
network 204.114.212.0
no auto-summary
eigrp log-neighbor-changes
!
ip classless
no ip http server
!
!
ip access-list extended dublin
permit ip 10.197.239.0 0.0.0.255 host 10.197.183.151
permit ip 10.197.239.0 0.0.0.255 host 10.193.48.76
!
dial-peer cor custom
!
!
!
!
banner motd ^C
Intranet / Internet Warning Banner
^C
!
line con 0
exec-timeout 0 0
password
login
transport input none
line aux 0
password
login
line vty 0 4
password
login
!
ntp clock-period
ntp server
ntp server
end
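How the `dublin` ACL in the config above evaluates traffic, as an added example that is not part of the original post: it applies first-match wildcard matching with the implicit deny, and compares the range the source wildcard covers with the Fa0/0 subnet. The ACL entries and the interface address are copied from the config; the test flows are constructed and the function names are assumptions.

```python
import ipaddress

# ACL "dublin" and the Fa0/0 address, copied from the final config in the post.
ACL_DUBLIN = """\
permit ip 10.197.239.0 0.0.0.255 host 10.197.183.151
permit ip 10.197.239.0 0.0.0.255 host 10.193.48.76
"""
WIRELESS_IF = ipaddress.ip_interface("10.197.239.1/255.255.255.224")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Parse '<action> ip <src> <wildcard> host <dst>' entries."""
    rules = []
    for line in text.splitlines():
        action, proto, src, wild, kw, dst = line.split()
        if proto != "ip" or kw != "host":
            raise ValueError("only the entry form used on this page is handled")
        rules.append((action, _ip(src), _ip(wild), _ip(dst)))
    return rules


def evaluate(rules, src, dst):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, base, wild, host in rules:
        # Wildcard bits set to 1 are ignored; all other bits must equal the base.
        if (s | wild) == (base | wild) and d == host:
            return action
    return "deny (implicit)"


def matched_sources(rule):
    """Source range of one entry (contiguous wildcards only, as on this page)."""
    _, base, wild, _ = rule
    return ipaddress.ip_network((base & ~wild & 0xFFFFFFFF, 32 - wild.bit_length()))


RULES = parse_acl(ACL_DUBLIN)

if __name__ == "__main__":
    for src, dst in [("10.197.239.5", "10.197.183.151"),   # constructed flows
                     ("10.197.239.5", "10.197.182.50"),
                     ("10.197.239.200", "10.193.48.76")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
    print(matched_sources(RULES[0]), "vs interface", WIRELESS_IF.network)
```

The source wildcard 0.0.0.255 matches all of 10.197.239.0/24, while Fa0/0 is a /27 (32 addresses); a wildcard of 0.0.0.31 would limit the entries to the wireless subnet itself.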