Re: Not Routable

daveyg · ‎03-26-2003

Hello - Hopefully someone can help me with this. My clients cant get through one subnet to another. Debug is showing "dispose udp.noport" messages.

I have a 3640 with 2 fastethernet interfaces.

Int fa0/0 is 10.197.181.0 subnet

Int fa0/1 is 10.192.182.0 subnet

Int fa0/0 is patched into a 1900 switch with 3 other devices on it with the same subnet.

Int fa 0/1 is patched into a 2900 switch with a lot of other devices with the same subnet. This switch is linked further.

I'm using rip with network 10.0.0.0 and no ip classless.

From the router I can ping any device on both subnets, also a DB server on a totally different subnet using a static route via another router.

The problem is the clients cant ping from the 10.197.181.0 subnet past the fa0/1 int which is 10.197.182.11.

At this stage I have changed the acl's and filters to allow anything in order to see if this was the problem. This didnt help at all.

I have attached some debug output which shows what is happening. I have also attached my cfg at the bottom.

Any help would be greatly appreciated.

Gavin.

00:57:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 78, dispos

e udp.noport

01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255 (FastEthernet0/

0), len 240, rcvd 3

01:27:37: UDP: rcvd src=10.197.181.3(138), dst=10.197.181.255(138), length=220

01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 240, dispo

se udp.noport

01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255 (FastEthernet0/

0), len 78, rcvd 3

01:27:37: UDP: rcvd src=10.197.181.3(137), dst=10.197.181.255(137), length=58

01:27:37: IP: s=10.197.181.3 (FastEthernet0/0), d=10.197.181.255, len 78, dispos

e udp.noport

The config with the acl's left out because I've basically permitted everything in order to test connectivity.

Current configuration : 4266 bytes

!

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname 3640GW

!

boot system flash c3640-ik2o3s-mz.121-5.T

logging rate-limit console 10 except errors

no logging console

!

ip subnet-zero

!

no ip finger

no ip domain-lookup

!

no ip bootp server

ip inspect udp idle-time 15

ip inspect tcp idle-time 30

ip inspect tcp finwait-time 1

ip inspect tcp synwait-time 15

ip audit notify log

ip audit po max-events 100

!

call rsvp-sync

!

interface FastEthernet0/0

description **Wireless AP Side**

ip address 10.197.181.254 255.255.255.0

ip access-group 101 in

duplex auto

speed auto

no cdp enable

!

interface FastEthernet0/1

description **Corporate LAN Side**

ip address 10.197.182.11 255.255.255.0

ip access-group 100 in

duplex auto

speed auto

no cdp enable

!

router rip

version 2

network 10.0.0.0

no auto-summary

!

no ip classless

ip route 10.193.48.0 255.255.255.0 10.197.182.1 permanent

no ip http server

no cdp run

!

dial-peer cor custom

!

end

shannong · ‎03-26-2003

Those debugs show broadcasts for that subnet and probably have no relation to your problem. By default, the router does not forward any broadcasts.

I see two queries for NetBIOS name resolution. Have you tried pinging by IP?

Do the all clients involved have a default gateway?

Can the clients ping the routers FA0/1 interface?

Can clients ping other hosts on the FA0/1 interface?

It's really difficult to help without seeing the access-lists. Did you remove access-groups to test?

daveyg · ‎03-26-2003

Thanks for the reply.

I removed all access lists for testing and added in permit any's.

I have pinged by IP and it is the same. With a "request timed out" message.

The clients can ping the routers FA0/1 interface but no other hosts on the FA0/1 int.

Any ideas?

Thanks,

Gavin.

shannong · ‎03-26-2003

You should remove the access-groups from the interfaces rather than modifying your ACLs. Not only is this easier, it removes human-error from this part of the equation.

Can clients on the FA0/1 interface ping the router's FA0/0 interface?

Can clients on the FA0/0 interface ping the router's Fa0/1 interface?

If the answer is yes to both questions with the ACLs removed, then we have a really odd problem.

daveyg · ‎03-26-2003

The clients on int fa0/1 can ping the fa0/0 int. Havent checked if they can ping past it.

Clients on fa0/0 can ping int fa0/1 but no further.

I will remove the access-groups tomorow and give it a go as well trying to ping from a fa0/1 client past the fa0/0 int.

Its after midnight here in Ireland so I'll let you know how I get on tomorrow.

I've never seen anything like this before and I've asked some serious heads here and they're stumped.

Thanks for interest in this.

Gavin.

daveyg · ‎03-27-2003

Havent had a chance to go out to the customer site yet.

Do you think it could be that the clients on the int fa0/1 subnet are using a different router as their gateway and this router doesnt know the route to my test subnet?

I'm having trouble getting in contact with the companies on site cisco people. As soon as I can I'll ask them what routing protocol they use and if they could maybe add in a static route to my subnet. Maybe they have filtering in place as well.

I'll let you know what the outcome is, hopefully later today.

Gavin.

shannong · ‎03-27-2003

I don't know/understand the topology enough yet to talk about the other router. If the clients involved are using a different router as their different gateway, I would suspect this as the culprit.

It seems very odd that both set of clients can ping the router's "far" interface but not clients on those subnets.

Review and relay any new info.

daveyg · ‎04-08-2003

Seems that the problem was the class a couple of issues. The class of IP I was using being one of them. Also, the customer had an existing routing protocol of EIGRP running on all their Cisco routers.

After talking to one of their Cisco guys we came up with a config for that was being used on an identical set up on one of their remote sites.

If you look at the config you'll see that int fa0/0 has no access group assigned. The int fa 0/1 has a secoundary IP assigned also.

Thanks a lot for your interest in this shannong. You replied to some of my other posts before.

I really appreciate your help with this.

Many thanks,

Gavin.

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname

!

boot system flash c3640-ik2o3s-mz.121-5.T

logging rate-limit console 10 except errors

no logging console

enable secret

!

ip subnet-zero

!

no ip finger

no ip domain-lookup

!

no ip bootp server

ip inspect udp idle-time 15

ip inspect tcp idle-time 30

ip inspect tcp finwait-time 1

ip inspect tcp synwait-time 15

ip audit notify log

ip audit po max-events 100

!

call rsvp-sync

!

interface FastEthernet0/0

description **Wireless AP Side**

ip address 10.197.239.1 255.255.255.224

duplex auto

speed auto

!

interface FastEthernet0/1

description **Corporate LAN Side**

ip address 10.197.182.11 255.255.254.0 secondary

ip address 204.114.212.2 255.255.255.0

ip access-group dublin out

duplex auto

speed auto

!

router eigrp 240

passive-interface default

no passive-interface FastEthernet0/1

network 10.0.0.0

network 204.114.212.0

no auto-summary

eigrp log-neighbor-changes

!

ip classless

no ip http server

!

ip access-list extended dublin

permit ip 10.197.239.0 0.0.0.255 host 10.197.183.151

permit ip 10.197.239.0 0.0.0.255 host 10.193.48.76

!

dial-peer cor custom

!

banner motd ^C

Intranet / Internet Warning Banner

^C

!

line con 0

exec-timeout 0 0

password

login

transport input none

line aux 0

password

login

line vty 0 4

password

login

!

ntp clock-period

ntp server

end