3620 that won't route

xetra8380

We currently have a 3620 routing all traffic from our internal subnet to the internet. The router Ethernet 0/0 connects to our provider’s wireless bridge at our facility. The Ethernet 0/1 connects to our firewall. This router is showing its age and is to be replaced with another 3620 that we have.

The configuration of the working router that is currently in place is:

Current configuration : 699 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname edge
!
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
interface Ethernet0/0
 ip address X.X.6.3 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet1/0
 ip address X.X.19.193 255.255.255.192
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.6.1
no ip http server
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

_________________________________________________________

And the new configuration on the new router is:

Current configuration : 667 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sdca-gw01
!
!
ip subnet-zero
!
!
no ip domain lookup
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
interface Ethernet0/0
 ip address X.X.6.3 255.255.255.0
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address X.X.19.193 255.255.255.192
 shutdown
 half-duplex
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.6.1
!
!
!
!
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 login
!
!
!
End

The new router will not pass the traffic to its outside interface. I connected directly to the outside interface of the new router in an effort to sniff the traffic for some insight, but there is no traffic coming through. It almost seems that routing is disabled? What am I missing here? After two very long nights working on this, any help is greatly appreciated.

Accepted Solutions

Ray,

I am thinking that maybe for security reasons, the provider has locked down the MAC address of your router, that is, hard-coded the MAC address of the original router into his config. Can you try and manually configure the interface with the MAC address of the old router's Ethernet MAC address?

The interface command to be used is 'mac-address h.h.h.h'...

Just a thought...

Regards,

GP

20 Replies

Hello,

I assume that in your 'real' configuration, the Ethernet0/0 and Ethernet0/1 interfaces are not configured as 'shutdown' ...

Can you ping the IP address of interface Ethernet0/0 from the device where the default gateway is pointing to, x.x.6.1?

Regards,

GP

Hi GP,

I wish it were that simple, both protocol and interface are up.

I can ping the inside facing interface (x.x.19.193) and the outside facing interface (x.x.6.3) but I cannot ping the x.x.6.1 from hosts on the inside. I can however ping from console not only x.x.6.1 but out on the internet.

Hi

Your problem is a simple routing concept. The packet has an outgoing route to the internet/ISP, but for incoming the ISP has not defined the route to your inside interface. Try doing...

(1) Ask your service provider to add a route in their network for your internal IP range

inside_ip inside_subnet x.x.6.3 which will do the needful

(2) If they don't allow it, try doing NAT between both the interfaces

The above will solve your problem.

Regards

JD

Hi,

When pinging the inside and outside interface, do you do that from the console?

Furthermore, the simple fact that from console you can ping to the internet, your provider has everything set up properly, else you wouldn't get return packets.

Try issuing the command 'ip routing'. Very simple command, but might do the trick if routing is disabled on the device.

JD,

The upstream provider has everything as it should be. This is not a new circuit; in fact it is working fine right now. The issue is the new router will route as expected.

Sbrozius,

I have tried "ip routing", as that was the first thing that came to mind; the behavior is exactly as if ip routing were disabled.

I have two spare routers that I have tried the same exact configuration on and both do not work. I copied them line by line from the original.

Try debugging ip packets. Not often recommended on a production network, but I think it is what can give an idea of what is happening.

Hi

Can you tell me:

1) Is your outside IP on a public network?

2) Is your inside IP on a public network?

3) Is your outside IP on a private network?

4) Is your inside IP on a private network?

What is the combination? Can you give the feedback?

Regards

JD

Hi,

What kind of firewall are you using?

Can you ping from both the 'old' and the new router to the firewall? Might be that on the firewall the ARP-cache needs to be cleared, at least for the IP-address of your 3620...

Ray,

I am thinking that maybe for security reasons, the provider has locked down the MAC address of your router, that is, hard-coded the MAC address of the original router into his config. Can you try and manually configure the interface with the MAC address of the old router's Ethernet MAC address?

The interface command to be used is 'mac-address h.h.h.h'...

Just a thought...

Regards,

GP

If that would be the case, it would not be possible to ping to the internet from a console-session on the router.

Only other side is the firewall, which might have the arp-cache to be cleared.

I called the ISP to ask them if they had any port security in place, and they do not. I am also able to ping out from console so I know that traffic is able to leave from the router.

All the subnets are in public IP space.

To test the arp cache possibility I connected my laptop directly to the inside interface and still had no luck. I also power cycled their bridge to clear any cached items.

Does anybody think that it could be the Router itself or perhaps the NM modules?

Can anybody lead me in the right path to start debugging?

Thanks,

Ray

To debug use the command debug ip packet.

This command could increase the CPU utilisation significantly. If the router is in production, you might want to use debug ip packet 101, where 101 defines an access-list matching the traffic you are generating that is internet bound.
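
The scoped debug described in the reply above, written out as an added example that is not part of the thread. X.X.19.192 with wildcard 0.0.0.63 is the inside subnet from the posted configuration and ACL 101 is the number the reply uses; the logging buffer size and the choice of ICMP as test traffic are assumptions.

```cisco_ios
! Added example, not from the thread. Interface names are those of the
! new router's posted configuration; buffer size is an assumed value.
!
configure terminal
 ! Match only the test traffic: ICMP from the inside subnet to anywhere,
 ! plus the replies coming back, so the debug shows both directions.
 access-list 101 permit icmp X.X.19.192 0.0.0.63 any
 access-list 101 permit icmp any X.X.19.192 0.0.0.63
 ! Send debug output to the log buffer instead of the console line.
 no logging console
 logging buffered 16384 debugging
 ! debug ip packet reports only process-switched packets. Transit
 ! traffic that is fast-switched stays invisible unless the route
 ! cache is turned off on the interfaces under test for the capture.
 interface Ethernet0/0
  no ip route-cache
 interface Ethernet0/1
  no ip route-cache
 end
!
debug ip packet 101 detail
! Ping X.X.6.1 from an inside host, then read the buffer.
show logging
!
! Clean up: stop debugging and restore fast switching.
undebug all
configure terminal
 interface Ethernet0/0
  ip route-cache
 interface Ethernet0/1
  ip route-cache
 end
```

In the buffered output, "encapsulation failed" points at ARP resolution for the next hop and "unroutable" at a missing route; no entries at all for the inside host's pings means the packets never reached the router's inside interface.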

Hi

I agree with georg that you cannot have a class C (254) public IP address, unless you are yourself an ISP.

Or in another case you are having both inside and outside IPs as private ones.

As I have suggested, use NAT and the config will work.

Regards

JD

Your Ethernet interfaces are shutdown.
