Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
271
Views
0
Helpful
4
Replies

Help

pp3493
Level 1
Level 1

‎09-20-2006 12:05 PM - edited ‎03-03-2019 02:04 PM

Hello,

We have a cisco 2600 at the remote site. We can connect to it via VPN connection. There is a machine, which people can always get to it from the same subnet/remote network. Now they want to access that machine from the network. For some reasons, we cannot ping two of ip addresses (that machine plus another machine)in that subnet from our network; but we can ping and telnet from the 2600 router. Both machines connect to a HP4000 switch, which connects to the cisco 2600 fastethernet 0/1. The default gateway looks fine. We can see both ip and MAC address in the arp table in cisco 2600. One of machines shows SNAP type in ARP table. Others show ARPA. We can ping other machines in that subnet (probably about 40 machines, including PCs and printers, etc.). Could this be encapslation problem? Does anyone know the problem? Any suggestions?

thanks for your help,

Gene

Labels:
0 Helpful
4 Replies 4

jackyoung
Level 6
Level 6

‎09-20-2006 06:39 PM

Ping provide the config. of 2600 and the successful & failure trace route result.

How about these two machines ping to other hosts ? successful or fail ?

0 Helpful

pp3493
Level 1
Level 1
In response to jackyoung

‎09-21-2006 08:35 PM

Hi Jack,

In cisco 2600, I can ping and traceroute both machines because they are directly connected to a HP switch via a 2600 Ethernet port. But anything outside of that subnet, the trace will go through the VPN tunnel and go back and forth on that VPN /30 ip. I even manually insert a static route in the routing table, of which did not work. For some reasons, I cannot login to those two machines; so I was not able to do any ping or trace from these two machines.

thanks the help,

0 Helpful

jackyoung
Level 6
Level 6
In response to pp3493

‎09-21-2006 09:36 PM

Thanks for the info. What I believe the packet forward take place in the VPN tunnel instead of normal path. Could you please ensure the ACL for the VPN does not include these hosts ? Or please advise the condition of when, what address will be pass through the VPN and not.

Below is a doc. which describe the sequence which the packet out-going from an interface.

Please check it for reference.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Without configuration it is quite difficult to provide a solid ans., you may need to troubleshhot yourself by ping, trace and fine tune the ACL. However, if you cannot access the router, you cannot modify the config. and test.

But you said you can ping from the router, please try to check if you can provide the "show access-list", "show VPDN", "show ip route", etc. related output which describe the VPN status and the access-list for VPN.

Hope this helps.

0 Helpful

m-haddad
Level 5
Level 5
In response to jackyoung

‎09-22-2006 03:11 PM

Hello,

Can you check the default route on these two machines. They should have the 2600 as default route. If you have route to them this does not mean they can route back to you.

Therefore, try to trace to your network from those machines. Ask somebody to do the trace and send you the output.

As I said I feel the problem is the default route on those two machines is incorrect.

Let me know if this solves the problem and rate if this helps,

Regards,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card