on 10-13-2024 04:24 AM
Good morning, I have a Cisco IR1833 with a 5G SIM as the primary route and a 4G SIM as the secondary route. The access lists on both are identical, and the problem appears when the 5G stops working (I force it by shutting down the interface) and the 4G network takes over, obviously with a different IP. From the external servers I can reach the router over SSH, and I can even reach a device connected to the router over SSH, but the problem comes when I ping the outside from that device; I get this:
cube57:~ # ping 172.20.20.2
PING 172.20.20.2 (172.20.20.2) 56(84) bytes of data.
From 192.168.2.1 icmp_seq=1 Packet filtered
From 192.168.2.1 icmp_seq=2 Packet filtered
From 192.168.2.1 icmp_seq=3 Packet filtered
From 192.168.2.1 icmp_seq=4 Packet filtered
But if I do this same procedure connected to the 5G network, I have no communication problems.
Could someone help me or tell me what I might be missing?
Thanks in advance.
on 10-13-2024 05:58 AM
The message is saying the packet is getting filtered, meaning something is denying the packet from moving forward. ICMP, at least.
If you share the router config here it would be easier to help.
Do you have a firewall? How are those access lists applied? Do you have NAT?
on 10-13-2024 10:47 AM
Thank you very much. I am giving you the complete configuration; the ------ are the passwords that I deleted. As I mentioned, if I use 5G I have no problem reaching the Linux computer connected to the Gigabit 0/1/0 interface from the external servers, but when I take down the 5G cellular interface and 4G comes into service, from the router I can ping the external server, but from the Linux computer I cannot reach the server.
version 17.13
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level 50M
!
hostname 5G4G
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone GMT 0 0
!
canbus baudrate 125000
!
ignition off-timer 300
!
ignition undervoltage threshold 9 000
!
ignition battery-type 12v
!
ignition sense-voltage threshold 13 000
!
no ignition sense
!
no ignition enable
no ip routing protocol purge interface
!
ip domain name autgc.com
!
!
!
!
!
!
!
!
!
login block-for 60 attempts 3 within 30
login delay 3
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3195610746
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3195610746
revocation-check none
rsakeypair TP-self-signed-3195610746
hash sha256
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
hash sha256
!
crypto pki trustpoint TP-self-signed-2645817770
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2645817770
revocation-check none
rsakeypair TP-self-signed-2645817770
hash sha256
!
!
crypto pki certificate chain TP-self-signed-3195610746
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
31312F30 2D060355 04030C26 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33313935 36313037 3436301E 170D3234 31303132 32323237
30355A17 0D333431 30313232 32323730 355A3031 312F302D 06035504 030C2649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31393536
31303734 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100D501 8225735D E9DF5B13 9B37B325 4D3FF44B AF85DD1D 5E2B69A5
96C93771 66142FE0 D5409A7C E253BB44 10C77ECF A8B94326 F8D1F861 0041DEE1
241A4FE3 FE1611AF B0AE4770 823D9DE1 B328A2BE CF57A953 F27E5A5E 37D4E7DC
5AF7FB2C 900EF2E2 275BF2BC 3DC16CF9 A8B33FC3 4BBADDB0 7570FD76 4D410955
612966F7 7A14409D 6187E5F8 5838AF3B D41514E0 9A63B91E 98E617FF AC282E73
A9D2CBEB 4936D4C2 33DCF1C5 F91588B8 498E0D17 C4FEFFDD A8F48F60 353BE9FE
4F7B4341 876CD066 5DC130A4 384A0A89 BB89726F 664F5421 1AA62156 5DAC75DD
626E1E71 76295791 BBAD3987 663256A5 D1DA9CD8 EB70E418 00BE479D 597DC5FD
5457888B E2B70203 010001A3 53305130 1D060355 1D0E0416 0414A871 74D308A6
82B92AC4 2D725E0D 95E16724 DACE301F 0603551D 23041830 168014A8 7174D308
A682B92A C42D725E 0D95E167 24DACE30 0F060355 1D130101 FF040530 030101FF
300D0609 2A864886 F70D0101 0B050003 82010100 B64CF8CC E2B3419D F1F1933F
523F50C3 6B85166C AA0BFB01 2279623C 245FCE4D F1AB4AD5 6FF52E17 9E2D62C6
44659FEA B026F760 C86BCEB4 1E43749A FE5D3600 1E042DBF 85114802 02342C03
28E60311 C8E360F9 8943B385 0603D168 9633E90E B93EFE88 768F9511 16C1C8E3
3D9C34C5 27BBC07D A9351168 8D9C9E95 7D041947 63AA8445 C36DEF15 E99BB68E
3F092ECD EE799BB6 F0AF53FB AB390909 D52E51E2 73B24324 4E1709F8 7C9746D3
EB6DA6DD 93F56083 5BDDECD5 0BC4CE05 8804AC5B F9E8D4D2 946587B1 4A0301FC
49CB0EB1 BFF0B37A C1518CB8 3D97587B 498A2EB4 A57C6747 A4F53C50 7E41A84D
C7053BF1 FCC722B8 204B0302 8E764631 D104AEDE
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
crypto pki certificate chain TP-self-signed-2645817770
!
!
!
!
!
!
!
!
!
diagnostic bootup level minimal
!
no license feature hseck9
license udi pid IR1833-K9 sn FCW2803Y0MW
license boot level network-advantage
memory free low-watermark processor 43704
!
spanning-tree extend system-id
!
enable secret 9 $9$T6/MVPnxx/.s0E$Zaj8uSsru3CgKX5InGHpyKcpL6Qcknj0zzRhHgzVQ.Y
enable password -------
!
username admin privilege 15 password 0 ---------
!
redundancy
mode none
!
!
!
!
controller Cellular 0/4/0
!
controller Cellular 0/5/0
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode access
!
interface GigabitEthernet0/1/1
switchport trunk allowed vlan 1,10
switchport mode access
!
interface GigabitEthernet0/1/2
switchport trunk allowed vlan 1,10
switchport mode access
!
interface GigabitEthernet0/1/3
switchport trunk allowed vlan 1,10
switchport mode access
!
interface Wlan-GigabitEthernet0/1/4
!
interface Cellular0/4/0
description secondary_wan
ip address negotiated
ip nat outside
ip access-group 199 out
ip tcp adjust-mss 1460
dialer in-band
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/4/1
no ip address
shutdown
!
interface Cellular0/5/0
description Primary_
ip address negotiated
ip nat outside
ip access-group 198 out
ip tcp adjust-mss 1460
dialer in-band
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/5/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface Async0/2/0
no ip address
encapsulation scada
!
interface Async0/2/1
no ip address
encapsulation scada
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.2.10 22 10.20.0.32 2222 extendable
ip nat inside source static udp 192.168.2.10 14000 10.20.0.32 14000 extendable
ip nat inside source static udp 192.168.2.10 14001 10.20.0.32 14001 extendable
ip nat inside source static tcp 192.168.2.10 22 10.21.0.32 2222 extendable
ip nat inside source static udp 192.168.2.10 14000 10.21.0.32 14000 extendable
ip nat inside source static udp 192.168.2.10 14001 10.21.0.32 14001 extendable
ip nat inside source list 1 interface Cellular0/5/0 overload
ip nat inside source list 2 interface Cellular0/4/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/4/0
ip route 0.0.0.0 0.0.0.0 Cellular0/5/0
ip route 172.20.20.0 255.255.255.192 10.21.0.32
ip route 172.20.20.0 255.255.255.192 10.20.0.32
ip ssh bulk-mode 131072
!
!
ip access-list standard 1
10 permit 192.168.2.0 0.0.0.255
ip access-list standard 2
10 permit 192.168.2.0 0.0.0.255
ip access-list extended 197
10 permit ip any any
ip access-list extended 198
10 permit ip 192.168.2.0 0.0.0.255 172.20.20.0 0.0.0.63
20 permit ip 172.20.20.0 0.0.0.63 192.168.2.0 0.0.0.255
30 permit ip 192.168.2.0 0.0.0.255 10.20.0.0 0.0.7.255
40 permit ip 10.20.0.0 0.0.7.255 192.168.2.0 0.0.0.255
50 permit ip 172.20.20.0 0.0.0.63 10.20.0.0 0.0.7.255
60 permit ip 10.20.0.0 0.0.7.255 172.20.20.0 0.0.0.63
70 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended 199
10 permit ip 192.168.2.0 0.0.0.255 172.20.20.0 0.0.0.63
20 permit ip 172.20.20.0 0.0.0.63 192.168.2.0 0.0.0.255
30 permit ip 192.168.2.0 0.0.0.255 10.21.0.0 0.0.7.255
40 permit ip 10.21.0.0 0.0.7.255 192.168.2.0 0.0.0.255
50 permit ip 172.20.20.0 0.0.0.63 10.21.0.0 0.0.7.255
60 permit ip 10.21.0.0 0.0.7.255 172.20.20.0 0.0.0.63
70 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
stopbits 1
line 0/0/0 0/0/1
line 0/2/0 0/2/1
line vty 0
login local
length 0
transport input ssh
line vty 1 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
no acc-gyro enable
acc-gyro frequency one/sec
!
!
!
!
!
!
!
!
!
!
!
!
!
end
on 10-13-2024 11:17 AM
Run traceroute from the inside to the outside with 5G and 4G. Let's see which path it takes.
If you can ping from the router but not from inside, this can be routing.
on 10-13-2024 12:20 PM
Friend, I am attaching what you requested. Thank you.
Traceroute from the host to the outside over 4G (static APN IP: 10.21.32.0)
57:~ # traceroute 172.20.20.2
traceroute to 172.20.20.2 (172.20.20.2), 30 hops max, 60 byte packets
1 router (192.168.2.1) 2.392 ms 2.388 ms 2.704 ms
2 router (192.168.2.1) 2.653 ms !X * *
57:~ #
Traceroute from the router to the outside over 4G
5G4G#traceroute 172.20.20.2
Type escape sequence to abort.
Tracing the route to 172.20.20.2
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 195.55.47.6 76 msec 92 msec 72 msec
3 * * *
4 * * *
5 * * *
6 * * *
7 195.55.47.1 96 msec 120 msec 80 msec
8 195.55.47.2 80 msec 104 msec 76 msec
9 172.20.20.2 84 msec 108 msec *
5G4G#
Traceroute from the host to the outside over 5G (static APN IP: 10.20.32.0)
57:~ # traceroute 172.20.20.2
traceroute to 172.20.20.2 (172.20.20.2), 30 hops max, 60 byte packets
1 router (192.168.2.1) 2.590 ms 2.551 ms 2.623 ms
2 * * *
3 195.55.47.2 (195.55.47.2) 72.925 ms 77.526 ms 72.886 ms
4 * * *
5 * * *
6 * * *
7 * * *
8 195.55.47.1 (195.55.47.1) 73.937 ms 79.718 ms 79.738 ms
9 195.55.47.2 (195.55.47.2) 73.693 ms 79.755 ms 80.616 ms
10 gcomg.etra-id.com (172.20.20.2) 78.621 ms * 97.819 ms
57:~ #
Traceroute from the router to the outside over 5G
5G4G#traceroute 172.20.20.2
Type escape sequence to abort.
Tracing the route to 172.20.20.2
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 195.55.47.2 80 msec 84 msec 64 msec
3 * * *
4 * * *
5 * * *
6 * * *
7 195.55.47.1 88 msec 80 msec 68 msec
8 195.55.47.2 72 msec 72 msec 80 msec
9 172.20.20.2 88 msec * 96 msec
5G4G#
on 10-13-2024 03:41 PM
Looking at the traceroute using 4G:
Traceroute from the host to the outside over 4G (static APN IP: 10.21.32.0)
57:~ # traceroute 172.20.20.2
traceroute to 172.20.20.2 (172.20.20.2), 30 hops max, 60 byte packets
1 router (192.168.2.1) 2.392 ms 2.388 ms 2.704 ms
2 router (192.168.2.1) 2.653 ms !X * *
57:~ #
The line in red, with !X on it, means "communication administratively prohibited".
The packets seem not to be leaving the router, as the trace stops on 192.168.2.1, or it could be the 4G service provider denying the packet.
Have you ever communicated successfully using this 4G link?
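As an added check (editor-supplied example code, not from the original post or from Cisco), the Python below models IOS extended-ACL evaluation (first matching entry wins, implicit deny at the end) for ACLs 197, 198 and 199 from the posted configuration, and asks which source/destination pairs each outbound ACL would let through. The one assumption that matters is the order IOS uses: for inside-to-outside traffic the outbound ACL on an `ip nat outside` interface sees the packet after NAT, so the source it tests is the cellular global address, not 192.168.2.x. The addresses 10.20.0.32 and 10.21.0.32 are taken from the static NAT lines of the posted configuration; the test cases are constructed.

```python
import ipaddress

# ACLs copied from the posted configuration (entries exactly as on the page).
ACL_TEXT = {
    "197": [
        "10 permit ip any any",
    ],
    "198": [
        "10 permit ip 192.168.2.0 0.0.0.255 172.20.20.0 0.0.0.63",
        "20 permit ip 172.20.20.0 0.0.0.63 192.168.2.0 0.0.0.255",
        "30 permit ip 192.168.2.0 0.0.0.255 10.20.0.0 0.0.7.255",
        "40 permit ip 10.20.0.0 0.0.7.255 192.168.2.0 0.0.0.255",
        "50 permit ip 172.20.20.0 0.0.0.63 10.20.0.0 0.0.7.255",
        "60 permit ip 10.20.0.0 0.0.7.255 172.20.20.0 0.0.0.63",
        "70 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255",
    ],
    "199": [
        "10 permit ip 192.168.2.0 0.0.0.255 172.20.20.0 0.0.0.63",
        "20 permit ip 172.20.20.0 0.0.0.63 192.168.2.0 0.0.0.255",
        "30 permit ip 192.168.2.0 0.0.0.255 10.21.0.0 0.0.7.255",
        "40 permit ip 10.21.0.0 0.0.7.255 192.168.2.0 0.0.0.255",
        "50 permit ip 172.20.20.0 0.0.0.63 10.21.0.0 0.0.7.255",
        "60 permit ip 10.21.0.0 0.0.7.255 172.20.20.0 0.0.0.63",
        "70 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255",
    ],
}


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def _take_spec(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (base, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse '<seq> permit|deny ip <src spec> <dst spec>' (ip-only ACEs, as on the page)."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, src_wc, i = _take_spec(t, 3)
    dst, dst_wc, _ = _take_spec(t, i)
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def wildcard_match(addr, base, wildcard):
    # A wildcard bit of 1 means "don't care"; only the zero bits are compared.
    care = 0xFFFFFFFF ^ wildcard
    return (addr & care) == (base & care)


def evaluate(acl_name, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL.
    Returns (action, matching sequence number or None for the implicit deny)."""
    for ace in (parse_ace(line) for line in ACL_TEXT[acl_name]):
        if wildcard_match(_addr(src), ace["src"], ace["src_wc"]) and \
           wildcard_match(_addr(dst), ace["dst"], ace["dst_wc"]):
            return ace["action"], ace["seq"]
    return "deny", None


def egress_check(acl_name, inside_global, dst="172.20.20.2"):
    """Decision of the outbound ACL on a cellular interface for a host packet
    whose source has already been translated to `inside_global`."""
    return evaluate(acl_name, inside_global, dst)


if __name__ == "__main__":
    # Cases a practitioner would check before blaming the carrier.
    for acl, src in (("199", "10.21.0.32"), ("199", "10.20.0.32"),
                     ("198", "10.20.0.32"), ("199", "192.168.2.10")):
        print(acl, src, "->", egress_check(acl, src))
```

A packet leaving Cellular0/4/0 with the 4G global address 10.21.0.32 is permitted by ACL 199 (entry 60), while one that still carries the 5G global address 10.20.0.32 falls through to the implicit deny, which is what makes IOS send the ICMP "administratively prohibited" that shows up as `Packet filtered` and `!X`. Which of the two the router is actually sending is settled on the box with `show ip nat translations` and the hit counters of `show ip access-lists 199`; the script only shows what each ACL would decide for each candidate source.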
on 10-13-2024 04:18 PM
Good evening. If I delete everything related to 5G from the configuration and configure it exclusively for 4G, everything works correctly. I think it has something to do with the route it takes to exit through the router. I'm testing with load balancing and it's still the same; I really can't think of anything else. I'll keep investigating. Thanks, and we'll keep in touch.
on 10-13-2024 05:15 PM - edited 10-13-2024 05:16 PM
That routing and NAT on this router sound weird. Two identical routes with different gateways may cause confusion on the device.
Take a look at IP SLA; it could help.
on 10-15-2024 12:31 AM
Good morning friend. I finally managed to get balanced communication: if 5G goes down, 4G comes in, and when 5G recovers it returns to its initial state. The problem I have now is with the port NAT: I have to open the same ports for both ISPs and I can't do it. Would it be a dynamic NAT? Thanks.
on 10-15-2024 03:00 AM
I believe you can work with a route-map.
This is one example.
ip nat inside source route-map ISP1 pool ISP1_POOL overload
ip nat inside source route-map ISP2 pool ISP2_POOL overload
!
route-map ISP1 permit 10
match ip address NAT_ACL
match interface FastEthernet0/0
!
route-map ISP2 permit 10
match ip address NAT_ACL
match interface FastEthernet0/1
!
ip access-list extended NAT_ACL
permit ip 192.168.1.0 0.0.0.255 any
on 10-27-2024 06:04 AM
Good afternoon friend, sorry for the delay, but I've been busy and haven't been able to do any tests. The load balancing works perfectly with the IP SLA, but the only thing I'm missing is the static NAT: it was going out through the main ISP, and when that goes down and I go out through the second ISP, the static NATs tied to the main ISP are left behind and I have no way to route them through the new route of the secondary ISP. Any solution?
on 10-27-2024 06:24 AM
Yes, there is a solution for that. I will leave some links here; take a look and let me know.
on 10-27-2024 02:35 PM
Friend, the route balancing does not solve my problem. It switches correctly, but since the system works correctly for me through one ISP, when I change to the other exit that takes me to the same destination, the most important static NATs stay associated with the ISP that connected first and I cannot get everything to go out through the other ISP.
Static NAT:
ip nat inside source static tcp 192.168.2.10 22 10.20.0.38 2222 extendable
ip nat inside source static udp 192.168.2.10 14000 10.20.0.38 14000 extendable
ip nat inside source static udp 192.168.2.10 14001 10.20.0.38 14001 extendable
ip nat inside source static tcp 192.168.2.10 22 10.21.0.38 2222 extendable
ip nat inside source static udp 192.168.2.10 14000 10.21.0.38 14000 extendable
ip nat inside source static udp 192.168.2.10 14001 10.21.0.38 14001 extendable
sh ip nat translations with ISP1 (10.20.0.38)
Router_Failover#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.21.0.38:2222 192.168.2.10:22 --- ---
tcp 10.21.0.38:2222 192.168.2.10:22 --- ---
udp 10.20.0.38:14000 192.168.2.10:14000 --- ---
udp 10.20.0.38:14001 192.168.2.10:14001 --- ---
udp 10.21.0.38:14000 192.168.2.10:14000 --- ---
udp 10.21.0.38:14000 192.168.2.10:14000 --- ---
tcp 10.20.0.38:2222 192.168.2.10:22 --- ---
udp 10.21.0.38:14001 192.168.2.10:14001 --- ---
udp 10.21.0.38:14001 192.168.2.10:14001 --- ---
udp 10.20.0.38:14001 192.168.2.10:14001 172.20.20.2:14000 172.20.20.2:14000
tcp 10.20.0.38:2222 192.168.2.10:22 172.20.20.2:63608 172.20.20.2:63608
udp 10.20.0.38:14000 192.168.2.10:14000 172.20.20.2:52393 172.20.20.2:52393
Total number of translations: 12
With ISP1 my system works correctly.
Then I shut down the ISP1 interface and the route is correctly taken through the ISP2 interface, but the NAT leaves ports 14000 and 14001 behind and tells me that they are still trying to exit through ISP1; the NAT of port 22 to 2222 works without problems.
sh ip nat translations with ISP2 (10.21.0.38)
Router_Failover#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.21.0.38:2222 192.168.2.10:22 --- ---
tcp 10.21.0.38:2222 192.168.2.10:22 --- ---
udp 10.20.0.38:14000 192.168.2.10:14000 --- ---
udp 10.20.0.38:14001 192.168.2.10:14001 --- ---
udp 10.21.0.38:14000 192.168.2.10:14000 --- ---
udp 10.21.0.38:14000 192.168.2.10:14000 --- ---
tcp 10.20.0.38:2222 192.168.2.10:22 --- ---
udp 10.21.0.38:14001 192.168.2.10:14001 --- ---
udp 10.21.0.38:14001 192.168.2.10:14001 --- ---
udp 10.20.0.38:14001 192.168.2.10:14001 172.20.20.2:14000 172.20.20.2:14000
tcp 10.21.0.38:2222 192.168.2.10:22 172.20.20.2:63620 172.20.20.2:63620
Total number of translations: 11
I don't understand why it doesn't do the static NAT routing, because if I do it the other way around the same thing happens to me whether I start the link with ISP1 or ISP2...
on 10-28-2024 07:02 AM
You can try to clear the NAT right after the ISP change with an EEM script.
! assumes a track object 1 (the IP SLA track used for the failover) that transitions to up
event manager applet NAT-clear
event track 1 state up
action 1.1 cli command "enable"
! IOS command is "clear ip nat translation *"; it removes dynamic translations only,
! configured static entries stay in the table
action 1.2 cli command "clear ip nat translation *"
action 1.3 syslog msg "NAT table cleared"
on 10-30-2024 02:45 AM
Good morning Flavio, I have tried the script and there is no way to get the static NAT for the UDP ports to be routed through ISP2; they stay on the first ISP.
If you look at the capture called NAT ISP2, ports 14000 and 14001 are still associated with the IP of ISP1.
Thanks.
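As an added model (editor-supplied example code, not from the thread or from Cisco), the Python below reproduces what the two `show ip nat translations` captures above show: with two `extendable` static entries for the same inside address and port, an inside-originated flow binds to whichever entry is configured first, whatever interface the packet leaves on, while an outside-originated connection arrives at one specific inside global address and so selects an entry unambiguously. The second part assumes that a static entry can be tied to its egress interface through a route-map (the `route-map` option of `ip nat inside source static`, with `match interface` as in the route-map example posted earlier; confirm the exact syntax for port-level entries on the IR1833 release in use) and shows that such a qualifier removes the ambiguity. Addresses and ports are those of the posted configuration; the interface-qualified entries are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticNat:
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int
    egress_iface: Optional[str] = None  # hypothetical route-map "match interface" qualifier


# Static entries as posted; configuration order matters in this model.
STATIC_UNQUALIFIED = [
    StaticNat("tcp", "192.168.2.10", 22, "10.20.0.38", 2222),
    StaticNat("udp", "192.168.2.10", 14000, "10.20.0.38", 14000),
    StaticNat("udp", "192.168.2.10", 14001, "10.20.0.38", 14001),
    StaticNat("tcp", "192.168.2.10", 22, "10.21.0.38", 2222),
    StaticNat("udp", "192.168.2.10", 14000, "10.21.0.38", 14000),
    StaticNat("udp", "192.168.2.10", 14001, "10.21.0.38", 14001),
]

# Same entries, each tied to the cellular interface its global address belongs to
# (constructed: 10.20.x is the 5G side, 10.21.x the 4G side, as in the thread).
STATIC_QUALIFIED = [
    StaticNat(e.proto, e.inside_local, e.local_port, e.inside_global, e.global_port,
              "Cellular0/5/0" if e.inside_global.startswith("10.20.") else "Cellular0/4/0")
    for e in STATIC_UNQUALIFIED
]


def inside_to_outside(entries, proto, local_ip, local_port, egress_iface):
    """Inside-originated flow: match on inside local ip:port, first entry wins.
    A qualified entry is eligible only when its interface is the egress one."""
    for e in entries:
        if (e.proto, e.inside_local, e.local_port) != (proto, local_ip, local_port):
            continue
        if e.egress_iface is not None and e.egress_iface != egress_iface:
            continue
        return e.inside_global, e.global_port
    return None


def outside_to_inside(entries, proto, global_ip, global_port):
    """Outside-originated connection: the destination is one inside global ip:port,
    so only one static entry can match regardless of configuration order."""
    for e in entries:
        if (e.proto, e.inside_global, e.global_port) == (proto, global_ip, global_port):
            return e.inside_local, e.local_port
    return None


def failover_report(entries):
    """Which global address inside-originated UDP 14000 gets on each egress interface."""
    return {iface: inside_to_outside(entries, "udp", "192.168.2.10", 14000, iface)
            for iface in ("Cellular0/5/0", "Cellular0/4/0")}


if __name__ == "__main__":
    print("unqualified:", failover_report(STATIC_UNQUALIFIED))
    print("qualified:  ", failover_report(STATIC_QUALIFIED))
    print("ssh via ISP2:", outside_to_inside(STATIC_UNQUALIFIED, "tcp", "10.21.0.38", 2222))
```

The unqualified case matches both captures on the page: UDP 14000 and 14001 keep inside global 10.20.0.38 after the switch to ISP2, while SSH arriving at 10.21.0.38:2222 is translated correctly because that direction never has to choose between the two entries. It also explains why the EEM clear did not help: static entries are configuration, not dynamic state, so `clear ip nat translation *` leaves them in place. Qualifying each static entry by its egress interface is what makes the inside-originated direction pick the entry that belongs to the active ISP.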