
Ping-one way problem

hanwucisco
Level 1

Thank you first!

I was given this situation:

PC1--Gateway1---WAN---Gateway2--PC2;

PC1 can ping PC2, but PC2 cannot ping PC1. More generally, PC1 can ping outside, but none of the outside nodes can ping PC1.

I found the guy put a wrong IP of Gateway1 in PC1. After changing to correct IP of Gateway, PC2 can ping PC1 now.

I have no chance to access the configuration in both gateways.

My question is:

When you do a ping from PC2, when the echo reply message comes to Gateway1, Gateway1 is supposed to deal with it the same way as it deals with the echo message that is created by PC1 when you do the ping from PC1 to PC2.

Or similarly, when you ping from PC1 and the echo reply message created by PC2 comes to Gateway1, the gateway is supposed to deal with it the same way as the echo message created by PC2 when you do a ping from PC2.

Then, how can the one-way ping happen?

thanks!

han,

8 Replies

dabels
Level 1

Is there a possibility that there are ACLs in place? If you can get to each gateway, try going to Gateway 2 and do a ping of PC1. If that works, then do an extended ping using the interface that PC2 is connected to. My first guess, though, would be some sort of ACL on one of the gateways.

Hi, dabels,

Thanks,

Do you think the ACL can discriminate between the two packets? My understanding is that they should be treated by the ACL in the same manner: same destination and source.

Correct me if I am wrong.

thanks.

Han,

scottmac
Level 10

One way is most frequently a mask problem.

One side (with the longest mask) gets the right gateway, and the traffic passes as expected.

The other side (shorter mask), depending on the addresses, doesn't see the traffic as "remote" (off-LAN) so it just puts it on the local LAN / wire (not to the default gateway / default route).

The gateway device can't just suck frames off the wire; if the frame is not addressed to the device, it's ignored.

Look for things like a /30 mask on one side and a /24 on the other.

It can also be something like asymmetrical routing without proper/cooperative ACLs / firewall rules, but for the scenario given, it would likely be a mask or routing table issue.

Good Luck

Scott

Hi, Scott

On both sides, the masks are correctly assigned.

I'd like to agree with routing table problems, but what can it be?

thanks,

Have you checked for software firewalls on the system not getting the return pings?

Try putting something like Ethereal (now called Netshark ... something like that) on each machine to see if the traffic is failing on the way out, or the response on the way back.

A traceroute might be worth a shot too.

Do a "netstat -rn" on each PC and a "sh ip route" on each router and compare the routing tables (and / or post 'em up here). If it's a routing issue, it should show up in one or more of those tables.

Good Luck

Scott
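
An added example, not part of any post in this thread: a Python sketch of the first-hop decision a host makes from its own address, mask and default gateway, plus a check of those settings against the router's LAN interface. It covers the mask mismatch and the routing-table comparison described in the two posts above; all addresses are constructed, and the function names `first_hop` and `audit_host` are hypothetical.

```python
import ipaddress

def first_hop(host_if, gateway, dst):
    """Mimic a host's forwarding decision for one packet.

    host_if: host address with mask, e.g. "10.1.1.10/24"
    gateway: configured default gateway, or None
    dst:     destination IP address
    Returns ("direct", dst) when dst falls inside the host's own prefix
    (the host ARPs for dst itself and never uses the gateway),
    ("gateway", gateway) when the packet is handed to the default gateway,
    or ("none", reason) when the host has no usable route.
    """
    iface = ipaddress.ip_interface(host_if)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in iface.network:
        return ("direct", str(dst_ip))
    if gateway is None:
        return ("none", "no default gateway")
    if ipaddress.ip_address(gateway) not in iface.network:
        return ("none", "gateway is not on the host's own subnet")
    return ("gateway", gateway)

def audit_host(host_if, gateway, router_if):
    """Compare a host's settings with the router interface on its LAN."""
    host = ipaddress.ip_interface(host_if)
    router = ipaddress.ip_interface(router_if)
    findings = []
    if host.network != router.network:
        findings.append(
            f"prefix mismatch: host {host.network}, router {router.network}")
    if gateway is None or ipaddress.ip_address(gateway) != router.ip:
        findings.append(
            f"gateway {gateway} is not the router address {router.ip}")
    return findings

if __name__ == "__main__":
    # Constructed addressing: Gateway1 LAN side is 10.1.1.1/24, PC2 is 10.1.2.20.
    router_if, pc2 = "10.1.1.1/24", "10.1.2.20"
    cases = [("10.1.1.10/24", "10.1.1.1"),    # correct settings
             ("10.1.1.10/16", "10.1.1.1"),    # mask too short on the PC
             ("10.1.1.10/24", "10.1.1.254")]  # wrong gateway address
    for host_if, gw in cases:
        print(host_if, gw, first_hop(host_if, gw, pc2),
              audit_host(host_if, gw, router_if))
```

A wrong gateway address that still lies inside the host's subnet passes the host's own route check, so only the comparison against the router's interface reveals it.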

bruce.porter
Level 1

I've usually seen an arp table with an old GW entry or a wrong GW or ACLs or security on one end set to allow ping responses but not respond to pings.

No firewall involved in this case.

GW setting is normal, because in network1 where PC1 resided, other PCs can ping fine.

zakymar77
Level 1

Hello,

We have to understand how PC1 sends a packet to the gateway. First PC1 will try to send the frames to its default-gateway then found none. So PC1 will broadcast that to its broadcast domain. So all hosts on that broadcast domain receive the request from PC1 and it happens that the IP add on your router is on the same subnet as your IP add on PC1. And the router knows where PC2 is.