Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
658
Views
0
Helpful
1
Replies

SOLVED: RV340 - Router drops replies despite routing seemingly working

Go to solution
JGustavsson_TP
Level 1
Level 1

‎12-28-2020 05:01 AM - edited ‎12-29-2020 04:01 AM

Hi!

 

First of all I must admit that I am a complete beginner when it comes to Cisco routers, but I am experiencing a situation that is not making much sense to me, and I would be grateful for any assistance in trying to solve the matter.

 

Currently we have an RV340 router (we can call this Router 1), which is connected to a public IP on WAN1, a server that we would like to make available externally on LAN4 and a connection to a Dell PowerConnect 6248P switch on LAN1. The Dell switch further connects to another RV340 router (we can call this Router 2), as well as all of the internal workstations of the company (the intranet).

 

The server is a virtual machine hypervisor, and as such has several IP addresses associated with its bridge network interface. The goal is to make the server accessible through the public WAN of Router 1, and allow traffic on certain ports between the server and the intranet so that server administrators can access the server. Router 1 and the server will as such act as a DMZ, with limited access via the switch to the intranet. All intranet traffic will be routed to the internet via Router 2.

 

We have created a VLAN for the server(s) to reside on, VLAN666. There are also several VLANs where the intranet workstations reside (for now we only need VLAN120 to be able to access the server on VLAN666). In addition to this we have a default VLAN1.

 

To me the seemingly easiest way to provide the isolation we are looking for would be to allow inter-VLAN communication between VLAN666 and VLAN120, and then use the firewall in Router 1 to disallow ports we do not want communicating with the intranet.

 

I have created VLANs 1 (assigned to 192.168.1.2/24), 120 (assigned to 10.1.120.0/24) and 666 (assigned to 192.168.10.0/24) in both Router 1 and in the Dell Switch. I have further added local bindings for each VLAN on the switch, effectively following the steps here:

 

https://www.dell.com/downloads/global/products/pwcnt/en/app_note_38.pdf

 

RIP is enabled, both on the switch and on Router 1, and the logs seem to indicate that it is working. Because of this I have not set up any static routes.

 

When I try to ping a workstation residing on VLAN120 (10.1.120.104) from the server (192.168.10.100) everything works perfectly and I get a reply. However when I try to ping from the workstation to the server a reply never arrives. When I run tcpdump on the server I can see the ping packets from the workstation arriving and being replied to. As such I figured that they were getting lost somewhere on the way back. In order to figure out where I set up port mirroring on LAN2, connected a computer running Wireshark to this port, and then mirrored LAN1 (the connection to the switch) and then LAN4 (the connection to the server) and ran a dump. Here I could see that the ping made its way through LAN1, to LAN4, to the server (which we already knew since it showed up in tcpdump on the server), and then the reply could be seen on LAN4, but not on LAN1. As such it would seem like the reply packet gets dropped somewhere between the server and the router, and never makes it out from the router to the switch.

 

I am at a complete loss how this is possible. The routing seems to work fine since the ping from the server succeeds in reaching (and receiving the reply from) the workstation, and the ping from the workstation obviously makes it to the server - it is just the reply that gets dropped. Since I am doing the dump from a mirrored port (which should only show packets that the router picks up) and the reply packets show up when mirroring VLAN4 they don't get lost on the way from the server to the router - the router obviously sees them. This leads me to conclude that it is the router that drops the replies.

 

I checked the firewall but it is currently set to allow all traffic between VLAN120, VLAN1 and VLAN666, and it makes no difference if I turn the firewall completely off. The successful pings from the server to the workstation do show up in the firewall log on the router as accepted, but there is nothing in the firewall log regarding the pings from the workstation to the server. What else would cause these replies to get dropped?

 

I have tried with other requests than pinging - attempting to request HTTP traffic and SSH - but the result is the same, the packets make it to the server but the replies get dropped by the router on the way back.

 

I have also tried to change the tagging on LAN1 and LAN4 ports but no matter what the tagging configuration is the result is exactly the same. The link on VLAN1 is set to a trunk port in the Dell switch, and is configured to allow VLAN 120 and 666.

 

Any assistance in figuring this out would be much appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JGustavsson_TP
Level 1
Level 1

‎12-29-2020 04:00 AM

I was able to identify what the issue was. The router was configured with a default route pointing to Router 2. This was meant to serve as a backup in case the internet connection on WAN1 went down, but it seems to have caused issues with the routing. Removing the default route solved the issue.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
JGustavsson_TP
Level 1
Level 1

‎12-29-2020 04:00 AM

I was able to identify what the issue was. The router was configured with a default route pointing to Router 2. This was meant to serve as a backup in case the internet connection on WAN1 went down, but it seems to have caused issues with the routing. Removing the default route solved the issue.

0 Helpful
Customers Also Viewed These Support Documents