Cisco 2901 router random websites not reachable

network_champ84 (Level 1)

We have a standard config on a Cisco router with a /29 assigned to the customer LAN (all public IPs). Our customer reported an issue where they are unable to reach random websites, with request time-outs. When we checked using the router interface as source IP address we are unable to see any issues, as we can successfully reach all those websites and IPs.

From the customer's own device they are unable to reach those websites:

E.g.:

ping federate.secure.barclays.com

Pinging e5913.b.akamaiedge.net [23.5.221.111] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 23.5.221.111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging dyna.wikimedia.org [91.198.174.192] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 91.198.174.192:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

I have troubleshot this but am unable to see any issues; however, the customer is adamant they are unable to reach those sites from any of their devices.

I wonder if someone can advise whether there is anything I am missing here.

 

 

11 Replies

Hello,

 

these issues are often related to MTU settings. Try 'ip mtu 1400' on the WAN interface. If that does not help, post the running configuration of your 2901 router...

I agree that in general issues where some web sites are not accessible may be related to MTU. But in the original post we are seeing ping with 32 bytes of payload failing. Hard to see that as an MTU issue.

Are we sure that the device doing these pings can reach some destinations in the Internet? I am concerned that the ping failures might reflect some issue with default gateway or routing for this device, or perhaps some issue with address translation.

In addition to seeing the current running config it might be helpful to see the results of traceroute/tracert from a user device.

HTH

Rick

network_champ84 (Level 1)

Here is the config you requested above.

The config is the standard one we use; however, we are unable to replicate this issue from our router, i.e. the issue is only experienced by the customer from their IP ranges linked to LAN port g0/2 on the router.

 


Building configuration...

Current configuration : 2898 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RA001-LL005
!
boot-start-marker
boot system flash:c2951-universalk9-mz.SPA.154-3.M5.bin
boot-end-marker
!
!

no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name X.X.X.X.net
ip name-server X.X.X.X
ip name-server X.X.X.X
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
!
license udi pid CISCO2951/K9 sn FCZ15047135
!
!
username admin password 7 X.X.X.X
!
redundancy
!
track timer ip route 1
!
track 1 ip route 0.0.0.0 0.0.0.0 reachability
delay down 1 up 1
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN - X.X.X.X-LON
ip address 1.1.1.1 255.255.255.252
media-type sfp
!
interface GigabitEthernet0/2
description LAN
ip address 2.2.2.2 255.255.255.192
duplex auto
speed auto
vrrp 1 ip 2.2.2.1
vrrp 1 priority 120
vrrp 1 authentication DRA001
vrrp 1 track 1 decrement 30
!
router bgp 74999
bgp log-neighbor-changes
redistribute connected
neighbor X.X.X.X remote-as X.X.X.X
neighbor X.X.X.X timers 10 30
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip ssh version 2
!
ip access-list standard X.X.X.X-MONITORING
permit X.X.X.X 0.0.0.7
ip access-list standard X.X.X.X-NTP
permit X.X.X.X
permit X.X.X.X
deny any
!
ip access-list extended X.X.X.X-ADMIN
permit ip X.X.X.X 0.0.0.7 any
permit ip X.X.X.X 0.0.0.7 any
permit ip host X.X.X.X any
permit ip X.X.X.X 0.0.0.3 any
permit ip X.X.X.X 0.0.0.7 any
permit ip X.X.X.X 0.0.0.255 any
permit ip X.X.X.X 0.0.0.3 any
!
!
!
snmp-server community public RO X.X.X.X-MONITORING
snmp-server location X.X.X.X
snmp-server contact noc@X.X.X.X.com
access-list 80 remark ntp-association permit 10 X.X.X.X
access-list 80 remark ntp-association permit 20 X.X.X.X
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 1
access-class X.X.X.X-ADMIN in
exec-timeout 0 0
logging synchronous
login local
transport input telnet ssh
line vty 2 4
access-class X.X.X.X-ADMIN in
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp access-group peer X.X.X.X-NTP
ntp access-group serve-only X.X.X.X-NTP
ntp server X.X.X.X
!
end

 

Hello,

 

I agree with Richard that MTU might not be the problem, although you could try and set the MTU size to e.g. 1400 on the WAN interface, and check if the issue persists. VRRP could also be the culprit; try and disable that on the LAN interface...

Hello @network_champ84 ,

where is the NAT configuration?

Are you using the public address 2.2.2.0/26? Or have you changed it for your security?

Only if you have a public address range can you skip NAT. But the ISP must agree that the block belongs to you.

No subnets in 10/8, 172.16-31.0.0/16 or 192.168.X.0/24 are public.

Edit:

Reviewing your first post, I understand the customer has a public IP address block.

Have you tried to use extended ping on the router using the LAN IP address 2.2.2.2 as source?

If you simply ping, you are using the WAN IP address; you need to use extended ping to specify a source address similar to the client IP addresses.

 

Hope to help

Giuseppe

 

Hello

I would check your DNS setup.

nslookup
Default Server: dns.opendns.com
Address: 208.67.222.222

> e5913.b.akamaiedge.net
Server: dns.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: e5913.b.akamaiedge.net
Address: 104.87.103.202

> 23.5.221.111
Server: dns.opendns.com
Address: 208.67.222.222

Name: a23-5-221-111.deploy.static.akamaitechnologies.com
Address: 23.5.221.111

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

In the original post it was described as a standard config. Based on that I was assuming that we had a normal user lan connected to a single router, which was connected to the Internet. Now we have learned that there is a firewall between the router and the Internet. And I wonder if vrrp in the config suggests that we are not dealing with a simple user lan and a single router. Can we get an explanation of the real environment here?

We have been given some vague description of users not being able to access random web sites. I would like a more precise description of a particular user device that can access some Internet resources (specifically a couple of web sites that do work and a couple of web sites that do not work). And it would be helpful along with that description if we had the output of attempts to ping and to traceroute to those sites.

HTH

Rick

Giuseppe Larosa (Hall of Fame)

Hello @network_champ84 ,

check NAT translations with

show ip nat translations

and verify whether an entry is created when an internal customer end-user device tries to ping one of the websites.

Since the ping uses a 32-byte payload, MTU should not be an issue here, at least for the ping test. It is a different matter if they cannot load the web page in a browser.

Verify also whether you have ACLs applied to your router.

 

Hope to help

Giuseppe

 

network_champ84 (Level 1)

@Giuseppe Larosa all IPs have been changed to safeguard the customer network.

NAT is handled by the customer firewall connected to the router on port g0/2.

Currently they are unable to get onto a few websites, with a "not reachable" error, as in the examples above.

PS C:\Users\$livesp1> ping en.wikipedia.org

Pinging dyna.wikimedia.org [91.198.174.192] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 91.198.174.192:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging e5913.b.akamaiedge.net [23.5.221.111] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 23.5.221.111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


Hello,

 

I can ping both websites with the standard packet size of 1472.

 

Which brand/model is the firewall?

Hello @network_champ84 ,

to understand whether it is a routing issue or the problem is on the client firewall, can you test pinging those sites from the customer router using the LAN interface as source?

Ping 23.5.221.111 with the gig0/2 (gi0/2) IP address as source; you can use extended ping for this.

You start by typing ping <enter> and then you fill in the fields.

There is also an option like ping 23.5.221.111 /source gi0/2

Try to test in this way if you haven't already done so, and compare the results.

If you get an answer it should not be a routing problem and you can point to the customer firewall.

If you still get timeouts you should open a ticket with the ISP to verify that they are correctly routing the /29 public address block to you.

 

Hope to help

Giuseppe
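As an added example (not from the thread or any of its posters): a small Python helper that parses the Windows ping statistics pasted above and applies the decision logic Rick and Giuseppe describe. A 32-byte echo cannot be an MTU victim, and comparing the customer device's result with router pings sourced from the WAN address and from the LAN (gi0/2) address separates an ISP return-route problem for the customer block from the customer firewall/NAT. The sample ping output is constructed, and the 1500-byte link MTU and the verdict labels are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the Windows ping output pasted in the thread.
SAMPLE_PING = """Pinging e5913.b.akamaiedge.net [23.5.221.111] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 23.5.221.111:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""
HEADER_RE = re.compile(r"Pinging (\S+) \[([\d.]+)\] with (\d+) bytes of data")
STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")

@dataclass
class PingResult:
    name: str       # name shown by ping (CNAME target, e.g. the Akamai edge host)
    ip: str
    payload: int    # ICMP payload bytes (Windows default is 32)
    sent: int
    received: int

    @property
    def loss_pct(self) -> int:
        return 100 if self.sent == 0 else 100 * (self.sent - self.received) // self.sent

def parse_windows_ping(text: str) -> PingResult:
    """Pull host, address, payload size and counters out of a Windows ping run."""
    hdr, st = HEADER_RE.search(text), STATS_RE.search(text)
    if not hdr or not st:
        raise ValueError("not a complete Windows ping output")
    return PingResult(hdr.group(1), hdr.group(2), int(hdr.group(3)), int(st.group(1)), int(st.group(2)))

def mtu_plausible(payload: int, link_mtu: int = 1500) -> bool:
    """True only if payload + 20 (IPv4) + 8 (ICMP) exceeds the link MTU; a 32-byte echo never does."""
    return payload + 28 > link_mtu

def classify(client_loss: int, router_wan_src_loss: int, router_lan_src_loss: int) -> str:
    """Combine the three vantage points the replies ask for: the customer device, the router
    pinging from its WAN address, and the router pinging with the LAN (gi0/2) address as source."""
    if client_loss < 100:
        return "reachable-from-client"
    if router_wan_src_loss == 100:
        return "upstream-or-destination-down"            # even the router cannot reach it
    if router_lan_src_loss == 100:
        return "isp-return-route-for-customer-block"     # WAN-sourced works, LAN-sourced does not
    return "customer-firewall-or-nat"                     # router LAN-sourced works, client does not
```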

 

 
