I am experiencing an interesting problem with my default route on my router. As an example, I have a default route pointing to 192.168.1.254, i.e. "ip route 0.0.0.0 0.0.0.0 192.168.1.254"
There are a few addresses that do not go to the default gateway automatically. However, if I put in their route "ip route 10.1.1.34 255.255.255.255 192.168.1.254" then they can be routed correctly. If I take them out, the traffic cannot be routed. However, the addresses before and after it are ok, i.e. for 10.1.1.33 or 10.1.1.35 I do not need to put in a route to the gateway and they can be routed correctly, but for 10.1.1.34 I must put in a static route to the gateway, otherwise the traffic will just stop at the router.
Does anyone know what the problem could be?
If I do not put in the static route, the traffic does not seem to reach the FW, as we cannot see any traffic going to the FW. From the looks of it, the traffic is dropped at the router because the router does not know where to route it.
Looks like I am not the only one facing this problem. Really hoping that someone can give an explanation on this. Thanks!
Do one thing: do not put the specific host route in the router. Try setting up a host route on your client PC, which is behind the F/W:
c:/> route add x.x.x.x mask y.y.y.y z.z.z.z -p
Let us know if that works.
I have really seen this issue with the Checkpoint firewall. There are around 100 servers in our datacenter which are behind the Checkpoint firewall, and users can only access them if we add specific host routes.
I am not able to replicate the problem on the PCs or servers. However, that may also be due to some firewall rules on the FW. So far the problem is only consistent on our core router. Anyway, all the traffic is routed via the core router before it reaches the FW.
If I do a continuous ping from my PC to any of the problematic IPs while the static route is there, the ping will not drop even after I remove the static route. However, if I stop the ping and start it again, I can't connect any more until I add back that static route.
How do I convince my FW engineer that it is a FW issue when any change to resolve the problem is done on the router and nothing needs to be done on the FW? According to my FW engineer, they even put an allow-all rule for my PC during testing, and they only see traffic when I add in the static route.
Anyway, thanks for telling me that I am not alone in this puzzling issue. Hopefully someone with the solution will see this soon.
Happy New Year!!
Could that be an ARP / Proxy ARP issue between the router and the FW? Just a wild guess ... can't forward at Layer 3 when no Layer 2 info is there.
Hope this helps
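To make the two checks in this thread concrete, here is an added example (not code from the thread or from any poster): it resolves a destination against a small static route table with longest-prefix match, then checks whether the chosen next hop has a Layer 2 (ARP) entry, since a route whose next hop is unresolved cannot forward traffic. The route table mirrors the first post; the ARP table and MAC address are constructed.

```python
"""Added example: longest-prefix route lookup plus next-hop ARP check."""
import ipaddress

# Constructed route table in "ip route <prefix> <mask> <next-hop>" form,
# mirroring the thread: a default route plus one /32 host route.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.254"),
    ("10.1.1.34", "255.255.255.255", "192.168.1.254"),
]

# Constructed ARP table: next hops that have a resolved MAC address.
ARP_TABLE = {
    "192.168.1.254": "0011.2233.4455",  # constructed MAC
}


def parse_routes(routes):
    """Turn (prefix, mask, next_hop) tuples into (network, next_hop) pairs."""
    return [(ipaddress.ip_network(f"{p}/{m}", strict=False), nh)
            for p, m, nh in routes]


def lookup(dest, routes):
    """Return (network, next_hop) for the longest matching prefix, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, nh in parse_routes(routes):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forwarding_check(dest, routes=ROUTES, arp=ARP_TABLE):
    """Explain whether dest is forwardable: a route exists and its next hop
    is ARP-resolved. Both the /32 and the default route point at the same
    gateway, so a Layer 3 lookup alone cannot explain a per-host drop; the
    Layer 2 state of the next hop is the thing worth checking."""
    hit = lookup(dest, routes)
    if hit is None:
        return "no-route"
    net, nh = hit
    if nh not in arp:
        return f"route {net} -> {nh} but next hop unresolved (no ARP entry)"
    return f"route {net} -> {nh} via {arp[nh]}"


if __name__ == "__main__":
    for host in ("10.1.1.33", "10.1.1.34", "10.1.1.35"):
        print(host, forwarding_check(host))
```

On a real router the same two facts come from "show ip route <host>" and "show ip arp <next-hop>"; the script only models the comparison.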
Can you check your switching process, i.e. "show ip cef" or "show ip cache", to see how the packets are being switched when they are being dropped?
As a last resort, you might want to debug. Be careful though, as packet debugging can crash the router, but if used carefully it will tell you the reason the packet is being dropped. I would advise doing the debugging at a non-critical hour.
In the configuration posted you have mentioned the static routes as
ip route 192.168.77.197 255.255.255.255 10.1.22.250
ip route 192.168.77.198 255.255.255.255 10.1.22.250
Also, you have said that
192.168.77.193 is reachable by 10.1.20.21 (the default gateway). How exactly is the network 192.168.77.x connected behind the firewall? Are the firewalls working in Active/Active mode? Why have you given routes to hosts in the same subnet via different gateways?
Please share with us your brief network diagram, so that we may understand the issue completely.