
ISR 1100 connectivity problem

Sakura
Level 1

Hi,

I'm trying to configure an ISR 1111 with two internet connections (one for backup).

Until now, VLAN 200 (Ge0/1/2 to Ge0/1/7 + WLAN Ge0/1/8) has been accessing the internet through Cel0/2/0 (working correctly).

Now, I have a new connection (initiated by DHCP) on Ge0/0/0.

I've configured Ge0/0/0 with DHCP and it is working, but I cannot get to the internet on this interface.

I've attached the running config.

#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
2.0.0.0/32 is subnetted, 1 subnets
C <public> is directly connected, Cellular0/2/0
172.26.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.26.254.0/24 is directly connected, Vlan1
L 172.26.254.1/32 is directly connected, Vlan1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0/0
L 192.168.0.33/32 is directly connected, GigabitEthernet0/0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan200
L 192.168.10.1/32 is directly connected, Vlan200


#sh ip inter brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 192.168.0.33 YES DHCP up up
GigabitEthernet0/0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1.2 10.134.101.141 YES NVRAM administratively down down
GigabitEthernet0/0/1.3 unassigned YES NVRAM administratively down down
GigabitEthernet0/0/1.6 unassigned YES unset administratively down down
GigabitEthernet0/1/0 unassigned YES unset down down
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset down down
GigabitEthernet0/1/4 unassigned YES unset up up
GigabitEthernet0/1/5 unassigned YES unset down down
GigabitEthernet0/1/6 unassigned YES unset up up
GigabitEthernet0/1/7 unassigned YES unset down down
Wl0/1/8 unassigned YES unset up up
Cellular0/2/0 <public> YES IPCP up up
Cellular0/2/1 unassigned YES NVRAM administratively down down
Dialer6 unassigned YES NVRAM administratively down down
Tunnel0 192.168.10.1 YES unset up up
Virtual-Access1 unassigned YES unset up up
Vlan1 172.26.254.1 YES NVRAM up up
Vlan200 192.168.10.1 YES NVRAM up up

Ping test:

#ping 8.8.8.8 source G0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.33
.....
Success rate is 0 percent (0/5)


#ping 192.168.0.1 source G0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.33
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Part of the configuration was created from the web interface. If I connect a computer to the G0/0/0 cable (instead of the Cisco router), I get an IP (on 192.168.0.0/24) and I have internet access.


I see PBR in your config, but I don't get what it is used for. Can you elaborate more?


@MHM Cisco World wrote:

I see PBR in your config, but I don't get what it is used for. Can you elaborate more?


I've deleted the PBR config and other unrelated NAT configurations, leaving only this (list 2 is a copy of list 1):
ip nat inside source list 1 interface Cellular0/2/0 overload
ip nat inside source list 2 interface GigabitEthernet0/0/0 overload

But the result is the same. Ping from G0/0/0 does not work.

#ping 8.8.8.8 source G0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.33
.....
Success rate is 0 percent (0/5)

#ping 8.8.8.8 source Cel0/2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of <public>
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/39/48 ms

 

Ping to 192.168.0.1 (gateway of G0/0/0) works correctly

There were several things that I noticed in the config provided in the original post. I am glad that you have removed them. I note in this most recent response that you have 2 simple ip nat inside source list statements. When you are doing NAT for 2 interfaces it is generally necessary to do the NAT with a route map (as was shown in the original post config). Would you post the complete current running config so that we get a better picture of what is going on?

HTH

Rick

Sakura
Level 1

Interface G0/0/1 is configured for an FTTH service that requires VLAN tagging. The G0/0/1 interface is administratively down.

Sakura
Level 1

Another problem I've detected is that in some cases the connection loses its IP address (G0/0/0) and doesn't recover it.

 

Example from today:
.Apr 20 05:00:39.785: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
.Apr 20 05:00:43.864: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
.Apr 20 05:00:52.793: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
.Apr 20 05:00:53.794: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
.Apr 20 05:01:01.782: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
.Apr 20 05:01:03.799: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
.Apr 20 07:54:18.918: %WEBSERVER-5-LOGIN_PASSED: Login Successful from host 192.168.10.2 by user '******'

 

A working example:

Apr 19 16:20:51.766: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
Apr 19 16:20:52.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
Apr 19 16:20:58.098: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0/0 assigned DHCP address 192.168.0.33, mask 255.255.255.0, hostname *

 

Hello
When you have two ISP circuits and you wish to do dynamic NAT on both of them, then you could use route-maps for the NAT statements, which should be applicable to resolve your issue.

I also suggest appending some IP SLA with conditional static routing between the ISP primary/secondary links for circuit resiliency.


Example:
! Match the router's own IP SLA probe traffic
access-list 100 permit icmp host <source ip> host 8.8.8.8 echo

! Force the probe out the primary link only; Null0 drops it when that link is down
route-map ipsla
match ip address 100
set interface Cellular0/2/0
set interface Null0

ip local policy route-map ipsla

ip sla 1
icmp-echo 8.8.8.8 source-interface Cellular0/2/0
timeout 1000
frequency 15

ip sla schedule 1 life forever start-time now
! The track number must match the one used on the static route below
track 10 ip sla 1 reachability

ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 name primary_link track 10

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp 10 name backup_link
ip route 8.8.8.8 255.255.255.255 Null0 2

ip access-list extended NAT_ACL
permit ip 172.26.254.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any

! One route-map per ISP, so NAT picks the translation that matches the egress interface
route-map ISP1_rm
match ip address NAT_ACL
match interface Cellular0/2/0

route-map ISP2_rm
match ip address NAT_ACL
match interface GigabitEthernet0/0/0

ip nat inside source route-map ISP1_rm interface Cellular0/2/0
ip nat inside source route-map ISP2_rm interface GigabitEthernet0/0/0



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

mawillis
Level 1

It looks like gi0/0/0 is connected to an internet circuit but the IP is 192.168.0.33, is that right? It has an "ip nat outside", so you would be NATing your users to 192.168.0.33. That doesn't seem right. Is that interface behind another NAT?

Sakura
Level 1

Hi,

I'll try to reply to all questions here:

 

First, I've applied the route-map configuration from @paul driver. The connection looks OK on Cel0/2/0, but Gig0/0/0 does not work.

Also, access-list 100 cannot be applied because, as I've said, Gig0/0/0 has a DHCP address.

Also, the main connection will be Gig0/0/0.

Second, @mawillis, yes, that is correct. The infrastructure now is: Cisco (192.168.10.1) -> Domestic router (192.168.0.1) -> ONT (unknown IP from range 100.0.0.0/16) -> ISP. Because the configuration of the domestic router seems to be the same as the ONT's (get an IP from DHCP and work), I'm trying with the domestic router. I have a computer connected to the router with another IP (192.168.0.34) and it gets internet without problems.

Third, @Richard Burts, I've uploaded an updated configuration.

The problem is the same as in the first post. Ping from Gig0/0/0 to the internet does not work (ping to 192.168.0.1 works OK).

#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/52/60 ms

#ping 8.8.8.8 source G0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.33
.....
Success rate is 0 percent (0/5)

#ping 8.8.8.8 source Cel0/2/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 2.142.163.30
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/42/52 ms

 

Thanks for posting the current running config. I have these comments about it:

- the very early part of the config is missing. I hope that there was not anything significant in it (and believe there probably was not)

- your configuration of nat uses 2 route maps, which I believe should be the correct approach. But neither of the route maps is in the posted config. If nat is not working that could explain why track is showing the connection as down.

- your static route with track uses the wrong digit. You indicate that this has been fixed.

- your ip sla specifies source interface g0/0/0. I suggest that it is less important what is the source and more important to make sure that the outbound interface is g0/0/0. What would be the result if icmp-echo to 8.8.8.8 were sent out the cellular interface and was successful? You need to make sure that the icmp-echo for track is sent out g0/0/0. For that I suggest a static route for the /32 destination address specifying g0/0/0 as the outbound interface. And I would suggest that if you are going to do this you might not want to use 8.8.8.8 as the destination. You want to assure that g0/0/0 is working so you might want to test a destination a hop or two into the provider network of g0/0/0.

HTH

Rick

mawillis
Level 1

OK so you have a triple NAT situation. Not ideal but it should work. Can you log in to the domestic router? 

You said you can plug a PC into the domestic router and it works, so it seems like the domestic router is ok.

Look at your default route via gi0/0/0 - you have track 10 but there is only track 1.
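
Added example, not part of the thread or of anyone's posted config: a small Python check for the two problems pointed out in the replies above, a static route that tracks an object number that is never defined and NAT statements that name route-maps missing from the config. The sample config is constructed for illustration, and `lint_references` is a hypothetical helper name.

```python
import re

# Constructed sample (not the poster's actual config): the default route tracks
# object 10 while only track 1 exists, and the NAT route-maps are never defined.
SAMPLE_CONFIG = """\
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip nat inside source route-map ISP1_rm interface Cellular0/2/0 overload
ip nat inside source route-map ISP2_rm interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 name primary track 10
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 10 name backup
"""


def lint_references(config):
    """Return one finding per track, IP SLA or route-map used but never defined."""
    defined = {"track": set(), "ip sla": set(), "route-map": set()}
    uses = []  # (kind, name, config line that references it)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"track (\d+) ", line):
            defined["track"].add(m.group(1))
            # A track object bound to an IP SLA probe references that probe.
            if sla := re.match(r"track \d+ ip sla (\d+)", line):
                uses.append(("ip sla", sla.group(1), line))
        elif m := re.match(r"ip sla (\d+)$", line):
            defined["ip sla"].add(m.group(1))
        elif m := re.match(r"route-map (\S+)", line):
            defined["route-map"].add(m.group(1))
        elif m := re.match(r"ip route .* track (\d+)", line):
            uses.append(("track", m.group(1), line))
        elif m := re.search(r" route-map (\S+)", line):
            # ip nat ... route-map X, ip policy route-map X, ip local policy ...
            uses.append(("route-map", m.group(1), line))
    return [f"{kind} {name} referenced but not defined: {line}"
            for kind, name, line in uses if name not in defined[kind]]


if __name__ == "__main__":
    for finding in lint_references(SAMPLE_CONFIG):
        print(finding)
```

A route that tracks an undefined object is never installed, which matches the missing default route via Gi0/0/0 in the routing table shown in this thread.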

 

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
2.0.0.0/32 is subnetted, 1 subnets
C <public> is directly connected, Cellular0/2/0
172.26.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.26.254.0/24 is directly connected, Vlan1
L 172.26.254.1/32 is directly connected, Vlan1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0/0
L 192.168.0.33/32 is directly connected, GigabitEthernet0/0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan200
L 192.168.10.1/32 is directly connected, Vlan200

 

As you can see, there's no default route to Gi0/0/0.

I've tried to create a route to Gi0/0/0 directly (without track). In that case, I lost internet connection, and ping from router using source Gi0/0/0 also does not work.

mawillis
Level 1

You have no default route on gi0/0/0 because the track is wrong on the route. Fix that and send the route table, show ip sla sum, and show track.

Sakura
Level 1

Ok, I've changed route to Gi0/0/0 to track 1.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 name primary track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 10 name backup

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
2.0.0.0/32 is subnetted, 1 subnets
C 2.142.163.30 is directly connected, Cellular0/2/0
172.26.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.26.254.0/24 is directly connected, Vlan1
L 172.26.254.1/32 is directly connected, Vlan1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0/0
L 192.168.0.33/32 is directly connected, GigabitEthernet0/0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan200
L 192.168.10.1/32 is directly connected, Vlan200


#sh ip sla sum
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
All Stats are in milliseconds. Stats with u are in microseconds

ID Type Destination Stats Return Last
Code Run
-----------------------------------------------------------------------
*1 icmp-echo 8.8.8.8 - Timeout 8 seconds ago

#sh track
Track 1
IP SLA 1 reachability
Reachability is Down
1 change, last change 04:27:23
Latest operation return code: Timeout
Tracked by:
Static IP Routing 0

mawillis
Level 1

OK, so the way to troubleshoot this is to remove all the features, test, then put the features back one by one. Remove the NAT and the service policy. Check that the interface negotiated matching speed and duplex. If it's good, start putting features back on.
