Linux not passing traffic through 1721/1841

jscott

Hi folks. I'm hoping one of the experts around here can help me figure out what is going wrong.

I run a network that uses MPLS circuits to connect all of the company's different stores. Internet access is through a Cisco ASA5500 here at the corp headquarters.

To make all of this work, we use a little 1721 gateway router to move traffic as needed.   All the clients in our corporate office use 10.10.99.1 (Cisco 1721) as a gateway.  The 1721 routes the traffic either to the internet (10.10.99.106 Cisco ASA5500) or the MPLS router (159.61.54.30).

For some reason, anything that runs on Linux (Ubuntu server, ReadyNAS boxes, Thecus NAS) will not pass traffic beyond the 1721 gateway router.

I've pored over the config for that router, and I can't find anything that could be causing this not to work. Thinking that the 1721 was bad, I put an 1841 online in its place, and it did the same thing. I'm a noob when it comes to Cisco configs, but am learning as I go along.

Can someone help me figure out this problem? I've attached a txt file of the 1721 config.

Thanks.


Hi Alain,

The ping was successful, but that's probably because they are on the same subnet. The traffic doesn't go through the gateway router unless it's hitting something outside of 10.10.99.xxx. I tried to ping the router at one of the other stores (10.10.2.1), but I got no response.

I did a sh ip arp 10.10.2.1, but received an error "cannot open IP".

Thanks..

Hi,

try:  sh arp 10.10.2.1

Regards.

Alain.

Don't forget to rate helpful posts.

sh: can't open arp

Response on the Ubuntu linux box.

Thanks.

Hi,

These commands must be done on the router: sh ip arp or sh arp

Regards.

Alain

Don't forget to rate helpful posts.

Whoops.  My apologies about that.

I ran the commands on the router and this is what they returned.

Ubuntu Linux box 10.10.99.163 tried to ping 10.10.2.1 (no response)

Went to router and ran sh ip arp 10.10.99.163 and the response was blank.  It just returned a router prompt.

Thanks,

J.

NOTE:  sh arp 10.10.99.163 returns an invalid input detected at marker error.

EDIT:  Another interesting thing, if I reboot the 1721, the Linux boxes work just fine for about ten minutes.  Then they all quit.

Hi,

Went to router and ran sh ip arp 10.10.99.163 and the response was blank.  It just returned a router prompt.

OK, so it couldn't get the MAC address of the Linux box because it didn't get a reply to ARP requests.

Another interesting thing, if I reboot the 1721, the Linux boxes work just fine for about ten minutes.  Then they all quit.

But by default ARP entries in Cisco routers stay for 4 hrs, so if it receives an ARP reply it should stay for 4 hrs.

When it fails and ARP doesn't work, can you sniff with tcpdump on the Linux machine to see if it gets the ARP request and if it replies?

If you reboot and it works, then do a show ip arp without specifying an IP address and post here.

Regards.

Alain.

Don't forget to rate helpful posts.

Rantoul-Gateway#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.99.102            8   001f.2925.4195  ARPA   FastEthernet0/0
Internet  159.61.54.145           4   0021.b7e8.baa8  ARPA   FastEthernet0/0
Internet  10.10.99.101            0   0800.3729.4fe6  ARPA   FastEthernet0/0
Internet  159.61.54.147           0   a4ba.db15.54e9  ARPA   FastEthernet0/0
Internet  10.10.99.106           34   001c.58d3.dbe6  ARPA   FastEthernet0/0
Internet  10.10.99.105            0   0023.aea4.ee83  ARPA   FastEthernet0/0
Internet  10.10.99.104           28   0022.3fa9.e440  ARPA   FastEthernet0/0
Internet  10.10.99.111           55   000f.1ffa.af4b  ARPA   FastEthernet0/0
Internet  159.61.54.134          55   0060.350c.d840  ARPA   FastEthernet0/0
Internet  159.61.54.135          55   0021.5a96.426b  ARPA   FastEthernet0/0
Internet  159.61.54.129           -   001c.58e8.6baa  ARPA   FastEthernet0/0
Internet  159.61.54.130          19   0004.0049.6301  ARPA   FastEthernet0/0
Internet  159.61.54.141           9   0004.007e.51e5  ARPA   FastEthernet0/0
Internet  159.61.54.143          29   001b.78f2.46f0  ARPA   FastEthernet0/0
Internet  159.61.54.138           0   Incomplete      ARPA
Internet  159.61.54.139          23   0004.009e.485b  ARPA   FastEthernet0/0
Internet  10.10.99.66             1   0014.fd14.b894  ARPA   FastEthernet0/0
Internet  10.10.99.65            23   1cc1.de13.618b  ARPA   FastEthernet0/0
Internet  10.10.99.70            20   0022.6b97.cf03  ARPA   FastEthernet0/0
Internet  10.10.99.34             2   0023.ae8f.07aa  ARPA   FastEthernet0/0
Internet  10.10.99.32             0   a4ba.dbbe.7029  ARPA   FastEthernet0/0
Internet  10.10.99.38             0   0024.e8ac.6e0e  ARPA   FastEthernet0/0
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.99.43             4   d49a.20c4.e408  ARPA   FastEthernet0/0
Internet  10.10.99.47             0   001e.c93b.e1de  ARPA   FastEthernet0/0
Internet  10.10.99.45             0   001c.23da.5a33  ARPA   FastEthernet0/0
Internet  10.10.99.51             0   a4ba.dbbe.7ffb  ARPA   FastEthernet0/0
Internet  10.10.99.50             0   0021.70ed.48c0  ARPA   FastEthernet0/0
Internet  10.10.99.55             0   001e.c93c.1eee  ARPA   FastEthernet0/0
Internet  10.10.99.52             1   0024.e8d6.a947  ARPA   FastEthernet0/0
Internet  10.10.99.56            11   0024.e89b.55f6  ARPA   FastEthernet0/0
Internet  10.10.99.63             0   a4ba.db15.54e8  ARPA   FastEthernet0/0
Internet  10.10.99.1              -   001c.58e8.6baa  ARPA   FastEthernet0/0
Internet  10.10.99.5              0   001e.c93c.1e97  ARPA   FastEthernet0/0
Internet  10.10.99.11            10   0023.694d.bf36  ARPA   FastEthernet0/0
Internet  10.10.99.10             0   001d.09db.f51c  ARPA   FastEthernet0/0
Internet  10.10.99.14             0   0022.190d.8bd8  ARPA   FastEthernet0/0
Internet  10.10.99.12             0   0026.b9cb.d6f6  ARPA   FastEthernet0/0
Internet  10.10.99.18             0   c03f.0eb1.3dad  ARPA   FastEthernet0/0
Internet  10.10.99.17            51   68b5.9940.9d0c  ARPA   FastEthernet0/0
Internet  10.10.99.16             1   001e.c93b.e1e6  ARPA   FastEthernet0/0
Internet  10.10.99.20             0   001e.c93c.2160  ARPA   FastEthernet0/0
Internet  10.10.99.26             0   001e.c93b.e1d0  ARPA   FastEthernet0/0
Internet  10.10.99.31             0   001e.c93c.23a7  ARPA   FastEthernet0/0
Internet  10.10.99.29             0   001e.c93c.1ea4  ARPA   FastEthernet0/0
Internet  10.10.99.195           52   001c.58d3.dbe6  ARPA   FastEthernet0/0
Internet  159.61.54.53            0   001b.2530.aaf5  ARPA   FastEthernet0/0
Internet  10.10.99.194           48   001c.58d3.dbe6  ARPA   FastEthernet0/0
Internet  159.61.54.48            4   0021.5e18.beb0  ARPA   FastEthernet0/0
Internet  159.61.54.49           55   0021.5e18.beb1  ARPA   FastEthernet0/0
Internet  10.10.99.196           55   001c.58d3.dbe6  ARPA   FastEthernet0/0
Internet  159.61.54.60            0   0027.0d95.6240  ARPA   FastEthernet0/0
Internet  159.61.54.61            3   001e.c93c.2064  ARPA   FastEthernet0/0
Internet  159.61.54.56           51   0024.e89b.55f6  ARPA   FastEthernet0/0
Internet  159.61.54.33            -   001c.58e8.6baa  ARPA   FastEthernet0/0
Internet  159.61.54.35           43   0023.7d82.2198  ARPA   FastEthernet0/0
Internet  159.61.54.44           55   0021.5e18.bea1  ARPA   FastEthernet0/0
Internet  159.61.54.45            2   001c.23da.5a31  ARPA   FastEthernet0/0
Internet  159.61.54.40            0   Incomplete      ARPA
Internet  159.61.54.41            2   001c.ee94.d94f  ARPA   FastEthernet0/0
Internet  10.10.99.175            0   001d.09db.3eb7  ARPA   FastEthernet0/0
Internet  10.10.99.140            0   0024.e8ab.aad4  ARPA   FastEthernet0/0
Internet  10.10.99.150            1   0022.3fa9.e066  ARPA   FastEthernet0/0

Hi,

You said:

The Linux machines are on the 10.10.99.xxx subnet (255.255.255.0).  10.10.99.104, 10.10.99.150, 10.10.99.66, 10.10.99.130.

Ubuntu Linux box 10.10.99.163 tried to ping 10.10.2.1 (no response)

But where is the .163 in the Linux machines above?

I don't see the mapping for this IP address in the ARP cache of the router you posted.

Internet  10.10.99.104          28   0022.3fa9.e440  ARPA   FastEthernet0/0
Internet  10.10.99.150            1   0022.3fa9.e066  ARPA   FastEthernet0/0
Internet  10.10.99.66             1   0014.fd14.b894  ARPA   FastEthernet0/0

Can you ping from 10.10.99.104?

Regards.

Alain.

Don't forget to rate helpful posts.
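
The check made by hand in the reply above (is each host under test present in the router's ARP cache, and with what state?) can be scripted. This is an added example, not part of the thread; the sample rows are a constructed subset of the `sh arp` output posted earlier, and the function names `parse_arp` and `audit` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rows from the `sh arp` output in the thread.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.99.106           34   001c.58d3.dbe6  ARPA   FastEthernet0/0
Internet  10.10.99.104           28   0022.3fa9.e440  ARPA   FastEthernet0/0
Internet  159.61.54.138           0   Incomplete      ARPA
Internet  10.10.99.66             1   0014.fd14.b894  ARPA   FastEthernet0/0
Internet  10.10.99.1              -   001c.58e8.6baa  ARPA   FastEthernet0/0
Internet  10.10.99.195           52   001c.58d3.dbe6  ARPA   FastEthernet0/0
Internet  10.10.99.150            1   0022.3fa9.e066  ARPA   FastEthernet0/0
"""

ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|Incomplete)\s+ARPA"
    r"(?:\s+(?P<intf>\S+))?\s*$", re.I)

def parse_arp(text):
    """Return one dict per ARP row; header and blank lines are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def audit(rows, hosts):
    """Summarise what the router's cache says about the hosts under test."""
    by_ip = {r["ip"]: r for r in rows}
    by_mac = defaultdict(list)
    for r in rows:
        if r["mac"].lower() != "incomplete":
            by_mac[r["mac"].lower()].append(r["ip"])
    return {
        # No row at all: the router holds no mapping for this host.
        "missing": [h for h in hosts if h not in by_ip],
        # ARP request sent, but no reply has been learned.
        "incomplete": [r["ip"] for r in rows if r["mac"].lower() == "incomplete"],
        # Age "-" marks the router's own interface addresses.
        "local": [r["ip"] for r in rows if r["age"] == "-"],
        # One MAC answering for several IPs; worth knowing which device that is.
        "shared_mac": {m: ips for m, ips in by_mac.items() if len(ips) > 1},
    }

if __name__ == "__main__":
    hosts = ["10.10.99.104", "10.10.99.150", "10.10.99.66", "10.10.99.163"]
    for key, value in audit(parse_arp(SAMPLE), hosts).items():
        print(key, value)
```

Run against the full table, the same audit would also list every address sharing a hardware address with 10.10.99.106.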

Hi Alain,

.163 was .130 in the list.  It's a test box another developer is using and he decided to change the IP.

I do not have the ability to ping from .104 (NAS device running Linux, no prompt, only web interface).

The only way I have to test the NAS devices is to logon to the web interface and have them try to pass an alert email to our mail server, or try to have them check for new updates to their firmware.

Thanks.

OK,

so do the testing with the .150, is it OK?

Can you get access to the ASA?

Because I focused on the router, but it is communication with the ASA that fails for the Linux boxes, no?

So we need to find what the difference is with another box.

So from .150 can you ping the ASA? If not, then is this box receiving ARP requests from the ASA?

Can you also post a diagram please, because your topology with one port only is a little bit weird for me to understand without a diagram.

Regards.

Alain

Don't forget to rate helpful posts.

If I set the gateway on each of the Linux devices to 10.10.99.106, they will pass traffic to the outside world just fine.

It seems to be limited to the 1721 (10.10.99.1) router.

I've attached a diagram of our local network.

The only box I can ping from is the .163 Ubuntu box, and it is not able to ping the ASA (.106) with the gateway set to 10.10.99.1.

Thanks.

OK, let me collect all the info we've got so far and I will post my findings tomorrow, as it's a bit late for me now.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks for all your help!!!!

--J

jscott

Hello Alain,

Did you happen to find anything out?

Thanks,

J

Hi Jay,

I'm sorry but I had a lot of work and I haven't had the time for now.

You have this problem only with Linux hosts, but with other hosts this is OK? And are these other hosts on a different subnet? And which OSes?

Regards.

Alain.

Don't forget to rate helpful posts.