11-27-2012 07:55 PM - edited 03-04-2019 06:15 PM
Hello,
I'm relatively new to the networking world, having been a server/systems admin for the past 12 years, and recently changing roles. So please bear with me if this is a newbie question.
I'm working on setting up a couple of new WAN sites with 256K frame relay circuits back to our main building. Each new site has a new PVC, and both are pointing back to a PVC on a T1 at the main building. The main site has a 2801 with a single CSU/DSU WIC, and each new site has a 1841 with a 3560 connected to fa0/1. At both sites, I'm able to get the circuit up, and the serial interfaces at both new sites show up/up, and the subinterfaces at the main site also show up/up for both sites. Routing is being done by EIGRP, and both sites are able to establish the 2801 as an EIGRP neighbor, and I'm able to ping/tracert anywhere on our network by name or IP, so routing and DNS appear to be working. I can also ping both new routers from the main site. However, that's about all I can do. I'm not able to access any resources on our network (email/shares/internet/intranet/etc) from the two new sites. I can ping the new routers/switches from the main site, but can't ssh to them. I can ssh to them locally. There are no firewalls in the equation, and I don't think there are any ACLs in the picture either. I can post configs tomorrow if that would be helpful.
Here is a list of the symptoms that I'm seeing based on testing I've done:
From remote sites:
I did some testing for communication over certain port numbers using telnet and nmap, and found the following:
I tried erasing the config on one of the new routers, and just added back the bare minimum config to get the circuits up (serial/ethernet interface configs, eigrp), but saw the same symptoms.
One other thing to note: the 2801 at the main site has three other frame relay sites connected to it on the same WIC as the new sites, all of which are working fine.
I just don't understand why I can ping everywhere I need to be able to ping, and port scans show that communication is open over needed ports, but the applications don't work. Any help would be appreciated.
Thanks,
Andy
11-29-2012 07:44 AM
I realized I wrote a book in my first post, so let me boil down my problem a little more concisely:
I just can't understand why everything seems to be working up to and including layer 3, and I can verify with a port scan that communication is open over a given port, but then nothing actually works.
If anyone has any suggestions, it would be greatly appreciated. I'm at my wits' end on this.
Here's the router config for one of the new satellite sites:
Little-Star-HS-1841#sh run
Building configuration...
Current configuration : 4370 bytes
!
! Last configuration change at 16:12:06 MST Wed Nov 28 2012
! NVRAM config last updated at 16:26:52 MST Wed Nov 28 2012
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Little-Star-HS-1841
!
boot-start-marker
boot system flash:c1841-ipbasek9-mz.124-12.bin
boot-end-marker
!
logging buffered 16384 notifications
enable secret 5 XXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
ip cef
!
!
!
!
no ip domain lookup
ip domain name admin.adams.county
ip ssh version 2
!
key chain Adams-County-keychain-short
 key 1
  key-string 7 XXXXXXXXXXXX
!
!
!
!
class-map match-any voice-control
 match access-group name Voice-control
class-map match-any Voice-bearer
!
!
policy-map 128K-CIR-QOS
 class Voice-bearer
!
!
!
interface FastEthernet0/0
 ip address 10.39.1.1 255.255.255.0
 ip helper-address 10.20.2.203
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description 256K Frame Relay to Honnen
 ip address 10.1.254.78 255.255.255.252
 ip hello-interval eigrp 7 5
 ip hold-time eigrp 7 15
 ip authentication mode eigrp 7 md5
 ip authentication key-chain eigrp 7 Adams-County-keychain-short
 encapsulation frame-relay
 no fair-queue
 service-module t1 timeslots 1-4
 cdp enable
 frame-relay traffic-shaping
 frame-relay interface-dlci 16
 frame-relay lmi-type ansi
!
router eigrp 7
 redistribute static
 passive-interface FastEthernet0/0
 network 10.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
!
map-class frame-relay 128K_Class
!
map-class frame-relay 256KCLASS
 frame-relay fragment 160
 frame-relay ip rtp priority 16384 16383 45
 frame-relay traffic-rate 256000 256000
 frame-relay adaptive-shaping becn
 frame-relay cir 256000
 frame-relay bc 2560
 frame-relay be 0
 frame-relay mincir 256000
 service-policy output 128K-CIR-QOS
!
map-class frame-relay 1500KCLASS
 frame-relay traffic-rate 1544000 1544000
 frame-relay adaptive-shaping becn
 frame-relay cir 15360000
 frame-relay bc 15360
 frame-relay be 0
 frame-relay mincir 1536000
 service-policy output 768K-CIR-QOS
!
map-class frame-relay 128KCLASS
 frame-relay fragment 160
 frame-relay ip rtp priority 16384 16383 45
 frame-relay traffic-rate 128000 128000
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 1280
 frame-relay be 0
 frame-relay mincir 128000
 service-policy output 128K-CIR-QOS
logging facility local5
logging 10.1.2.180
snmp-server community XXXXXXXXXXXX RO
snmp-server community XXXXXXXXXXXX RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps aaa_server
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host XXXXXXXXXXXX XXXXXXXXXXXX
tacacs-server host XXXXXXXXXXXX
tacacs-server host XXXXXXXXXXXX
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXXXXX
!
control-plane
!
banner motd ^CC
"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device.
All activities performed on this device may be logged,
and violations of this policy may result in disciplinary action,
and may be reported to law enforcement.
There is no right to privacy on this device." ^C
!
line con 0
 password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXX
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178118
ntp server XXXXXXXXXXXX
end
Andy
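A small offline check for dangling names in a config like the one posted above: a `service-policy`, `class` or `match access-group name` that points at something never defined, or a class-map or map-class that nothing applies. This is an added example, not part of the original post; the excerpt is constructed from lines in that config with indentation restored, `audit` is a hypothetical helper, and it assumes named objects and the indented form that `show running-config` normally prints.

```python
import re

# Constructed excerpt: stanzas copied from the posted config, indentation restored.
SAMPLE = """\
class-map match-any voice-control
 match access-group name Voice-control
class-map match-any Voice-bearer
policy-map 128K-CIR-QOS
 class Voice-bearer
interface Serial0/0/0
 frame-relay traffic-shaping
 frame-relay interface-dlci 16
map-class frame-relay 256KCLASS
 service-policy output 128K-CIR-QOS
map-class frame-relay 1500KCLASS
 service-policy output 768K-CIR-QOS
"""

# Stanza headers that define a named object: (regex, kind).
DEFINE = [
    (r"class-map (?:match-\w+ )?(\S+)", "class-map"),
    (r"policy-map (\S+)", "policy-map"),
    (r"map-class frame-relay (\S+)", "map-class"),
    (r"ip access-list \w+ (\S+)", "access-list"),
]
# Sub-commands that reference one: (regex, kind, stanza it must sit in, or None).
USE = [
    (r"match access-group name (\S+)", "access-list", "class-map"),
    (r"service-policy (?:input |output )?(\S+)", "policy-map", None),
    (r"class (\S+)", "class-map", "policy-map"),
    (r"(?:frame-relay )?class (\S+)", "map-class", "interface"),
]

def audit(config):
    """Return names referenced but never defined, and defined but never referenced."""
    defined, used, stanza = set(), set(), ""
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].strip():  # an unindented line starts a new stanza
            stanza = line.split()[0]
            for pattern, kind in DEFINE:
                m = re.match(pattern, line)
                if m:
                    defined.add((kind, m.group(1)))
            continue
        for pattern, kind, where in USE:
            m = re.match(pattern, line)
            if m and where in (None, stanza) and m.group(1) != "class-default":
                used.add((kind, m.group(1)))
    return {"undefined": sorted(used - defined), "unused": sorted(defined - used)}
```

On the excerpt, `audit(SAMPLE)` reports the ACL `Voice-control` and the policy-map `768K-CIR-QOS` as referenced but not defined, and the map-classes as defined but not attached to any interface or DLCI.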