New Frame Relay WAN Sites: Can't access network resources

Andy Koehler

Hello,

I'm relatively new to the networking world, having been a server/systems admin for the past 12 years, and recently changing roles.  So please bear with me if this is a newbie question. 

I'm working on setting up a couple of new WAN sites with 256K frame relay circuits back to our main building. Each new site has a new PVC, and both are pointing back to a PVC on a T1 at the main building. The main site has a 2801 with a single CSU/DSU WIC, and each new site has a 1841 with a 3560 connected to fa0/1. At both sites, I'm able to get the circuit up, and the serial interfaces at both new sites show up/up, and the subinterfaces at the main site also show up/up for both sites. Routing is being done by EIGRP, and both sites are able to establish the 2801 as an EIGRP neighbor, and I'm able to ping/tracert anywhere on our network by name or IP, so routing and DNS appear to be working. I can also ping both new routers from the main site. However, that's about all I can do. I'm not able to access any resources on our network (email/shares/internet/intranet/etc) from the two new sites. I can ping the new routers/switches from the main site, but can't ssh to them. I can ssh to them locally. There are no firewalls in the equation, and I don't think there are any ACLs in the picture either. I can post configs tomorrow if that would be helpful.

Here is a list of the symptoms that I'm seeing based on testing I've done:

From remote sites:

  • Can ping and tracert just fine anywhere on our network (from both the 1841, a PC plugged into the 3560, or a PC plugged directly into the fa0/1 port on the 1841), including out to the internet, by name or IP.
  • Can ssh to local router, but not to anything that isn't local
  • DNS is working
  • DHCP not working using ip helper pointing to DHCP scope on server at main site, have to use static IP
  • Can't rdp to anything
  • Can't get email
  • Can't browse Windows shares
  • Can't get to any websites, external or intranet. IE says "Website found, waiting for reply..." but eventually times out.

I did some testing for communication over certain port numbers using telnet and nmap, and found the following:

  • Can telnet to www.google.com and local intranet webserver on port 80 (http)
  • Can telnet to two of our Exchange Servers on port 25 (SMTP)
  • If I run an nmap scan on www.google.com, or our intranet webserver, it confirms that 80 and 443 are open, but the pages will not load. 
  • I am able to telnet (port 23) to a state mainframe via the internet that some of our employees use, and I do get the expected login screen. 

I tried erasing the config on one of the new routers, and just added back the bare minimum config to get the circuits up (serial/ethernet interface configs, eigrp), but saw the same symptoms.

One other thing to note: the 2801 at the main site has three other frame relay sites connected to it on the same WIC as the new sites, all of which are working fine. 

I just don't understand why I can ping everywhere I need to be able to ping, and port scans show that communication is open over needed ports, but the applications don't work. Any help would be appreciated.

Thanks,

Andy


Andy Koehler

I realized I wrote a book in my first post, so let me boil down my problem a little more concisely: 

  • Two new 256K frame relay sites pointing back to main site
  • Can ping/tracert from new sites to anywhere on network, both from router or PC
  • Can ping/tracert to router or PC at both new sites.
  • From remote sites, can't access any resources over the WAN, such as email, internet, intranet, Windows shares.
  • From main site, can't map to C drive or RDP into PCs at new sites, but can locally. 
  • Port scans show that I am able to communicate over the needed ports for a given resource. For example, if I port scan our intranet server from remote site PC, it shows that 80 and 443 are open, but the browser just times out. Same with RDP: From the main site, I can port scan a remote PC, and see that 3389 is open, but an RDP session acts like it wants to connect but then just disconnects.

I just can't understand why everything seems to be working up to and including layer 3, and I can verify with a port scan that communication is open over a given port, but then nothing actually works. 

If anyone has any suggestions, it would be greatly appreciated. I'm at my wits' end on this.

Here's the router config for one of the new satellite sites:

Little-Star-HS-1841#sh run
Building configuration...

Current configuration : 4370 bytes
!
! Last configuration change at 16:12:06 MST Wed Nov 28 2012
! NVRAM config last updated at 16:26:52 MST Wed Nov 28 2012
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Little-Star-HS-1841
!
boot-start-marker
boot system flash:c1841-ipbasek9-mz.124-12.bin
boot-end-marker
!
logging buffered 16384 notifications
enable secret 5 XXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
ip cef
!
!
!
!
no ip domain lookup
ip domain name admin.adams.county
ip ssh version 2
!
key chain Adams-County-keychain-short
 key 1
  key-string 7 XXXXXXXXXXXX
!
!
!
!
class-map match-any voice-control
 match access-group name Voice-control
class-map match-any Voice-bearer
!
!
policy-map 128K-CIR-QOS
 class Voice-bearer
!
!
!
interface FastEthernet0/0
 ip address 10.39.1.1 255.255.255.0
 ip helper-address 10.20.2.203
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description 256K Frame Relay to Honnen
 ip address 10.1.254.78 255.255.255.252
 ip hello-interval eigrp 7 5
 ip hold-time eigrp 7 15
 ip authentication mode eigrp 7 md5
 ip authentication key-chain eigrp 7 Adams-County-keychain-short
 encapsulation frame-relay
 no fair-queue
 service-module t1 timeslots 1-4
 cdp enable
 frame-relay traffic-shaping
 frame-relay interface-dlci 16
 frame-relay lmi-type ansi
!
router eigrp 7
 redistribute static
 passive-interface FastEthernet0/0
 network 10.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
!
map-class frame-relay 128K_Class
!
map-class frame-relay 256KCLASS
 frame-relay fragment 160
 frame-relay ip rtp priority 16384 16383 45
 frame-relay traffic-rate 256000 256000
 frame-relay adaptive-shaping becn
 frame-relay cir 256000
 frame-relay bc 2560
 frame-relay be 0
 frame-relay mincir 256000
 service-policy output 128K-CIR-QOS
!
map-class frame-relay 1500KCLASS
 frame-relay traffic-rate 1544000 1544000
 frame-relay adaptive-shaping becn
 frame-relay cir 15360000
 frame-relay bc 15360
 frame-relay be 0
 frame-relay mincir 1536000
 service-policy output 768K-CIR-QOS
!
map-class frame-relay 128KCLASS
 frame-relay fragment 160
 frame-relay ip rtp priority 16384 16383 45
 frame-relay traffic-rate 128000 128000
 frame-relay adaptive-shaping becn
 frame-relay cir 128000
 frame-relay bc 1280
 frame-relay be 0
 frame-relay mincir 128000
 service-policy output 128K-CIR-QOS
logging facility local5
logging 10.1.2.180
snmp-server community XXXXXXXXXXXX RO
snmp-server community XXXXXXXXXXXX RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps aaa_server
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host XXXXXXXXXXXX XXXXXXXXXXXX
tacacs-server host XXXXXXXXXXXX
tacacs-server host XXXXXXXXXXXX
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXXXXX
!
control-plane
!
banner motd ^CC
"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device.
All activities performed on this device may be logged,
and violations of this policy may result in disciplinary action,
and may be reported to law enforcement.
There is no right to privacy on this device." ^C
!
line con 0
 password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXX
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178118
ntp server XXXXXXXXXXXX
end

Andy
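
The gap both posts describe, a port that scans as open while the application never gets an answer, can be measured by probing past the TCP handshake. The Python below is an added example, not part of the original thread; the loopback listeners and the names `probe`, `start_listener` and `demo` are constructed for illustration.

```python
import socket
import threading

def probe(host, port, request, timeout=2.0):
    """Return 'closed', 'open-no-reply' or 'open-replied' for one TCP service."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"              # no handshake: what a port scan calls closed/filtered
    with sock:
        try:
            sock.sendall(request)    # the handshake worked; now test the payload path
            data = sock.recv(4096)   # first bytes of the application reply
        except OSError:              # timeout or reset while waiting
            return "open-no-reply"
    return "open-replied" if data else "open-no-reply"

_keep = []                           # keeps constructed sockets alive for the demo

def start_listener(reply):
    """Constructed loopback server. reply=None accepts, then stays silent."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            if reply is None:
                _keep.append(conn)   # hold the connection open, send nothing
            else:
                conn.recv(4096)
                conn.sendall(reply)
                conn.close()
    threading.Thread(target=serve, daemon=True).start()
    _keep.append(srv)
    return srv.getsockname()[1]

def demo(timeout=0.5):
    unused = socket.socket()         # bound but not listening: connects are refused
    unused.bind(("127.0.0.1", 0))
    _keep.append(unused)
    ports = {"answers": start_listener(b"HTTP/1.0 200 OK\r\n\r\nok"),
             "silent": start_listener(None),
             "refused": unused.getsockname()[1]}
    req = b"GET / HTTP/1.0\r\n\r\n"
    return {name: probe("127.0.0.1", p, req, timeout) for name, p in ports.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8} {verdict}")
```

A port scan or a bare telnet connect reports the "answers" and "silent" listeners identically as open; only the request/reply step separates them.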
