Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2915
Views
0
Helpful
5
Replies

Problem with ping to router LAN interface

Juan Pablo Hidalgo Villacres
Level 1
Level 1

‎02-08-2012 07:47 AM - edited ‎03-04-2019 03:11 PM

Hi everybody,

I have one problem doing a ping to a router lan interface,

I have 3 routers (2801) connected between each other (separated 1 mile each), the link is established trough microwave signals (connected to the 2801 fast ethernet interfaces), every router has a connection to a LAN. One of them is located at headquarters.

Last thursday I replace one of the router with a cisco 2901, i configure the router with the same configuration that was on the 2801, i power up the router and the 2 link were up without problems.

One day after the noc called me to tell me that after i replace the router they can't ping the router IP lan interface on the new 2901 (before the replacement the ping was sucessful). I called one user the lan connected to that 2901, and they can do a ping to the router's LAN IP address.

I can ping the 2901 IP wan interfaces, I can ping the LAN users ip address, but i cannot ping the router LAN IP address, from my desktop, and neither the 2 routers 2801 connected to the 2901.

I show the configuration on the 2901, I couldn't change it because i didn't have time to do that, but i'll change the configuration to use ipsec tunnels.

The configuration as you can see, has a crypto map, but the acl used by the crypto map, only permits the interfaces ip address, so i think that doesn't work, so the traffic doesn't get encrypted, but i don't know if that is the problem why i can't do a ping to the lan interface.

incrypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key 6 FgOYfLODWITGef`XfRghYLQaFgXShOEMf``SAAB address 10.10.10.2
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to10.10.10.2
set peer 10.10.10.2
set transform-set ESP-3DES-SHA1
match address 101
!
!
interface Tunnel1
ip address 10.0.0.9 255.255.255.252
ip mtu 1420
tunnel source GigabitEthernet0/1
tunnel destination 10.10.10.2
tunnel path-mtu-discovery
crypto map SDM_CMAP_2

interface GigabitEthernet0/0

ip address 172.16.20.200 255.255.255.192

description "Lan interface"

interface GigabitEthernet0/1
description HACIA GERENCIA GENERAL
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
crypto map SDM_CMAP_2
!

access-list 101 remark SDM_ACL Category=4

access-list 101 permit gre host 10.10.10.1 host 10.10.10.2

router eigrp 100

network 10.0.0.4 0.0.0.3

network 10.0.0.8 0.0.0.3

network 10.10.10.0 0.0.0.7

network 172.16.20.192 0.0.0.63

network 172.168.16.0 0.0.0.7

The 10.10.10.2 router has the same configuration.

any ideas?.. I know this configuration has some errors, but i didn't configure it, and for now i could not change it.

regards,

Juan Pablo

Labels:
0 Helpful
5 Replies 5

Dejan Puhar
Cisco Employee
Cisco Employee

‎02-08-2012 12:39 PM

Hi Juan,

did you try to ping from this router to any of the 2801 but specifying the local LAN interface as s source?

What about when you do a tracerout from 2801 to this LAN?

Maybe you have some ARP entry stuck on one of the devices with a wrong entry. I am not sure what you have in between

cheers

Dejan

0 Helpful

ahmad82pkn
Level 2
Level 2

‎02-08-2012 03:31 PM

Reboot the switch connecting to router LAN interface, clear arp-cache of system from which you are trying to Ping LAN interface, looks like ping on Layer 2 is still searching for MAC address of previous router LAN interface.

0 Helpful

ebarticel
Level 4
Level 4

‎02-08-2012 03:51 PM

What about network traffic between sites? Is going thru, or failing same as the pings?

Eugen

0 Helpful

Juan Pablo Hidalgo Villacres
Level 1
Level 1
In response to ebarticel

‎02-08-2012 04:04 PM

Thanks for your replies,

About your questions and suggestions,

i can't do ping from lan/wan interface on the other router.

The sites are forwarding traffice between them, I can do a ping to a desktop on the lan interface (example: 172.16.20.196).

The deskptops connected to the router lan interface (172.16.20.200) are able to do ping to that IP address, so rebooting the switch is not going to solve the problem, the problem is from the wan side.

Let's say that the router with the problem is R3, so R1 and R2 are the other routers, if i do the traceroute from one desktop connected on the R1 lan, its stays on R1, (display his IP address) but that's it. The routes on the routing table are correct.

Inclusive i debug icmp on R3, but i got nothing, so i think maybe the problem it is an arp entry or acl in the microwave equipment, that are bridges/routers.

if you have another advice, i'll be apreciated.

Regards,

0 Helpful

ebarticel
Level 4
Level 4
In response to Juan Pablo Hidalgo Villacres

‎02-08-2012 04:54 PM

Maybe configure an acl to replay to pings on R3, R1, and R2 just for testing puposes.

Example for R3:

access-list 101 permit icmp 172.16.20.0 0.0.0.255 any echo replay

and apply it to WAN interface out

Hope this helps

Eugen

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card