I have one problem doing a ping to a router lan interface,
I have 3 routers (2801) connected between each other (separated 1 mile each), the link is established trough microwave signals (connected to the 2801 fast ethernet interfaces), every router has a connection to a LAN. One of them is located at headquarters.
Last thursday I replace one of the router with a cisco 2901, i configure the router with the same configuration that was on the 2801, i power up the router and the 2 link were up without problems.
One day after the noc called me to tell me that after i replace the router they can't ping the router IP lan interface on the new 2901 (before the replacement the ping was sucessful). I called one user the lan connected to that 2901, and they can do a ping to the router's LAN IP address.
I can ping the 2901 IP wan interfaces, I can ping the LAN users ip address, but i cannot ping the router LAN IP address, from my desktop, and neither the 2 routers 2801 connected to the 2901.
I show the configuration on the 2901, I couldn't change it because i didn't have time to do that, but i'll change the configuration to use ipsec tunnels.
The configuration as you can see, has a crypto map, but the acl used by the crypto map, only permits the interfaces ip address, so i think that doesn't work, so the traffic doesn't get encrypted, but i don't know if that is the problem why i can't do a ping to the lan interface.
incrypto isakmp policy 1
crypto isakmp key 6 FgOYfLODWITGef`XfRghYLQaFgXShOEMf``SAAB address 10.10.10.2
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to10.10.10.2
set peer 10.10.10.2
set transform-set ESP-3DES-SHA1
match address 101
ip address 10.0.0.9 255.255.255.252
ip mtu 1420
tunnel source GigabitEthernet0/1
tunnel destination 10.10.10.2
crypto map SDM_CMAP_2
ip address 172.16.20.200 255.255.255.192
description "Lan interface"
description HACIA GERENCIA GENERAL
ip address 10.10.10.1 255.255.255.248
crypto map SDM_CMAP_2
access-list 101 remark SDM_ACL Category=4
access-list 101 permit gre host 10.10.10.1 host 10.10.10.2
router eigrp 100
network 10.0.0.4 0.0.0.3
network 10.0.0.8 0.0.0.3
network 10.10.10.0 0.0.0.7
network 172.16.20.192 0.0.0.63
network 18.104.22.168 0.0.0.7
The 10.10.10.2 router has the same configuration.
any ideas?.. I know this configuration has some errors, but i didn't configure it, and for now i could not change it.
did you try to ping from this router to any of the 2801 but specifying the local LAN interface as s source?
What about when you do a tracerout from 2801 to this LAN?
Maybe you have some ARP entry stuck on one of the devices with a wrong entry. I am not sure what you have in between
Reboot the switch connecting to router LAN interface, clear arp-cache of system from which you are trying to Ping LAN interface, looks like ping on Layer 2 is still searching for MAC address of previous router LAN interface.
Thanks for your replies,
About your questions and suggestions,
i can't do ping from lan/wan interface on the other router.
The sites are forwarding traffice between them, I can do a ping to a desktop on the lan interface (example: 172.16.20.196).
The deskptops connected to the router lan interface (172.16.20.200) are able to do ping to that IP address, so rebooting the switch is not going to solve the problem, the problem is from the wan side.
Let's say that the router with the problem is R3, so R1 and R2 are the other routers, if i do the traceroute from one desktop connected on the R1 lan, its stays on R1, (display his IP address) but that's it. The routes on the routing table are correct.
Inclusive i debug icmp on R3, but i got nothing, so i think maybe the problem it is an arp entry or acl in the microwave equipment, that are bridges/routers.
if you have another advice, i'll be apreciated.
Maybe configure an acl to replay to pings on R3, R1, and R2 just for testing puposes.
Example for R3:
access-list 101 permit icmp 172.16.20.0 0.0.0.255 any echo replay
and apply it to WAN interface out
Hope this helps