
Routing between data centers

cindy.palmer
Level 1

Hello,
Need some assistance.  Inherent network routing issues.  Trying to connect from a router in one data center to an on-prem SmartNet Software Manager server in another data center.  The routers are connected via L2VPLS (10.255.x.x), then the core is either 3750s or a 2960XR.  We are using OSPF.  Ping works, telnet to port does not.



#traceroute 10.10.254.34
Tracing the route to (10.10.254.34)
VRF info: (vrf in name/id, vrf out name/id)
1 10.248.150.6 1 msec * 1 msec
2 10.255.150.241 1 msec 0 msec 1 msec
3 10.255.10.244 [MPLS: Label 44 Exp 0] 82 msec 82 msec 82 msec
4 10.255.10.241 82 msec 82 msec 84 msec
5 ? ? ?

 

What's more perplexing is that this IP works


#traceroute 10.10.254.24
Tracing the route to USJC-NSMP-MGT04.fsg-gxp.local (10.10.254.24)
VRF info: (vrf in name/id, vrf out name/id)
1 10.248.150.6 1 msec * 1 msec
2 10.255.150.241 1 msec 1 msec 1 msec
3 10.255.10.244 [MPLS: Label 44 Exp 0] 82 msec 82 msec 82 msec
4 10.255.10.241 82 msec 83 msec 93 msec
5 (10.10.254.24) 82 msec 82 msec 82 msec



I'm pretty positive the issue is on the 3750 switch in the US.  I'd like to put a static route in to force the intended result but am unclear as to what and where.

  <sigh>



Accepted Solutions

mlund
Level 7

When you ssh to the router (10.150.254.16), that doesn't imply that the router will use that IP as source when you ping or telnet further. The router will use the IP of the interface that the router will use to reach the destination. That is why we suggest that you specify which interface to use as source. Example:

telnet 10.150.254.16 /source-interface gig0/1

or, if you want to test ssh, use

telnet 10.150.254.16 443 /source-interface gig0/1

Also, when doing ping or traceroute, specify the source. Sometimes only one of the IP address ranges on a router is allowed through a firewall; that's why it is important to test with the correct interface as source.
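Added example, not part of the post above and not Cisco code: a small Python model of the behaviour the answer describes, where a locally originated packet takes the address of the egress interface unless a source interface is forced. Only 10.150.254.16, 10.248.150.6 and 10.10.254.34 come from the thread; the interface names, masks, routes and the filter rules are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed model: only 10.150.254.16, 10.248.150.6 and 10.10.254.34 come
# from the thread; interface names, masks, routes and the filter are assumed.
INTERFACES = {
    "Gi0/0": ip.ip_interface("10.150.254.16/24"),  # address the admin SSHes to
    "Gi0/1": ip.ip_interface("10.248.150.5/30"),   # assumed uplink toward 10.248.150.6
}
ROUTES = [  # (prefix, egress interface)
    (ip.ip_network("10.150.254.0/24"), "Gi0/0"),
    (ip.ip_network("10.248.150.4/30"), "Gi0/1"),
    (ip.ip_network("0.0.0.0/0"), "Gi0/1"),
]
SSM = ip.ip_network("10.10.254.34/32")
# Hypothetical filter in the path: (source net, destination net, protocol, port or None)
PERMIT = [
    (ip.ip_network("10.0.0.0/8"), SSM, "icmp", None),
    (ip.ip_network("10.150.254.0/24"), SSM, "tcp", 443),
]


def egress_interface(dst):
    """Longest-prefix match of dst over ROUTES."""
    matches = [(net, name) for net, name in ROUTES if ip.ip_address(dst) in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_ip(dst, source_interface=None):
    """Source of a locally originated packet; source_interface models /source-interface."""
    return INTERFACES[source_interface or egress_interface(dst)].ip


def permitted(src, dst, proto, port=None):
    dst = ip.ip_address(dst)
    return any(src in s and dst in d and proto == pr and po in (None, port)
               for s, d, pr, po in PERMIT)


def probe(dst, proto, port=None, source_interface=None):
    """Return (source address used, whether the modelled filter passes it)."""
    src = source_ip(dst, source_interface)
    return str(src), permitted(src, dst, proto, port)


if __name__ == "__main__":
    print(probe("10.10.254.34", "icmp"))                                # ping, default source
    print(probe("10.10.254.34", "tcp", 443))                            # port test, default source
    print(probe("10.10.254.34", "tcp", 443, source_interface="Gi0/0"))  # forced source
```

In this model the ping and the port test leave from the uplink address rather than the address of the SSH session, so the ping passes while tcp/443 is dropped until the source interface is forced.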

12 Replies

balaji.bandi
Hall of Fame

Ping works, which means that routing looks OK to me at a high level.

"telnet to port does not" - this is more related to the device you are connecting to. What device is this? Can you post the configuration of that device? Or check any ACL or VTY line config. (Does this telnet work locally?)

What are these IP addresses you are tracerouting to, 10.10.254.34 and 10.10.254.24?

What is the source IP you are trying to traceroute from, and where does it reside? From what device are you trying to connect with Telnet? (Have you tried SSH?)

BB


Thank you for the reply. I am attempting to connect from a Cisco ISR4451 router to a virtual server, which is the On-site Smart Software Manager (SSM). The https connection from the other two routers in different data centers.
I attempted the trace from the router (10.10.254.16 in Germany) to both 10.10.254.34 (On-site SSM) and an alternate server. Both in the US data center.

No, I had not tried SSH since I need to be able to communicate via https for the licensing.

So you are sure SSM is working for other devices, and only this device is having the issue?

Try using telnet SSMIP port 443 to see if that works.

If you have any PC in the LAN with an IP in the same subnet, you can use pstool - psping ip and port - to see whether you can reach it.

I am thinking something in between is blocking port 443?

 

BB


SiteA(x.x.x.1)-l2vpn-SiteB(x.x.x.2)

Telnet x.x.x.1 source x.x.x.2

This will surely work.

So I misspoke; the router in Germany is 10.150.254.16.
Telnet from 10.150.256.16 to SSM (10.10.254.34) does not work.

You need to add source to the telnet command.

 

I am ssh'd into the source (10.150.254.16) when I do the telnets to the US server.

mlund
Level 7

When you ping, what source did you use? If you did not specify the source, the router will pick the IP that is used for reaching the destination. The same is true for telnet by default. However, for telnet this can be changed with

telnet source <interface>.

To be sure, use the method provided by @MHM Cisco World for telnet and use the same source address for ping. If both ping and telnet use the same source, then we can investigate further whether it is a routing problem or an ACL or firewall rule.

Hello,

When I execute either the pings or the telnets, I am ssh'd into the source (Germany router/ 10.150.254.16) that I need to connect from.

Hello
First of all, is HTTPS enabled on the end host?
Is there a FW in between that could be denying tcp 443 from that Germany subnet?

On the US L3 device that this server is attached to, can you connect via port 443?

Telnet x.x.x.x 443 /source xxxx

 



Kind Regards
Paul

I've already worked with Cisco TAC. Nothing from the pings or telnets is hitting ANY interface on the firewalls. This appears to be traversing the L2VPLS connection.
On the L3 switch your command does not work.

Telnet 10.10.254.34 443 /source ? Not sure what xxxx is. There is no /source parameter, only /source-interface.
