
Routing one way, but not the other?

Kgrevemberg

**************************************************************************

Update to problem on Page 2

********************************************************************

 

Hey guys, hoping I can get some help with a little issue I'm having.

 

So recently we deployed a switch to "Zone B" to extend a slice of our network to that zone for certain services.

(Attached diagram: Drawing1.png)

 

 

From Router B, we can ping and traceroute to the switch no problem.

From Router A, pings and trace stops at Router B.

Router A shows that it knows to go to Rtr B to get to the switch.

If I place a static route in RTR A I get the same results.

I also have no control over Zone B Cloud, they are tracking the issue and also looking into possible problems.

 

Any ideas about this?

On a basic level, I can't seem to figure out why a traceroute would stop at a router that can successfully traceroute to the switch.

 

Any ideas are greatly appreciated


SWEET MERCY THAT WORKED!

 

I can now ping and trace from RTR A.

So new problem now. We have the large distribution switch before Rtr A. My workstation and network analyzing suite is all connected to that. I can't ping or trace to the Zone B switch from the Distribution switch before Rtr A?

 

Would this just be another addition to the same problem?

 

thanks for your help.

 

************************************************Update to Problem******************

I believe you used the NAT to resolve the issue. However, I assumed you need the NAT for testing purposes. That is why I provided you with "access-list 100 permit ip x.x.254.0 0.0.0.3 any". You can add your IP addresses to the access-list, and you will be able to ping or trace from the distribution switch.
E.g.
access-list 100 permit ip x.x.254.0 0.0.0.3 any
access-list 100 permit ip THE_DISTRIBUTION_SWITCH_SUBNET any ! Enter the correct subnet instead of THE_DISTRIBUTION_SWITCH_SUBNET


The other alternative solution will be to check whether you have the correct route on Router B, and also add default-gateway on the remote Switch.

HTH,
Meheretab

Thanks for your advice!

 

I will continue forth.

 

Big Help.

You are very welcome : )

 

Do not forget to rate helpful answers and mark it as solved once the problem is resolved!

HTH,
Meheretab

Glad to see that the NAT helped prove that the switch had no default-gateway set. This should not be used as a solution as it only helps identify and prove the problem, as you can see you have the same issue with another switch.

 

Now that we know there's no default-gateway set we can continue to adjust the switch configuration.

 

It's important that all your layer2 switches point to a default-gateway allowing you to manage them remotely.

Use the command on layer2 switches,
"ip default-gateway x.x.x.x"

Hope this helps you out, great work everyone.
- Piero
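
Added example, not part of any poster's reply: a small Python model of the return path discussed in this thread, showing why a layer 2 switch with no default gateway answers Router B but not Router A, why NAT on Router B masks that, and why the workstation still fails until the gateway is set. All addresses are constructed from documentation ranges, and the assumption that Router B translates matching sources to its own address on the switch subnet is mine.

```python
import ipaddress

def reply_path(switch_if, default_gw, seen_src):
    """How a layer 2 switch's management stack answers seen_src, or None."""
    iface = ipaddress.ip_interface(switch_if)
    if ipaddress.ip_address(seen_src) in iface.network:
        return "on-link"                 # same subnet: ARP directly, no gateway needed
    if default_gw:
        return "via " + default_gw       # ip default-gateway covers off-subnet sources
    return None                          # no way back: the echo reply is never sent

def source_seen_by_switch(src, nat_acl, nat_addr):
    """Router B rewrites sources matching nat_acl to nat_addr (assumed: its own address)."""
    ip = ipaddress.ip_address(src)
    if any(ip in ipaddress.ip_network(n) for n in nat_acl):
        return nat_addr
    return src

def ping_works(src, switch_if, default_gw=None, nat_acl=(), nat_addr=None):
    seen = source_seen_by_switch(src, nat_acl, nat_addr)
    return reply_path(switch_if, default_gw, seen) is not None

# Constructed addresses (documentation ranges), not taken from the thread.
SWITCH = "198.51.100.10/24"      # Zone B switch management interface
RTR_B = "198.51.100.1"           # Router B, same subnet as the switch
RTR_A = "192.0.2.1"              # Router A side of the A-B link
WORKSTATION = "203.0.113.50"     # host behind the distribution switch
NAT_ACL = ["192.0.2.0/30"]       # plays the role of the first access-list 100 line

def scenarios():
    return {
        "rtr_b_direct": ping_works(RTR_B, SWITCH),
        "rtr_a_no_nat": ping_works(RTR_A, SWITCH),
        "rtr_a_nat": ping_works(RTR_A, SWITCH, nat_acl=NAT_ACL, nat_addr=RTR_B),
        "workstation_acl_too_narrow": ping_works(
            WORKSTATION, SWITCH, nat_acl=NAT_ACL, nat_addr=RTR_B),
        "workstation_default_gw": ping_works(WORKSTATION, SWITCH, default_gw=RTR_B),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} {'reply returns' if ok else 'no reply'}")
```
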

Hi

I understand that you can't share your routers configs.
If I recap, you can reach switch from router B using outside interface and inside interface (the one facing router A), but nothing works from router A. Am I correct?

Do you manage router B?

You also talked about sub-interfaces. Where are these sub interfaces? On router A or B?

You said no acls. Does this mean no acl on router A and router B ?

Does router B have vrfs?
Does it have done firewall rules (ZBF)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Do you manage router B? We manage it but it was shipped to a location that told us how to configure it to pass through their cloud. Which turned out to be, make a trunk port and an interface vlan.

You also talked about sub-interfaces. Where are these sub interfaces? On router A or B? There are sub interfaces on both routers but the gateway for the switch is on router B

You said no acls. Does this mean no acl on router A and router B ? Both routers technically have ACLs but none that relate to this that would hinder traffic.

Does router B have vrfs? None
Does it have done firewall rules (ZBF)? None that are zone base. Also, all FW's in play have been tested with any/any permit rules turned on for testing.

 

Thanks for your reply

Are you able to do a debug ip packet filtered with an acl that'll catch icmp traffic between rtr A and switch on router B and then try ping from rtr A to switch?
Please share this output if you can.

 

Also dumb question. Is there any nat on router B?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your response.

 

I did debugging on rtr A and saw packets successfully being sent to Rtr B.

Via access list tracking.

 

Also, I am not logged into the switch via another commenter's suggestion on adding NAT.

 

Thanks for your help though

With NAT on interface of rtr B facing cloud, it works?

The switch is layer 3 or layer2? If layer 3, you'll need to add a route pointing to rtr B to reach rtr A subnets.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question