03-12-2020 05:32 AM - edited 03-12-2020 05:42 AM
Hi,
I appear to have a routing loop, and I've tried looking at the IP routes, as well as OSPF config, and nothing works. Some things make things... worse.
I can't traceroute from one address to another. 10.13.0.0/24 lives in our internal infrastructure, and 10.14.0.0/24 lives in Azure, in our infrastructure too. Ultimately, I need these two subnets to talk to each other. We have a firewall in between too. All traffic should go through 10.22.1.254 but it doesn't.
When trying to traceroute to the 14.0 network from the core switch (10.22.0.3), I get this:
cor-01#traceroute 10.22.14.6
Type escape sequence to abort.
Tracing the route to 10.22.14.6
  1 * * *
  2 10.22.1.253 0 msec 0 msec 0 msec
  3 * * *
  4 10.22.1.253 0 msec 9 msec 0 msec
  5 * * *
  6 10.22.1.253 0 msec 0 msec 9 msec
  7 * * *
  8 10.22.1.253 0 msec 0 msec 0 msec
This host exists in Azure, and I can connect to it via ScreenConnect, so I know it's there and alive too (It obviously won't respond to pings)
When trying to traceroute from our distribution switch, I get this:
dst-01#traceroute 10.22.14.6
Type escape sequence to abort.
Tracing the route to 10.22.14.6
  1 10.22.1.1 0 msec 9 msec 0 msec
  2 * * *
  3 * * *
I will post the config of my core switch, and distribution switch in the posts below to make it a bit easier
03-12-2020 05:33 AM
Core switch:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cor-01
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
logging console warnings
enable secret <secret>
!
username <user> secret 5 <secret>
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
switch 1 provision ws-c3750g-24ts-1u
switch 2 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name domain.net
!
no errdisable detect cause gbic-invalid
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery cause small-frame
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
interface Loopback0
 description LOOP:: Loopback0
 ip address 10.22.1.65 255.255.255.255
!
interface Loopback1
 description LOOP:: Loopback1
 ip address 10.22.1.67 255.255.255.255
!
interface Port-channel1
 description AGG:: dst-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Port-channel2
 description AGG:: fwl-01 (Company_A)
 switchport access vlan 810
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface Port-channel3
 description AGG:: fwl-01 (ISP_A)
 switchport access vlan 812
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface Port-channel4
 description AGG:: fwl-02 (Company_B)
 switchport access vlan 811
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface Port-channel5
 description AGG:: fwl-02 (ISP_B)
 switchport access vlan 813
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/1
 description DOWNLINK:: dst-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description LINK:: fwl-01 (Company_A)
 switchport access vlan 810
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description LINK:: e0.fwl-01 (Company_A)
 switchport access vlan 812
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description LINK:: e1.fwl-02 (Company_B)
 switchport access vlan 811
 switchport mode access
 channel-group 4 mode active
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description LINK:: e2.02 (Company_B)
 switchport access vlan 813
 switchport mode access
 channel-group 5 mode active
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description LINK:: ge0-1.ISP Router
 switchport access vlan 812
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 no cdp enable
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description WAN - Used for testing connectivity
 switchport access vlan 812
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet2/0/1
 description DOWNLINK:: g2-0-1.dst-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
 description LINK:: e3.fwl-01 (Company_A NEW)
 switchport access vlan 810
 switchport mode access
 channel-group 2 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/3
 description LINK:: e4.fwl-01 (Company_A NEW)
 switchport access vlan 812
 switchport mode access
 channel-group 3 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/4
 description LINK:: e3.fwl-02 (Company_B)
 switchport access vlan 811
 switchport mode access
 channel-group 4 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/5
 description LINK:: e4.fwl-02 (Company_B)
 switchport access vlan 813
 switchport mode access
 channel-group 5 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/6
 description LINK:: ge-0.ISPB Router
 switchport access vlan 813
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 no cdp enable
 spanning-tree portfast
!
interface Vlan800
 description SVI:: IDC - Network Management
 ip address 10.22.0.3 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 ip policy route-map inter
 no ip mroute-cache
!
interface Vlan801
 description SVI:: IDC - OSPF Routing
 ip address 10.22.1.1 255.255.255.192
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 ip policy route-map inter
 no ip mroute-cache
 ip ospf message-digest-key 1 md5 <key>
!
interface Vlan803
 description SVI:: IDC - Voice (Company_B)
 ip address 10.22.3.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 ip policy route-map inter
 no ip mroute-cache
!
interface Vlan810
 description SVI:: IDC - FW01 Linknet
 ip address 10.22.1.253 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan811
 description SVI:: IDC - FW02 Linknet
 ip address 10.22.1.249 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
router ospf 1
 router-id 10.22.1.65
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute connected
 redistribute static metric-type 1 subnets
 passive-interface default
 no passive-interface Vlan801
 network 10.22.1.0 0.0.0.63 area 0
 network 10.22.1.65 0.0.0.0 area 0
 network 10.22.1.248 0.0.0.3 area 0
 network 10.22.3.0 0.0.0.255 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback1
ip route 10.22.8.0 255.255.255.0 10.22.1.250
ip route 10.22.14.0 255.255.255.0 10.22.1.254
ip route 10.22.15.0 255.255.255.0 10.22.1.254
ip route 192.168.103.0 255.255.255.0 10.22.1.250
ip route 192.168.104.0 255.255.255.0 10.22.1.254
ip route 212.50.160.56 255.255.255.255 10.22.1.3
no ip http server
no ip http secure-server
!
!
ip access-list extended Company_B_inter
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 10.22.0.0 0.0.0.255 any
 permit ip 10.22.3.0 0.0.0.255 any
 permit ip 10.22.13.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.63 any
ip access-list extended Company_A_inter
 permit ip 172.22.0.0 0.0.255.255 any
 permit ip 128.2.0.0 0.0.255.255 any
 permit ip 10.46.111.0 0.0.0.255 any
 permit ip 172.23.0.0 0.0.0.63 any
 permit ip 172.23.2.0 0.0.1.255 any
!
access-list 99 permit 10.22.0.1
route-map inter permit 5
 match ip address Company_A_inter
 set ip next-hop 10.22.1.254
!
route-map inter permit 10
 match ip address Company_B_inter
 set ip next-hop 10.22.1.250
!
!
snmp-server community xxxxxx RO 99
snmp-server trap-source Vlan800
snmp-server source-interface informs Vlan800
snmp-server location IDC
snmp-server contact IT
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1-9
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps license
snmp-server enable traps bgp
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
!
banner login ^C
!! WARNING: You have accessed a Computer System operated by Company_Group !!
You are required to have a personal authorisation from the System Administrator before you use this system and you are strictly limited to the use set out in that written authorisation. Unauthorised access of a computer constitutes an offence under the Computer Misuse Act 1990.
- If you understand this message and have been authorised to use this system please enter your username and password below to continue this session.
- Otherwise, you must disconnect from this session IMMEDIATELY.
^C
banner motd ^C
*********************************************************************************************
* *
* !! WARNING: You have accessed a Computer System operated by Company_Group !! *
* You are required to have a personal authorisation from the System *
* Administrator before you use this system and you are strictly limited *
* to the use set out in that written authorisation. Unauthorised access *
* of a computer constitutes an offence under the Computer Misuse Act 1990. *
* *
* If you understand this message and have been authorised to use this *
* system please enter your username and password below to continue this *
* session. *
* *
* Otherwise, you must disconnect from this session IMMEDIATELY. *
* *
*********************************************************************************************
^C
!
line con 0
 logging synchronous
 login local
 transport preferred none
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 transport preferred none
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 transport preferred none
 transport input ssh
!
ntp clock-period 36028835
ntp source Vlan800
ntp server 10.22.0.1 source Vlan800
end
cor-01#
03-12-2020 05:34 AM - edited 03-12-2020 05:36 AM
Distribution switch:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dst-01
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
logging console warnings
enable secret <secret>
!
username engineer secret 5 <secret>
!
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
switch 1 provision ws-c3750g-24ts-1u
switch 2 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name domain.net
!
!
!
!
!
!
!
!
no errdisable detect cause gbic-invalid
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery cause small-frame
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
interface Loopback0
 description LOOP:: Loopback0
 ip address 10.22.1.66 255.255.255.255
!
interface Port-channel1
 description AGG:: cor-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet1/0/1
 description UPLINK:: g1-0-1.cor-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk
interface GigabitEthernet2/0/1
 description UPLINK:: g2-0-1.cor-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk
interface Vlan796
 description SVI:: IDC - Company_C Network
 ip address 10.46.111.1 255.255.255.0
 ip access-group Company_A_acl in
 ip helper-address 172.22.100.14
 ip helper-address 172.22.100.15
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan797
 description SVI:: Company_A Converged Network
 ip address 128.2.100.1 255.255.0.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan798
 description SVI:: Company_A Legacy Network
 ip address 172.22.100.1 255.255.0.0
 ip access-group Company_A_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan799
 description SVI:: Company_B Legacy Network
 ip address 192.168.0.254 255.255.255.0
 ip access-group Company_B_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan800
 description SVI:: IDC - Network Management
 ip address 10.22.0.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan801
 description SVI:: IDC - OSPF Routing
 ip address 10.22.1.2 255.255.255.192
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 ip ospf message-digest-key 1 md5 <key>
!
interface Vlan802
 description SVI:: IDC - Voice (Company_Group)
 ip address 172.23.3.254 255.255.254.0
 ip access-group Company_A_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan814
 description SVI:: IDC - Company_D Data
 ip address 10.22.12.254 255.255.255.0
 ip access-group xxx_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan815
 description SVI:: IDC - Shared Services
 ip address 10.22.13.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan817
 description SVI:: IDC - Security
 ip address 10.22.1.189 255.255.255.192
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan819
 description SVI:: Company_B Printers
 ip address 192.168.1.62 255.255.255.192
 ip access-group Company_B_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan820
 description SVI:: Company_A Printers
 ip address 172.23.0.62 255.255.255.192
 ip access-group Company_A_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
router ospf 1
 router-id 10.22.1.66
 log-adjacency-changes
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Vlan801
 network 10.22.0.0 0.0.0.255 area 0
 network 10.22.1.0 0.0.0.63 area 0
 network 10.22.1.66 0.0.0.0 area 0
 network 10.22.1.128 0.0.0.63 area 0
 network 10.22.12.0 0.0.0.255 area 0
 network 10.22.13.0 0.0.0.255 area 0
 network 10.46.111.0 0.0.0.255 area 0
 network 128.2.0.0 0.0.255.255 area 0
 network 172.22.0.0 0.0.255.255 area 0
 network 172.23.0.0 0.0.0.63 area 0
 network 172.23.2.0 0.0.1.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.63 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
ip access-list extended Company_B_acl
 deny ip 192.168.0.0 0.0.0.255 128.2.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.0.255 172.22.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.0.255 10.22.12.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 10.46.111.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.63 128.2.0.0 0.0.255.255
 deny ip 192.168.1.0 0.0.0.63 172.22.0.0 0.0.255.255
 deny ip 192.168.1.0 0.0.0.63 172.23.0.0 0.0.0.63
 deny ip 192.168.1.0 0.0.0.63 10.22.12.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.63 10.46.111.0 0.0.0.255
 permit ip any any
ip access-list extended xxx_acl
 deny ip 10.22.12.0 0.0.0.255 128.2.0.0 0.0.255.255
 deny ip 10.22.12.0 0.0.0.255 172.22.0.0 0.0.255.255
 deny ip 10.22.12.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 10.22.12.0 0.0.0.255 10.46.111.0 0.0.0.255
 deny ip 10.22.12.0 0.0.0.255 172.23.0.0 0.0.0.63
 deny ip 10.22.12.0 0.0.0.255 192.168.1.0 0.0.0.63
 permit ip any any
ip access-list extended Company_A_acl
 deny ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny ip 172.22.0.0 0.0.255.255 10.22.12.0 0.0.0.255
 deny ip 10.46.111.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 10.46.111.0 0.0.0.255 10.22.12.0 0.0.0.255
 deny ip 172.22.0.0 0.0.0.255 192.168.1.0 0.0.0.63
 deny ip 172.23.0.0 0.0.0.63 192.168.0.0 0.0.0.255
 deny ip 172.23.0.0 0.0.0.63 192.168.1.0 0.0.0.63
 deny ip 172.23.0.0 0.0.0.63 10.22.12.0 0.0.0.255
 deny ip 10.46.111.0 0.0.0.255 192.168.1.0 0.0.0.63
 permit ip any any
!
access-list 99 permit 10.22.0.1
!
snmp-server community xxxxx RO 99
snmp-server trap-source Vlan800
snmp-server source-interface informs Vlan800
snmp-server location IDC
snmp-server contact IT
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1-9
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps license
snmp-server enable traps bgp
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
!
banner login ^C
!! WARNING: You have accessed a Computer System operated by Company_Group !!
You are required to have a personal authorisation from the System Administrator before you use this system and you are strictly limited to the use set out in that written authorisation. Unauthorised access of a computer constitutes an offence under the Computer Misuse Act 1990.
- If you understand this message and have been authorised to use this system please enter your username and password below to continue this session.
- Otherwise, you must disconnect from this session IMMEDIATELY.
^C
banner motd ^C
********************************************************************************************
* *
* !! WARNING: You have accessed a Computer System operated by Company_Group !! *
* You are required to have a personal authorisation from the System *
* Administrator before you use this system and you are strictly limited *
* to the use set out in that written authorisation. Unauthorised access *
* of a computer constitutes an offence under the Computer Misuse Act 1990. *
* *
* If you understand this message and have been authorised to use this *
* system please enter your username and password below to continue this *
* session. *
* *
* Otherwise, you must disconnect from this session IMMEDIATELY. *
* *
********************************************************************************************
^C
!
line con 0
 logging synchronous
 login local
 transport preferred none
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 transport preferred none
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 transport preferred none
 transport input ssh
!
ntp clock-period 36029452
ntp source Vlan800
ntp server 10.22.0.1 source Vlan800
end
dst-01#
03-12-2020 06:20 AM
Do you have a high-level network diagram showing how these devices are connected?
03-12-2020 07:59 AM
03-12-2020 06:54 AM
Hi,
If you can connect to it from the inside network, but ping/traceroute does not work to it, it means that something in the path prohibits these flows (like the firewall you mentioned).
Regards,
Cristian Matei.
03-12-2020 07:59 AM
Hi,
But we can't connect to inside our network? I'm using ScreenConnect to connect to it externally. I'm not sure why the hop would go to 10.22.1.253, time out, and then go... back to itself? That interface is one on the L3 switch.
03-12-2020 08:55 AM
When tracing a route to 10.22.14.6 on the firewall, it says
traceroute to 10.22.14.6 (10.22.14.6), 30 hops max, 48 byte packets
 1 10.22.1.253 1 ms 2 ms 2 ms
 2 * * *
 3
But say to 8.8.8.8 it says this:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 48 byte packets
 1 aa.aaa.aaa.aa 1 ms 0 ms 0 ms
 2 bbb.bbb.bbb.bbb 9 ms 9 ms 7 ms
 3 cc.cc.ccc.ccc 7 ms 7 ms 7 ms
 4 dd.dd.ddd.dd 13 ms 12 ms 13 ms
 5 * * *
 6 8.8.8.8 13 ms 13 ms 12 ms
I guess that means the firewall (10.22.1.254) has a route to 10.22.1.253, and the issue, therefore, lies there?
03-12-2020 08:16 AM - edited 03-12-2020 08:43 AM
It looks like the 10.22.13.0 network can ping to the 10.22.1.0 network internally too. Could it mean that the firewall has a route to 10.22.1.0/24 (or 10.22.1.253's IP to be specific), and then vice versa?
dst-01#ping
Protocol [ip]:
Target IP address: 10.22.1.254
Repeat count [5]: ]
% A decimal number between 1 and 2147483647.
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Vlan815
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.22.13.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
gb-bfd-idc-dst-01#

gb-bfd-idc-dst-01#ping
Protocol [ip]:
Target IP address: 10.22.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.22.13.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.22.13.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
gb-bfd-idc-dst-01#
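Added example, not part of the original thread: a small Python evaluator for the forwarding-relevant lines of the cor-01 configuration posted earlier, showing which next hop the switch selects for a packet to 10.22.14.6 depending on its source and ingress SVI. It models only `ip policy route-map` on the ingress interface and longest-prefix static routes; the function names and the host 10.22.13.10 are constructed for illustration.

```python
import ipaddress

# Forwarding-relevant excerpt of the cor-01 configuration posted in this thread.
COR01 = """\
interface Vlan800
 ip policy route-map inter
interface Vlan801
 ip policy route-map inter
interface Vlan803
 ip policy route-map inter
interface Vlan810
ip route 0.0.0.0 0.0.0.0 Loopback1
ip route 10.22.8.0 255.255.255.0 10.22.1.250
ip route 10.22.14.0 255.255.255.0 10.22.1.254
ip route 10.22.15.0 255.255.255.0 10.22.1.254
ip access-list extended Company_B_inter
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 10.22.0.0 0.0.0.255 any
 permit ip 10.22.3.0 0.0.0.255 any
 permit ip 10.22.13.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.63 any
ip access-list extended Company_A_inter
 permit ip 172.22.0.0 0.0.255.255 any
 permit ip 128.2.0.0 0.0.255.255 any
 permit ip 10.46.111.0 0.0.0.255 any
 permit ip 172.23.0.0 0.0.0.63 any
 permit ip 172.23.2.0 0.0.1.255 any
route-map inter permit 5
 match ip address Company_A_inter
 set ip next-hop 10.22.1.254
route-map inter permit 10
 match ip address Company_B_inter
 set ip next-hop 10.22.1.250
"""


def parse(config):
    """Return (policy, acls, route_maps, statics) from an IOS config excerpt."""
    policy, acls, route_maps, statics = {}, {}, {}, []
    iface = acl = entry = None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            iface = w[1]
        elif w[:3] == ["ip", "access-list", "extended"]:
            acl = acls.setdefault(w[3], [])
        elif w[0] == "route-map":                  # route-map NAME permit SEQ
            entry = {"seq": int(w[3]), "acl": None, "next_hop": None}
            route_maps.setdefault(w[1], []).append(entry)
        elif w[:2] == ["ip", "route"]:             # ip route NET MASK NEXT-HOP
            statics.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif w[:3] == ["ip", "policy", "route-map"]:
            policy[iface] = w[3]
        elif w[:2] == ["permit", "ip"] and w[4] == "any":
            # Source-only match; ipaddress accepts the wildcard as a hostmask.
            acl.append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
        elif w[:3] == ["match", "ip", "address"]:
            entry["acl"] = w[3]
        elif w[:3] == ["set", "ip", "next-hop"]:
            entry["next_hop"] = w[3]
    return policy, acls, route_maps, statics


def next_hop(parsed, ingress, src, dst):
    """Forwarding decision for one packet; ingress=None means switch-originated."""
    policy, acls, route_maps, statics = parsed
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # "ip policy" applies only to packets received on that interface, so the
    # switch's own ping/traceroute (ingress=None) skips the route-map.
    entries = route_maps.get(policy.get(ingress), [])
    for e in sorted(entries, key=lambda e: e["seq"]):
        if any(src in net for net in acls.get(e["acl"], [])):
            return ("pbr", e["seq"], e["next_hop"])
    matches = [(net, nh) for net, nh in statics if dst in net]
    if matches:
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return ("static", str(net), nh)
    return ("no-route", None, None)


if __name__ == "__main__":
    cfg = parse(COR01)
    for ingress, src in [(None, "10.22.0.3"), ("Vlan801", "10.22.1.2"),
                         ("Vlan801", "10.22.13.10"), ("Vlan801", "172.22.5.5")]:
        print(ingress, src, "->", next_hop(cfg, ingress, src, "10.22.14.6"))
```

With the posted configuration, a packet from 10.22.13.0/24 arriving on Vlan801 matches Company_B_inter and is policy-routed to 10.22.1.250, while the switch's own traceroute follows the static route to 10.22.1.254.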