Traceroute keeps repeating (Routing loop)

SolidProfession
Level 1

Hi,

 

I appear to have a routing loop, and I've tried looking at the IP routes, as well as OSPF config, and nothing works. Some things make things...worse.

 

I can't traceroute from one address to another. 10.13.0.0/24 lives in our internal infrastructure, and 10.14.0.0/24 lives in Azure, in our infrastructure too. Ultimately, I need these two subnets to talk to each other. We have a firewall in between too. All traffic should go through 10.22.1.254 but it doesn't.

 

When trying to traceroute to the 14.0 network from the core switch (10.22.0.3), I get this:

 

cor-01#traceroute 10.22.14.6

Type escape sequence to abort.
Tracing the route to 10.22.14.6

1 * * *
2 10.22.1.253 0 msec 0 msec 0 msec
3 * * *
4 10.22.1.253 0 msec 9 msec 0 msec
5 * * *
6 10.22.1.253 0 msec 0 msec 9 msec
7 * * *
8 10.22.1.253 0 msec 0 msec 0 msec

 

This host exists in Azure, and I can connect to it via ScreenConnect, so I know it's there and alive too (It obviously won't respond to pings)


When trying to traceroute from our distribution switch, I get this:

dst-01#traceroute 10.22.14.6

Type escape sequence to abort.
Tracing the route to 10.22.14.6

1 10.22.1.1 0 msec 9 msec 0 msec
2 * * *
3 * * *

I will post the config of my core switch, and distribution switch in the posts below to make it a bit easier

 

 




SolidProfession
Level 1

Core switch:

 

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cor-01
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
logging console warnings
enable secret <secret>
!
username <user> secret 5 <secret>
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
switch 1 provision ws-c3750g-24ts-1u
switch 2 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name domain.net
!
no errdisable detect cause gbic-invalid
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery cause small-frame
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
interface Loopback0
 description LOOP:: Loopback0
 ip address 10.22.1.65 255.255.255.255
!
interface Loopback1
 description LOOP:: Loopback1
 ip address 10.22.1.67 255.255.255.255
!
interface Port-channel1
 description AGG:: dst-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Port-channel2
 description AGG:: fwl-01 (Company_A)
 switchport access vlan 810
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface Port-channel3
 description AGG:: fwl-01 (ISP_A)
 switchport access vlan 812
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface Port-channel4
 description AGG:: fwl-02 (Company_B)
 switchport access vlan 811
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface Port-channel5
 description AGG:: fwl-02 (ISP_B)
 switchport access vlan 813
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/1
 description DOWNLINK:: dst-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description LINK:: fwl-01 (Company_A)
 switchport access vlan 810
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description LINK:: e0.fwl-01 (Company_A)
 switchport access vlan 812
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description LINK:: e1.fwl-02 (Company_B)
 switchport access vlan 811
 switchport mode access
 channel-group 4 mode active
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description LINK:: e2.02 (Company_B)
 switchport access vlan 813
 switchport mode access
 channel-group 5 mode active
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description LINK:: ge0-1.ISP Router
 switchport access vlan 812
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 no cdp enable
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description WAN - Used for testing connectivity
 switchport access vlan 812
 switchport mode access
 spanning-tree portfast

interface GigabitEthernet2/0/1
 description DOWNLINK:: g2-0-1.dst-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
 description LINK:: e3.fwl-01 (Company_A NEW)
 switchport access vlan 810
 switchport mode access
 channel-group 2 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/3
 description LINK:: e4.fwl-01 (Company_A NEW)
 switchport access vlan 812
 switchport mode access
 channel-group 3 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/4
 description LINK:: e3.fwl-02 (Company_B)
 switchport access vlan 811
 switchport mode access
 channel-group 4 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/5
 description LINK:: e4.fwl-02 (Company_B)
 switchport access vlan 813
 switchport mode access
 channel-group 5 mode active
 spanning-tree portfast
!
interface GigabitEthernet2/0/6
 description LINK:: ge-0.ISPB Router
 switchport access vlan 813
 switchport mode access
 logging event spanning-tree
 logging event status
 logging event subif-link-status
 load-interval 30
 no cdp enable
 spanning-tree portfast

!
interface Vlan800
 description SVI:: IDC - Network Management
 ip address 10.22.0.3 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 ip policy route-map inter
 no ip mroute-cache
!
interface Vlan801
 description SVI:: IDC - OSPF Routing
 ip address 10.22.1.1 255.255.255.192
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 ip policy route-map inter
 no ip mroute-cache
 ip ospf message-digest-key 1 md5 <key>
!
interface Vlan803
 description SVI:: IDC - Voice (Company_B)
 ip address 10.22.3.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 ip policy route-map inter
 no ip mroute-cache
!
interface Vlan810
 description SVI:: IDC - FW01 Linknet
 ip address 10.22.1.253 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan811
 description SVI:: IDC - FW02 Linknet
 ip address 10.22.1.249 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
router ospf 1
 router-id 10.22.1.65
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute connected
 redistribute static metric-type 1 subnets
 passive-interface default
 no passive-interface Vlan801
 network 10.22.1.0 0.0.0.63 area 0
 network 10.22.1.65 0.0.0.0 area 0
 network 10.22.1.248 0.0.0.3 area 0
 network 10.22.3.0 0.0.0.255 area 0
 default-information originate
!
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback1
ip route 10.22.8.0 255.255.255.0 10.22.1.250
ip route 10.22.14.0 255.255.255.0 10.22.1.254
ip route 10.22.15.0 255.255.255.0 10.22.1.254
ip route 192.168.103.0 255.255.255.0 10.22.1.250
ip route 192.168.104.0 255.255.255.0 10.22.1.254
ip route 212.50.160.56 255.255.255.255 10.22.1.3
no ip http server
no ip http secure-server
!
!
ip access-list extended Company_B_inter
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 10.22.0.0 0.0.0.255 any
 permit ip 10.22.3.0 0.0.0.255 any
 permit ip 10.22.13.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.63 any
ip access-list extended Company_A_inter
 permit ip 172.22.0.0 0.0.255.255 any
 permit ip 128.2.0.0 0.0.255.255 any
 permit ip 10.46.111.0 0.0.0.255 any
 permit ip 172.23.0.0 0.0.0.63 any
 permit ip 172.23.2.0 0.0.1.255 any
!
access-list 99 permit 10.22.0.1
route-map inter permit 5
 match ip address Company_A_inter
 set ip next-hop 10.22.1.254
!
route-map inter permit 10
 match ip address Company_B_inter
 set ip next-hop 10.22.1.250
!
!
snmp-server community xxxxxx RO 99
snmp-server trap-source Vlan800
snmp-server source-interface informs Vlan800
snmp-server location IDC
snmp-server contact IT
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1-9
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps license
snmp-server enable traps bgp
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
!
banner login ^C
!! WARNING: You have accessed a Computer System operated by Company_Group !!
You are required to have a personal authorisation from the System
Administrator before you use this system and you are strictly limited
to the use set out in that written authorisation. Unauthorised access
of a computer constitutes an offence under the Computer Misuse Act 1990.
-
If you understand this message and have been authorised to use this
system please enter your username and password below to continue this
session.
-
Otherwise, you must disconnect from this session IMMEDIATELY.
^C
banner motd ^C
*********************************************************************************************
*                                                                                           *
*            !! WARNING: You have accessed a Computer System operated by Company_Group !!   *
*            You are required to have a personal authorisation from the System              *
*            Administrator before you use this system and you are strictly limited          *
*            to the use set out in that written authorisation. Unauthorised access          *
*            of a computer constitutes an offence under the Computer Misuse Act 1990.       *
*                                                                                           *
*            If you understand this message and have been authorised to use this            *
*            system please enter your username and password below to continue this          *
*            session.                                                                       *
*                                                                                           *
*            Otherwise, you must disconnect from this session IMMEDIATELY.                  *
*                                                                                           *
*********************************************************************************************
^C
!
line con 0
 logging synchronous
 login local
 transport preferred none
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 transport preferred none
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 transport preferred none
 transport input ssh
!
ntp clock-period 36028835
ntp source Vlan800
ntp server 10.22.0.1 source Vlan800
end

cor-01#

Distribution switch:

 

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dst-01
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
logging console warnings
enable secret <secret>
!
username engineer secret 5 <secret>
!
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
switch 1 provision ws-c3750g-24ts-1u
switch 2 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip routing
no ip domain-lookup
ip domain-name domain.net
!
!
!
!
!
!
!
!
no errdisable detect cause gbic-invalid
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery cause small-frame
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
interface Loopback0
 description LOOP:: Loopback0
 ip address 10.22.1.66 255.255.255.255
!
interface Port-channel1
 description AGG:: cor-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet1/0/1
 description UPLINK:: g1-0-1.cor-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk

interface GigabitEthernet2/0/1
 description UPLINK:: g2-0-1.cor-01
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 800,801,803,816,818
 switchport mode trunk
 channel-group 1 mode on
 spanning-tree portfast trunk

interface Vlan796
 description SVI:: IDC - Company_C Network
 ip address 10.46.111.1 255.255.255.0
 ip access-group Company_A_acl in
 ip helper-address 172.22.100.14
 ip helper-address 172.22.100.15
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan797
 description SVI:: Company_A Converged Network
 ip address 128.2.100.1 255.255.0.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan798
 description SVI:: Company_A Legacy Network
 ip address 172.22.100.1 255.255.0.0
 ip access-group Company_A_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan799
 description SVI:: Company_B Legacy Network
 ip address 192.168.0.254 255.255.255.0
 ip access-group Company_B_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan800
 description SVI:: IDC - Network Management
 ip address 10.22.0.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan801
 description SVI:: IDC - OSPF Routing
 ip address 10.22.1.2 255.255.255.192
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 ip ospf message-digest-key 1 md5 <key>
!
interface Vlan802
 description SVI:: IDC - Voice (Company_Group)
 ip address 172.23.3.254 255.255.254.0
 ip access-group Company_A_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan814
 description SVI:: IDC - Company_D Data
 ip address 10.22.12.254 255.255.255.0
 ip access-group xxx_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan815
 description SVI:: IDC - Shared Services
 ip address 10.22.13.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan817
 description SVI:: IDC - Security
 ip address 10.22.1.189 255.255.255.192
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan819
 description SVI:: Company_B Printers
 ip address 192.168.1.62 255.255.255.192
 ip access-group Company_B_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface Vlan820
 description SVI:: Company_A Printers
 ip address 172.23.0.62 255.255.255.192
 ip access-group Company_A_acl in
 no ip redirects
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
router ospf 1
 router-id 10.22.1.66
 log-adjacency-changes
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Vlan801
 network 10.22.0.0 0.0.0.255 area 0
 network 10.22.1.0 0.0.0.63 area 0
 network 10.22.1.66 0.0.0.0 area 0
 network 10.22.1.128 0.0.0.63 area 0
 network 10.22.12.0 0.0.0.255 area 0
 network 10.22.13.0 0.0.0.255 area 0
 network 10.46.111.0 0.0.0.255 area 0
 network 128.2.0.0 0.0.255.255 area 0
 network 172.22.0.0 0.0.255.255 area 0
 network 172.23.0.0 0.0.0.63 area 0
 network 172.23.2.0 0.0.1.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.63 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
ip access-list extended Company_B_acl
 deny   ip 192.168.0.0 0.0.0.255 128.2.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.0.255 172.22.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.0.255 10.22.12.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.46.111.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.63 128.2.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.63 172.22.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.63 172.23.0.0 0.0.0.63
 deny   ip 192.168.1.0 0.0.0.63 10.22.12.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.63 10.46.111.0 0.0.0.255
 permit ip any any
ip access-list extended xxx_acl
 deny   ip 10.22.12.0 0.0.0.255 128.2.0.0 0.0.255.255
 deny   ip 10.22.12.0 0.0.0.255 172.22.0.0 0.0.255.255
 deny   ip 10.22.12.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.22.12.0 0.0.0.255 10.46.111.0 0.0.0.255
 deny   ip 10.22.12.0 0.0.0.255 172.23.0.0 0.0.0.63
 deny   ip 10.22.12.0 0.0.0.255 192.168.1.0 0.0.0.63
 permit ip any any
ip access-list extended Company_A_acl
 deny   ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny   ip 172.22.0.0 0.0.255.255 10.22.12.0 0.0.0.255
 deny   ip 10.46.111.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.46.111.0 0.0.0.255 10.22.12.0 0.0.0.255
 deny   ip 172.22.0.0 0.0.0.255 192.168.1.0 0.0.0.63
 deny   ip 172.23.0.0 0.0.0.63 192.168.0.0 0.0.0.255
 deny   ip 172.23.0.0 0.0.0.63 192.168.1.0 0.0.0.63
 deny   ip 172.23.0.0 0.0.0.63 10.22.12.0 0.0.0.255
 deny   ip 10.46.111.0 0.0.0.255 192.168.1.0 0.0.0.63
 permit ip any any
!
access-list 99 permit 10.22.0.1
!
snmp-server community xxxxx RO 99
snmp-server trap-source Vlan800
snmp-server source-interface informs Vlan800
snmp-server location IDC
snmp-server contact IT
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1-9
snmp-server enable traps power-ethernet police
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps stackwise
snmp-server enable traps license
snmp-server enable traps bgp
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps rtr
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
!
banner login ^C
!! WARNING: You have accessed a Computer System operated by Company_Group !!
You are required to have a personal authorisation from the System
Administrator before you use this system and you are strictly limited
to the use set out in that written authorisation. Unauthorised access
of a computer constitutes an offence under the Computer Misuse Act 1990.
-
If you understand this message and have been authorised to use this
system please enter your username and password below to continue this
session.
-
Otherwise, you must disconnect from this session IMMEDIATELY.
^C
banner motd ^C

********************************************************************************************
*                                                                                          *
*          !! WARNING: You have accessed a Computer System operated by Company_Group !!    *
*          You are required to have a personal authorisation from the System               *
*          Administrator before you use this system and you are strictly limited           *
*          to the use set out in that written authorisation. Unauthorised access           *
*          of a computer constitutes an offence under the Computer Misuse Act 1990.        *
*                                                                                          *
*          If you understand this message and have been authorised to use this             *
*          system please enter your username and password below to continue this           *
*          session.                                                                        *
*                                                                                          *
*          Otherwise, you must disconnect from this session IMMEDIATELY.                   *
*                                                                                          *
********************************************************************************************
^C
!
line con 0
 logging synchronous
 login local
 transport preferred none
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 transport preferred none
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 transport preferred none
 transport input ssh
!
ntp clock-period 36029452
ntp source Vlan800
ntp server 10.22.0.1 source Vlan800
end

dst-01#
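
Added example (not part of any post in this thread): a small Python model of how cor-01, as configured above, picks a next hop for traffic to 10.22.14.6, comparing the `inter` route-map on the ingress SVI with the static routes. It assumes standard IOS behaviour, where `ip policy route-map` on an interface is evaluated before the routing table and does not apply to packets the switch originates itself; the source hosts 10.22.13.10 and 10.22.0.50 are constructed.

```python
import ipaddress

# Copied from the cor-01 configuration posted above (static routes only;
# connected and OSPF routes are left out of this model).
STATIC_ROUTES = [
    ("0.0.0.0/0", "Loopback1"),
    ("10.22.8.0/24", "10.22.1.250"),
    ("10.22.14.0/24", "10.22.1.254"),
    ("10.22.15.0/24", "10.22.1.254"),
    ("192.168.103.0/24", "10.22.1.250"),
    ("192.168.104.0/24", "10.22.1.254"),
    ("212.50.160.56/32", "10.22.1.3"),
]

# Extended ACLs used by the route-map: "permit ip <base> <wildcard> any",
# so only the source address is matched.
ACLS = {
    "Company_A_inter": [("172.22.0.0", "0.0.255.255"), ("128.2.0.0", "0.0.255.255"),
                        ("10.46.111.0", "0.0.0.255"), ("172.23.0.0", "0.0.0.63"),
                        ("172.23.2.0", "0.0.1.255")],
    "Company_B_inter": [("192.168.0.0", "0.0.0.255"), ("10.22.0.0", "0.0.0.255"),
                        ("10.22.3.0", "0.0.0.255"), ("10.22.13.0", "0.0.0.255"),
                        ("192.168.1.0", "0.0.0.63")],
}

# route-map inter: (sequence, matched ACL, set ip next-hop)
ROUTE_MAP_INTER = [(5, "Company_A_inter", "10.22.1.254"),
                   (10, "Company_B_inter", "10.22.1.250")]

# SVIs on cor-01 that carry "ip policy route-map inter"
PBR_INTERFACES = {"Vlan800", "Vlan801", "Vlan803"}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def pbr_match(ingress, src):
    """Return (seq, acl, next_hop) for the first route-map entry that matches."""
    if ingress not in PBR_INTERFACES:
        return None
    for seq, acl, next_hop in sorted(ROUTE_MAP_INTER):
        if any(wildcard_match(src, b, w) for b, w in ACLS[acl]):
            return seq, acl, next_hop
    return None


def rib_next_hop(dst):
    """Longest-prefix match over the static routes."""
    d = ipaddress.IPv4Address(dst)
    nets = [(ipaddress.IPv4Network(p), nh) for p, nh in STATIC_ROUTES]
    net, nh = max((n for n in nets if d in n[0]), key=lambda n: n[0].prefixlen)
    return nh, f"static {net}"


def forward(ingress, src, dst):
    """ingress=None models a packet generated on cor-01 itself (CLI traceroute)."""
    hit = pbr_match(ingress, src) if ingress else None
    if hit:
        seq, acl, next_hop = hit
        return next_hop, f"route-map inter {seq} ({acl})"
    return rib_next_hop(dst)


def pbr_overrides_rib(ingress, src, dst):
    """True when policy routing sends the packet somewhere the RIB would not."""
    return forward(ingress, src, dst)[0] != rib_next_hop(dst)[0]


if __name__ == "__main__":
    cases = [
        (None, "10.22.0.3", "traceroute typed on cor-01"),
        ("Vlan801", "10.22.1.2", "traceroute typed on dst-01"),
        ("Vlan801", "10.22.13.10", "constructed host in 10.22.13.0/24"),
        ("Vlan800", "10.22.0.50", "constructed host in 10.22.0.0/24"),
    ]
    for ingress, src, note in cases:
        nh, why = forward(ingress, src, "10.22.14.6")
        print(f"{src:<12} in={ingress or 'local':<8} -> {nh:<12} {why}  # {note}")
```

In this model a CLI traceroute from either switch follows the static route to 10.22.1.254, while a host in 10.22.13.0/24 entering on Vlan801 is policy-routed to 10.22.1.250, so a test run from the switch does not exercise the same path as host traffic.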

Do you have any high-level network diagram of how these devices are connected?

 

BB


Hi,

 

Is this one OK for you?

https://ibb.co/0QZCJ8m

Cristian Matei
VIP Alumni

Hi,

 

If you can connect to it from the inside network, but ping/traceroute does not work to it, it means that something in the path prohibits these flows (like the firewall you mentioned).

 

Regards,

Cristian Matei.

Hi,

 

But we can't connect to inside our network? I'm using ScreenConnect to connect to it externally. I'm not sure why the hop would go to 10.22.1.253, timeout, and then go..back to itself? That interface is one on the L3 switch.

When tracing a route to 10.22.14.6 on the firewall, it says

 

traceroute to 10.22.14.6 (10.22.14.6), 30 hops max, 48 byte packets
 1  10.22.1.253  1 ms  2 ms  2 ms
 2  * * *
 3 

But say to 8.8.8.8 it says this:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 48 byte packets
 1  aa.aaa.aaa.aa  1 ms  0 ms  0 ms
 2  bbb.bbb.bbb.bbb  9 ms  9 ms  7 ms
 3  cc.cc.ccc.ccc  7 ms  7 ms  7 ms
 4  dd.dd.ddd.dd  13 ms  12 ms  13 ms
 5  * * *
 6  8.8.8.8  13 ms  13 ms  12 ms

I guess that means the firewall (10.22.1.254) has a route to 10.22.1.253, and the issue, therefore, lies there? 

It looks like the 10.22.13.0 network can ping to the 10.22.1.0 network internally too. Could it mean that the firewall has a route to 10.22.1.0/24 (or 10.22.1.253's IP to be specific), and then vice versa?

 

dst-01#ping
Protocol [ip]:
Target IP address: 10.22.1.254
Repeat count [5]: ]
% A decimal number between 1 and 2147483647.
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Vlan815
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.22.13.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
gb-bfd-idc-dst-01#
gb-bfd-idc-dst-01#ping
Protocol [ip]:
Target IP address: 10.22.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.22.13.254
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.22.13.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
gb-bfd-idc-dst-01#

. Why  
