02-03-2012 12:10 PM - edited 03-04-2019 03:07 PM
I want to check whether traffic for a particular port, i.e. HTTP (80), HTTPS (443), DNS (53), is available on the router or whether there is a problem at the ISP end. Which command should I use, and what result would I be expecting?
---
Posted by WebUser Muhammad Margub Mahfuz
02-03-2012 01:11 PM
Depends on whether or not you have configured Access Control List (ACL).
02-03-2012 03:18 PM
Hi Muhammad,
If I understood you correctly, you're trying to isolate the issue to the customer side or the ISP side for some traffic streams.
------Inside LAN--------Router-----Outside-----ISP
There are three parts you can look into:
1. Inside LAN switch / PC / FW to Router: Check with pings etc., and as leolaohoo wrote above, you can configure ACLs specifically permitting these ports with any any, to see if you get matches on the inside interface ACL.
2. Router itself: Check ACLs, PBR, QoS, and other interface / routing features.
3. Router to ISP: If the check in point 1 above passes, but your LAN users still can't get to the internet, check with a direct ping / trace from the router to, say, 4.2.2.2 or Google etc.
If this fails, you need to ping your next-hop IP (default route gateway / ISP router IP) and see if your last-mile connectivity is fine.
If ping etc. works fine, but you still can't access services, you should try a telnet to www.google.com on port 80 from the router:
Router#telnet www.google.com 80
This should at least bring up a connection, and when you type something you should see garbage. You can do the same with other TCP ports. For DNS, the best way is to configure a DNS server IP on your router, try to ping a domain name, and see if the router can resolve it.
If the above are working fine, the issue could be on the inside of the network.
Also, to ensure NAT is fine, if it's happening on the router, try sourcing your pings / traceroutes / telnets from the inside interface.
Let's say Fa0/0 is connected to the inside LAN switch, and Fa0/1 to the ISP router:
Router#ping 4.2.2.2 source Fa0/0
Router#telnet www.google.com 80 /source-interface Fa0/0
------
Configure ACLs as follows to see if you see matches:
! Inside-facing ACL: LAN traffic heading out to the named ports
ip access-list extended fa0/0in
permit tcp any any eq 80 443 53
permit udp any any eq 53
permit ip any any
! ISP-facing ACL: return traffic coming back from those ports
ip access-list extended fa0/1in
permit tcp any eq 80 443 53 any
permit udp any eq 53 any
permit ip any any
(You can also apply the above the other way round: fa0/0in can be the same as Fa0/1 out, and fa0/1in can be the same as Fa0/0 out.)
! ip access-group needs the direction keyword (in/out)
int fa0/0
ip access-group fa0/0in in
int fa0/1
ip access-group fa0/1in in
--
show access-list fa0/0in
show access-list fa0/1in
--
You can also configure basic NetFlow to monitor traffic passing through the router:
int fa0/0
ip flow ingress
int fa0/1
ip flow ingress
show ip cache flow
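As an added example (not from the thread or from Cisco), here is a small Python parser for the show access-list counters that grenjen suggests comparing: it pairs each entry of the inside ACL with the entry of the same sequence number in the ISP-facing ACL and flags ports whose traffic was counted going out but never counted coming back. The sample output is constructed; the ACL names follow the thread's naming.

```python
import re

# Constructed sample of "show access-list" output for the two ACLs in the thread
# (fa0/0in faces the LAN, fa0/1in faces the ISP); not real router output.
# IOS prints "(N matches)" only when a counter is non-zero, so the UDP/53 return
# entry below has no counter, i.e. no DNS replies came back from the ISP.
SAMPLE_OUTPUT = """\
Extended IP access list fa0/0in
    10 permit tcp any any eq www 443 domain (1532 matches)
    20 permit udp any any eq domain (48 matches)
    30 permit ip any any (9021 matches)
Extended IP access list fa0/1in
    10 permit tcp any eq www 443 domain any (1498 matches)
    20 permit udp any eq domain any
    30 permit ip any any (8877 matches)
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ACE_LINE = re.compile(
    r"^\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)

def parse_show_access_list(text):
    """Return {acl_name: {seq: {proto, matches}}}; an ACE with no counter has 0 matches."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = {}
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            acls[current][int(ace["seq"])] = {"proto": ace["proto"], "matches": int(ace["matches"] or 0)}
    return acls

def compare_directions(acls, inside, outside):
    """Pair ACEs by sequence number; sent-but-never-answered ports point at the ISP side."""
    report = []
    for seq, ace in sorted(acls[inside].items()):
        sent = ace["matches"]
        replied = acls[outside].get(seq, {"matches": 0})["matches"]
        verdict = ("ok" if sent and replied else
                   "no return traffic: check ISP/upstream" if sent else
                   "nothing sent: check inside LAN/router")
        report.append({"seq": seq, "proto": ace["proto"],
                       "sent": sent, "replied": replied, "verdict": verdict})
    return report
```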
02-05-2012 12:22 AM
@leolaohoo: ACL is applied only on IP, not protocols.
@grenjen: Thanks. I think I found the answer: telnet to port 80. If no connection is established, then is it definitely not a router issue but an ISP issue? I faced this kind of problem some days ago. It was later confirmed that the ISP had a fault, but I couldn't prove it to the client as the solution provider representative.
---
Posted by WebUser Muhammad Margub Mahfuz
02-05-2012 01:14 AM
Create an access list that permits HTTP, HTTPS, DNS from any to any:
! "eq" is the port-match keyword; "domain" is DNS (UDP 53)
access-list 100 permit tcp any any eq http
access-list 100 permit tcp any any eq https
access-list 100 permit udp any any eq domain
Use the access list with a debug command:
debug ip packet 100 detail
Eugen