Two 2901 routers routing over fiber.

Colby Collier · ‎01-14-2013

Here is a diagram of the connection:

The good:

- Can ping from Holiday 2901 to local lan

- Can ping from P10 2901 to local lan

- Can ping from Holiday 2901 to 10.10.50.2 and 192.168.146.250

- Can ping from P10 2901 to 10.10.50.1 and 192.168.102.250

The bad:

- Cannot ping from Holiday 2901 to anything past P10 interfaces

- Cannot ping from P10 2901 to anything past Holiday interfaces

Knows issues:

- tracert from P10 to 192.168.102.1

Peak10.2901(config)#do tracer 192.168.102.1

Type escape sequence to abort.

Tracing the route to 192.168.102.1

VRF info: (vrf in name/id, vrf out name/id)

1 10.10.50.1 4 msec 0 msec 0 msec

2 *

This is coming out and dying on the incorrect interface and I am not sure how to fix.

Peak10.2901(config)#do sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.10.50.0/24 is directly connected, GigabitEthernet0/0

L 10.10.50.2/32 is directly connected, GigabitEthernet0/0

D 192.168.102.0/24 [90/28416] via 10.10.50.1, 00:16:09, GigabitEthernet0/0

192.168.146.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.146.0/24 is directly connected, GigabitEthernet0/1

L 192.168.146.250/32 is directly connected, GigabitEthernet0/1

Peak10.2901(config)#

holiday.2901#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.10.50.0/24 is directly connected, GigabitEthernet0/0

L 10.10.50.1/32 is directly connected, GigabitEthernet0/0

192.168.102.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.102.0/24 is directly connected, GigabitEthernet0/1

L 192.168.102.250/32 is directly connected, GigabitEthernet0/1

D 192.168.146.0/24 [90/28416] via 10.10.50.2, 00:16:53, GigabitEthernet0/0

holiday.2901#

I have attached configs from both routers as well. Any and all help is much appreciated.

John Blakley · ‎01-14-2013

On a whim and haven't looked too deep into it, are the default gateways on the devices set to something other than the routers? If so, my first guess is that the device is getting your return traffic and sending it to its default route, but the default doesn't know how to get to the 10.10.50.0/29 or the 192.168.102.250.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Colby Collier · ‎01-14-2013

No, there are no default static or gateways of last resort configured.

Sent from Cisco Technical Support iPhone App

John Blakley · ‎01-14-2013

On PC2824, what's the default gateway configured as?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Colby Collier · ‎01-14-2013

It's configured as 192.168.X.1 on the appropriate subnet on each switch.

Sent from Cisco Technical Support iPhone App

John Blakley · ‎01-14-2013

According to your diagram, if I'm understanding, your default gateway on the PC is pointing to the Fortinet appliance? Does the Fortinet, being on the 192.168.146.1/24 subnet, have a route back to the 192.168.102.x or 10.10.50.x subnet?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Colby Collier · ‎01-14-2013

Yes it does, what's concerning me is that the trace route isn't getting past the interface of the remote 2901.

Sent from Cisco Technical Support iPhone App

mnorwood · ‎01-14-2013

Colby,

Some of these things you have done based on our Twitter conversation, but I am listing them anyway for the benefit of others.

1) Plug a workstation/laptop into the switch on one end.

2) Point that workstation to the router as its gateway.

3) From the workstation, try to ping the router's Gi0/1 IP on the far end. ie If your workstation is on the Peak10 side(192.168.146.x), from a command prompt/shell ping 192.168.102.250.

4) If that is successful, ping something else on the 192.168.102.x network other than the router. Hopefully there is a workstation or some other device. You could even try the Fortinet(.1).

5) Post the results of "show ip arp" from both routers.

Matthew

Colby Collier · ‎01-14-2013

From a workstation on the 192.168.102.x subnet a ping to ge0/1(192.168.146.250) was successful. Pings to the switch on the opposite subnet (192.168.146.249) was unsuccessful.

holiday.2901#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.10.50.1 - 6c20.56a3.1c00 ARPA GigabitEthernet0/0

Internet 10.10.50.2 34 6c20.56b5.58c8 ARPA GigabitEthernet0/0

Internet 192.168.102.1 0 0009.0f27.39a6 ARPA GigabitEthernet0/1

Internet 192.168.102.2 0 0024.e850.8563 ARPA GigabitEthernet0/1

Internet 192.168.102.3 0 0011.43fc.f10a ARPA GigabitEthernet0/1

Internet 192.168.102.15 221 0017.c590.c4b2 ARPA GigabitEthernet0/1

Internet 192.168.102.95 4 d067.e591.95e0 ARPA GigabitEthernet0/1

Internet 192.168.102.113 0 d067.e515.8bce ARPA GigabitEthernet0/1

Internet 192.168.102.163 0 0023.ae70.adbe ARPA GigabitEthernet0/1

Internet 192.168.102.169 0 0025.64c7.df74 ARPA GigabitEthernet0/1

Internet 192.168.102.173 0 d4be.d9d3.0eb1 ARPA GigabitEthernet0/1

Internet 192.168.102.250 - 6c20.56a3.1c01 ARPA GigabitEthernet0/1

holiday.2901#

Peak10.2901#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.10.50.1 27 6c20.56a3.1c00 ARPA GigabitEthernet0/0

Internet 10.10.50.2 - 6c20.56b5.58c8 ARPA GigabitEthernet0/0

Internet 192.168.146.249 13 d067.e5b0.6732 ARPA GigabitEthernet0/1

Internet 192.168.146.250 - 6c20.56b5.58c9 ARPA GigabitEthernet0/1

Peak10.2901#

mnorwood · ‎01-14-2013

From the P10 router, can you ping the workstation on the 102 subnet at Holiday?

Colby Collier · ‎01-14-2013

Yes I can, but ping to other hosts (switch, fortinet, other servers) are failing. The .173 is the host that I ran the ping from in the previous reply.

Peak10.2901#ping 192.168.102.173

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.102.173, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Peak10.2901#ping 192.168.102.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Peak10.2901#ping 192.168.102.95

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.102.95, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Peak10.2901#

Colby Collier · ‎01-14-2013

This will probably be relevant also....Both 2901 routers and the fiber are a new install as of today. All hosts on the 192.168.102.X subnet are configured with a default gateway of 192.168.102.1 with the exception of the host that I have been running the pings with.

Our end goal here is (once the setup is complete) have all traffic destined for the 192.168.146.X subnet route over the fiber, everything else route out .1

mnorwood · ‎01-14-2013

Point everything on both ends to the router as their default gateway. Either 192.168.102.250 or 192.168.146.250, depending on which location the systems reside. The 2901 routers will also need to have a default route pointing to the Fortinet(.1). As much as I hate static routes, you'll want to use one for the 0.0.0.0 route pointing to the Fortinet. Since it is a managed firewall, getting someone to spin up OSPF might take awhile, and if you are replacing those boxes with ASA's, it probably isn't worth the trouble for the time being. Plus, you would also need to spin up OSPF on your routers to avoid having to redistribute. On a network this small, it would be easier to run OSPF if you were peering with the Fortinet boxes.

I suspect the Fortinet boxes are not routing traffic to the 2901 router from the end hosts because they have no route for the subnets across the link.