
Can't ping from interface connected to ISP

ps0000000
Level 1

Hello,

I have configured a 3845 router with dual fail-over ISPs. For users in the internal network everything is working perfectly. But I have noticed that IP SLA rule 2 is not working: from the router itself I can't ping any host (including the interface IP address 7.1.0.46 itself), and I also can't SSH to the 3845 from outside on the interface IP address (7.1.0.46 in my case), with a reject result code. But

ping 8.8.8.8 source Gi0/0.2
ping 8.8.8.8 source Gi0/1.10

is working perfectly.

!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
redundancy
!
track 22 ip sla 2 reachability
!
interface Tunnel1
 description T1
 ip address 10.170.171.1 255.255.255.252
 ip mtu 1400
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0.2
 tunnel destination 18.12.19.15
!
interface Tunnel99
 description T99
 ip address 10.170.170.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 tunnel source GigabitEthernet0/0.2
 tunnel destination 8.22.16.20
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.2
 description ISP1
 encapsulation dot1Q 2
 ip address 7.2.2.127 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.3
 description ISP2
 encapsulation dot1Q 3
 ip address 7.1.0.46 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.10
 description LAN_TO_3750
 encapsulation dot1Q 10
 ip address 10.153.70.2 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.3 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.2 overload
ip nat inside source static udp 10.153.70.9 17566 7.2.2.127 17566 extendable
ip nat inside source static udp 10.153.70.9 17566 7.1.0.46 17566 extendable
ip route 0.0.0.0 0.0.0.0 7.1.0.45 10 track 22
ip route 0.0.0.0 0.0.0.0 7.2.2.1 171
ip route 10.10.117.0 255.255.255.0 10.170.170.2 name H
ip route 10.129.122.0 255.255.255.128 10.170.171.2 name K
ip route 10.153.70.64 255.255.255.192 10.153.70.1
ip route 17.5.7.189 255.255.255.255 7.2.2.1 name kb
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.2
 frequency 50000
 timeout 100000
 threshold 60000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.3
 frequency 10
 timeout 10000
 threshold 10000
ip sla schedule 2 life forever start-time now
logging esm config
logging trap notifications
logging facility local3
logging source-interface GigabitEthernet0/1.10
logging 10.153.70.9
access-list 69 permit 10.153.70.9
!
route-map ISP2 permit 10
 match interface GigabitEthernet0/0.3
!
route-map ISP1 permit 10
 match interface GigabitEthernet0/0.2
!
snmp-server community orel RO 69
snmp-server location O
!
control-plane
!
mgcp profile default
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 796
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 85.21.78.8 source GigabitEthernet0/0.2
ntp server 192.36.133.17 source GigabitEthernet0/0.2
end

Any idea what is wrong here?

Thanks in advance.

10 Replies

Jaderson Pessoa
VIP Alumni

Hello,

 

interface GigabitEthernet0/0.3
description ISP2
encapsulation dot1Q 3
ip address 7.1.0.46 255.255.255.252  < is this correct?
ip nat outside
ip virtual-reassembly in
!

ip route 0.0.0.0 0.0.0.0 7.2.2.1 171  < change it from 171 to 11 and test your track again.


If that doesn't work, try removing ip sla 2 and track 22 and adding them again. Maybe it is a bug.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Hi Jaderson Pessoa,
thank you for the answer.
7.1.0.46 255.255.255.252 - yes, it's the IP given by the main ISP
changed to ip route 0.0.0.0 0.0.0.0 7.2.2.1 11
deleted and created ip sla 2 and track 22
nothing changed - still no ping from gi0/0.3

3845#ping 8.8.8.8 so gi 0/0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.2.2.127
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
3845#ping 8.8.8.8 so gi 0/0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 7.1.0.46
.....
Success rate is 0 percent (0/5)

@ps0000000 hello,

 

interface GigabitEthernet0/0.3
 description ISP2
 encapsulation dot1Q 3
 ip address 7.1.0.46 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
! 

This interface has VLAN 3 configured. Is this interface connected directly to the ISP device, or does it pass through an internal device?

Because if you can't ping it from itself, the router isn't the problem.

1. Maybe the interface connected to this interface doesn't have VLAN 3 allowed through the trunk yet.

2. Maybe the address is wrong.

Could you confirm the simple topology?

 

Thanks in advance.

Jaderson Pessoa

Hi,
1. The ISP is connected to my 3750 switch - here is the config on the trunk port connected to the 3845:
interface GigabitEthernet1/0/5
description UPLINKS_TO_3845
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,3
switchport mode trunk
2. The address is correct (here I modified it a little). I can ping 7.1.0.46 from the Internet but not SSH.

Does your router have an ACL allowing this traffic from external devices?
Jaderson Pessoa

No, full config in first message

OK, try this:

ip access-list extended ssh_allow
permit tcp any host 7.1.0.46 eq 22

and apply it under the WAN interface on which you need SSH access.
Jaderson Pessoa

Hi,
That did not help. Even more: when the list was applied to the interface temporarily, I lost the connection to the internal VPN. Removing it from the interface allowed me to connect again.
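
An added illustration, not part of any post in this thread: a Cisco extended ACL is evaluated top-down with the first match winning, and anything unmatched hits the implicit deny at the end. The Python sketch below models that for the one-entry `ssh_allow` list; the sample packets, the second ACL variant, and the assumption that each packet arrives on the interface where the list is applied inbound are constructed for illustration.

```python
import ipaddress

# ACL from the thread: a single permit entry.
# Entry layout: (action, protocol, source, destination, destination port)
SSH_ALLOW = [("permit", "tcp", "any", "7.1.0.46/32", 22)]

# Hypothetical variant (not from the thread): also permits GRE from the two
# tunnel destinations in the posted config and any ICMP to the ISP2 address.
SSH_GRE_ICMP = SSH_ALLOW + [
    ("permit", "gre", "18.12.19.15/32", "7.2.2.127/32", None),
    ("permit", "gre", "8.22.16.20/32", "7.2.2.127/32", None),
    ("permit", "icmp", "any", "7.1.0.46/32", None),
]

# Constructed sample packets: (label, protocol, source, destination, dport)
PACKETS = [
    ("ssh-in", "tcp", "198.51.100.10", "7.1.0.46", 22),
    ("gre-tunnel1", "gre", "18.12.19.15", "7.2.2.127", None),
    ("echo-reply", "icmp", "8.8.8.8", "7.1.0.46", None),
    ("nat-return", "tcp", "203.0.113.5", "7.1.0.46", 40000),
]

def _in(net, addr):
    """True if addr falls inside net, where net may be the keyword 'any'."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for n, (action, r_proto, r_src, r_dst, r_dport) in enumerate(acl, 1):
        if r_proto not in ("ip", proto):
            continue
        if not (_in(r_src, src) and _in(r_dst, dst)):
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return action, f"entry {n}"
    return "deny", "implicit deny"

def report(acl):
    """Map each sample packet label to the verdict the ACL gives it."""
    return {label: evaluate(acl, *fields)[0] for label, *fields in PACKETS}

if __name__ == "__main__":
    for name, acl in (("ssh_allow", SSH_ALLOW), ("variant", SSH_GRE_ICMP)):
        print(name, report(acl))
```

With the one-entry list only the SSH packet is permitted; GRE, ICMP replies and return traffic for NAT sessions all fall through to the implicit deny.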

Well, is this IP address "7.1.0.46 255.255.255.252" coming from your ISP or a local firewall?
Jaderson Pessoa

It comes from ISP directly.