01-12-2015 08:36 PM - edited 03-07-2019 10:11 PM
Hi everyone,
This is my first post, so please excuse any formatting / procedural errors.
Problem description.
1. I have a multisite network which uses Cisco Switches at each site.
2. WAN network is provided by service provider as an MPLS vrf dedicated to our business.
3. At one of our sites (Site B) we have connectivity issues as described below.
a. All end user communications are fine (data, video, voice).
b. No site is able to establish an SSH or telnet session to any of the switches onsite at Site B.
c. We are able to establish SSH sessions to switching infrastructure across sites as needed for all other sites.
d. We are able to establish SSH and telnet sessions to the network infrastructure at Site B from local subnets in Site B.
e. As we are able to establish connections from local subnets, we do not believe the issue is related to authentication.
We are using Cisco 3750 in the network.
Troubleshooting so far.
1. We have removed all ACLs from Site B and Site A (test site) in the performance of our tests to exclude the possibility of a poorly formed ACL causing issues.
2. We have tried to regenerate self-signed certificates on the switches onsite.
3. We have tried to skip SSH and enable telnet to site switches.
4. We have tried access via SNMP and HTTP / HTTPS as well.
Any insight would be helpful. Happy to provide relevant config from infrastructure if required.
Regards
Jag
01-13-2015 01:30 AM
Hi,
Can you ping the switches in site B? Have you considered reviewing routing to switch management IP addresses?
01-13-2015 04:56 PM
Hi mate,
Yes, I have tried multiple Site B options and multiple devices on Site A, including changing the IP address on Site A networks. Same result.
Ping does work end to end from all sites; so does tracert.
JK
01-14-2015 02:31 AM
Hi there,
Can you ping the device from where you want to telnet or ssh to it? You may be able to ping end to end from the devices behind the network devices but maybe the ip addresses of the network devices are not routed properly.
Do you have a network diagram?
Cheers,
01-20-2015 08:40 PM
Hi mate,
Yes, I can ping the devices, from Site A to B and vice versa. From Site B I can also telnet and SSH to the devices in Site B as well as all other devices in Site A.
We have a service provider network, so I am not sure if a diagram will help as I don't control anything beyond my switches that are doing layer 3 routing.
I can however telnet up to the service provider router on Site B.
I have tried everything I could think of in addition to searching online.
Regards
Jag
01-21-2015 07:21 AM
The only thing I can think of is the SP router in site B.
Can you confirm it is not doing anything that could be blocking access?
Just to clarify exactly where you are -
1) you can ping anything and everything from anywhere?
2) you have tried to telnet/ssh to any of the L3 SVIs in site B and they all fail?
Jon
01-21-2015 06:35 PM
Hi Jon,
In answer to the question about pings above: yes, pings work across the board from all sites to all IPs in Site B and vice versa.
Also, telnet and SSH to any of the L3 SVIs in Site B all fail, no exceptions, when attempted across the WAN.
Further troubleshooting did help me determine the issue though. I think I still need some expert guidance on this, but here goes.
We receive a default route incoming on the 3750 on Site B as shown below.
D*EX 0.0.0.0/0 [170/3072] via 10.107.141.1, 04:26:35, GigabitEthernet2/0/48
The 3750 only seems to honor this route for ping / HTTP / HTTPS, not SSH / telnet.
We tried putting in static routes to one of the other sites (Site A), and both telnet and SSH started working like a charm.
Regards
Jag
01-22-2015 08:28 AM
Jag
Do you have any other 3750s in other sites receiving a default route?
If so, are they running the same IOS version?
I have not come across telnet/ssh not being able to use a default route and I'm pretty sure I would remember if I had.
That said the last network I worked on different use a default route so maybe I was just lucky :-)
I really can't see the logic in it though.
Jon
01-22-2015 11:51 AM
Did you try access with different VLAN IPs? I see many VLANs are configured on the Site B core.
Moreover, I would like to know: is the problem with all switches? Are you able to log in to the core first, from other sites? I see SSH is not enabled on Sited; at least telnet should work.
Are you able to telnet to the Site B core with another VLAN ID?
01-13-2015 10:47 AM
Hi jagkalkal,
Are you getting the authentication page when you try to SSH/telnet to the devices at Site B?
Did you try to SSH/telnet from different source offices? Just to isolate if it is something specific to Site A.
Also, is there any firewall or other device which blocks specific ports?
Can you please post the configuration of one of the devices from Site B?
CF
01-13-2015 04:55 PM
Hi,
Nope, no authentication page is presented.
I have 14 sites in total and I have tried from every site, same results :(
We do not have any firewalls in the internal network, only on the network edge, which is not relevant to this scenario as the network is point to point and does not use the ASA to go through.
Configuration for the core switches on Sites A and B attached.
Both sites get a default route out to the MPLS VRF as shown in ip route.
JK
01-14-2015 03:57 AM
So your issue is that you are not able to SSH or telnet to switches on Site B from your PC? Is that correct?
If yes, then:
Are you able to ping 10.103.243.254 or 10.103.243.254 from your PC?
If no, then it's an ISP issue.
If yes, then we have to troubleshoot more. Can you post a diagram of your network?
Regards