
Not being able to ping router

Shawnw4401
Level 1

Some of the information is sensitive, so I will briefly describe the problem I am having. 


Below is an example of network topology:

Router <-> Switch <-> Encryptor-><-Encryptor <-> Switch


Currently, the network is running OSPF through IPSec tunneling. The management IP address that directly connects all these devices together cannot be joined in OSPF, due to recursive routing. All IPs that are being advertised via OSPF can reach the router. The management IP cannot reach the router, except on the switch next to the router. The Gateway of Last resort is learned via OSPF.  

This network cannot go down, but this issue must be resolved as it affects several users but not the whole network. 

 

There are several things I want to try, but I don't know if it'll take users down. Can someone let me know if these solutions seem viable and if they have the possibility of taking down the current working users?

Proposed solution #1:
Add an ip route statement 0.0.0.0 0.0.0.0 router. Will this statement make my other network lose their gateway of last resort if they learn it from the router?

 

Proposed solution #2:
Could I use a route-map to block the management IP address on the switch next to the router for the static route statement that points it back to the encryptors? For example: access-list 1 deny 1.1.1.0 0.0.0.255 / route-map MYMAP deny 10 / match ip address 1 / router ospf 10 / redistribute static route-map MYMAP

6 Replies

Hello,

My first thought is: why not resolve the recursive routing problem by adding a static route just for the management IP (address space), with the physical (and not the tunnel) interface being the next hop?

Georg,


The issue is not on the end switches, where this is doable. The issue lies on the core switch connecting to the router. We want to move away from static routing every route because it will turn out to be over 120 static routes, and every time we would need to add a new static route for each new device. Trying to move away from this.

Hello

Can you elaborate a bit more on your topology?
You mention router, core switches and IPsec tunnels, OSPF; is this a DMVPN topology?
res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

 

No, this is not quite a DMVPN topology. I can explain as much as possible.
The router is controlled by an outside source. The switch connected to the router is the starting point of the part of the connection that I control. We are using OSPF via GRE tunnelling to go out to all of our sites, except the current site that is having an issue. Everything that isn't on the management IP address can communicate back with the router. Everything that isn't being advertised by OSPF cannot reach the router. The problem at the end device in this situation is that we cannot establish OSPF, due to other reasons (yes, it is possible, but the customer is refusing to do it).

 

 

Hello,

Can you post the full configs of two devices that cannot reach each other's management IP address (as that is the problem as far as I understand)?

Georg,

 

I am sorry. I cannot post these configurations. I can only describe the situation to a certain state.
