I am a bit confused by your

gustavocearasc · ‎06-03-2015

Hello,

I have the problem that i believe to be in the router. My network is designed like this:

2 firewall HA (192.168.1.2) - router (192.168.1.1) router ( 10.1.30.254) - firewall ( 10.1.30.1)

I have executed the pings:

192.168.1.2 to 192.168.1.1 = ok

192.168.1.2 to 10.1.30.254 = problem. The firewall forward the icmp packet to router.

192.168.1.1 to 10.1.30.254= ok

10.1.30.254 to 192.168.1.1=ok

101.30.254 to 192.168.1.2=problem. The icmp packet arrived in router 192.168.1.1.

I enabled "debug ip icmp" in the 192.168.1.1 and it show me this error:

ICMP: time exceeded (time to live) sent to 192.168.1.2 (dest was 10.1.30.254), topology BASE, dscp 0 topoid 0

any ideia?

Markus Benz · ‎06-03-2015

Hi,

I don't fully understand how your setup is.
Is there just one router or two.

If you have a time out in TTL that could be a loop.

How is the routing between this devices configured? Static routes?

I would need a bit more information to help you.
What would help is a drawing and also the configured routes of the involved devices.

Regards,
Markus

gustavocearasc · ‎06-03-2015

Hi, Makus,

My setup is this:

firewall(192.168.1.2) - (192.168.1.1) router - (10.1.1.1) - (10.1.1.2) -router (10.1.30.254) - 10.1.30.1(firewall)

The routes are static:

Routes in 192.168.1.1 :

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C 10.1.1.0/30 is directly connected, GigabitEthernet0/0.1201
L 10.1.1.1/32 is directly connected, GigabitEthernet0/0.1201
S 10.1.30.0/24 [1/0] via 10.1.1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.1/32 is directly connected, GigabitEthernet0/1

Routes in 10.1.30.254

10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.1.1.0/30 is directly connected, GigabitEthernet0/0.1201
L 10.1.1.2/32 is directly connected, GigabitEthernet0/0.1201
C 10.1.30.0/24 is directly connected, GigabitEthernet0/1
L 10.1.30.254/32 is directly connected, GigabitEthernet0/1
S 192.168.1.0/24 [1/0] via 10.1.1.1

Markus Benz · ‎06-03-2015

your routing looks correct so far.

Are you sure this ICMP timeout was caused by a ping and not by a trace?
For trace routes it is normal to see TTL time outs. For pings that would indicate a loop (except your firewall is sending pings with a TTL of 1)

For this ping: 101.30.254 to 192.168.1.2
Are you sure your firewall answers to ping?

For this ping: 192.168.1.2 to 10.1.30.254
I have no explanation why it does not work. Are you sure your routing on the firewalls is correct?
Is the ping sent out on the correct address? What source IP does the ping have?

Other questions:
- are there VRF's or access lists or the like involved in the router configs?

Regards,
Markus

gustavocearasc · ‎06-03-2015

Hi,

Yes, i'am sure that ICMP timeout. Here is the answer of the pings:

192.168.1.1 to 192.168.1.2:

Log router= Jun 3 16:20:39.671: ICMP: echo reply sent, src 128.1.254.1, dst 128.1.0.35, topology BASE, dscp 0 topoid 0

Log firewall = 64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.3 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=0.4 ms

192.168.1.1 to 10.1.30.1:

Log router= There is not messages

Log firewall = PING 10.1.30.254 (10.1.30.254): 56 data bytes

--- 10.1.30.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Traceroute router = Jun 3 16:32:52.695: ICMP: time exceeded (time to live) sent to 192.168.1.2 (dest was 10.1.30.254), topology BASE, dscp 0 topoid 0
Jun 3 16:32:54.455: ICMP: time exceeded (time to live) sent to 192.168.1.2 (dest was 10.1.30.254), topology BASE, dscp 0 topoid 0
Jun 3 16:32:54.455: ICMP: time exceeded (time to live) sent to 192.168.1.2 (dest was 10.1.30.254), topology BASE, dscp 0 topoid 0

Traceroute firewall= traceroute to 10.1.30.254 (10.1.30.254), 32 hops max, 72 byte packets
1 192.168.1.1 0.676 ms 0.397 ms 0.352 ms
2 * * *
3 * * *
4 * * *

192.168.1.1 to 10.1.30.254

Log Router 192.168.1.1 = ping 10.1.30.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.30.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Log Router 10.1.30.254 = ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

I don´t have VRF's or access lists.

Markus Benz · ‎06-03-2015

I am a bit confused by your outputs:

Log router= Jun 3 16:20:39.671: ICMP: echo reply sent, src 128.1.254.1, dst 128.1.0.35, topology BASE, dscp 0 topoid 0

These IP's are not mentioned in your design.

192.168.1.1 to 10.1.30.1:

Log router= There is not messages

Log firewall = PING 10.1.30.254 (10.1.30.254): 56 data bytes

--- 10.1.30.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Traceroute router = Jun 3 16:32:52.695: ICMP: time exceeded (time to live) sent to 192.168.1.2 (dest was 10.1.30.254), topology BASE, dscp 0 topoid 0
Jun 3 16:32:54.455: ICMP: time exceeded (time to live) sent to 192.168.1.2 (dest was 10.1.30.254), topology BASE, dscp 0 topoid 0
Jun 3 16:32:54.455: ICMP: time exceeded (time to live) sent to 192.168.1.2 (dest was 10.1.30.254), topology BASE, dscp 0 topoid 0

Traceroute firewall= traceroute to 10.1.30.254 (10.1.30.254), 32 hops max, 72 byte packets
1 192.168.1.1 0.676 ms 0.397 ms 0.352 ms
2 * * *
3 * * *
4 * * *

I don't understand these logs. You write 192.168.1.1 to 10.1.30.1
But these logs seem to be from the Firewall with IP 192.168.1.2.

Could we not give names to the devices, that would be easier to read.? Like Firewall 1, Firwewall 2, Router 1 and Rotuer 2?
As already stated, I think your router config is correct, from what I can see. So it is more likely a problem on the firewall.

Could you provide the ping results from "Firewall 1" for the following destinations:
(Please make sure your source address is 192.168.1.2)
192.168.1.1
10.1.1.1
10.1.1.2
10.1.30.254

Please also provide the ping results from "Firewall 2" for the following destinations:
(Please make sure your source address is 10.1.30.1)
10.1.1.2
10.1.1.1
192.168.1.1
192.168.1.2

Regards,
Markus

gustavocearasc · ‎06-03-2015

Sorry for the confusion. Your answer of the pings are below:

Firewall 1 (192.168.1.2):

192.168.1.1 : ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=3.0 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.3 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=0.3 ms

10.1.1.1 : ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes

--- 10.1.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

10.1.1.2 : ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2): 56 data bytes

--- 10.1.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

10.1.30.254 : ping 10.1.30.254
PING 10.1.30.254 (10.1.30.254): 56 data bytes

--- 10.1.30.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Firewall 2 ( 10.1.30.1)

10.1.30.254: ping 10.1.30.254
pinging '10.1.30.254'
host 10.1.30.254 is alive

10.1.1.2: ping 10.1.1.2
pinging '10.1.1.2'
destination 10.1.1.2 unreachable

10.1.1.1: ping 10.1.1.1
pinging '10.1.1.1'
destination 10.1.1.1 unreachable

192.168.1.1: ping 192.168.1.1
pinging '192.168.1.1'
destination 192.168.1.1 unreachable

192.168.1.2: ping 192.168.1.2
pinging '192.168.1.2'
destination 192.168.1.2 unreachable

Markus Benz · ‎06-03-2015

To me this looks like your firewalls only know the locally connected IP's.

How does the routing table of your firewalls look?
Do you have routes for the IP subnet of the remote firewall pointing to the local router interface?

Problem Routing