Router will only forward with host routes

jeremys8137
Level 1

We have a 2800 series router functioning as our internet router, and it will only forward packets to addresses with host entries in the routing table, even if the network is directly connected. Any ideas?

csco11257494
Level 1

Can you please elaborate further on this issue? From what I understand of what you are saying here, your 2800 router is your default gateway to your ISP? Try checking your WAN configuration and probably the routing protocols used, and use the show cdp command to see your neighbour routers and whether they have routes to their neighbours.

The 2800 router is connected to our ISP and is also connected to our ASA. We have a /28 network on the inside interface connected to our ASA. I can ping the inside interface and the interface of our ASA, but any other addresses in the /28 I can't reach from that router unless it has a host entry in the routing table.


Does the ISP connection connect to the ASA and then to your router? I'm not getting a good picture of what your network looks like.

This subnet only allows for 14 hosts. What other devices do you have in this subnet?

Elton


Sent from Cisco Technical Support iPhone App

No, the ISP only connects to the 2800 router. We use this subnet to NAT private addresses to our publicly available services, and one of those addresses also for our internet traffic.

   x.x.x.66/28   x.x.x.65/28
ASA=============2800=============ISP
                   x.x.y.190/30   x.x.y.189/30

Gateway of last resort is y.y.y.189 to network 0.0.0.0

     x.0.0.0/8 is variably subnetted, 14 subnets, 3 masks
C       x.x.y.188/30 is directly connected, FastEthernet0/1
S       x.x.x.76/32 [1/0] via x.x.x.66
S       x.x.x.77/32 [1/0] via x.x.x.66
S       x.x.x.78/32 [1/0] via x.x.x.66
S       x.x.x.72/32 [1/0] via x.x.x.66
S       x.x.x.73/32 [1/0] via x.x.x.66
S       x.x.x.74/32 [1/0] via x.x.x.66
S       x.x.x.75/32 [1/0] via x.x.x.66
S       x.x.x.68/32 [1/0] via x.x.x.66
S       x.x.x.69/32 [1/0] via x.x.x.66
S       x.x.x.70/32 [1/0] via x.x.x.66
S       x.x.x.71/32 [1/0] via x.x.x.66
C       x.x.x.64/28 is directly connected, FastEthernet0/0
S       x.x.x.67/32 [1/0] via x.x.x.66
S*   0.0.0.0/0 [1/0] via x.x.y.189

Jeremy,

I'm having a hard time understanding what's going on. The x.x.x.64/28 sits between the wan side of the ASA and the internal side of the router, correct? I'm assuming that nat is happening on the ASA. I'm assuming that, for example .71, is a static route that points to the ASA and the ASA is natting that to a private address? If that's the case, are you saying that if you were to remove the static route to .71, you won't be able to pass traffic to .71 any longer?

Is there a way that you can run a debug in off hours? I would remove a static route for testing. Create an acl for that host:

access-list 101 permit ip any host x.x.x.71

Then debug on just this:

debug ip packet 101

Watch the traffic flow. You'll need to remove the static in order to get it to give you a true reading of what's going on. I don't see anything wrong as of yet, but the /32 will take precedence over the /28 that's directly connected even though their next hop is the same. So removing the static will shed some light while debugging the issue.

HTH,
John

*** Please rate all useful posts ***

John,

Yes, all your assumptions are correct. Here's more information: as of 12/28/12 this was working fine without these static routes, then for some reason at 10pm all traffic to the /28 stopped forwarding, except for the addresses assigned to the interfaces of the ASA and the router. My first guess that something on this router was wrong was when I did a show ip arp and got this:

Router#show ip arp
Protocol Address         Age (min) Hardware Addr   Type   Interface
Internet x.x.56.189           1   000e.843b.e540 ARPA   FastEthernet0/1
Internet x.x.56.190          -   0023.33ed.297b ARPA   FastEthernet0/1
Internet x.x.62.65           -   0023.33ed.297a ARPA   FastEthernet0/0
Internet x.x.62.66           1   0023.044b.62da ARPA   FastEthernet0/0
Internet x.x.62.67           0   Incomplete     ARPA
Internet x.x.62.69           0   Incomplete     ARPA
Internet x.x.62.70           0   Incomplete     ARPA
Internet x.x.62.72           0   Incomplete     ARPA
Internet x.x.62.73           0   Incomplete     ARPA
Internet x.x.62.74           0   Incomplete     ARPA
Internet x.x.62.75           0   Incomplete     ARPA
Internet x.x.62.77           0   Incomplete     ARPA

I'll see if we have any addresses that aren't used in that space and do a debug on it to see what happens. Unfortunately, we're a 24/7 shop and getting an outage window here is like pulling teeth.

Also, take a look at this doc since you have incomplete ARP entries.

https://supportforums.cisco.com/docs/DOC-2094

HTH

I agree with Reza. The router doesn't seem to be getting ARP responses back. Has anything changed on the switch that this is connected to, or do you have it directly connected to the ASA? You could clear the current ARP entries and then debug arp to see if it's sending an ARP request when trying to resolve these addresses. You could also try clearing ARP on the switch to see if it helps.

Sent from Cisco Technical Support iPhone App

HTH, John *** Please rate all useful posts ***
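
The forwarding behaviour discussed in the posts above (a /32 static winning over the connected /28, and ARP staying Incomplete for every address except .66), as an added example that is not part of any post in this thread. The addresses are constructed documentation-range stand-ins for the masked ones, the function names are hypothetical, and the model is a simplification of what the router does:

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread:
# 203.0.113.64/28 plays x.x.62.64/28, 198.51.100.188/30 plays x.x.56.188/30.
ROUTES = [  # (prefix, kind, next hop; None for a connected network)
    ("203.0.113.64/28", "connected", None),
    ("198.51.100.188/30", "connected", None),
    ("203.0.113.71/32", "static", "203.0.113.66"),
    ("0.0.0.0/0", "static", "198.51.100.189"),
]
ARP = {  # address -> MAC; None models an "Incomplete" entry
    "203.0.113.65": "0023.33ed.297a",
    "203.0.113.66": "0023.044b.62da",
    "203.0.113.70": None,
    "203.0.113.71": None,
    "198.51.100.189": "000e.843b.e540",
}

def lookup(dst, routes):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, kind, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, nh)
    return best

def forward(dst, routes=ROUTES, arp=ARP):
    """Return (matched prefix, address the router must ARP for, deliverable?)."""
    net, kind, nh = lookup(dst, routes)
    # Connected route: ARP for the destination itself.
    # Static route: ARP only for the next hop (assumed to be on a connected net).
    arp_target = dst if kind == "connected" else nh
    return str(net), arp_target, arp.get(arp_target) is not None

def without_static(prefix):
    """Routing table with one static removed, as in the suggested off-hours test."""
    return [r for r in ROUTES if r[0] != prefix]

if __name__ == "__main__":
    for dst in ("203.0.113.71", "203.0.113.70", "192.0.2.10"):
        print(dst, forward(dst))
    print("no /32:", forward("203.0.113.71", routes=without_static("203.0.113.71/32")))
```

With the /32 in place the router only ever needs the MAC of .66, which it has; once the static is removed the lookup falls back to the connected /28 and depends on an ARP reply for .71 itself.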

Reza - thanks, but I took a look at that document before I posted.

John - the ASA is directly connected to the 2800. To the best of my knowledge nothing has changed.

I would try a reload. What IOS version is the router running?

Sent from Cisco Technical Support iPhone App

HTH, John *** Please rate all useful posts ***

Tried a reload the day the issue started; the same thing was happening after. The IOS version is:

c2801-entbasek9-mz.124-24.T7.bin

Can you post your config masking public information?

HTH,
John

*** Please rate all useful posts ***

Building configuration...

Current configuration : 5547 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c2801-entbasek9-mz.124-24.T7.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 8192
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
ip vrf Internet
rd 10:10
!
!
!
ip cef
no ip domain lookup
ip domain name company.com
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1918729234
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1918729234
!
        quit
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxx.
username xxxxx secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
class-map match-any All_Traffic
match any
!
!
policy-map Traffic_Shape_50mb
class All_Traffic
    shape average 50000000
policy-map Traffic_Shape
class All_Traffic
    shape average 20000000
!
!
!
!
interface FastEthernet0/0
description TO FIREWALL
ip address x.x.62.65 255.255.255.240
ip flow ingress
ip policy route-map ISP
duplex auto
speed auto
!
interface FastEthernet0/1
description TO ISP1
ip address x.x.56.190 255.255.255.252
ip flow ingress
speed 100
full-duplex
!
interface FastEthernet0/3/0
description TO ISP2
ip address y.y.23.6 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/1
description TO ISP3
ip address z.z.141.2 255.255.255.224
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.56.189
ip route x.x.62.64 255.255.255.240 x.x.62.66
ip route x.x.62.67 255.255.255.255 x.x.62.66
ip route x.x.62.68 255.255.255.255 x.x.62.66
ip route x.x.62.69 255.255.255.255 x.x.62.66
ip route x.x.62.70 255.255.255.255 x.x.62.66
ip route x.x.62.71 255.255.255.255 x.x.62.66
ip route x.x.62.72 255.255.255.255 x.x.62.66
ip route x.x.62.73 255.255.255.255 x.x.62.66
ip route x.x.62.74 255.255.255.255 x.x.62.66
ip route x.x.62.75 255.255.255.255 x.x.62.66
ip route x.x.62.76 255.255.255.255 x.x.62.66
ip route x.x.62.77 255.255.255.255 x.x.62.66
ip route x.x.62.78 255.255.255.255 x.x.62.66
ip route y.y.23.11 255.255.255.255 x.x.62.66
ip route y.y.23.16 255.255.255.255 x.x.62.66
ip route y.y.23.17 255.255.255.255 x.x.62.66
ip route y.y.23.18 255.255.255.255 x.x.62.66
ip route y.y.23.27 255.255.255.255 x.x.62.66
ip route y.y.23.69 255.255.255.255 x.x.62.66
ip route y.y.23.100 255.255.255.255 x.x.62.66
ip route y.y.23.111 255.255.255.255 x.x.62.66
ip route y.y.23.126 255.255.255.255 x.x.62.66
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination x.x.62.69 2055
!
!
!
access-list 1 permit x.x.62.64 0.0.0.15
access-list 2 permit y.y.23.0 0.0.0.255
access-list 3 permit z.z.141.0 0.0.0.31
access-list 20 remark SNMP
access-list 20 permit x.x.62.69
access-list 20 permit y.y.23.0 0.0.0.255
access-list 24 permit x.x.0.155
access-list 24 remark TELNET ACCESS
access-list 24 permit x.x.62.64 0.0.0.15
access-list 24 permit y.y.23.0 0.0.0.255
access-list 24 permit z.z.141.0 0.0.0.31
route-map ISP permit 10
match ip address 1
set ip next-hop x.x.56.189
!
route-map ISP permit 20
match ip address 2
set ip next-hop y.y.23.1
!
route-map ISP permit 30
match ip address 3
set ip next-hop z.z.141.1
!
!
snmp-server community xxxxxx RO 20
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 24 in
exec-timeout 0 0
privilege level 15
transport input ssh
line vty 5 15
access-class 24 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
end
