
routing problem

graham robinson
Level 1

I am a network engineer and have a problem with a LAN at work when I change the default gateway on any of the PCs. I am not sure if this problem is down to the Windows XP SP3 PCs or the Cisco 3750 switch they are connected to, so please bear with me.

The PCs are on subnet 10.181.1.0/24 with d/g 10.181.1.11 [this default gateway is a Checkpoint firewall]. With this config the routing table on each PC functions as expected [e.g. it stores a route to its own subnet [10.181.1.0/24] but no routes to other subnets [e.g. it won't store a route to 10.180.1.0/24, it will simply send traffic for this network to its default gateway]].

However, because of a network re-design I need to change the default gateway for this LAN to 10.181.1.254 [this IP is a VLAN interface on a c3750. I can telnet onto this VLAN interface so I believe the config on the switch is good]. The PCs connect to this switch, which connects to our firewalls. When I change the default gateway on the PCs something strange happens. The Windows routing table on each PC starts storing routes to the entire 10.0.0.0/8 network, even though the current config on the PC is still a /24 network [e.g. 10.181.1.21/24, d/g 10.181.1.254]. It's as if when I change the PC's default gateway the Windows routing table treats the 10.181.1.0/24 subnet as if it's a classful 10.0.0.0/8 network. The routes to these other network devices are stored as /32 [e.g. if I change the default gateway to 10.181.1.254, ping 10.180.1.1 from the PC then do a "route print" there is a route to 10.180.1.1/32 with a metric of 1 in the PC's routing table].

So what, right? I can still connect to these other networks, the PC is just using a route stored in its local routing table rather than sending the traffic to its default gateway. The problem is that we have a backup default gateway of 10.181.1.12 which we fail over to if the primary gateway goes down. When we test the failover to 10.181.1.12 the PCs are still sending non-local traffic to 10.181.1.11 [since they still have these routes stored locally in their Windows routing tables]. I want them to send the traffic to 10.181.1.254 [the layer 3 core switch, which then either routes traffic to 10.181.1.11 or .12, which are Checkpoint firewalls].

I have tried changing the default gateway to a whole range of IPs and the same problem occurs each time. I have rebooted each PC after changing its d/g and the problem remains the same. I have tried deleting all IP address information off the PC, then re-entering it with the new d/g, then rebooting the PC, but the problem remains the same.

So, to sum up, when I change the d/g of any PC on subnet 10.181.1.0/24, the PC's routing table starts storing routes in its local routing table to the classful 10.0.0.0/8 network, instead of just the classless 10.181.1.0/24 network.

Has anyone come across anything like this before? Any help would be much appreciated as I am tearing my hair out here.

7 Replies

Richard Burts
Hall of Fame

Graham

I have not experienced anything like this but have a couple of questions about it. Would it be possible to post the output of ipconfig and the output of route print for a PC with the Checkpoint as DG, and then change the DG to 254, access one or two devices, and then post the output of ipconfig and of route print?

HTH

Rick

Here is a copy of the output using the d/g=10.181.1.11 [checkpoint firewall]. Everything functions as expected [the PC stores a route to its local subnet only]:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.181.1.48
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.181.1.11

C:\Documents and Settings\admin>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 01 80 7a 07 5c ...... Intel(R) 82577LM Gigabit Network Connection - Pa
cket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.181.1.11     10.181.1.48       20
       10.181.1.0    255.255.255.0      10.181.1.48     10.181.1.48       20
      10.181.1.48  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     199.7.48.190  255.255.255.255      10.181.1.11     10.181.1.48       1
        224.0.0.0        240.0.0.0      10.181.1.48     10.181.1.48       20
  255.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       1
Default Gateway:       10.181.1.11
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\admin>ping 10.180.7.1

Pinging 10.180.7.1 with 32 bytes of data:

Reply from 10.180.7.1: bytes=32 time=31ms TTL=253
Reply from 10.180.7.1: bytes=32 time=22ms TTL=253
Reply from 10.180.7.1: bytes=32 time=30ms TTL=253
Reply from 10.180.7.1: bytes=32 time=22ms TTL=253

Ping statistics for 10.180.7.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 31ms, Average = 26ms

C:\Documents and Settings\admin>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 01 80 7a 07 5c ...... Intel(R) 82577LM Gigabit Network Connection - Pa
cket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.181.1.11     10.181.1.48       20
       10.181.1.0    255.255.255.0      10.181.1.48     10.181.1.48       20
      10.181.1.48  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     199.7.48.190  255.255.255.255      10.181.1.11     10.181.1.48       1
        224.0.0.0        240.0.0.0      10.181.1.48     10.181.1.48       20
  255.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       1
Default Gateway:       10.181.1.11
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\admin>

graham robinson
Level 1

And here is a copy of the output once the d/g=10.171.1.254 [c3750 switch].  You can see that once I have pinged a host in another subnet the PC has stored a route to it in its local routing table:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.181.1.48
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.181.1.254

C:\Documents and Settings\admin>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 01 80 7a 07 5c ...... Intel(R) 82577LM Gigabit Network Connection - Pa
cket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.181.1.254     10.181.1.48       20
       10.181.1.0    255.255.255.0      10.181.1.48     10.181.1.48       20
      10.181.1.48  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     199.7.48.190  255.255.255.255      10.181.1.11     10.181.1.48       1
        224.0.0.0        240.0.0.0      10.181.1.48     10.181.1.48       20
  255.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       1
Default Gateway:      10.181.1.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\admin>ping 10.180.7.1

Pinging 10.180.7.1 with 32 bytes of data:

Reply from 10.180.7.1: bytes=32 time=27ms TTL=253
Reply from 10.180.7.1: bytes=32 time=23ms TTL=253
Reply from 10.180.7.1: bytes=32 time=27ms TTL=253
Reply from 10.180.7.1: bytes=32 time=22ms TTL=253

Ping statistics for 10.180.7.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 27ms, Average = 24ms

C:\Documents and Settings\admin>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 01 80 7a 07 5c ...... Intel(R) 82577LM Gigabit Network Connection - Pa
cket Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.181.1.254     10.181.1.48       20
       10.180.7.1  255.255.255.255      10.181.1.11     10.181.1.48       1
       10.181.1.0    255.255.255.0      10.181.1.48     10.181.1.48       20
      10.181.1.48  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     199.7.48.190  255.255.255.255      10.181.1.11     10.181.1.48       1
        224.0.0.0        240.0.0.0      10.181.1.48     10.181.1.48       20
  255.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       1
Default Gateway:      10.181.1.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\admin>

Hi

If you look at the 3750, where does it route the 10.180.7.1?

I am thinking this could be an ICMP redirect that sets up the route to the router 10.181.1.11 for the 10.180.7.1.

You can read more about it here.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml

Good luck

HTH

Graham

Thank you for the output that I requested. It is quite helpful.

Hobbe

Congratulations. You beat me to it.

I am pretty convinced that it is an issue with redirect. Especially in looking at the extra route in the route print info that Graham posted:

   10.180.7.1  255.255.255.255      10.181.1.11     10.181.1.48       1

Note that the gateway for this router is 10.181.1.11 and not 10.181.1.254.

Graham

Can you confirm that the switch is going to forward these packets on to the firewall? In which case a redirect is quite appropriate.

If you want to make the effort to verify this, you might do a packet capture (Wireshark or whatever you like) on the PC and look for the redirects. Or you could go onto the switch and enable debug for ICMP.

I would suggest configuring the switch VLAN interface with no ip redirect. This should resolve the problem.

HTH

Rick

Hi, you guys were correct, this was down to ip redirect. I simply had to use the "no ip redirect" command on the vlan interface and it solved the problem. Thanks a lot for your help, it was a real life saver!
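The symptom diagnosed in this thread, a /32 host route whose gateway is not the configured default gateway, can be checked for mechanically in saved `route print` output. The following Python sketch is an added example, not code from any poster in the thread; the function names are hypothetical and the sample rows are copied from the last route table posted above.

```python
import ipaddress

# "Active Routes" rows copied from the thread's last route print
# (default gateway 10.181.1.254, taken after the ping to 10.180.7.1).
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.181.1.254     10.181.1.48       20
       10.180.7.1  255.255.255.255      10.181.1.11     10.181.1.48       1
       10.181.1.0    255.255.255.0      10.181.1.48     10.181.1.48       20
      10.181.1.48  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     199.7.48.190  255.255.255.255      10.181.1.11     10.181.1.48       1
        224.0.0.0        240.0.0.0      10.181.1.48     10.181.1.48       20
  255.255.255.255  255.255.255.255      10.181.1.48     10.181.1.48       1
Default Gateway:      10.181.1.254
"""
HOST_MASK = ipaddress.IPv4Address("255.255.255.255")

def parse_routes(text):
    """Return (dest, mask, gateway, interface, metric) for each route row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:            # headers, separators, summary lines
            continue
        try:
            addrs = [ipaddress.IPv4Address(p) for p in parts[:4]]
            rows.append((*addrs, int(parts[4])))
        except ValueError:             # not four IPv4 addresses plus a metric
            continue
    return rows

def suspicious_host_routes(text):
    """List (destination, gateway) for /32 routes via a non-default gateway."""
    rows = parse_routes(text)
    defaults = {gw for dest, mask, gw, _, _ in rows
                if int(dest) == 0 and int(mask) == 0}
    local = {iface for _, _, _, iface, _ in rows}   # the host's own addresses
    hits = []
    for dest, mask, gw, _, _ in rows:
        if mask != HOST_MASK or gw.is_loopback or gw in local:
            continue                   # not a host route, or an on-link entry
        if gw not in defaults:
            hits.append((str(dest), str(gw)))
    return hits

if __name__ == "__main__":
    for dest, gw in suspicious_host_routes(SAMPLE):
        print(f"host route {dest} via {gw} bypasses the default gateway")
```

On the thread's table it reports both 10.180.7.1 and 199.7.48.190 via 10.181.1.11. A deliberately added static host route is reported the same way, so treat each hit as a lead to confirm with a packet capture on the PC.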

Graham

I am glad that you have resolved the problem and that our suggestions pointed the way to the solution.

Thanks for posting back to the forum indicating that the problem was solved and how you solved it. It makes the forum more useful when people can read about a problem and can then read what the problem turned out to be and what solved the problem. You have contributed to that process.

And +5 to Hobbe for being the first one to post about the ip redirect.

HTH

Rick