03-15-2012 07:31 AM - edited 03-07-2019 05:35 AM
Hi all,
We have a hub and spoke network with all spoke routers connecting to two hubs (for redundancy) over Tunnel0 and Tunnel1.
Each hub is connected to one another via a common switch.
Hub 1's Tunnel IP is 10.10.200.1 /24
Hub 2's Tunnel IP is 10.10.201.1 /24
We have our Cisco Secure ACS server (IP 172.18.120.230/24) connecting to the same common switch (Layer 3 stack) between the 2 hubs.
Each hub can ping the IP address of this server and knows it via the interface connecting to the switch.
On the spoke side, a show ip eigrp topology identifies Hub on Tunnel0 to be the successor and Tunnel1 to be the Feasible Successor to network 172.18.120.0/24
Also on the spoke side, a show ip route 172.18.120.230 returns that it has a route to this host via Tunnel0 which validates the previous statement.
Now here is the problem. I can't ping 172.18.120.230 from the spoke router. I tried to source the ping from Tunnel0 and Tunnel1 but it still fails.
I CAN ping 172.18.120.230 from each hub without any issues.
There are no filters or ACLs in place on the hubs or the spoke that would block this connection.
Sometimes it works, though, and I can ping without any issues. Also, this is not the case with every spoke; from some of them I CAN successfully ping the host without any issues.
Below is a capture of the configuration from spoke side and ping from both hubs. I would really appreciate any help anyone can provide.
r-exp-lab-1#sh ip route 172.18.120.230
Routing entry for 172.18.120.0/24
Known via "eigrp 1", distance 170, metric 2560256, type external
Redistributing via eigrp 1
Last update from 10.10.200.1 on Tunnel0, 21:18:24 ago
Routing Descriptor Blocks:
* 10.10.200.1, from 10.10.200.1, 21:18:24 ago, via Tunnel0
Route metric is 2560256, traffic share count is 1
Total delay is 50010 microseconds, minimum bandwidth is 2000 Kbit
Reliability 255/255, minimum MTU 1400 bytes
Loading 1/255, Hops 1
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#sh ip eigrp nei
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.10.200.1 Tu0 10 22:27:47 169 1014 0 244617
0 10.10.201.1 Tu1 14 22:27:49 14 138 0 49093
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#
r-exp-lab-1#sh ip eigrp top 172.18.120.0/24
EIGRP-IPv4 Topology Entry for AS(1)/ID(1.1.1.150) for 172.18.120.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2560256
Descriptor Blocks:
10.10.200.1 (Tunnel0), from 10.10.200.1, Send flag is 0x0
Composite metric is (2560256/2816), route is External
Vector metric:
Minimum bandwidth is 2000 Kbit
Total delay is 50010 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1400
Hop count is 1
External data:
Originating router is 1.1.1.1
AS number of route is 0
External protocol is Static, external metric is 0
Administrator tag is 0 (0x00000000)
10.10.201.1 (Tunnel1), from 10.10.201.1, Send flag is 0x0
Composite metric is (3840256/2816), route is External
Vector metric:
Minimum bandwidth is 1000 Kbit
Total delay is 50010 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1400
Hop count is 1
External data:
Originating router is 1.1.1.2
AS number of route is 0
External protocol is Static, external metric is 0
Administrator tag is 0 (0x00000000)
r-exp-lab-1#ping
Protocol [ip]:
Target IP address: 172.18.120.230
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Tunnel0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
Packet sent with a source address of 10.10.200.150
.....
Success rate is 0 percent (0/5)
r-exp-lab-1#
r-exp-lab-1#ping
Protocol [ip]:
Target IP address: 172.18.120.230
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Tunnel1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
Packet sent with a source address of 10.10.201.150
.....
Success rate is 0 percent (0/5)
R-HUB-1#ping 172.18.120.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R-HUB-2#ping 172.18.120.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.120.230, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R-Q9-2#
03-15-2012 10:43 AM
Hi,
You did your extended ping sourcing from Tunnel1, but in the RIB it is installed via Tunnel0; a feasible successor is not installed in the RIB unless the successor fails. What is happening when sourcing from Tunnel0?
Regards.
Alain
03-16-2012 06:16 AM
Hi Alain, I just wanted to show from Tunnel1 for comparison. I have posted an extended ping output from Tunnel0 just above that.
03-19-2012 06:10 AM
Anybody?
03-19-2012 07:05 AM
If you use a static route at the spoke, does it work? The routing part is unexplainable and I cannot see why it is not working, unless there is an ACL or filter, which you have said you don't have.
03-23-2012 11:01 AM
Hi Mandlenkosi, if I use a static route at the spoke it works. Yea it's strange to me as well as it doesn't make any sense. No ACLs or Filters exist as I have checked it over and over again.
I have attached a screenshot of running continuous pings from one spoke to another. It times out for a long time and then all of a sudden it starts to respond again.
03-23-2012 11:25 AM
Could this offer any clues? Below is an output from the Tunnel interface on my hub and spoke router. I am still new to this so I might be missing something.
Tunnel Interface on HUB side
interface Tunnel0
bandwidth 1000
ip address 10.10.201.1 255.255.255.0
no ip redirects
ip accounting output-packets
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication xxxx
ip nhrp map multicast dynamic
ip nhrp network-id 201
ip nhrp holdtime 600
no ip split-horizon eigrp 1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 201
tunnel protection ipsec profile IPSECPROF1
--------------------------------------------------
Tunnel interface on SPOKE side
interface Tunnel1
bandwidth 8000
ip address 10.10.201.24 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip hello-interval eigrp 1 60
ip hold-time eigrp 1 180
no ip next-hop-self eigrp 1
ip flow ingress
ip nhrp authentication xxxx
ip nhrp map multicast dynamic
ip nhrp map multicast xxx.xxx.xxx.xxx
ip nhrp map 10.10.201.1 xxx.xxx.xxx.xxx
ip nhrp network-id 201
ip nhrp holdtime 600
ip nhrp nhs 10.10.201.1
ip nhrp registration no-unique
ip tcp adjust-mss 1380
load-interval 30
delay 100
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 201
tunnel protection ipsec profile IPSECPROF1 shared
end