snowdogdb

join:2010-06-30
San Jose, CA

[Config] Unable to ping through OSPF neighbor router

Hello - I'm hoping someone can help me with a routing issue.

I have two sites connected via an ethernet point-to-point.
Both routers are running OSPF. Each router has an Internet connection, and LAN connection, and the point-to-point to the other.
From each router I can ping its neighbor's LAN IP, but I can't ping anything on the LAN itself. For example, from ROUTERA I can ping 10.20.21.253 but not 10.20.21.1, but from ROUTERB I can ping 10.20.21.1.
If I can ping the neighbor router's LAN interface, why can't I ping anything else on that LAN subnet?
I figure I'm missing something obvious. Couldn't be NAT messing this up could it?
Please help

Here are the configs...

hostname routera_inet
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login vpn_xauth local
aaa authorization network vpn_group local
!
aaa session-id common
!
clock timezone CDT -5
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name routera_inet.xxxx.com
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3767145656
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3767145656
revocation-check none
rsakeypair TP-self-signed-3767145656
!
!
crypto pki certificate chain TP-self-signed-3767145656
certificate self-signed 01
3082025D > 04050030
quit

license udi pid CISCO1941/K9 sn xxxxxx
!
username xxxx privilege 15 password 0 xxxxx
username xxxx password 0 xxxxx
!
redundancy
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxx
key xxxxx
pool xxxx
acl 120
netmask 255.255.255.0
crypto isakmp profile xxxxx
match identity group xxxxx
client authentication list vpn_xauth
isakmp authorization list vpn_group
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sxxxx
!
interface GigabitEthernet0/0
description ROUTERA LAN Interface
ip address 10.20.22.253 255.255.255.0
ip nat inside
ip inspect ethernetin in
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description Process Network
encapsulation dot1Q 10
ip address 10.20.220.253 255.255.255.0
ip access-group 101 in
ip inspect ethernetin in
!
interface GigabitEthernet0/1
description Point-to-Point Link to ROUTERB
ip address 10.250.0.113 255.255.255.240
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no clock rate 2000000
!
interface FastEthernet0/1/0
description Internet Connection
ip address xx.xx.xx.xx 255.255.255.248
ip access-group 112 in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
!
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile profile1
!
!
router ospf 1
router-id 10.20.22.253
log-adjacency-changes
redistribute connected
network 10.20.22.0 0.0.0.255 area 0
network 10.250.0.112 0.0.0.15 area 0
default-information originate always metric 100
!
ip local pool xxxx 10.20.220.240 10.20.220.245
ip default-gateway 10.20.22.1
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool proc-nat-pool xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.248
ip nat inside source list 1 pool proc-nat-pool overload
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip route 10.20.1.0 255.255.255.0 10.20.22.1
!
access-list 1 permit 10.20.22.0 0.0.0.255
access-list 101 permit ip any any
access-list 112 permit ip any any
access-list 120 permit ip 10.20.220.0 0.0.0.255 10.20.220.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server pool.ntp.org
end

==============================
hostname routera_inet
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
!
clock timezone CDT -5
!
no ipv6 cef
no ip source-route
ip cef

!
ip domain name routera_inet.xxxx.com
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
!
multilink bundle-name authenticated
!
license udi pid CISCO1941/K9 sn xxxxxx
!
username xxxx privilege 15 password 0 xxxxx
!
!
redundancy
!
interface GigabitEthernet0/0
description ROUTERB LAN Interface
ip address 10.20.21.253 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect ethernetin in
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Point-to-Point Link to ROUTERA
ip address 10.250.0.126 255.255.255.240
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no clock rate 2000000
!
interface FastEthernet0/1/0
ip address xx.xx.xx.xx 255.255.255.248
ip access-group 112 in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
!
router ospf 1
router-id 10.20.21.253
log-adjacency-changes
redistribute connected
network 10.20.21.0 0.0.0.255 area 0
network 10.250.0.112 0.0.0.15 area 0
!
ip default-gateway 10.20.21.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool xxxxx xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.0
ip nat inside source list 1 pool xxxxx overload
ip route 0.0.0.0 0.0.0.0 74.212.188.161
ip route 10.20.1.0 255.255.255.0 10.20.21.1
!
access-list 1 permit 10.20.21.0 0.0.0.255
access-list 101 permit ip any any
access-list 112 permit ip any any
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end


HELLFIRE
Premium
join:2009-11-25
kudos:15

You may want to diagram this out to understand better what it is you
want to do. I did a rough sketch, and for starters I'm wondering why
you put a static route on routera to 10.20.22.1 when it's not in the
config of your routerb. Likewise, routerb has a static to 10.20.21.1
but it's not in the config of routera. What was the intent of this?

You may also want to do a "show ip ospf neighbor" on both routers.
Something tells me they don't even have an OSPF neighbor relationship,
and if they don't then you have to rethink your config.

Regards


snowdogdb

join:2010-06-30
San Jose, CA

Thanks for taking a look!
Attached is a rough diagram.
The static route to 10.20.1.x is for the datacenter out through MPLS. The 10.20.22.1 and 10.20.21.1 are the MPLS routers at each site.
The MPLS routers are managed by the provider and once I get OSPF working between the sites, I will request that they add OSPF to the MPLS router so the point-to-point to the sister site can be a backup path to the datacenter.

Here's the ping, OSPF, and show route info:
routera_inet#ping 10.250.0.126

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.0.126, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms
routera_inet#ping 10.20.21.253

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.21.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms
routera_inet#ping 10.20.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.21.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
routera_inet#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.20.21.253 1 FULL/DR 00:00:33 10.250.0.126 GigabitEthernet0/1
routera_inet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 74.212.188.161 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 74.212.188.161
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
S 10.20.1.0/24 [1/0] via 10.20.22.1
O 10.20.21.0/24 [110/2] via 10.250.0.126, 1d12h, GigabitEthernet0/1
C 10.20.22.0/24 is directly connected, GigabitEthernet0/0
L 10.20.22.253/32 is directly connected, GigabitEthernet0/0
C 10.20.220.0/24 is directly connected, GigabitEthernet0/0.10
L 10.20.220.253/32 is directly connected, GigabitEthernet0/0.10
C 10.250.0.112/28 is directly connected, GigabitEthernet0/1
L 10.250.0.113/32 is directly connected, GigabitEthernet0/1
74.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 74.212.188.160/29 is directly connected, FastEthernet0/1/0
L 74.212.188.162/32 is directly connected, FastEthernet0/1/0

subnetzero

join:2010-07-01
Hollywood, FL
reply to snowdogdb

use eigrp



phantasm11b
Premium
join:2007-11-02

said by subnetzero:

use eigrp
Why?

HELLFIRE
Premium
join:2009-11-25
kudos:15
reply to snowdogdb

Thanks for the output snowdogdb. Looks like the two routers are
forming an OSPF adjacency, and routera knows about the 10.20.21.253
network via OSPF as expected.

Something else I'm thinking about, since the 10.20.21.1 and 10.20.21.1
routes are static, you may need to do a "redist static" in your ospf
statements to get the routers to share that information.

Regards


snowdogdb

join:2010-06-30
San Jose, CA

The issue is resolved!
Well, mostly resolved.

Turned out that the devices on the LAN had the MPLS router as their default GW. The MPLS router (not yet being in OSPF with the Internet router) did not know how to get back to the P2P subnet (10.250.0.112), and would prefer its BGP route for the sister site's subnet. Ugh! It never fails; the hardest problems to resolve end up being bone-head simple.

So I went ahead and had the service provider enable OSPF on the MPLS router and add a static for the P2P subnet. But it still would prefer BGP for Internet (default) traffic. This is because BGP has a significantly lower administrative distance than OSPF. So I then had them add the following to BGP:

network 0.0.0.0 backdoor
This effectively raised the AD for the BGP default route to 200, and the MPLS router then correctly routed Internet traffic through the Internet router. It will still route Internet traffic through MPLS if the default route from the Internet router goes away (i.e. the Inet link goes down).

This still left me with the problem of getting the MPLS router to prefer the P2P for traffic to the sister site. We tried a
network 10.20.22.0 backdoor
command, but the backdoor directive is made for default routes and I don't think it is classless.
Any suggestions on how I tell the MPLS router to prefer the OSPF route over a BGP route as long as the route from OSPF is there?
I don't want to do a static because it doesn't fail-over/fail-back.
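
To make the administrative-distance behaviour described above concrete, here is an added Python model of the site-B MPLS router's route selection; it is not code from the thread or from any vendor. The routes, the next-hop names, and the exact effect of backdoor (the BGP default demoted to AD 200) are assumptions taken from the post, not from a real router.

```python
import ipaddress

# Cisco IOS administrative distances; lower wins once prefix length ties.
AD = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110}
BACKDOOR_AD = 200  # what 'network 0.0.0.0 backdoor' did to the BGP default in the thread

class Rib:
    """Toy routing table: longest prefix match first, then lowest AD."""
    def __init__(self):
        self.routes = []        # (network, source, next_hop)
        self.backdoors = set()  # prefixes flagged with 'backdoor'
    def add(self, prefix, source, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), source, next_hop))
    def withdraw(self, prefix, source):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if (r[0], r[1]) != (net, source)]
    def backdoor(self, prefix):
        self.backdoors.add(ipaddress.ip_network(prefix))
    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in r[0]]
        if not cands:
            return None
        def ad(r):  # an eBGP prefix flagged 'backdoor' is demoted to AD 200 (assumed)
            return BACKDOOR_AD if r[1] == "ebgp" and r[0] in self.backdoors else AD[r[1]]
        _, source, nh = min(cands, key=lambda r: (-r[0].prefixlen, ad(r)))
        return source, nh

def walk_through():
    """Replay the site-B MPLS router's table as the thread describes it (constructed)."""
    rib, steps = Rib(), {}
    rib.add("0.0.0.0/0", "ebgp", "mpls-cloud")       # provider's BGP default
    rib.add("10.20.22.0/24", "ebgp", "mpls-cloud")   # sister site learned over MPLS
    # 1. Original fault: replies to routera's P2P address follow the BGP default.
    steps["p2p_before"] = rib.lookup("10.250.0.113")
    rib.add("10.250.0.112/28", "static", "10.20.21.253")
    steps["p2p_after_static"] = rib.lookup("10.250.0.113")
    # 2. OSPF enabled: Internet router offers a default, but eBGP (AD 20) still wins.
    rib.add("0.0.0.0/0", "ospf", "10.20.21.253")
    rib.add("10.20.22.0/24", "ospf", "10.20.21.253")
    steps["inet_before_backdoor"] = rib.lookup("8.8.8.8")
    # 3. 'network 0.0.0.0 backdoor': BGP default goes to AD 200, so OSPF (110) wins.
    rib.backdoor("0.0.0.0/0")
    steps["inet_after_backdoor"] = rib.lookup("8.8.8.8")
    # 4. Internet link down: OSPF default withdrawn, traffic falls back to MPLS.
    rib.withdraw("0.0.0.0/0", "ospf")
    steps["inet_failover"] = rib.lookup("8.8.8.8")
    # 5. Still open in the thread: the sister-site subnet keeps preferring eBGP.
    steps["sister_site"] = rib.lookup("10.20.22.10")
    return steps
```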

HELLFIRE
Premium
join:2009-11-25
kudos:15
reply to snowdogdb

I'm rather weak when it comes to routing protocols, so I can't make any suggestions. And it sounds
like there's a whole lot more involved than just two routers and the configs you've provided. At
this point you'd REALLY need to sit down and diagram / document your own gear and their configs,
and do the same thing with the provider's as well, and figure out EXACTLY what it is you want to
do so you don't introduce something in that you didn't intend.

Stuff like this I've learned long ago you don't do piecemeal unless you're looking to screw things
up royally at the worst possible times.

Regards


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to snowdogdb

I notice there is a design issue that you need to resolve.

Issue #1:
LAN devices' GW points to MPLS router

When you don't have R/W access to this MPLS router, it is in general a bad idea to have the LAN devices' GW point to that router. Since the LAN devices are within your control, the LAN devices' GW should also point to a network device that you control.

Issue #2:
Implementing network 0.0.0.0 backdoor

Such a solution is more of a bandage than a long-term one. Since your MPLS router is talking BGP and you have no R/W access to it, it is suggested that your routers (the ones that you control and have R/W access to) should also talk BGP to match.

I assume the following based on typical MPLS implementation

* Your MPLS provider assigns specific BGP AS # to the MPLS router
* The MPLS router talks eBGP to the MPLS cloud

Based on such an assumption, discuss with your MPLS provider doing BGP between the MPLS router and your routers. Since you want to have control of how traffic should flow, you want your own BGP AS # assigned to your routers.

Ask your MPLS provider which BGP AS # you can use for your routers to do eBGP between your routers and the MPLS router. Since the network would be a private one, your MPLS provider usually assigns you a private BGP AS #, although a public BGP AS # should work as well.

Once you have this BGP AS #, set up an eBGP peer between your routers and the MPLS router. Since you have an eBGP peer with a network that is not within your control, you may want to consider setting up a BGP community list between your routers and the MPLS router to ensure proper routing is in place.

Note that you keep using OSPF as the IGP within your BGP AS #. You will also need to design the combination of OSPF and BGP to ensure the traffic flows as you expect.