Q - Why can't I ping a particular IP over the 'net?

aquilla Member Posts: 148
Hi Guys,

I'm trying to troubleshoot an issue in work and I've hit a wall. We have a client with several locations around the UK. Every location has a Draytek 2710 router and a Cisco ASA5505 on site which we support (there is other equipment connected but we only look after the router & ASA). The router is connected to a standard BT Broadband line and the site is allocated a /29.

About a week ago, our monitoring server was unable to reach one site (router and ASA). We went through the usual troubleshooting (lights on the router, reboots etc), BT confirmed the router was logged in and authenticated however we couldn't "see it" or the ASA. Replacement Draytek was sent out but the same problem.

We have a /26 range at work (x.x.x.192/26). On Sunday I did some further digging and found I could ping, telnet and web browse to the Draytek from my workstation (which is NAT'd to x.x.x.252 on our ASA). I can't reach the ASA at site though.

From the Draytek on site, I can ping the outside address of our ASA and the outside IP (x.x.x.195) that is NAT'd to our monitoring server.

I sent traceroutes to BT as the traceroute from us dies at the hop just before the Draytek. BT said there was nothing wrong with the traceroute and it was a security / access-list problem on our equipment. The Draytek is configured to allow access from x.x.x.192/26 and this matches other sites.

Here's a copy of the traceroutes - Traceroute from Draytek (81.x.x.70) to our monitoring server (x.x.x.195): ===== - Pastebin.com

Can anyone offer any advice? I don't think it's an access-list / security issue as I can access the Draytek (but not the ASA, although the Draytek can ping the ASA on its public IP) from my PC which is NAT'd to an IP in the range allowed in the access list. BT are saying there's nothing wrong on their side.
Regards,

CCNA R&S; CCNP R&S

Comments

  • demonfurbie Member Posts: 1,819
    Ping the last thing that you can see on the traceroute and see what the TTL is on that packet.

    Also try a pathping and see if that gives you more info.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • aquilla Member Posts: 148
    I'm not in work at the moment so I have to RDP in to a server.

    Ping shows the TTL is 245 at the last hop that responds.

    U:\>ping 213.120.182.145

    Pinging 213.120.182.145 with 32 bytes of data:
    Reply from 213.120.182.145: bytes=32 time=11ms TTL=245
    Reply from 213.120.182.145: bytes=32 time=10ms TTL=245
    Reply from 213.120.182.145: bytes=32 time=10ms TTL=245
    Reply from 213.120.182.145: bytes=32 time=10ms TTL=245

    Ping statistics for 213.120.182.145:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 11ms, Average = 10ms


    Pathping shows 100% successful replies from all hops that respond.
    Regards,

    CCNA R&S; CCNP R&S
  • demonfurbie Member Posts: 1,819
    Last I checked, max TTL was 255 and you're already at 245 with about 10 hops to go. I don't think it will make it.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • cisco_trooper Member Posts: 1,441
    TTL decrements... There is plenty of TTL left.
  • aquilla Member Posts: 148
    ... and just like that both devices start replying to ICMP ping again in the middle of the night when queried by our monitoring server! Weird.

    Nobody is working on the devices and no config changes were made. I suspect BT suddenly found something and corrected it - although they will never admit to it. :)
    Regards,

    CCNA R&S; CCNP R&S
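
An added example, not part of the thread: the TTL printed by ping is what remains on the reply after each router on the return path has decremented it, so it can be turned into a return-path hop estimate. This Python sketch parses Windows ping output such as the one posted above and assumes the responder started from one of the common initial TTLs (32, 64, 128, 255); the function names are made up for this illustration.

```python
import re

# Initial TTLs commonly set by IP stacks (assumption: the responder uses one of them).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Matches one reply line of Windows ping output.
REPLY_RE = re.compile(
    r"Reply from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"bytes=\d+ time[=<]\d+ms TTL=(?P<ttl>\d+)"
)

def infer_initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed value."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    return next(t for t in COMMON_INITIAL_TTLS if observed <= t)

def analyse_ping(output):
    """Return {ip: summary} for every host that replied in the ping output."""
    ttls_by_ip = {}
    for m in REPLY_RE.finditer(output):
        ttls_by_ip.setdefault(m["ip"], []).append(int(m["ttl"]))
    summary = {}
    for ip, ttls in ttls_by_ip.items():
        initial = infer_initial_ttl(min(ttls))
        summary[ip] = {
            "observed": sorted(set(ttls)),
            "initial_guess": initial,
            # Routers that decremented the reply on its way back to us.
            "return_hops": initial - min(ttls),
            # A TTL that changes between replies points at a changing return path.
            "stable_path": len(set(ttls)) == 1,
        }
    return summary

# Reply lines copied from the ping output posted in the thread.
SAMPLE = """\
Pinging 213.120.182.145 with 32 bytes of data:
Reply from 213.120.182.145: bytes=32 time=11ms TTL=245
Reply from 213.120.182.145: bytes=32 time=10ms TTL=245
Reply from 213.120.182.145: bytes=32 time=10ms TTL=245
Reply from 213.120.182.145: bytes=32 time=10ms TTL=245
"""

if __name__ == "__main__":
    for ip, info in analyse_ping(SAMPLE).items():
        print(ip, info)
```

The estimate covers only the path the reply took back to the pinging host; the forward path can differ.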