Banging my head against a wall. Calling route experts!

WastedYouth Member Posts: 9
Hello everyone. I have been a long time lurker here and decided the collective know-how of the intelligent people of this forum might be able to help me gain some sanity from this 3-day long lab headache I seem to have developed.

I am studying for my CCNA and decided packet tracer was not enough so I purchased a lab containing the following:

2 1760 routers
2 2950 switches
1 2511 access server

I think the problem all revolves around this 2511. I can ping from anywhere to everywhere WITHIN the network including THROUGH the 2511 as long as it's not going OUT past my modem. This is what I CAN'T ping:


FROM anywhere within my network TO an outside address
TO a workstation FROM the 2511. The 2511 can however ping all DGs and switches, just not the desktop or laptop.


This is also weird; I can ping outside addresses FROM the 2511, including unresolved hostnames. But if I try to ping those same addresses or HNs from ANYWHERE else, no go.

It's like the 2511 can't route packets from a serial interface to the ethernet interface. I can't ping the little belkin all in one WAP/switch/router from anywhere EXCEPT the 2511.


I set up overloaded PAT/NAT on my router and have tried plugging the 2511 directly into the modem and modifying the 2511's route table, but still no dice. I am fairly certain my subnetting and addressing is fine. I set up DHCP for R1 and I'm doing static on R2. Same exact situation for both of them.


I have attached the running configs and route tables at the bottom from all the routers, including my network diagram. Edit: Scratch that can't upload the txt file even though it's a "valid extension" so I will post it here. Man this is gonna be long.

If anyone is kind enough to analyze all this data and try to help me, I would be very grateful! My head... it....... hurts......


TS2511#sh run
Building configuration...


Current configuration : 1303 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TS2511
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip domain lookup source-interface Ethernet0
ip host R2 2002 10.10.10.10
ip host R1 2001 10.10.10.10
ip host S1 2003 10.10.10.10
ip host S2 2004 10.10.10.10
ip dhcp excluded-address 192.168.0.2
!
!
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
interface Ethernet0
ip address dhcp
ip nat outside
!
interface Serial0
ip address 192.168.3.2 255.255.255.252
ip nat inside
!
interface Serial1
ip address 192.168.4.2 255.255.255.252
ip nat inside
clock rate 9600
!
ip nat inside source list 1 interface Ethernet0 overload
ip http server
ip classless
ip route 10.0.0.0 255.0.0.0 10.97.112.1
ip route 192.168.0.0 255.255.255.240 192.168.3.1
ip route 192.168.0.16 255.255.255.240 192.168.4.1
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 192.168.0.0 0.0.0.240
banner exec ^CYou now have the one ring.
Tread carefully, for the eye is ever watchful.^C
banner motd ^C
THIS IS THE ONE RING TO RULE THEM ALL.
^C
!
line con 0
line 1 16
exec-timeout 12 0
no exec
transport input telnet
line aux 0
line vty 0 4
login
!
end




Gateway of last resort is 192.168.2.1 to network 0.0.0.0

192.168.4.0/30 is subnetted, 1 subnets
C 192.168.4.0 is directly connected, Serial1
10.0.0.0/32 is subnetted, 1 subnets
C 10.10.10.10 is directly connected, Loopback0
192.168.0.0/28 is subnetted, 2 subnets
S 192.168.0.0 [1/0] via 192.168.3.1
S 192.168.0.16 [1/0] via 192.168.4.1
C 192.168.2.0/24 is directly connected, Ethernet0
192.168.3.0/30 is subnetted, 1 subnets
C 192.168.3.0 is directly connected, Serial0
S* 0.0.0.0/0 [254/0] via 192.168.2.1
TS2511#




R1#sh run
Building configuration...


Current configuration : 1082 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.2
!
ip dhcp pool A
network 192.168.0.0 255.255.255.240
default-router 192.168.0.1
dns-server 8.8.8.8
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.240
speed auto
!
interface Serial0/0
ip address 192.168.3.1 255.255.255.252
no fair-queue
clock rate 9600
!
interface ATM1/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.3.2
ip route 192.168.0.16 255.255.255.240 192.168.3.2
ip route 192.168.4.0 255.255.255.252 192.168.3.2
!
no ip http server
no ip http secure-server
!
!
control-plane
!
banner motd ^Cottd ^Welco^C
!
line con 0
line aux 0
line vty 0 4
no login
transport input all
!
end


Gateway of last resort is 192.168.3.2 to network 0.0.0.0

192.168.4.0/30 is subnetted, 1 subnets
S 192.168.4.0 [1/0] via 192.168.3.2
192.168.0.0/28 is subnetted, 2 subnets
C 192.168.0.0 is directly connected, FastEthernet0/0
S 192.168.0.16 [1/0] via 192.168.3.2
192.168.3.0/30 is subnetted, 1 subnets
C 192.168.3.0 is directly connected, Serial0/0
S* 0.0.0.0/0 [1/0] via 192.168.3.2


R2#sh run
Building configuration...


Current configuration : 809 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.17 255.255.255.240
speed auto
!
interface Serial0/0
ip address 192.168.4.1 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.4.2
ip route 192.168.2.0 255.255.255.0 192.168.4.2
!
no ip http server
no ip http secure-server
!
!
control-plane
!
banner motd ^C
This is the bottom 1760 router. No touchy^C
!
line con 0
line aux 0
line vty 0 4
password telnet
login
transport input telnet ssh
transport output telnet ssh
!
end


R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.4.2 to network 0.0.0.0

192.168.4.0/30 is subnetted, 1 subnets
C 192.168.4.0 is directly connected, Serial0/0
192.168.0.0/28 is subnetted, 1 subnets
C 192.168.0.16 is directly connected, FastEthernet0/0
S 192.168.2.0/24 [1/0] via 192.168.4.2
S* 0.0.0.0/0 [1/0] via 192.168.4.2

Comments

  • NetworkVeteran Member Posts: 2,338
    TO a workstation FROM the 2511. The 2511 can however ping all DGs and switches, just not the desktop or laptop.
    You can ping: 2511-->R2--->S2
    You can't ping: 2511-->R2-->S2-->Laptop.

    1) Your CCNA course hopefully covered a nifty tool called traceroute that narrows down IP connectivity problems. Traceroute from the 2511 to the Laptop. ID the point of failure.

    2) Now see why packets are failing on that device. "debug ip icmp" will likely be illuminating. I'd also pay attention to the interface configs and routing table.

    3) Post what you learn from the above steps including output.

    A good debugging process is at least as important as your solution.
  • WastedYouth Member Posts: 9
    Thanks for the insightful suggestions. Yes traceroute is how I determined that the packets get to the inside interface of my 2511 router and then disappear when pinging out, I meant to post results. I completely forgot about ICMP debugging though, glad you brought that up. I'm only about halfway through studying for this exam so I'm no NetworkVeteran. Wish I was!

    Here are traceroute results on my desktop-->S1-->R1-->2511

    C:\Users\Blake>tracert 192.168.2.1


    Tracing route to 192.168.2.1 over a maximum of 30 h


    1 1 ms 1 ms 1 ms 192.168.0.1
    2 145 ms 145 ms 202 ms 192.168.3.2
    3 * * * Request timed out.
    4 * * * Request timed out.

    And here are the results on the 2511 with ICMP debugging turned on:

    TS2511#debug ip icmp
    ICMP packet debugging is on
    TS2511#
    *Mar 1 03:16:12.323: ICMP: time exceeded (time to live) sent to 192.168.0.3 (dest was 192.168.2.1)
    *Mar 1 03:16:12.467: ICMP: time exceeded (time to live) sent to 192.168.0.3 (dest was 192.168.2.1)
    *Mar 1 03:16:12.671: ICMP: time exceeded (time to live) sent to 192.168.0.3 (dest was 192.168.2.1)
    *Mar 1 03:16:24.807: ICMP: dst (192.168.3.2) port unreachable sent to 192.168.0.3
    *Mar 1 03:16:26.419: ICMP: dst (192.168.3.2) port unreachable sent to 192.168.0.3
    *Mar 1 03:16:27.867: ICMP: dst (192.168.3.2) port unreachable sent to 192.168.0.3



    I can't make much sense of this except that the necessary port to get to the destination is unreachable.

    Here is the routing table for the 2511 again. I clearly set up a default route pointing to the next hop which is 192.168.2.1, and it craps its pants when it tries to send any packets that do not originate from itself to that next hop.

    Gateway of last resort is 192.168.2.1 to network 0.0.0.0


    192.168.4.0/30 is subnetted, 1 subnets
    C 192.168.4.0 is directly connected, Serial1
    10.0.0.0/32 is subnetted, 1 subnets
    C 10.10.10.10 is directly connected, Loopback0
    192.168.0.0/28 is subnetted, 2 subnets
    S 192.168.0.0 [1/0] via 192.168.3.1
    S 192.168.0.16 [1/0] via 192.168.4.1
    C 192.168.2.0/24 is directly connected, Ethernet0
    192.168.3.0/30 is subnetted, 1 subnets
    C 192.168.3.0 is directly connected, Serial0
    S* 0.0.0.0/0 [254/0] via 192.168.2.1


    I'm pulling my hair out here. Thanks so much for your reply, it helped.
  • NetworkVeteran Member Posts: 2,338
    Blake wrote:
    The 2511 can however ping all DGs and switches, just not the desktop or laptop.
    You can ping: 2511-->R2--->S2
    You can't ping: 2511-->R2-->S2-->Laptop.
    Blake wrote:
    Here are traceroute results on my desktop-->S1-->R1-->2511

    Tracing route to 192.168.2.1 over a maximum of 30 h

    1 1 ms 1 ms 1 ms 192.168.0.1
    2 145 ms 145 ms 202 ms 192.168.3.2

    Per your diagram, IP 192.168.3.2 belongs to the 2511. My interpretation would be that connectivity between your desktop and the 2511 appears okay, but connectivity between your desktop and default gateway is broken.

    The 2511's "debug ip icmp" messages provide extra confirmation that it responded to the traceroute with ICMP messages. More importantly, I don't see any messages about the same time indicating it had problems forwarding packets to the default gateway.
    IOS wrote:
    *Mar 1 03:16:12.323: ICMP: time exceeded (time to live) sent to 192.168.0.3 (dest was 192.168.2.1)
    *Mar 1 03:16:12.467: ICMP: time exceeded (time to live) sent to 192.168.0.3 (dest was 192.168.2.1)
    *Mar 1 03:16:12.671: ICMP: time exceeded (time to live) sent to 192.168.0.3 (dest was 192.168.2.1)

    The 2511's routing table also confirms it has a route to the default gateway--
    IOS wrote:
    C 192.168.2.0/24 is directly connected, Ethernet0
    S* 0.0.0.0/0 [254/0] via 192.168.2.1

    Now it's time to check your default gateway. Since you can't run "debug ip icmp" on a Linksys router, let's cut to the chase and check its routing table.

    (Another good test would be to use extended ping. On the 2511, type "ping" by itself. Answer the questions, one-by-one, and choose the 2511's 192.168.3.2 interface as the source for the ping packets. The "debug ip icmp" output will be interesting!)
  • prtech Member Posts: 163
    NAT is not working properly. Check your access-list on the 2511. 0.0.0.240 is not a valid wildcard mask.
    If at first you do succeed, try something harder.
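
Added example (not from the thread): a Python check of what `access-list 1 permit 192.168.0.0 0.0.0.240` from the 2511 config matches, next to wildcards built by inverting a netmask. The laptop address 192.168.0.18 and the corrected masks 0.0.0.15 and 0.0.0.31 are assumptions; the thread does not say which value was finally configured.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def acl_permits(addr, base, wildcard):
    """IOS ACL match: wildcard bits set to 1 are ignored; every other
    bit of addr must equal the corresponding bit of base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def wildcard_for(netmask):
    """Wildcard that covers exactly one subnet: the inverted netmask."""
    return str(ipaddress.IPv4Address(~to_int(netmask) & 0xFFFFFFFF))

def is_contiguous(wildcard):
    """True when the 1-bits form a single run at the low end."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def matched(base, wildcard, hosts):
    """Hosts from the list that the ACL entry would permit."""
    return [h for h in hosts if acl_permits(h, base, wildcard)]

def addresses_matched_in_slash24(wildcard):
    """Every address in 192.168.0.0/24 that the entry permits."""
    net = ipaddress.ip_network("192.168.0.0/24")
    return [str(a) for a in net if acl_permits(str(a), ACL_BASE, wildcard)]

# Inside sources: 192.168.0.1, 192.168.0.3 (desktop) and 192.168.0.17 appear
# in the thread; 192.168.0.18 is a constructed address for the laptop.
INSIDE = ["192.168.0.1", "192.168.0.3", "192.168.0.17", "192.168.0.18"]

ACL_BASE = "192.168.0.0"
AS_POSTED = "0.0.0.240"                           # from the 2511 config
ONE_SLASH_28 = wildcard_for("255.255.255.240")    # assumed fix: R1's LAN only
BOTH_SLASH_28 = wildcard_for("255.255.255.224")   # assumed fix: both LANs

if __name__ == "__main__":
    for label, wc in (("as posted", AS_POSTED),
                      ("one /28", ONE_SLASH_28),
                      ("both /28s", BOTH_SLASH_28)):
        print(f"{label:10} {wc:10} contiguous={is_contiguous(wc)} "
              f"permits {matched(ACL_BASE, wc, INSIDE)}")
    # The posted mask ignores the high nibble of the last octet and pins the
    # low nibble to 0, so only every 16th address is eligible for NAT.
    print(addresses_matched_in_slash24(AS_POSTED))
```

With the posted mask no inside host matches list 1, so packets from the desktop leave Ethernet0 with their 192.168.0.x source untranslated.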
  • WastedYouth Member Posts: 9
    WOW... That was it. Freakin' wildcard mask... I'm connected! After 5 days of trying man, it feels good to have that settled. I have very limited work experience with this stuff and I just started studying for CCNA and using the CLI about 2-3 weeks ago, and I hadn't learned about access lists yet. DOH!

    Such a small change makes so much difference. It makes sense too. I could ping external globals from the 2511, because the belkin all-in-one was handling NAT for that subnet (192.168.2.0), which the 2511 has an interface on. I guess this means that that POS belkin, although I have learned to appreciate its versatility, efficiency and simplicity, cannot run NAT across multiple subnets while the 2511 can. Thank you so much for that small but priceless insight.

    Network Vet; thanks so much for your help, and that empty ping command is cool, I played around with it, but am having difficulty discerning why I still can't ping the computers. I am lost on that front. Also I spent about an hour trying to find some way to view the routing table on the belkin, but it's apparently not able to show it. Other models can, but not this one (FD5-7320). I will continue using your tips to figure out the ping issue as even though I'm connected to the net now I still am curious.

    Thanks guys!
  • WastedYouth Member Posts: 9
    Now to the next issue at hand which is much simpler to explain. Although I am now connected, the connection is unusable at the inhumane speed at which it runs.

    After waiting 5 minutes for the speedtest.net page to load, I was mortified to see the pathetic speed in a visible measurable standard: During the 35 minute test that usually takes 30 seconds, it eventually hung after showing .01 throughout which was obviously a lot less than .01 even but 0.1 is the lowest it goes.


    The only weak point I can see is that I am using one of those old transceivers that converts AUI ethernet to an RJ45 ethernet port. I'm supposed to get 15Mbps and I know that transceiver is going to cut me off at 10 max, but something is obviously wrong here.


    Any ideas on this?
  • lantech Member Posts: 329
    Check the configuration of your serial interfaces.

    There is a reason you are getting such a slow speed.
    2012 Certification Goals

    CCENT: 04/16/2012
    CCNA: TBD
  • prtech Member Posts: 163
    Such a small change makes so much difference. It makes sense too. I could ping external globals from the 2511, because the belkin all-in-one was handling NAT for that subnet (192.168.2.0), which the 2511 has an interface on. I guess this means that that POS belkin, although I have learned to appreciate its versatility, efficiency and simplicity, cannot run NAT across multiple subnets while the 2511 can. Thank you so much for that small but priceless insight.
    The reason it didn't work is because the Linksys router doesn't have a route to 192.168.0.0/24. It knows 192.168.2.0 because it is a directly connected route. That's why you can ping the Linksys from the 2511 but not anything else. Once you got NAT on the 2511 working properly, the source address is translated to 192.168.2.x which the Linksys recognizes.

    Now the reason why it's extremely slow is because of your Ethernet interface and your serial interfaces. Keep in mind that ethernet operates at 10mbps and your serial interfaces are much slower. Look at your traceroute:

    1 1 ms 1 ms 1 ms 192.168.0.1
    2 145 ms 145 ms 202 ms 192.168.3.2

    It takes 145 ms just to reach the 2511. That's extremely slow.
    If at first you do succeed, try something harder.
  • WastedYouth Member Posts: 9
    Yes, I noticed that myself; that is way too long. I posted the interfaces for anyone who still is paying attention. I know my responses have been of epic length and I'm sorry for that.

    I see that encapsulation is correct, as my Belkin can't handle HDLC, or Cisco's version anyway. I also notice that Serial 0 on my access server (points to R1) says available bandwidth is 1.1 kilobytes under output queue.

    That is clearly a problem if it means 1.1KB is my connection speed, but as to the method to fix it, I am stumped.

    I've posted the full show interfaces for 3 gateways on the right side of diagram. If anyone cares to chime in that would be sweet! You've all helped so much already I hate asking more questions, but I'm stuck.


    TS2511#sh int s0

    Serial0 is up, line protocol is up
    Hardware is HD64570
    Internet address is 192.168.3.2/30
    MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation HDLC, loopback not set
    Keepalive set (10 sec)
    Last input 00:00:07, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: weighted fair
    Output queue: 14/1000/64/0 (size/max total/threshold/drops)
    Conversations 3/7/256 (active/max active/max total)
    Reserved Conversations 0/0 (allocated/max allocated)
    Available Bandwidth 1158 kilobits/sec
    5 minute input rate 6000 bits/sec, 3 packets/sec
    5 minute output rate 8000 bits/sec, 3 packets/sec
    313 packets input, 49908 bytes, 0 no buffer
    Received 100 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    265 packets output, 52398 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 output buffer failures, 0 output buffers swapped out
    5 carrier transitions
    DCD=up DSR=up DTR=up RTS=up CTS=up



    TS2511#sh int eth0
    Ethernet0 is up, line protocol is up
    Hardware is Lance, address is 0010.7be8.7645 (bia 0010.7be8.7645)
    Internet address is 192.168.2.10/24
    MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:09, output 00:00:01, output hang never
    Last clearing of "show interface" counters never
    Input queue: 65/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 9000 bits/sec, 1 packets/sec
    5 minute output rate 2000 bits/sec, 0 packets/sec
    552 packets input, 226652 bytes, 0 no buffer
    Received 245 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 input packets with dribble condition detected
    414 packets output, 74979 bytes, 0 underruns
    0 output errors, 1 collisions, 10 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier
    0 output buffer failures, 0 output buffers swapped out
    TS2511#r1
    Translating "r1"...domain server (192.168.2.1)
    (192.168.2.1)Trying R1 (10.10.10.10, 2001)... Open


    R1>en
    R1#sh int s0
    % Incomplete command.


    R1#sh int s0/0
    Serial0/0 is up, line protocol is up
    Hardware is PowerQUICC Serial
    Internet address is 192.168.3.1/30
    MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation HDLC, loopback not set
    Keepalive set (10 sec)
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 9000 bits/sec, 1 packets/sec
    5 minute output rate 2000 bits/sec, 0 packets/sec
    546 packets input, 248462 bytes, 0 no buffer
    Received 121 broadcasts, 0 runts, 0 giants, 0 throttles
    1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
    648 packets output, 104739 bytes, 0 underruns
    0 output errors, 0 collisions, 3 interface resets
    3 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out
    0 carrier transitions
    DCD=up DSR=up DTR=up RTS=up CTS=up
  • WastedYouth Member Posts: 9
    Haha ok I thought "clock rate" just meant the speed at which the interfaces synchronize and not the actual speed at which data transfers lol. I changed it up from 9600 to 4000000 and now I'm getting 4mbps speeds with my full upload speed of 2mbps. SWEET! I feel a little dumb now but this is how we learn right? She's runnin' like a dream, thanks again for all your help guys! Hopefully within the next month I'll be posting "CCNA" under my name to go with my lonely A+.
  • prtech Member Posts: 163
    Good luck! I'm sure you'll get it.
    If at first you do succeed, try something harder.