Unable to ping router's WAN interface but can ping modem connected to the interface from a PC

byungkook
Level 1

Hi,

I have a CISCO891-K9 in production and I can't ping the router's Backup WAN interface G0 IP YYY.YYY.YYY.YYY from internal computer 192.168.204.99.

I can ping the Backup WAN cable modem connected to G0, which is ZZZ.ZZZ.ZZZ.ZZZ.

I can also ping Primary WAN interface IP BBB.BBB.BBB.BBB and Primary WAN modem IP CCC.CCC.CCC.CCC.

I can ping Backup WAN interface G0 from the VLAN1 interface.

Traceroute to Backup WAN cable modem ZZZ.ZZZ.ZZZ.ZZZ below confirms that it is getting the reply straight from the router.

However, traceroute to Backup WAN interface G0 IP YYY.YYY.YYY.YYY times out and vice versa.

The router cannot ping from the G0 interface to 192.168.204.99.

Note: I removed configurations that should not be related to this ping issue.

Thank you very much

From PC(192.168.204.99)

C:\>tracert ZZZ.ZZZ.ZZZ.ZZZ

Tracing route to ZZZ.ZZZ.ZZZ.ZZZ over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.204.252
2 36 ms 28 ms 34 ms ZZZ.ZZZ.ZZZ.ZZZ

C:\>tracert YYY.YYY.YYY.YYY

Tracing route to YYY.YYY.YYY.YYY over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 ^C

 

R1#traceroute
Protocol [ip]:
Target IP address: 192.168.204.99
Source address: YYY.YYY.YYY.YYY
Numeric display [n]: y
Timeout in seconds [3]: 1
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]: 3
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 192.168.204.99

1 * * *
2 * * *
3 * * *

R1(config)#do ping
Protocol [ip]:
Target IP address: YYY.YYY.YYY.YYY
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to YYY.YYY.YYY.YYY, timeout is 2 seconds:
Packet sent with a source address of 192.168.204.252
!!!!!

!
! Last configuration change at 13:42:16 UTC Mon Mar 18 2019 by anon
! NVRAM config last updated at 13:30:18 UTC Tue Mar 12 2019 by anon
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
!
!
!
!


ip source-route
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9
!
!
!
!
!
track 10 ip sla 1 reachability
delay down 4 up 90
!
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key key address AAA.AAA.AAA.AAA
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map MAP 20 ipsec-isakmp
set peer AAA.AAA.AAA.AAA
set transform-set TS
match address 110
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $Primary_WAN$
ip address BBB.BBB.BBB.BBB 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MAP
!
!
interface GigabitEthernet0
description $Backup_WAN$
ip address YYY.YYY.YYY.YYY 255.255.255.252
ip broadcast-address 0.0.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MAP
!
!
interface Vlan1
description $VLAN_Configuration$
ip address 192.168.204.252 255.255.255.0
ip broadcast-address 0.0.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
ip broadcast-address 0.0.0.0
encapsulation slip
!
!
ip local policy route-map Gi0RouteBack
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 CCC.CCC.CCC.CCC track 10
ip route 0.0.0.0 0.0.0.0 ZZZ.ZZZ.ZZZ.ZZZ 200

!
ip sla 1
icmp-echo DDD.DDD.DDD.DDD source-interface FastEthernet8
timeout 300
threshold 150
frequency 2
ip sla schedule 1 life forever start-time now
logging 192.168.204.99
access-list 100 remark CCP_ACL Category=2
access-list 100 deny ip 192.168.204.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 100 deny ip 192.168.204.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 100 deny ip 192.168.204.0 0.0.0.255 192.168.34.0 0.0.0.255
access-list 100 deny ip 192.168.204.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 100 permit ip 192.168.204.96 0.0.0.3 any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=2
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.34.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 102 permit ip 192.168.204.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=20
access-list 110 permit ip 192.168.204.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 110 permit ip 192.168.204.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 110 permit ip 192.168.204.0 0.0.0.255 192.168.34.0 0.0.0.255
access-list 110 permit ip 192.168.204.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 110 permit ip 10.81.0.0 0.0.255.255 192.168.104.0 0.0.0.255
access-list 110 permit ip 10.62.0.0 0.0.255.255 192.168.104.0 0.0.0.255
access-list 170 remark CCP_ACL Category=16
access-list 170 permit ip host YYY.YYY.YYY.YYY any
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map Gi0RouteBack permit 10
match ip address 170
set ip next-hop ZZZ.ZZZ.ZZZ.ZZZ
!
snmp-server community public
!
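
An added example (not part of the original post or any reply): a minimal Python model of how the posted `ip local policy route-map Gi0RouteBack` and ACL 170 treat packets the router itself originates, such as an echo reply sourced from the G0 address to the PC. The 203.0.113.x addresses are constructed stand-ins for the masked YYY/ZZZ values, `ACL_170_LAN_EXEMPT` is a hypothetical variant, and the model covers only ACL first-match and the route-map's `set ip next-hop`, not IOS itself.

```python
import ipaddress

# Constructed stand-ins (documentation range) for the thread's masked addresses.
G0_IP = "203.0.113.226"     # stands for YYY.YYY.YYY.YYY (GigabitEthernet0)
MODEM_IP = "203.0.113.225"  # stands for ZZZ.ZZZ.ZZZ.ZZZ (backup modem)
PC_IP = "192.168.204.99"

ACL_170 = [
    "access-list 170 remark CCP_ACL Category=16",
    f"access-list 170 permit ip host {G0_IP} any",
]
# Hypothetical variant, not proposed in the thread: first-match order means a
# leading deny for LAN destinations keeps those replies on the routing table.
ACL_170_LAN_EXEMPT = [
    f"access-list 170 deny ip host {G0_IP} 192.168.204.0 0.0.0.255",
    f"access-list 170 permit ip host {G0_IP} any",
]

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def _term(tok):
    """Parse 'any', 'host A' or 'A WILDCARD' into ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_int(tok[1]), 0), tok[2:]
    return (_int(tok[0]), _int(tok[1])), tok[2:]

def parse_acl(lines):
    entries = []
    for line in lines:
        tok = line.split()
        if tok[2] == "remark":
            continue
        src, rest = _term(tok[4:])  # tok[3] is the protocol keyword "ip"
        dst, _ = _term(rest)
        entries.append((tok[2], src, dst))
    return entries

def _hit(term, addr):
    base, wild = term
    return (_int(addr) | wild) == (base | wild)

def local_policy_next_hop(acl_lines, set_next_hop, src, dst):
    """Next hop for a router-originated packet under 'ip local policy'."""
    for action, s, d in parse_acl(acl_lines):
        if _hit(s, src) and _hit(d, dst):  # first matching entry wins
            return set_next_hop if action == "permit" else "routing-table"
    return "routing-table"  # implicit deny: route-map does not match
```

With the ACL as posted, a packet sourced from the G0 address toward 192.168.204.99 is handed to the modem next hop instead of being routed out Vlan1.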

 

 

 

8 Replies

Jaderson Pessoa
VIP Alumni
Hello,

I can't see your configuration if you have hidden it. If possible, show the configuration of the LAN interface and of the WAN interface that you can't ping.

Is there an ACL applied to it? Can you ping this address from the router itself?

Thanks in advance.
Jaderson Pessoa
*** Rate All Helpful Responses ***

What do you see in my post?

What you are asking is literally all there in my post. 

 

Could you share show ip route?
Jaderson Pessoa

Here you go

 

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is CCC.CCC.CCC.CCC to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via CCC.CCC.CCC.CCC
CCC.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C CCC.CCC.CCC.0/24 is directly connected, FastEthernet8
L BBB.BBB.BBB.BBB/32 is directly connected, FastEthernet8
C ZZZ.ZZZ.ZZZ.224/30 is directly connected, GigabitEthernet0
L YYY.YYY.YYY.YYY/32 is directly connected, GigabitEthernet0
192.168.204.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.204.0/24 is directly connected, Vlan1
L 192.168.204.252/32 is directly connected, Vlan1
DDD.DDD.DDD.0/32 is subnetted, 1 subnets
S DDD.DDD.DDD.DDD [1/0] via CCC.CCC.CCC.CCC

 

Thank you

Hello

Your NAT configuration doesn't look correct. Also, it seems you're trying to PBR for ACL 170 towards your WAN backup interface, but this PBR isn't completed.

What is your goal here? Is it to have NAT resiliency over two ISP WAN links?
See below for a possible revised configuration.

ip nat inside source route-map SDM_RMAP_2 interface FastEthernet8 overload
ip nat inside source route-map Gi0RouteBack interface GigabitEthernet0 overload


route-map SDM_RMAP_2 permit 1
match interface FastEthernet8
match ip address 102

route-map Gi0RouteBack permit 10
match interface GigabitEthernet0
match ip address 102
no set ip next-hop ZZZ.ZZZ.ZZZ.ZZZ

If the above isn't applicable, please elaborate on what your objective is.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I already have NAT resiliency over two ISP WAN links.

With "ip local policy route-map Gi0RouteBack", NAT still works when the primary WAN link goes down. The site-to-site VPN connection does get established on the secondary WAN link when the primary goes down, as specified in the IP SLA condition.

Since the NAT overload command already specifies the f8 interface, match interface FastEthernet8 in route-map SDM_RMAP_2 is redundant.

We have a Nagios monitoring system in the cloud pinging both modems and router interfaces over the internet. We now want to set up pinging of the modems and router interfaces internally due to a weird network issue.

The only thing left is to enable ping monitoring on the G0 interface on the router from inside.

Thank you very much for your suggestion, but that doesn't solve my issue of being unable to ping the G0 interface.

Deepak Kumar
VIP Alumni

Hi,

The configurations below are missing:

1. The route-map match interface statement is missing

2. NAT is not configured for GIG0

Please make the changes below:

ip nat inside source route-map SDM_RMAP_2 interface FastEthernet8 overload
ip nat inside source route-map Gi0RouteBack interface GigabitEthernet0 overload
!
route-map SDM_RMAP_2 permit 1
match ip address 102
match interface FastEthernet8
!
route-map Gi0RouteBack permit 10
no match ip address 170
match ip address 102
no set ip next-hop ZZZ.ZZZ.ZZZ.ZZZ
match interface GigabitEthernet0

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

My problem is what is written in the subject. Nothing else.

NAT is currently working on the secondary WAN link when the primary goes down.

ip local policy route-map Gi0RouteBack handles all those suggested commands.

For details, please read my reply to Paul above at 04-02-2019 06:55 AM

Thank you very much for the suggestion, but that doesn't solve my issue of being unable to ping the G0 interface.