Why can't I ping outside from BGP iosv-3?
-
I'm just starting to take a look at this question. Trying to isolate the issue.
What does
tracerouteshow you from iosv-9 to 192.168.1.5 and from iosv-13 to 192.168.1.5?Can you also post your result of
show ip bgpfrom iosv-3, iosv-2, and iosv-1 ?Can iosv-3 ping iosv-1 (192.168.32.x)?
-
BGP is on 2 and 3 not 1.
iosv-2#s ip bgp
BGP table version is 12, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not foundNetwork Next Hop Metric LocPrf Weight Path*> 172.16.16.0/30 10.23.23.2 0 0 3 ?
*> 172.16.17.0/30 10.23.23.2 30 0 3 ?
*> 172.16.18.0/30 10.23.23.2 30 0 3 ?
*> 172.16.19.0/30 10.23.23.2 30 0 3 ?
*> 172.16.32.0/30 10.23.23.2 0 0 3 ?
*> 172.16.33.0/30 10.23.23.2 30 0 3 ?
*> 172.16.34.0/30 10.23.23.2 30 0 3 ?
*> 192.168.32.0/30 0.0.0.0 0 32768 ?
*> 192.168.33.0/30 192.168.32.1 120 32768 ?
*> 192.168.34.0/30 192.168.32.1 120 32768 ?
*> 192.168.35.0/30 192.168.32.1 120 32768 ?
iosv-2#iosv-3#sh ip bgp
BGP table version is 12, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not foundNetwork Next Hop Metric LocPrf Weight Path*> 172.16.16.0/30 0.0.0.0 0 32768 ?
*> 172.16.17.0/30 172.16.16.2 30 32768 ?
*> 172.16.18.0/30 172.16.16.2 30 32768 ?
*> 172.16.19.0/30 172.16.16.2 30 32768 ?
*> 172.16.32.0/30 0.0.0.0 0 32768 ?
*> 172.16.33.0/30 172.16.32.2 30 32768 ?
*> 172.16.34.0/30 172.16.32.2 30 32768 ?
*> 192.168.32.0/30 10.23.23.1 0 0 2 ?
*> 192.168.33.0/30 10.23.23.1 120 0 2 ?
*> 192.168.34.0/30 10.23.23.1 120 0 2 ?
*> 192.168.35.0/30 10.23.23.1 120 0 2 ?
iosv-3#iosv-3#ping 192.168.32.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.32.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)iosv-1#sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.2.230 YES NVRAM up up
GigabitEthernet0/1 172.16.1.203 YES NVRAM up up
GigabitEthernet0/2 192.168.33.1 YES NVRAM up up
GigabitEthernet0/3 192.168.32.1 YES NVRAM up up
Loopback0 unassigned YES unset up up
iosv-1#iosv-3#ping 192.168.32.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.32.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms
iosv-3#iosv-2#sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.2.235 YES NVRAM up up
GigabitEthernet0/1 192.168.32.2 YES NVRAM up up
GigabitEthernet0/2 10.23.23.1 YES NVRAM up up
Loopback0 unassigned YES unset up up
iosv-2# -
I'm starting to work through some basics right now;
On the following link : http://www.scsiraidguru.com/VIRL/VIRLSims/IPv6NumberingwithIPv4/iosv-1ShIPRoute.txt
On iosv-1 your default route looks a little out of place to me since it's on the other side of isov-3
Also, I'm not seeing 192.16.1x in the routing table for iosv-1. I am seeing though a
172.16.1.0from ge 0/1.The http://www.scsiraidguru.com/VIRL/VIRLSims/IPv6NumberingwithIPv4/iosv-1ShIPIntBr.txt
There is no 192.168.16.1.x connected to iosv-1.
This only leads to the mystery of who is answering 192.16.1.5?
`
-
172.16.1.203 is interface IOSv-1 to Flat.
172.16.1.1 is the Internal2 interface on Fortinet 60E.
-
Right...but where is
192.16.1.5? If the router iosv-1 cannot see192.16.1.x, it cannot route it. According to your diagram, the directly connected interface to iosv-1 should be 192.16.1.x to flat but it's not?. Are you using Fortinet 60E as a router too? -
I found a typo on the diagram. The IOSv-1 address is 172.16.1.203 not 192. I will fix the diagram on the web site.
192.168.1.5 is my UbuntuWeb server on the HP DL360e Gen8. Every other IOSv-x device except 3 can ping it. The Fortinet 60E is a 10 port layer 3 routing firewall. 9 ports are LAN and 1 port is WAN.
iosv-1#sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.255.3.2 YES NVRAM up up
GigabitEthernet0/1 172.16.1.203 YES NVRAM up up
GigabitEthernet0/2 192.168.33.1 YES NVRAM up up
GigabitEthernet0/3 192.168.32.1 YES NVRAM up up
Loopback0 unassigned YES unset up up
iosv-1#G0/1 is 172.16.1.203. flat is 172.16.1.202. Internal2 on 60E is 172.16.1.1. WAN2(LAN port) 192.168.1.x / 24
Internal2 can route to WAN2 on the firewall. WAN2 is a LAN port not a WAN port. I could not change the name.
-
iosv-12#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/9 ms
iosv-12#tr
iosv-12#traceroute 192.168.1.5
Type escape sequence to abort.
Tracing the route to 192.168.1.5
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.35.1 5 msec 5 msec 3 msec
2 192.168.34.1 6 msec 5 msec 6 msec
3 192.168.33.1 7 msec 10 msec 6 msec
4 172.16.1.1 6 msec 8 msec 5 msec
5 192.168.1.5 4 msec 4 msec 6 msec
iosv-12#iosv-13#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/10/13 ms
iosv-13#
iosv-13#tr
iosv-13#traceroute 192.168.1.5
Type escape sequence to abort.
Tracing the route to 192.168.1.5
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.19.1 3 msec 4 msec 3 msec
2 172.16.18.1 4 msec 4 msec 6 msec
3 172.16.17.1 5 msec 6 msec 6 msec
4 172.16.16.1 8 msec 7 msec 6 msec
5 10.23.23.1 10 msec 9 msec 11 msec
6 192.168.32.1 12 msec 13 msec 14 msec
7 172.16.1.1 12 msec 11 msec 9 msec
8 192.168.1.5 9 msec 9 msec 9 msec
iosv-13#osv-9#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 6/8/9 ms
iosv-9#
iosv-9#
iosv-9#tr
iosv-9#traceroute 192.168.1.5
Type escape sequence to abort.
Tracing the route to 192.168.1.5
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.34.1 3 msec 5 msec 3 msec
2 172.16.33.1 4 msec 5 msec 3 msec
3 172.16.32.1 7 msec 5 msec 8 msec
4 10.23.23.1 8 msec 6 msec 7 msec
5 192.168.32.1 9 msec 9 msec 8 msec
6 172.16.1.1 7 msec 8 msec 10 msec
7 192.168.1.5 6 msec 7 msec 9 msec
iosv-9# -
router rip
version 2
redistribute static metric 3
network 192.168.32.0
network 192.168.33.0
default-information originate
no auto-summary
!ip route 0.0.0.0 0.0.0.0 172.16.1.1
I created the static route and redistributed it in RIP and RIPng
-
Please show the
traceroutefrom iosv-3? Trying to figure out where it failshave you also redistributed rip into BGP?
Thanks?
-
@ronnie-wong What every you need I will get you, I appreciate your help.
iosv-3#traceroute 192.168.1.5
Type escape sequence to abort.
Tracing the route to 192.168.1.5
VRF info: (vrf in name/id, vrf out name/id)
1 10.23.23.1 5 msec 5 msec 3 msec
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7
iosv-3#
iosv-3#
iosv-3#tr
iosv-3#traceroute 192.168.32.1
Type escape sequence to abort.
Tracing the route to 192.168.32.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.23.23.1 4 msec 4 msec 3 msec
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * *
iosv-3#traceroute 192.168.32.2
Type escape sequence to abort.
Tracing the route to 192.168.32.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.23.23.1 7 msec * 4 msec
iosv-3# -
iosv-2#sh run | s router
router rip
version 2
redistribute bgp 2 metric 3 route-map bgp-into-rip
network 192.168.32.0
no auto-summary
router bgp 2
bgp router-id 2.2.2.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor R3 peer-group
neighbor R3 remote-as 3
neighbor R36 peer-group
neighbor R36 remote-as 3
neighbor 10.23.23.2 peer-group R3
neighbor FD10:23:23::2 peer-group R36
!
address-family ipv4
redistribute rip metric 120
neighbor R3 next-hop-self
neighbor 10.23.23.2 activate
exit-address-family
!
address-family ipv6
redistribute rip RIPng metric 120
neighbor R36 next-hop-self
neighbor FD10:23:23::2 activate
exit-address-family
ipv6 router rip RIPng
redistribute bgp 2 metric 3 route-map bgp-into-rip
iosv-2# -
Alright, progress. The problem is IOSv-2. I won't have time to do much today but your trace route from either side of it is showing it to be the culprit. I have a made a simplified duplication of your topology just using bgp and rip and have the exact same issue. I'm believing it's a redistribution issue....but that's all I can do for now. :)
-
I have been looking at iosv-2 because it seems to be the problem. I just can't fi9ure out why. Everything can ping from EIGRP and OSPF to 192.168.1.5 except IOSv-3. I came to the same conclusion about redistribution being the issue. Looks like I followed everything correctly in BGP configuration. I thought about dropping the address-family and going direct to BGP on everything. I know you are busy. Don't worry about it. Thanks for you help.
Friday 8am: Hospital for C-Section
We bought a house today! Doing paperwork and going home tonight to box up stuff. -
I fixed it; probably don't need loopback.
add network mask statements on both 2 and 3
network 3.3.3.3 mask 255.255.255.255
network 10.23.23.0 mask 255.255.255.252ebgp-multihop 2 for peer-group.
iosv-3#sh run | s router
router eigrp 10
default-metric 10000000 1 255 1 1500
network 172.16.32.0 0.0.0.3
redistribute bgp 3 route-map bgp-into-eigrp
redistribute ospf 1
eigrp router-id 3.3.3.3
router ospf 1
router-id 3.3.3.3
redistribute eigrp 10 metric 30 subnets
redistribute bgp 3 subnets route-map bgp-into-ospf
network 172.16.16.0 0.0.0.3 area 0
default-metric 30
router bgp 3
bgp router-id 3.3.3.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor R2 peer-group
neighbor R2 remote-as 2
neighbor R2 ebgp-multihop 2
neighbor R26 peer-group
neighbor R26 remote-as 2
neighbor 2.2.2.2 peer-group R2
neighbor 10.23.23.1 peer-group R2
neighbor FD10:23:23::1 peer-group R26
!
address-family ipv4
network 3.3.3.3 mask 255.255.255.255
network 10.23.23.0 mask 255.255.255.252
redistribute ospf 1
redistribute eigrp 10
neighbor R2 next-hop-self
neighbor 10.23.23.1 activate
default-metric 30
exit-address-family
!
address-family ipv6
redistribute ospf 1
redistribute eigrp 10
neighbor R26 next-hop-self
neighbor FD10:23:23::1 activate
exit-address-family
ipv6 router eigrp 10
eigrp router-id 3.3.3.3
redistribute bgp 3 route-map bgp-into-eigrp
redistribute ospf 1
default-metric 10000000 1 255 1 1500
ipv6 router ospf 1
router-id 3.3.3.3
default-metric 30
redistribute bgp 3 route-map bgp-into-ospf
redistribute eigrp 10 metric 30
iosv-3#iosv-3#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms
iosv-3# -
wow...great job in finding this! I was still heading for the redistribution issue but glad you eyeballed it!
-
It made no sense what was missing until I started going through the book on BGP configurations and figuring what was missing. eBGP-multihop is usually the culprit for pings not working. It was putting the network x.x.x.x mask y.y.y.y statements that got it working. BGP configuration with address-family ipv6 and ipv4 break everything up so that it would be easy to miss.
Thank you for all your help.
