IPO 402v2 4.2.4

[afrogley]

Is it possible to do a traceroute ?

The ping is working ok - but I've got 1 way audio again and the 'usual' method to get it working isn't working this time...

 

[afrogley]

Sorry - should've elaborated a bit...

Can I do a traceroute from the IPO ... I assume it's not possible from the phone.

Situation - phone the other end of a VPN - can't hear audio from the IPO - I can hear the other user ...

Route is from the phone -> router1 -> VPN -> router2 -> Lan2
it really isn't complicated - yet it keeps falling over - normally overnight when I believe Router1 ADSL link is interupted.

 

[afrogley]

A bit more - because I'm about to throw the lot into the bin I must have something wrong - but I just can't see what!

There are 2 ADSL routers in the remote location - one for Internet/Data (192.168.50.254 - Vigor 2820) the other for VPN & Voice (192.168.50.252 - Cisco 800). Obviously these have separate lines.
The IPO has another Cisco 800 (10.10.10.1) on WAN2 (10.10.10.10) and has Static route configured 192.168.50.0 set to 10.10.10.1 on WAN2. RIP on WAN1 and WAN2 is turned off.

The PCs and Servers are set to use 50.254 as their default gateway - the IP Phones use 50.252 ... I have set a static route up on 50.254 for 10.10.10.0 to use 50.252 - basically so I can ping and tracert ...

TraceRt from one of the remote PCs to 10.10.10.10 gives:

Tracing route to 10.10.10.10 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.50.254 
  2    <1 ms    <1 ms    <1 ms  192.168.50.252 
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7    31 ms    31 ms    32 ms  10.10.10.10 
Trace complete.

I think the "Request Timed Out" is where the Cisco routers do not respond to ping ....

 

[afrogley]

Odd - because tracert to 10.10.10.1 from the same machine gives:

Tracing route to 10.10.10.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.50.254 
  2     1 ms    <1 ms     1 ms  192.168.50.252 
  3    31 ms    34 ms    32 ms  10.10.10.1 
Trace complete.

I know it's a routing issue ... but I just can't work out why!

 

[amriddle01]

Looks like pinging 10.10.10.10 is routing via the net while 10.10.10.1 is staying the tunnel

ACSS (SME)
APSS (SME)

http://www.ipoffice.tel

"I'm just off to Hartlepool to buy some exploding trousers

 

[mattKnight]

For testing - turn off the Vigor and test



Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[afrogley]

Funny you should say that - when setting up the VPN between the two routers the "Cisco guys" helped me out a bit .. and I put the entry:

ip route 10.10.10.0 255.255.255.0 <publicIP> in ..

and the opposite one on the other side - otherwise the VPN would connect but couldn't pass data down the line ... ?

 

[afrogley]

Turn off the Vigor and test - hmm ... would be tricky - I connect to this one to remote control the server ... because I'm not in that office!

 

[amriddle01]

That's the reason for one way audio, the trasffic for 10.10.10.10 is getting routed via the net and lost in the process, that needs to go through the tunnel, that route you added is breaking it

ACSS (SME)
APSS (SME)

http://www.ipoffice.tel

"I'm just off to Hartlepool to buy some exploding trousers

 

[mattKnight]

id expect this ip route 10.10.10.0 255.255.255.0 <publicIP>

to be
ip route 10.10.10.0 255.255.255.0 <tunnel>

It depends on your cisco set up, but I'd expect the each end of tunnel on teh cisco to have a IP address - Is that by any cahnce a 10.x address?

What Subnet are you using between WAN2 and the Cisco?

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[hairlessupportmonkey]

the default IP of a cisco 800 is 10.10.10.1, with a 255.255.255.252 subnet mask.

therefore the next available IP for connection to the 800 is 10.10.10.2

make sure the subnet mask on the cisco is a little wider

ACSS - SME

 

[mattKnight]

>therefore the next available IP for connection to the 800 is 10.10.10.2

Wrong...

therefore the next only useable IP address for connection to the 800 is 10.10.10.2

Right...



Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[mattKnight]

@HSM

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[afrogley]

router1 is set with 10.10.10.1 255.255.255.0

Having removed those two route statements and reloaded its now working - although the tracert is the same ... so I don't think the removal route statements fixed it ...

As it's working and a live office I'm bit loathed to 'test' any more for now .. I'll see if I can get a bit more help off the Cisco Support Community ... but they're not exactly forthcomming ...

I have complete flexibility over the 10.10.10.1 IP address - and IPO wan2 - should I look to change it for something different?

Once again - thank you guys .. have a virtual pint on me ... (If we ever meet up I'll buy you at least one!) ...

 

[hairlessupportmonkey]

thats what i meant.....



ACSS - SME

 

[afrogley]

It was only 10.10.10.1 because that's what I had a router set to before putting in the Cisco box ... so less to change/configure!

Ok - sounds like a quick check of that network and change of IP address is in order then ...

I assume 10.10.1.1 255.255.255.0 is ok ?!

 

[mattKnight]

I am reckoning that the tunnel IP addresses are clashing with something else.

I'd be tempted to change the IP address of the Ip500 wan2 and cisco fastethernet to be something else say 192.168.253.1 and .2 with a 255.255.255.252 subnet (which is a point-to-pint subnet). Obviously you need to adjust the routing at both ends.

I also *guess* that your tunnel configuration isn't right. Can you post a copy of the tunnel interface configuration from teh cisco (obsfuscate the public IP address and keys for security)
Also teh cisco route table




Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[afrogley]

This is the Local Router:

Using 2569 out of 262136 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DEXAMSIP
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 <encrypted>
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2685432798
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2685432799
 revocation-check none
 rsakeypair TP-self-signed-2685432799
!
!
crypto pki certificate chain TP-self-signed-2685432799
 certificate self-signed 01 nvram:IOS-Self-Sig#6.cer
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool dhcppool
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 62.6.40.178
!
!
ip cef
ip name-server 62.6.40.178
no ipv6 cef
!
!
license udi pid CISCO887M-K9 sn FCZ1447C1UT
!
!
username admin privilege 15 password 0 yerright!
!
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key <vpnkey> address <router2publicIP>
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SIPTRAN esp-3des esp-md5-hmac
!
crypto map SIPMAP 10 ipsec-isakmp
 set peer <router2publicIP>
 set transform-set SIPTRAN
 match address 100
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname <username>
 ppp chap password 0 <password>
 ppp pap sent-username <username> password 0 <password>
 crypto map SIPMAP
!
ip forward-protocol nd
ip http server
ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password <likeImgonnashowyouthat>
 login
!
scheduler max-task-time 5000
end

and route table:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Vlan1
L        10.10.10.1/32 is directly connected, Vlan1
      78.0.0.0/32 is subnetted, 1 subnets
C        78.my.ip.addr is directly connected, Dialer1
      188.39.0.0/32 is subnetted, 1 subnets
C        188.39.0.18 is directly connected, Dialer1

 

[mattKnight]

Are you sing SIP phones?

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[afrogley]

No - just Avaya 5610's and 5602's ...

its an IPO 402v2 4.2.4 ..