Some Customers denied access

digriz60

Programmer
Aug 15, 2002
15
US
We host our web server and email from our corporate site. Nobody has any problem except two (so far) clients who cannot access our domain, either web or email. They get host unknown. They get as far as our external interface, then it drops them in a tracert. Here is our truncated config; we have no ACL. Any suggestions? TIA

ip subnet-zero
no ip domain-lookup
!
!
!
!
interface FastEthernet0/0
description connected to Corporate LAN
ip address [internal address] 255.255.255.224
no ip directed-broadcast
speed auto
half-duplex
!
interface Serial0/0
ip address [external address] 255.255.255.252
ip directed-broadcast
no ip mroute-cache
no fair-queue
!
router rip
version 2
passive-interface Serial0/0
network X.0.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 [IP gateway]
ip http server
 
Have there been changes made to your routes / networks recently, for network IP address changes or routing protocol?

Are you an ISP? And these clients, are they clients of the company, not users? The only reason I ask is because the passive-interface statement is usually for ISPs so they don't learn routes to other networks, which could inhibit the path back to the users. Maybe.
 
No, we're not an ISP, our ISP is Broadwing. The clients are customers for our retail unit that can't email us or get to our website (hosted by us here). We renewed our domain months ago, but it's consistently resided on Broadwing's name servers for over a year. No addressing scheme has changed, and nobody else except these two customers has a problem getting to us. We are set up as passive on the serial interface.

Thanks,

Steve
 
Steve,

Does this serial interface serve only these two customers or everyone? By two customers you mean two sites not two people on a segment with 38 other persons having no problems right?

Can you ping from the internal ethernet (of the above mentioned router) to their network with no problems (e.g. their machines, router etc.)?

From their router can they ping to the network in question?

When doing a show ip route it knows of the networks on both routers right?

What is the config of the other router? Just curious to see if there is anything on that one that may inhibit it from talking to each other.

Kevin
 
digriz60
If all other users are okay, then the problem may not be with the router, but a configuration at the client. Perhaps the two clients are not resolving your domain name correctly. Get them to check their DNS server settings and confirm they can resolve your domain.

JimmyZ
 
JimmyZ, interesting question, yes, they can resolve our address, as a matter of fact, when this first happened a couple of months ago, I gave them our direct address to plug into their browser. No dice. They can't ping the address and the tracert dies right at the serial interface. It's like the serial interface isn't passing it through to the FastEthernet port. Before that, I thought their ISP wasn't resolving DNS properly.

Kevin:

Thanks for your response. I'm probably confusing people by saying "customers". They are two companies that are trying to get to our website and send email over the internet.
We've got a single fractional T-1 going into one serial interface for all internet activity. I haven't done a show ip route, thanks for that, I'll give that a try tomorrow. We haven't yet started looking at their router configuration, although I know they contacted their ISP initially when I thought it might have been a DNS issue. This is a stumper. I'm not sure why 99% can get through and these guys can't. As you can see from our config above, nothing special about our config, although someone thought it might have had something to do with unicast reverse path forwarding if these two clients were served by multiple ISPs, my serial may reject the packet thinking it was spoofed. Thanks for your time on this!
 
I think whoever told you this might be a problem with Unicast reverse path forwarding is very likely correct. Use of this technology can block packets if there is asymmetrical routing between you and the person you're talking with. I've had problems like this with Broadwing in the past, so I would start by asking them if they are using Unicast RPF. Cisco's Unicast RPF docs are here:

 
I think this is a routing issue and my hunch is your router doesn't know the way back! Hence the telnet dropping on your serial int. Try a static route to them with a 255.255.255.255 subnet. Look at the routing table and see where the packets are aimed - remember the longest match will be used. You said one is in the same retail park - are they both?? They could be getting "black holed" by a route summary that points the returning packet the wrong way. Get the customers to visit and tell you what their public IP address is. Then you try and ping / tracert to it. I think this is how you will find your problem.

Regards
Paul
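
Added example (not part of the original thread or any poster's code): a small Python model of the two mechanisms raised in the last two replies, longest-prefix-match route selection and the unicast RPF source check, showing why one source can be dropped while most others pass. The routing table, the Serial0/1 interface and all addresses are constructed (RFC 5737 documentation prefixes), not taken from the posted config.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: (prefix, outgoing interface).
FIB = [
    ("0.0.0.0/0", "Serial0/0"),           # default route toward the ISP
    ("192.0.2.0/27", "FastEthernet0/0"),  # corporate LAN
    ("198.51.100.0/24", "Serial0/1"),     # summary pointing out a second link
]

def lookup(fib, addr):
    """Longest-prefix match: return (network, interface), or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permits(fib, src, in_iface, mode="strict"):
    """Model of the unicast RPF check for a packet from src seen on in_iface.
    strict: the best route back to src must point out in_iface.
    loose:  any route to src (including a default route) is enough."""
    match = lookup(fib, src)
    if match is None:
        return False
    return mode == "loose" or match[1] == in_iface

def with_host_route(fib, host, iface):
    """Return a copy of fib with a /32 static route for host added."""
    return fib + [(f"{host}/32", iface)]

if __name__ == "__main__":
    # Constructed sources arriving on Serial0/0: one ordinary, one whose
    # return path is pulled to Serial0/1 by the /24 summary.
    for src in ("203.0.113.5", "198.51.100.10"):
        net, iface = lookup(FIB, src)
        print(f"{src}: return route {net} via {iface}, "
              f"strict={urpf_permits(FIB, src, 'Serial0/0')}, "
              f"loose={urpf_permits(FIB, src, 'Serial0/0', 'loose')}")
    # A more specific /32 wins over the summary and restores symmetry.
    fixed = with_host_route(FIB, "198.51.100.10", "Serial0/0")
    print("after /32:", lookup(fixed, "198.51.100.10")[1],
          urpf_permits(fixed, "198.51.100.10", "Serial0/0"))
```

Comparing the interface a packet arrived on with the interface `lookup` returns for its source is the same check to make by hand with `show ip route` once the affected customers' public addresses are known.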
 