Simple? Network troubleshooting


IamSpartacus

Well-Known Member
Mar 14, 2016
Trying to troubleshoot a connectivity issue between two hosts on separate networks connected via Site-to-Site VPN. Here's the basics:

Site A Network: 10.10.4.0/24
Site B Network: 192.168.10.0/24

Host A: 10.10.4.30
Host B: 10.10.4.50
Host C: 192.168.10.30
Host D: 192.168.10.55

The issue I'm having is connectivity between Host A and Host C. They are both Linux boxes and I want to test some rsyncing. However, as it stands, I can ONLY get a ping/rsync to work when the connection is initiated by Host C. From Host A, I can't ping or rsync.

Host A to Host C: no ping
Host A to Host D: ping works
Host A to B: ping works
Host C: can ping all hosts


Seems pretty odd to me. No firewall rules are in the way as I'm testing with a full any/any rule across the VPN.
 

PithyChats

Active Member
Feb 3, 2015
Trying to troubleshoot a connectivity issue between two hosts on separate networks connected via Site-to-Site VPN. Here's the basics:

Site A Network: 10.10.4.0/24
Site B Network: 192.168.10.0/24

Host A: 10.10.4.30
Host B: 10.10.4.50
Host C: 192.168.10.30
Host D: 192.168.10.55

The issue I'm having is connectivity between Host A and Host C. They are both Linux boxes and I want to test some rsyncing. However, as it stands, I can ONLY get a ping/rsync to work when the connection is initiated by Host C. From Host A, I can't ping or rsync.

Host A to Host C: no ping
Host A to Host D: ping works
Host A to B: ping works
Host C: can ping all hosts


Seems pretty odd to me. No firewall rules are in the way as I'm testing with a full any/any rule across the VPN.
Do you have any local firewalls on Host C? That would be my first thought. Or any outgoing firewall rules on Host A? Are there any middleboxes on your network (other routers, smart switches, etc.)? I've seen problems with HP switches and their anti-DDoS technology, which is prevalent on quite a number of their switches.
 

BlueLineSwinger

Active Member
Mar 11, 2013
Try running tcpdump on A and C and filter on ICMP echo. This will help to narrow down where the failure might be, e.g., is C not receiving the ping request, or maybe not returning it properly, or maybe A is somehow receiving the reply but not registering it, etc. Also look for any shifts in MAC and/or IP addresses (e.g., receiving on one but replying with another). If you can run tcpdump or a similar packet capture feature on the VPN endpoints, do that as well.
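The comparison this reply describes (does C see the request, does C answer, does the answer make it back to A) is mechanical once you have both captures in hand. Below is an added example, not code from the thread, that parses the default text output of `tcpdump -n` captured on A and on C, pairs echo requests and replies by ICMP id/seq, and says at which point each echo died. The interface name `eth0`, the capture lines and the host addresses it is run against are constructed to match the OP's symptom (A sends, C never sees a thing).

```python
import re
from collections import Counter, defaultdict

# Capture command for each host, as the reply suggests (-n suppresses DNS lookups).
# Assumption: the interface is eth0 and tcpdump runs as root; adjust per box.
TCPDUMP_CMD = ("tcpdump -n -i eth0 "
               "'icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply'")

# Matches tcpdump's default text output for ICMP echo, e.g.
#   10:00:01.000100 IP 10.10.4.30 > 192.168.10.30: ICMP echo request, id 4321, seq 1, length 64
ICMP_RE = re.compile(
    r"^\S+ (?:IP )?(?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

EMPTY = {"request": [], "reply": []}

def parse_capture(lines):
    """Index every echo packet by (id, seq): {'request': [(src, dst), ...], 'reply': [...]}."""
    seen = defaultdict(lambda: {"request": [], "reply": []})
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            seen[(int(m["id"]), int(m["seq"]))][m["kind"]].append((m["src"], m["dst"]))
    return dict(seen)

def diagnose_echo(capture_a, capture_c, host_a, host_c):
    """Compare A's and C's view of each echo and return a verdict code per (id, seq)."""
    a, c = parse_capture(capture_a), parse_capture(capture_c)
    verdicts = {}
    for key in sorted(set(a) | set(c)):
        a_side, c_side = a.get(key, EMPTY), c.get(key, EMPTY)
        if (host_a, host_c) not in a_side["request"]:
            verdicts[key] = "not_sent"          # A never put the request on the wire
        elif not any(dst == host_c for _, dst in c_side["request"]):
            verdicts[key] = "lost_forward"      # left A, never arrived at C
        elif not c_side["reply"]:
            verdicts[key] = "no_reply"          # C saw the request and stayed silent
        elif any(src != host_c for src, _ in c_side["reply"]):
            verdicts[key] = "reply_from_other_address"  # C answered from a different IP
        elif not any(dst == host_a for _, dst in a_side["reply"]):
            verdicts[key] = "lost_return"       # C answered, reply never reached A
        else:
            verdicts[key] = "reply_arrived"     # reply is on A's wire; ping is not matching it
    return verdicts

NEXT_STEP = {
    "not_sent": "check A's route to C (ip route get) and A's outbound filtering",
    "lost_forward": "capture on the VPN endpoints; the request is lost in transit",
    "no_reply": "check C's local filtering (iptables/nftables) and its route back to A",
    "reply_from_other_address": "C has more than one address/route toward A; check its routing",
    "lost_return": "return path differs from forward path; capture on the VPN endpoints",
    "reply_arrived": "compare MAC/IP of the reply with what ping expects on A",
}

def summary(verdicts):
    """Most common verdict across all echoes, or None for an empty capture."""
    return Counter(verdicts.values()).most_common(1)[0][0] if verdicts else None

# Constructed sample: two requests leave A, nothing at all is seen on C.
SAMPLE_A = [
    "10:00:01.000100 IP 10.10.4.30 > 192.168.10.30: ICMP echo request, id 4321, seq 1, length 64",
    "10:00:02.000100 IP 10.10.4.30 > 192.168.10.30: ICMP echo request, id 4321, seq 2, length 64",
]
SAMPLE_C = []

if __name__ == "__main__":
    v = diagnose_echo(SAMPLE_A, SAMPLE_C, "10.10.4.30", "192.168.10.30")
    for key, code in v.items():
        print(f"id {key[0]} seq {key[1]}: {code} -> {NEXT_STEP[code]}")
```

Run the capture command on both hosts for the duration of a single `ping -c 5`, save each output to a file, and feed the two files' lines to `diagnose_echo`. The verdict you want to see least is `reply_arrived`, because it means the network is fine and the problem is on the host itself.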
 

PigLover

Moderator
Jan 26, 2011
Sounds an awful lot like Host C is refusing to answer. Likely a local firewall rule. If Linux, make sure ICMP is not blocked by iptables. If Windows, make sure the network is not set to 'public' firewall rules, which block ping responses.

Sent from my VS996 using Tapatalk
 

IamSpartacus

Well-Known Member
Mar 14, 2016
Do you have any local firewalls on Host C? That would be my first thought. Or any outgoing firewall rules on Host A? Are there any middleboxes on your network (other routers, smart switches, etc.)? I've seen problems with HP switches and their anti-DDoS technology, which is prevalent on quite a number of their switches.
No firewalls on either.

Host A's default gateway is 10.10.4.2 (Cisco SG350XG) and my router is 10.10.4.1. I can ping Host D (192.168.10.55) just fine.


Try running tcpdump on A and C and filter on ICMP echo. This will help to narrow down where the failure might be, e.g., is C not receiving the ping request, or maybe not returning it properly, or maybe A is somehow receiving the reply but not registering it, etc. Also look for any shifts in MAC and/or IP addresses (e.g., receiving on one but replying with another). If you can run tcpdump or a similar packet capture feature on the VPN endpoints, do that as well.
I will do this at some point tonight and see what I find.


Sounds an awful lot like Host C is refusing to answer. Likely a local firewall rule. If Linux, make sure ICMP is not blocked by iptables. If Windows, make sure the network is not set to 'public' firewall rules, which block ping responses.

Sent from my VS996 using Tapatalk
Host C will answer ping requests just fine from any other host on the 10.10.4.0 network though, just not Host A.
 

PithyChats

Active Member
Feb 3, 2015
No firewalls on either.

Host A's default gateway is 10.10.4.2 (Cisco SG350XG) and my router is 10.10.4.1. I can ping Host D (192.168.10.55) just fine.

I will do this at some point tonight and see what I find.

Host C will answer ping requests just fine from any other host on the 10.10.4.0 network though, just not Host A.
Ah, you probably have an asynchronous routing issue. Are you running a transit network between the SG350XG and the router? For network purposes if you are running layer 3, the SG350XG is a router, and therefore you need a transit network. Here is some more info:

How to configure a Cisco Layer 3 switch-InterVLAN Routing
 

IamSpartacus

Well-Known Member
Mar 14, 2016
Ah, you probably have an asynchronous routing issue. Are you running a transit network between the SG350XG and the router? For network purposes if you are running layer 3, the SG350XG is a router, and therefore you need a transit network. Here is some more info:

How to configure a Cisco Layer 3 switch-InterVLAN Routing
I'm not running a transient network between the 350XG and pfSense. I'm simply trunking VLANs over the uplink. At this very moment, pfSense (router), the 350XG and the Linux host (Host A) are all on the same VLAN/network.
 

ridney

Member
Dec 8, 2015
Singapore
Host A's default gateway is 10.10.4.2 (Cisco SG350XG) and my router is 10.10.4.1. I can ping Host D (192.168.10.55) just fine.
Perhaps change Host A default gateway to your router instead of your switch? Not sure why you want it that way when all are in the same network.
 

pricklypunter

Well-Known Member
Nov 10, 2015
Canada
What's different between Hosts A & B and C & D in terms of network configuration and firewall, and also what's different on the network between them? If that doesn't turn up something, I might be tempted to stick Wireshark on a mirrored port and have a peek at what's happening at each end. You should very quickly be able to narrow the issue down to one particular host, route or port :)
 

PithyChats

Active Member
Feb 3, 2015
I'm not running a transient network between the 350XG and pfSense. I'm simply trunking VLANs over the uplink. At this very moment, pfSense (router), the 350XG and the Linux host (Host A) are all on the same VLAN/network.
I would make sure then that all layer 3 options are turned off on the 350XG. Even if you are on the same VLAN and subnet, you might still get asynchronous routing if the SG350X has an IP in that subnet.
 

IamSpartacus

Well-Known Member
Mar 14, 2016
So just wanted to update on what my issue was.

I had a policy routing rule in place from when I had tested sending data between these two networks via multiple OpenVPN connections. I completely forgot it was there. It was trying to send the data out of a gateway group that was disabled. Once I removed that rule, all is working.
 

PithyChats

Active Member
Feb 3, 2015
So just wanted to update on what my issue was.

I had a policy routing rule in place from when I had tested sending data between these two networks via multiple OpenVPN connections. I completely forgot it was there. It was trying to send the data out of a gateway group that was disabled. Once I removed that rule, all is working.

Thanks for the update. Glad you got it working!
 
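Two things in this thread are worth seeing side by side: PithyChats' point that a layer-3-enabled SG350XG sitting between Host A and pfSense makes the forward and return paths differ (and ridney's suggestion that pointing Host A's gateway at the router removes that), and the OP's actual root cause, a leftover policy routing rule sending traffic for Host C to a disabled gateway group while Host D was unaffected. The following is an added example, not code from the thread, that models the topology with per-device routing tables, does longest-prefix lookups, traces both directions and flags asymmetry. The host addresses, the switch address 10.10.4.2 and the pfSense address 10.10.4.1 come from the OP's posts; the tunnel addresses 10.99.0.0/30, the Site B router address 192.168.10.1 and all device names are assumptions. pfSense applies policy routing per firewall rule and per state rather than as a route, so representing the stale rule as a more-specific /32 route on pfSense is a simplification of the OP's setup.

```python
import ipaddress

# Constructed topology modelled on the thread (see the lead-in for which values are assumed).
ADDR_TO_DEVICE = {
    "10.10.4.30": "hostA",
    "10.10.4.2": "sg350",        # SG350XG with layer 3 enabled, Host A's default gateway
    "10.10.4.1": "pfsense",      # pfSense LAN address
    "10.99.0.1": "pfsense",      # assumed VPN tunnel address, Site A end
    "10.99.0.2": "siteB",        # assumed VPN tunnel address, Site B end
    "192.168.10.1": "siteB",     # assumed Site B router LAN address
    "192.168.10.30": "hostC",
    "192.168.10.55": "hostD",
}

def route(prefix, via=None, up=True):
    """One routing-table entry. via=None: directly connected.
    up=False: the gateway (or pfSense gateway group) it points at is disabled."""
    return {"prefix": ipaddress.ip_network(prefix), "via": via, "up": up}

def site_tables(extra_pfsense_routes=(), host_a_gateway="10.10.4.2"):
    """Routing tables for every device. extra_pfsense_routes stands in for the
    OP's leftover policy rule as more-specific routes on pfSense."""
    return {
        "hostA":   [route("10.10.4.0/24"), route("0.0.0.0/0", via=host_a_gateway)],
        "sg350":   [route("10.10.4.0/24"), route("0.0.0.0/0", via="10.10.4.1")],
        "pfsense": [route("10.10.4.0/24"), route("10.99.0.0/30"),
                    route("192.168.10.0/24", via="10.99.0.2"), *extra_pfsense_routes],
        "siteB":   [route("192.168.10.0/24"), route("10.99.0.0/30"),
                    route("10.10.4.0/24", via="10.99.0.1")],
        "hostC":   [route("192.168.10.0/24"), route("0.0.0.0/0", via="192.168.10.1")],
        "hostD":   [route("192.168.10.0/24"), route("0.0.0.0/0", via="192.168.10.1")],
    }

def lookup(table, dst):
    """Longest-prefix match, as a real forwarding table does it."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r["prefix"]]
    return max(matches, key=lambda r: r["prefix"].prefixlen, default=None)

def trace(tables, src, dst, max_hops=8):
    """Follow next hops from src toward dst; returns (list of devices, status)."""
    hops = [ADDR_TO_DEVICE[src]]
    for _ in range(max_hops):
        r = lookup(tables[hops[-1]], dst)
        if r is None:
            return hops, f"no route to {dst} on {hops[-1]}"
        if not r["up"]:
            return hops, f"{hops[-1]} sends {dst} to disabled gateway {r['via']}"
        if r["via"] is None:                      # directly connected: delivered
            return hops + [ADDR_TO_DEVICE[dst]], "delivered"
        hops.append(ADDR_TO_DEVICE[r["via"]])
    return hops, "hop limit exceeded (routing loop?)"

def check_path(tables, a, b):
    """Trace both directions; the path is symmetric when the return path is the
    forward path reversed, which is what stateful firewalls and VPNs expect."""
    fwd, fwd_status = trace(tables, a, b)
    ret, ret_status = trace(tables, b, a)
    return {"forward": fwd, "forward_status": fwd_status,
            "return": ret, "return_status": ret_status,
            "symmetric": fwd == ret[::-1]}

# The stale policy rule: only Host C is steered at the disabled gateway group.
STALE_POLICY_ROUTE = route("192.168.10.30/32", via="10.99.0.2", up=False)

if __name__ == "__main__":
    for label, tables in [("as posted", site_tables()),
                          ("with stale policy rule", site_tables([STALE_POLICY_ROUTE])),
                          ("gateway = router", site_tables(host_a_gateway="10.10.4.1"))]:
        for dst in ("192.168.10.30", "192.168.10.55"):
            res = check_path(tables, "10.10.4.30", dst)
            print(f"{label:>24} -> {dst}: fwd {res['forward']} ({res['forward_status']}), "
                  f"ret {res['return']}, symmetric={res['symmetric']}")
```

On a real Linux host the forward-direction half of this is `ip route get 192.168.10.30` on each box along the path; the point of running the trace both ways is that a one-directional check on Host A alone shows nothing wrong, exactly as the OP saw.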