On Tue, Jul 12, 2011 at 11:35 PM, Chris <li...@blackhat.bz> wrote:
> On 13/07/2011 2:27 PM, Chris wrote:
>> <snip>
>>
>
> To add to the already long email, here are some more examples of what's
> happening:
>
> From the 10.10.10.100 device, trying to ping the 'acc-bdr1' (J6350)
> device works:
>
> traceroute to 99.99.99.242 (99.99.99.242), 30 hops max, 40 byte packets
> 1 10.10.10.254 (10.10.10.254) 0.996 ms 0.699 ms 0.66 ms
> 2 99.99.99.242 (99.99.99.242) 1.928 ms 1.589 ms 1.978 ms
>
> Yet if I try it from a device that I CAN'T ping from acc-bdr1 (the source
> being 10.10.10.30):
>
> [root@acc-nx4cs ~]# traceroute -n 99.99.99.242
> traceroute to 99.99.99.242 (99.99.99.242), 30 hops max, 40 byte packets
> 1 10.10.10.254 4.021 ms 3.981 ms 3.958 ms
> 2 * * *
> 3 * * *
> 4 * * *

Wow. Weird situation.

In the case of the traceroute above (from 10.10.10.30 to 99.99.99.242), it only gets back ICMP messages from your EX but not the J series. What route does the EX show for 99.99.99.242?

In the case of the static route that you added to the J series, the route may not have been installed by default as "indirect next-hops" are disabled by default. Since the router has no directly-connected interface to 10.10.10.0/24, it's not sure that's what you want to do and will just take the route it already has (the one learned via iBGP). You can set "routing-options forwarding-table indirect-next-hop" to enable this functionality.

I would just trace down the path to the host that isn't working and look at the routing and switching tables of anything along the path and debug the path from the source to the destination, and then back again. A route may just be missing somewhere (though this wouldn't explain why only some IP-paths break).

Out of curiosity, is there any discernible pattern to the unreachable IPs (every other, every four, etc.)? All the times that I've seen the some-IPs-are-reachable-but-not-others problem, it's been due to a link aggregation or ECMP configuration that has a failed link or IP path along the way that isn't being communicated (and shut down) by higher layers.

Cheers,
jof

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp