RE: Strange behavior of Catalyst4006
Joe,

If you are using NAT 0 you need to have a static translation enabled. Otherwise when the machine first comes up it ARPs, which creates an xlate entry on the PIX which times out when the inactivity timer runs out. This causes behavior similar to what you are experiencing.

Scott C. McGrath

On Mon, 28 Jun 2004, Greg Schwimer wrote:

> Some things you can look into:
>
> > firewall interface(10.10.1.122/30).
> > ip route 192.168.5.0 255.255.255.0 10.10.1.124
>
> Is that the firewall interface is 10.10.1.122, or is it 10.10.1.124?
> 10.10.1.122 is a host address in the 10.10.1.120/30 subnet.
> 10.10.1.124 is a /30 network. Either way, you're dealing with two
> different subnets. Oddly, it's working sometimes.
>
> > At the very beginning all system works fine. After sometime they said they could
> > not access their email/web/dns
> > server from host outside their company's network... We restart ( shut; noshut) the
> > fastethernet interface on Catalyst4006,
> > and then servers' network access recovered.
>
> Sounds suspiciously like an IP conflict or some MAC weirdness with the
> firewall's or 4006's IP. Is the connection between the 4006 and the
> customer's firewall a basic crossover, or does the customer have a
> hub/switch on their side? Assuming the subnetting statement I've made
> above is based on erroneous info, check your arp cache/mac table when
> it *is* working. Write down the MAC for the customer's firewall. When
> it stops working, check the arp cache/mac table again. Compare the
> MACs to be sure they're the same. Just for giggles, clear the arp
> cache and see if that fixes it. If that doesn't, clear the entry from
> the cam table.
>
> Good luck...
>
> Greg Schwimer
Re: Strange behavior of Catalyst4006
Joe Shen wrote:
> I'm sorry I made a mistake: the subnet between catalyst4006 and customer's
> firewall is 10.10.1.213/30, Catalyst4006's interface address is 10.10.1.213,
> firewall's interface address is 10.10.1.214.

Have you tried enabling a monitor port on the Cat4k and sniffing what exactly is going on?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0

Esc key to reboot Universe, or any other key to continue...
RE: Strange behavior of Catalyst4006
Hi Joe,

It would be good to know the type (and software version) of firewall as it could be the firewall and not the switch that's the problem. For instance, there's a known bug with Checkpoint and NAT where automatic arp entries "disappear".

If you can ping it all from the catalyst but not from the rest of your network it could be that you have a problem with your dynamic routing protocols, or with a device connected to the catalyst. Check your adjacent routers: do you have a valid route to the catalyst for the 192.168.5.7 subnet? What does a traceroute show from your NOC?

-GP

-----Original Message-----
From: Joe Shen [mailto:[EMAIL PROTECTED]
Sent: 29 June 2004 02:01
To: [EMAIL PROTECTED]
Subject: Strange behavior of Catalyst4006

Hi,

We met a strange problem with Catalyst 4006 when providing leased line service to one of our customers.

Catalyst4006 --- Customer's firewall --- Customer's Intranet

The customer is allocated a Class C address block 192.168.5/24. And, they connect their network to our network by using a firewall. The interface on Cata4006 is set up as "no switchport", and an inter-connecting subnet is configured between Cata4006 and the firewall interface (10.10.1.122/30). A static route is used on Catalyst4006 to designate the route to the customer's intranet address ( ip route 192.168.5.0 255.255.255.0 10.10.1.124 ).

Customer set up their email server at 192.168.5.7, dns server at 192.168.5.1, web server at 192.168.5.9.

At the very beginning all systems work fine. After some time they said they could not access their email/web/dns server from hosts outside their company's network. But, when we telnet to Cata4006, we could 'ping' 192.168.5.7, but if we move to a host in NOC the ping failed all the time. ( ping to server is allowed on firewall). At the same time, their intranet hosts could access our network. We restart ( shut; no shut) the fastethernet interface on Catalyst4006, and then the servers' network access recovered.

The phenomenon comes up frequently, and our customer said this is a bug with catalyst4006. But, to my understanding, if this is a bug in catos, it should not affect only three servers. But, why could it be solved by restarting the catalyst interface?

Would you please do some help? ( I attach system info below)

Joe Shen
RE: Strange behavior of Catalyst4006
I'm sorry I made a mistake: the subnet between catalyst4006 and customer's firewall is 10.10.1.213/30, Catalyst4006's interface address is 10.10.1.213, firewall's interface address is 10.10.1.214.

Sorry.

Joe

On Mon, 28 Jun 2004 21:24 , Tony Rall <[EMAIL PROTECTED]> sent:

> On Monday, 2004-06-28 at 20:41 MST, Greg Schwimer <[EMAIL PROTECTED]> wrote:
> > Some things you can look into:
> >
> > > firewall interface(10.10.1.122/30).
> > > ip route 192.168.5.0 255.255.255.0 10.10.1.124
> >
> > Is that the firewall interface is 10.10.1.122, or is it 10.10.1.124?
> > 10.10.1.122 is a host address in the 10.10.1.120/30 subnet.
> > 10.10.1.124 is a /30 network. Either way, you're dealing with two
> > different subnets. Oddly, it's working sometimes.
>
> On top of that, we have this discrepancy:
>
> On Monday, 2004-06-28 at 19:01 CST, Joe Shen <[EMAIL PROTECTED]> wrote:
> > interface FastEthernet4/41
> > ip address 10.10.1.213 255.255.255.252
>
> So the router's address isn't even on the same subnet as the firewall's.
> Again, it's not clear how it ever worked.
>
> Tony Rall
RE: Strange behavior of Catalyst4006
On Monday, 2004-06-28 at 20:41 MST, Greg Schwimer <[EMAIL PROTECTED]> wrote:
> Some things you can look into:
>
> > firewall interface(10.10.1.122/30).
> > ip route 192.168.5.0 255.255.255.0 10.10.1.124
>
> Is that the firewall interface is 10.10.1.122, or is it 10.10.1.124?
> 10.10.1.122 is a host address in the 10.10.1.120/30 subnet.
> 10.10.1.124 is a /30 network. Either way, you're dealing with two
> different subnets. Oddly, it's working sometimes.

On top of that, we have this discrepancy:

On Monday, 2004-06-28 at 19:01 CST, Joe Shen <[EMAIL PROTECTED]> wrote:
> interface FastEthernet4/41
> ip address 10.10.1.213 255.255.255.252

So the router's address isn't even on the same subnet as the firewall's. Again, it's not clear how it ever worked.

Tony Rall
RE: Strange behavior of Catalyst4006
Some things you can look into:

> firewall interface(10.10.1.122/30).
> ip route 192.168.5.0 255.255.255.0 10.10.1.124

Is that the firewall interface is 10.10.1.122, or is it 10.10.1.124? 10.10.1.122 is a host address in the 10.10.1.120/30 subnet. 10.10.1.124 is a /30 network. Either way, you're dealing with two different subnets. Oddly, it's working sometimes.

> At the very beginning all system works fine. After sometime they said they could not
> access their email/web/dns
> server from host outside their company's network... We restart ( shut; noshut) the
> fastethernet interface on Catalyst4006,
> and then servers' network access recovered.

Sounds suspiciously like an IP conflict or some MAC weirdness with the firewall's or 4006's IP. Is the connection between the 4006 and the customer's firewall a basic crossover, or does the customer have a hub/switch on their side? Assuming the subnetting statement I've made above is based on erroneous info, check your arp cache/mac table when it *is* working. Write down the MAC for the customer's firewall. When it stops working, check the arp cache/mac table again. Compare the MACs to be sure they're the same. Just for giggles, clear the arp cache and see if that fixes it. If that doesn't, clear the entry from the cam table.

Good luck...

Greg Schwimer
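The "write down the MAC when it works, compare when it breaks" procedure above is easy to do by hand once, but not every time the link flaps. Below is an added example (not from this thread or from any poster) that parses two captures of IOS "show ip arp" output and reports what changed between the working and broken state: a MAC that differs (IP conflict or a swapped peer), an entry that went Incomplete (the peer stopped answering ARP), or an entry that vanished. The capture text and the MAC addresses in it are constructed for the example; only the IP addresses and interface name are the ones from the thread.

```python
from typing import Dict, List, NamedTuple, Optional


class ArpEntry(NamedTuple):
    address: str
    age_min: Optional[int]   # None when IOS prints "-" (the switch's own address)
    mac: Optional[str]       # None when IOS prints "Incomplete"
    interface: str           # empty when IOS omits it (Incomplete entries)


def parse_show_ip_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse IOS 'show ip arp' output into a dict keyed by IP address.

    Expected columns: Protocol Address Age(min) HardwareAddr Type Interface.
    Header, prompt and blank lines are skipped.
    """
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "Internet":
            continue
        age = None if fields[2] == "-" else int(fields[2])
        mac = None if fields[3].lower() == "incomplete" else fields[3].lower()
        interface = fields[5] if len(fields) > 5 else ""
        entries[fields[1]] = ArpEntry(fields[1], age, mac, interface)
    return entries


def diff_arp(working: Dict[str, ArpEntry], broken: Dict[str, ArpEntry]) -> List[str]:
    """Compare a known-good ARP table against one taken while the link is broken."""
    findings: List[str] = []
    for addr, before in sorted(working.items()):
        after = broken.get(addr)
        if after is None:
            findings.append(f"{addr}: entry present when working, gone when broken")
        elif after.mac is None:
            findings.append(f"{addr}: was {before.mac}, now Incomplete (peer not answering ARP)")
        elif after.mac != before.mac:
            findings.append(f"{addr}: MAC changed {before.mac} -> {after.mac} "
                            "(possible IP conflict or different device on the link)")
        elif after.interface != before.interface:
            findings.append(f"{addr}: learned on {before.interface}, now on {after.interface}")
    for addr in sorted(set(broken) - set(working)):
        findings.append(f"{addr}: new entry {broken[addr].mac} only present when broken")
    return findings


# Constructed captures: the MACs below are made up for the example.
WORKING = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.213             -   0000.0c11.2233  ARPA   FastEthernet4/41
Internet  10.10.1.214             5   0000.0c44.5566  ARPA   FastEthernet4/41
"""

BROKEN_MAC_CHANGED = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.213             -   0000.0c11.2233  ARPA   FastEthernet4/41
Internet  10.10.1.214            12   0000.0c77.8899  ARPA   FastEthernet4/41
"""

BROKEN_INCOMPLETE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.213             -   0000.0c11.2233  ARPA   FastEthernet4/41
Internet  10.10.1.214             0   Incomplete      ARPA
"""


def compare_captures(working_text: str, broken_text: str) -> List[str]:
    """Convenience wrapper: parse both captures and return the findings."""
    return diff_arp(parse_show_ip_arp(working_text), parse_show_ip_arp(broken_text))


if __name__ == "__main__":
    for label, capture in (("mac changed", BROKEN_MAC_CHANGED), ("incomplete", BROKEN_INCOMPLETE)):
        print(f"--- {label} ---")
        for finding in compare_captures(WORKING, capture):
            print(finding)
```

Save the two captures from the switch console into files and feed their contents to compare_captures; a MAC change points at the customer side (another device answering for the firewall's IP), while an Incomplete entry means the switch sent ARP requests that nothing answered, which is what a sniffer on a monitor port would confirm.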
Re: Strange behavior of Catalyst4006
Joe Shen wrote:
> The customer is allocated a Class C address block 192.168.5/24. And, they
> connect their network to our network by using a firewall. The Interface on
> Cata4006 is set up as "no switchport", and inter-connecting subnet is
> configured between Cata4006 and firewall interface(10.10.1.122/30).

For starters 10.10.1.122/30 is not on a valid subnet boundary. Other things to make sure of is that speed and duplex are always forced toward customer facing equipment. (you never know what's on the other side)

--
Robert Blayzor
INOC, LLC
[EMAIL PROTECTED]
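The /30 addressing questions raised in this thread (whether 10.10.1.122/30 is on a subnet boundary, whether the two ends of the handoff share a subnet, and whether the static route's next hop 10.10.1.124 is reachable from the switch port at all) can be checked mechanically. The following is an added example, not code from any of the posters, using Python's standard ipaddress module; the only inputs are the addresses quoted in the thread, first as originally posted and then as corrected by Joe.

```python
import ipaddress
from typing import List, Optional


def network_of(cidr: str) -> str:
    """Network that contains the interface address in cidr, e.g. '10.10.1.122/30' -> '10.10.1.120/30'."""
    return str(ipaddress.ip_interface(cidr).network)


def on_subnet_boundary(cidr: str) -> bool:
    """True when the address part of cidr is the network address of its own prefix."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip == iface.network.network_address


def is_usable_host(cidr: str) -> bool:
    """True when the address is neither the network nor the broadcast address (two per /30)."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip in list(iface.network.hosts())


def same_subnet(a: str, b: str) -> bool:
    """True when both interface addresses fall inside the same network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def connected_interface_for(next_hop: str, interfaces: List[str]) -> Optional[str]:
    """Connected interface whose subnet contains next_hop, or None.

    A static route whose next hop sits on no connected subnet cannot be
    resolved, so the route never installs and traffic is dropped.
    """
    nh = ipaddress.ip_address(next_hop)
    for cidr in interfaces:
        if nh in ipaddress.ip_interface(cidr).network:
            return cidr
    return None


def check_p2p_link(switch_cidr: str, firewall_cidr: str, route_next_hop: str) -> List[str]:
    """List the addressing problems of a /30 handoff; an empty list means it is consistent."""
    problems: List[str] = []
    for label, cidr in (("switch", switch_cidr), ("firewall", firewall_cidr)):
        if not is_usable_host(cidr):
            problems.append(f"{label} address {cidr} is the network or broadcast "
                            f"address of {network_of(cidr)}")
    if not same_subnet(switch_cidr, firewall_cidr):
        problems.append(f"{network_of(switch_cidr)} and {network_of(firewall_cidr)} "
                        "are different subnets")
    if connected_interface_for(route_next_hop, [switch_cidr]) is None:
        problems.append(f"static route next hop {route_next_hop} is not on the "
                        f"connected subnet {network_of(switch_cidr)}")
    return problems


if __name__ == "__main__":
    # Addresses as first posted: switch port 10.10.1.213/30, firewall 10.10.1.122/30, next hop 10.10.1.124
    for p in check_p2p_link("10.10.1.213/30", "10.10.1.122/30", "10.10.1.124"):
        print("as first posted:", p)
    # Addresses as corrected: 10.10.1.213 and 10.10.1.214 in the same /30
    print("as corrected:", check_p2p_link("10.10.1.213/30", "10.10.1.214/30", "10.10.1.214") or "consistent")
```

Run against the first set of addresses the check reports two problems (the two ends are in different /30s and the next hop is not on the switch's connected subnet); against the corrected 10.10.1.213/10.10.1.214 pair it reports none, which is why the subnet theory alone does not explain the intermittent failure.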
RE: Strange behavior of Catalyst4006
It is possible that this issue is being caused by the customer's firewall as well. Every Ethernet cable has two ends. :) I would check and see if the customer's firewall log says anything.

I believe doing a shut/no shut on the Cat 4006 causes the Ethernet link to 'flap' on the port, causing the interface to totally reset on both ends. This could be clearing errored conditions on both sides. Is there anything interesting in the 4006 log? Have you done a 'show interface fa4/41' when the interface is broken to see if it has any reasoning for the failure?

One other thing you could do is a 'no cdp enable' on the interface. You really won't get any cdp information from a firewall anyways... at least you shouldn't* get any. :)

- Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Shen
Sent: Monday, June 28, 2004 8:01 PM
To: [EMAIL PROTECTED]
Subject: Strange behavior of Catalyst4006

Hi,

We met a strange problem with Catalyst 4006 when providing leased line service to one of our customers.

Catalyst4006 --- Customer's firewall --- Customer's Intranet

The customer is allocated a Class C address block 192.168.5/24. And, they connect their network to our network by using a firewall. The interface on Cata4006 is set up as "no switchport", and an inter-connecting subnet is configured between Cata4006 and the firewall interface (10.10.1.122/30). A static route is used on Catalyst4006 to designate the route to the customer's intranet address ( ip route 192.168.5.0 255.255.255.0 10.10.1.124 ).

Customer set up their email server at 192.168.5.7, dns server at 192.168.5.1, web server at 192.168.5.9.

At the very beginning all systems work fine. After some time they said they could not access their email/web/dns server from hosts outside their company's network. But, when we telnet to Cata4006, we could 'ping' 192.168.5.7, but if we move to a host in NOC the ping failed all the time. ( ping to server is allowed on firewall). At the same time, their intranet hosts could access our network. We restart ( shut; no shut) the fastethernet interface on Catalyst4006, and then the servers' network access recovered.

The phenomenon comes up frequently, and our customer said this is a bug with catalyst4006. But, to my understanding, if this is a bug in catos, it should not affect only three servers. But, why could it be solved by restarting the catalyst interface?

Would you please do some help? ( I attach system info below)

Joe Shen
Strange behavior of Catalyst4006
Hi,

We met a strange problem with Catalyst 4006 when providing leased line service to one of our customers.

Catalyst4006 --- Customer's firewall --- Customer's Intranet

The customer is allocated a Class C address block 192.168.5/24. And, they connect their network to our network by using a firewall. The interface on Cata4006 is set up as "no switchport", and an inter-connecting subnet is configured between Cata4006 and the firewall interface (10.10.1.122/30). A static route is used on Catalyst4006 to designate the route to the customer's intranet address ( ip route 192.168.5.0 255.255.255.0 10.10.1.124 ).

Customer set up their email server at 192.168.5.7, dns server at 192.168.5.1, web server at 192.168.5.9.

At the very beginning all systems work fine. After some time they said they could not access their email/web/dns server from hosts outside their company's network. But, when we telnet to Cata4006, we could 'ping' 192.168.5.7, but if we move to a host in NOC the ping failed all the time. ( ping to server is allowed on firewall). At the same time, their intranet hosts could access our network. We restart ( shut; no shut) the fastethernet interface on Catalyst4006, and then the servers' network access recovered.

The phenomenon comes up frequently, and our customer said this is a bug with catalyst4006. But, to my understanding, if this is a bug in catos, it should not affect only three servers. But, why could it be solved by restarting the catalyst interface?

Would you please do some help? ( I attach system info below)

Joe Shen

==-=

4006#sh version
Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(12c)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 24-Oct-02 23:05 by eaarmas
Image text-base: 0x, data-base: 0x00CA7368

ROM: 12.1(12r)EW
Dagobah Revision 63, Swamp Revision 24

4006-wulin uptime is 41 weeks, 12 hours, 34 minutes
System returned to ROM by power-on
System restarted at 05:40:46 RPC Mon Sep 15 2003
System image file is "bootflash:cat4000-is-mz.121-12c.EW1.bin"

cisco WS-C4006 (XPC8245) processor (revision 5) with 524288K bytes of memory.
Processor board ID FOX05200BRH
Last reset from PowerUp
144 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
403K bytes of non-volatile configuration memory.

Configuration register is 0x2102

4006#
4006-wulin#sh run int f4/41
Building configuration...

Current configuration : 141 bytes
!
interface FastEthernet4/41
 no switchport
 ip address 10.10.1.213 255.255.255.252
 duplex full
 speed 100
end

4006#
===