Pinging connected and External networks issue - OSPF

TOPOLOGY is correct - Except I deleted the Firewall and now am connecting directly to the MPLS labeled Router.

I have a small topology of three routers in area 0 and they connect to an Internet cloud connected router.

I am able to ping all the interfaces of the Internet connected router from the directly connected TS-Core router in Area1, but the other two routers cannot ping any of the interfaces. Yet OSPF is advertising the 10.1.0.0/29 network that connects TS-Core and the edge router. I cannot ping 8.8.8.8 from any router except TS-Core and the edge router. I have the default-originate command on TS-Core advertising the default route through its outbound interface 10.1.0.2.

Here are the configs:

TS-Core:

vyos@vyos:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=11.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=9.81 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=8.72 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 8.720/9.867/11.067/0.958 ms
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [1/0] via 10.1.0.1, eth0, weight 1, 00:44:10
O   1.1.1.1/32 [110/0] is directly connected, lo, weight 1, 04:15:06
C>* 1.1.1.1/32 is directly connected, lo, 04:42:12
O>* 2.2.2.2/32 [110/1] via 10.2.1.2, eth1, weight 1, 04:02:55
O>* 3.3.3.3/32 [110/1] via 10.2.2.2, eth3, weight 1, 04:08:11
O   10.0.0.0/29 [110/1] is directly connected, eth5, weight 1, 04:15:06
C>* 10.0.0.0/29 is directly connected, eth5, 04:41:08
O   10.1.0.0/29 [110/1] is directly connected, eth0, weight 1, 01:20:46
S   10.1.0.0/29 [1/0] via 10.1.0.1 inactive, weight 1, 01:20:46
C>* 10.1.0.0/29 is directly connected, eth0, 01:20:46
O   10.2.1.0/29 [110/1] is directly connected, eth1, weight 1, 04:08:12
C>* 10.2.1.0/29 is directly connected, eth1, 04:29:01
O   10.2.2.0/29 [110/1] is directly connected, eth3, weight 1, 04:08:11
C>* 10.2.2.0/29 is directly connected, eth3, 04:36:24
O>* 10.2.3.0/29 [110/2] via 10.2.1.2, eth1, weight 1, 04:08:11
  *                     via 10.2.2.2, eth3, weight 1, 04:08:11
vyos@vyos:~$ show config
interfaces {
    ethernet eth0 {
        address 10.1.0.2/29
        hw-id 0c:d2:52:06:00:00
    }
    ethernet eth1 {
        address 10.2.1.1/29
        hw-id 0c:d2:52:06:00:01
    }
    ethernet eth2 {
        hw-id 0c:d2:52:06:00:02
    }
    ethernet eth3 {
        address 10.2.2.1/29
        hw-id 0c:d2:52:06:00:03
    }
    ethernet eth4 {
        hw-id 0c:d2:52:06:00:04
    }
    ethernet eth5 {
        address 10.0.0.1/29
        description "Admin Tool Server"
        hw-id 0c:d2:52:06:00:05
    }
    ethernet eth6 {
        hw-id 0c:d2:52:06:00:06
    }
    ethernet eth7 {
    }
    loopback lo {
        address 1.1.1.1/32
    }
}
protocols {
    ospf {
        area 0 {
            network 1.1.1.1/32
            network 10.2.2.0/24
            network 10.0.0.0/24
            network 10.1.0.0/24
            network 10.2.1.0/24
            network 10.2.1.0/29
            network 10.1.0.0/29
            network 10.0.0.0/29
            network 10.2.2.0/29
        }
        area 0.0.0.0 {
            network 10.1.0.0/29
            network 10.2.1.0/29
            network 10.2.2.0/29
        }
        default-information {
            originate {
            }
        }
        parameters {
            router-id 1.1.1.1
        }
        redistribute {
            connected {
            }
        }
    }
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.0.1 {
            }
        }
        route 10.1.0.0/29 {
            next-hop 10.1.0.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

TS-ACCESS1

vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

O>* 0.0.0.0/0 [110/10] via 10.2.1.1, eth1, weight 1, 00:46:31
O>* 1.1.1.1/32 [110/1] via 10.2.1.1, eth1, weight 1, 04:17:21
O   2.2.2.2/32 [110/0] is directly connected, lo, weight 1, 04:05:16
C>* 2.2.2.2/32 is directly connected, lo, 04:44:32
O>* 3.3.3.3/32 [110/1] via 10.2.3.2, eth5, weight 1, 04:24:25
O>* 10.0.0.0/29 [110/2] via 10.2.1.1, eth1, weight 1, 04:17:21
O>* 10.1.0.0/29 [110/2] via 10.2.1.1, eth1, weight 1, 01:23:07
O   10.2.1.0/29 [110/1] is directly connected, eth1, weight 1, 04:33:52
C>* 10.2.1.0/29 is directly connected, eth1, 04:33:53
O>* 10.2.2.0/29 [110/2] via 10.2.1.1, eth1, weight 1, 04:24:25
  *                     via 10.2.3.2, eth5, weight 1, 04:24:25
O   10.2.3.0/29 [110/1] is directly connected, eth5, weight 1, 04:33:52
C>* 10.2.3.0/29 is directly connected, eth5, 04:33:52
vyos@vyos:~$ show config
interfaces {
    ethernet eth0 {
        hw-id 0c:aa:b4:8a:00:00
    }
    ethernet eth1 {
        address 10.2.1.2/29
        hw-id 0c:aa:b4:8a:00:01
    }
    ethernet eth2 {
        hw-id 0c:aa:b4:8a:00:02
    }
    ethernet eth3 {
        hw-id 0c:aa:b4:8a:00:03
    }
    ethernet eth4 {
        hw-id 0c:aa:b4:8a:00:04
    }
    ethernet eth5 {
        address 10.2.3.1/29
        hw-id 0c:aa:b4:8a:00:05
    }
    ethernet eth6 {
        hw-id 0c:aa:b4:8a:00:06
    }
    ethernet eth7 {
        hw-id 0c:aa:b4:8a:00:07
    }
    loopback lo {
        address 2.2.2.2/32
    }
}
protocols {
    ospf {
        area 0 {
            network 2.2.2.2/32
            network 10.2.1.2/32
            network 10.2.3.0/29
            network 10.5.0.0/24
            network 10.3.0.0/29
        }
        area 0.0.0.0 {
            network 10.2.1.0/29
            network 10.2.3.0/29
        }
        parameters {
            router-id 2.2.2.2
        }
    }
    static {
        route 0.0.0.0/0 {
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vyos@vyos:~$

TS-ACCESSS2

vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

O   0.0.0.0/0 [110/10] via 10.2.2.1, eth3, weight 1, 00:47:49
S>* 0.0.0.0/0 [1/0] via 10.2.2.1, eth3, weight 1, 04:25:52
O>* 1.1.1.1/32 [110/1] via 10.2.2.1, eth3, weight 1, 04:18:39
O>* 2.2.2.2/32 [110/1] via 10.2.3.1, eth5, weight 1, 04:06:33
O   3.3.3.3/32 [110/0] is directly connected, lo, weight 1, 04:45:43
C>* 3.3.3.3/32 is directly connected, lo, 04:45:51
O>* 10.0.0.0/29 [110/2] via 10.2.2.1, eth3, weight 1, 04:18:39
O>* 10.1.0.0/29 [110/2] via 10.2.2.1, eth3, weight 1, 01:24:25
O>* 10.2.1.0/29 [110/2] via 10.2.2.1, eth3, weight 1, 04:25:41
  *                     via 10.2.3.1, eth5, weight 1, 04:25:41
O   10.2.2.0/29 [110/1] is directly connected, eth3, weight 1, 04:25:52
C>* 10.2.2.0/29 is directly connected, eth3, 04:25:52
O   10.2.3.0/29 [110/1] is directly connected, eth5, weight 1, 04:25:52
C>* 10.2.3.0/29 is directly connected, eth5, 04:25:52
vyos@vyos:~$ show config
interfaces {
    ethernet eth0 {
        hw-id 0c:0c:13:c2:00:00
    }
    ethernet eth1 {
        hw-id 0c:0c:13:c2:00:01
    }
    ethernet eth2 {
        hw-id 0c:0c:13:c2:00:02
    }
    ethernet eth3 {
        address 10.2.2.2/29
        hw-id 0c:0c:13:c2:00:03
    }
    ethernet eth4 {
        hw-id 0c:0c:13:c2:00:04
    }
    ethernet eth5 {
        address 10.2.3.2/29
        hw-id 0c:0c:13:c2:00:05
    }
    ethernet eth6 {
        hw-id 0c:0c:13:c2:00:06
    }
    ethernet eth7 {
        hw-id 0c:0c:13:c2:00:07
    }
    loopback lo {
        address 3.3.3.3/32
    }
}
protocols {
    ospf {
        area 0 {
            network 0.0.0.0/0
            network 3.3.3.3/32
            network 10.2.3.2/32
            network 10.2.2.2/32
            network 10.5.0.0/24
        }
        area 0.0.0.0 {
            network 10.2.2.0/29
            network 10.2.3.0/29
        }
        parameters {
            router-id 3.3.3.3
        }
    }
    static {
        route 0.0.0.0/0 {
            next-hop 10.2.2.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

MOD EDIT: I have put code statements around your configs to make the post more readable - @tjh

What does show ip ospf neighbour on each box show?

Also what’s the intention of “area 0” and “area 0.0.0.0” on the boxes? (My OSPF on VyOS is very limited so there’s probably a good reason, I just don’t know what it is)

Yeah that is odd…should I delete that? Probably!

TS-Core

vyos@vyos:~$ sh ip ospf nei

Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
3.3.3.3           1 Full/Backup     5h46m22s          36.820s 10.2.2.2        eth3:10.2.2.1                        0     0     0
2.2.2.2           1 Full/DR         5h53m10s          38.707s 10.2.1.2        eth1:10.2.1.1                        0     0     0

TS-Access1

vyos@vyos:~$ sho ip ospf nei

Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
1.1.1.1           1 Full/Backup     5h55m32s          37.026s 10.2.1.1        eth1:10.2.1.2                        0     0     0
3.3.3.3           1 Full/Backup     5h48m52s          35.179s 10.2.3.2        eth5:10.2.3.1                        0     0     0



TS-Accesss2

vyos@vyos:~$ sh ip ospf nei

Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
1.1.1.1           1 Full/DR         5h49m55s          33.443s 10.2.2.1        eth3:10.2.2.2                        0     0     0
2.2.2.2           1 Full/DR         5h50m03s          35.923s 10.2.3.1        eth5:10.2.3.2                        0     0     0

vyos@vyos:~$

I would certainly get rid of it as it might be confusing things (I can’t see how though)

Also not a problem but just so you’re aware, you have a static route on TS-ACCESSS2 that’s trumping the OSPF learnt one.

O   0.0.0.0/0 [110/10] via 10.2.2.1, eth3, weight 1, 00:47:49
S>* 0.0.0.0/0 [1/0] via 10.2.2.1, eth3, weight 1, 04:25:52

Finally if you put 3 backticks (```) in your post before and after your commands you’ll get nicely formatted output (I’ve edited your OSPF neighbour post above to include them)

Ok, Backticks HEARD, Thanks! I deleted the area 0.0.0.0 and the static route on TS-Accesss2 then I restarted all the devices. Still not able to ping the 10.1.0.1 interface of the upstream router that provides internet access (from TS-Access1&2) but I can ping the workstation at 10.0.0.1 which also is connected directly to TS-Core. Both of those subnets are being advertised to TS-Access1 and TS-Accesss2.
Thanks for your help.

Here is the config on the MPLS labeled Router:

Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [210/0] via 192.168.122.1, eth0, weight 1, 00:28:29
C>* 10.1.0.0/29 is directly connected, eth1, 00:28:32
C>* 192.168.122.0/24 is directly connected, eth0, 00:28:29
vyos@vyos:~$ show config
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 0c:72:3e:32:00:00
    }
    ethernet eth1 {
        address 10.1.0.1/29
        hw-id 0c:72:3e:32:00:01
    }
    ethernet eth2 {
        hw-id 0c:72:3e:32:00:02
    }
    ethernet eth3 {
        hw-id 0c:72:3e:32:00:03
    }
    ethernet eth4 {
        hw-id 0c:72:3e:32:00:04
    }
    ethernet eth5 {
        hw-id 0c:72:3e:32:00:05
    }
    ethernet eth6 {
        hw-id 0c:72:3e:32:00:06
    }
    ethernet eth7 {
        hw-id 0c:72:3e:32:00:07
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 10.1.0.0/29
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.122.123 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vyos@vyos:~$    ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=5.09 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=5.46 ms


---------        ----------                        ---  -----------
eth0             192.168.122.123/24                u/u
eth1             10.1.0.1/29                       u/u
eth2             -                                 u/D
eth3             -                                 u/D
eth4             -                                 u/D
eth5             -                                 u/D
eth6             -                                 u/D
eth7             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
vyos@vyos:~$ config

From TS-Accesss2:

PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
^C
--- 10.1.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2037ms

vyos@vyos:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1045ms

vyos@vyos:~$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.828 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.922 ms
^C
--- 10.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.828/0.875/0.922/0.047 ms
vyos@vyos:~$


Not sure why I can ping 10.0.0.1 but not 10.1.0.1 or 8.8.8.8.

On ts-access1 I saw an empty static default route. If you like to get the default route via OSPF I would get rid of this.

When your pings are not working, I would suggest starting the ping and then opening all routers along the way. Then try

tcpdump -i interface -n -vv icmp

Then you can follow the ICMP packet all the way to the MPLS router and see if the routing is working as you expect.

If you find the point where the packet is not routed / forwarded, we can look deeper into it.

Dump the traffic and check

monitor traffic interface ethX
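
The hop-by-hop check suggested above can be done on paper first, using the routing tables already posted in this thread. The following is an added example, not code from any poster: it does a longest-prefix-match lookup at each router for the echo request and then for the echo reply. The label "MPLS", the function names, and the assumption that a ping from TS-Accesss2 is sourced from its egress address 10.2.2.2 are choices made for this example.

```python
import ipaddress

# Routes transcribed from the `show ip route` output posted in the thread
# (subset needed for this trace). Next hop None = directly connected.
ROUTES = {
    "TS-Accesss2": [("0.0.0.0/0", "10.2.2.1"), ("10.0.0.0/29", "10.2.2.1"),
                    ("10.1.0.0/29", "10.2.2.1"), ("10.2.2.0/29", None)],
    "TS-Core": [("0.0.0.0/0", "10.1.0.1"), ("10.0.0.0/29", None),
                ("10.1.0.0/29", None), ("10.2.2.0/29", None)],
    "MPLS": [("0.0.0.0/0", "192.168.122.1"), ("10.1.0.0/29", None),
             ("192.168.122.0/24", None)],
}
# Interface addresses from the posted configs ("MPLS" is a label used here).
ADDRS = {
    "TS-Accesss2": {"10.2.2.2", "10.2.3.2", "3.3.3.3"},
    "TS-Core": {"10.1.0.2", "10.2.2.1", "10.0.0.1", "1.1.1.1"},
    "MPLS": {"10.1.0.1", "192.168.122.123"},
}

def owner(ip):
    """Router in the lab that owns this address, or None."""
    return next((r for r, a in ADDRS.items() if ip in a), None)

def lookup(router, dst):
    """Longest-prefix match: next-hop IP, dst itself if on-link, None if no route."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[router]]
    hits = [(n, nh) for n, nh in nets if ip in n]
    if not hits:
        return None
    _, nh = max(hits, key=lambda h: h[0].prefixlen)
    return nh or dst

def trace(start, dst, max_hops=8):
    """Follow dst hop by hop; returns (path, delivered)."""
    path, router = [start], start
    for _ in range(max_hops):
        if dst in ADDRS[router]:
            return path, True
        nxt = owner(lookup(router, dst))
        if nxt is None:  # no route, or handed to a device outside the lab
            return path + ["outside lab"], False
        path.append(nxt)
        router = nxt
    return path, False

def ping(src_router, src_ip, dst):
    """Trace the echo request, then the reply back to src_ip."""
    request, ok = trace(src_router, dst)
    reply = trace(request[-1], src_ip) if ok else (None, False)
    return {"request": (request, ok), "reply": reply}

if __name__ == "__main__":
    for src, src_ip, dst in [("TS-Accesss2", "10.2.2.2", "10.1.0.1"),
                             ("TS-Accesss2", "10.2.2.2", "10.0.0.1"),
                             ("TS-Core", "10.1.0.2", "10.1.0.1")]:
        print(src, "->", dst, ping(src, src_ip, dst))
```

In this trace the echo request from 10.2.2.2 reaches 10.1.0.1, but the posted table on the MPLS labeled router matches 10.2.2.2 only against its default route, so the reply is sent toward 192.168.122.1. A capture on that router's eth1 and eth0 while the ping runs would confirm or refute this.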