5 Replies Latest reply on May 23, 2013 12:05 PM by kb9mfd

    Packets being dropped, this has me stumped

    kb9mfd New Member

      I have a 1334 and a 1534. They are connected via two fiber channels and they are port trunked giving me 2gb between them. I have several vlans and use vlan tagging. Two vlans are for two different ISPs, and I have three internal networks. Everything is working fine, but for one thing. I have two servers connected to the 1534, both use vlan tagging to access all the vlans, Server #1 is just one port and Server #2 is port trunked 2 ports. Both servers have direct IPs for both ISPs, the 1334 is not NATing them. Server #1 handled my PPtP and IPSec VPNs (IPSec uses ISP #1 and PPtP uses ISP #2) and I moved those functions to my new Server #2. IPSec works great, but PPtP will not. Over the internet via ISP #2 I can ping Server #2, I can trace route over it, I can get IPSec to go over it, but when I try to connect via PPtP, I see (via wireshark) the connect packet reaching the server, the server ack on its port, I see the ack going over the link to the 1334 (again via wireshark port mirror), but the packet never ends up going out the port ISP #2 is plugged into. It's being dropped somewhere between the port channel and the port the ISP is plugged into. I can trace any other packets and protocols and they all work, except for some reason this exact packet/protocol. Now, the 1334 has its own address on the vlan for ISP #2 and it's the main internet gateway for the router. If I try to connect to Server #2 locally, it works just fine. The packets are routing internally on the vlan. This has me totally stumped, it worked just fine on Server #1, and I can get everything else to work just fine. Nothing shows up in the firewall logs on the 1334. Is there any way to track a packet through the 1334 and find out why it's being dropped? Any other ideas? I can send any capture or config. Thanks! - Jeremy

        • Re: Packets being dropped, this has me stumped
          Employee

          kb9mfd - I think the first step here would be to post the configurations for us to review. Please remember to remove any sensitive information. Also, which ports on the 1335 and 1534 are in the traffic path of the PPTP traffic? Am I understanding you correctly in that the 1335 terminates both internet connections and then the 1534 plugs into the 1335?

           

          Please do not hesitate to let us know if you have any further questions.

           

          Thanks,

          Noor

            • Re: Packets being dropped, this has me stumped
              kb9mfd New Member

              Here are the configurations. Yes, you will see BackboneSwitch/MainSwitch has a link between the switches. (port-channel 1 on Mainswitch and port-channel 2 on BackboneSwitch). Internet connection #1 is on port 19 (vlan 2), and #2 (vlan 3) is on 22 of Mainswitch. The old server I had the VPNs on is on port 5, and the new one is on ports 12 and 13 (port-channel 3) of BackboneSwitch. Again the strange thing is IPSec, ping and other services will go through, but not PPtP. In a new twist, I set up ISP #1 to accept PPtP connections and it works. Strange. I did a wireshark capture of port 22 and did not see the reply from my server, but a capture of the two ports linking the switches together (port-channel 1, giga-swx 1 & 2) shows the reply from my server, for some reason the data is getting lost going that inch or two. Thanks! - Jeremy

                • Re: Packets being dropped, this has me stumped
                  Employee

                  kb9mfd - Which subnet does the PPTP server have assigned to it? Your original post seemed to indicate it has a public IP. I just wanted to verify this, since I'm not seeing any PPTP port forwards configured.

                   

                  Thanks,

                  Noor

                    • Re: Packets being dropped, this has me stumped
                      kb9mfd New Member

                      You are correct, both servers have a public IP for both ISPs. There are no port forwards because the ip address for the adtran's vLan 3 is for internet access, and vLan 2 is for VoIP and is port forwarded to our phone system. (vLan 8 uses vLan 2 as its default route, vLan 1 uses vLan 3) Both servers have a valid IP address for all vLans and I can enable ping and ping both from the outside. The internal address for the vpn server is 172.28.130.9 or 172.28.101.9 (on both vlans) and you will see 172.28.50.0/16 (PPtP subnet) pointing to 172.28.101.9 in the route tables. (172.29.0.0/16 are my ipsec VPNs) - Jeremy

                        • Re: Packets being dropped, this has me stumped
                          kb9mfd New Member

                          Hold up, I figured out the issue and it's not the adtran. I discovered that the firewall on the server was tagging the outgoing packets with the incorrect vLan. So the communication, even though the from address was correct, was actually going out the other ISP. To my amazement ping and other protocols had no issue with that. PPtP must not have liked it. Sorry for the trouble but I was able to correct it myself. I did not notice that until I put a vLan column in Wireshark and noticed the packets were marked wrong. Thanks for the help and replies!! - Jeremy
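The check that resolved this thread (comparing the VLAN tag on each direction of a conversation) can be automated over captured frames. The following is an added example, not part of the original thread: it parses 802.1Q-tagged Ethernet/IPv4 frames and reports conversations whose replies carry a different VLAN ID than the requests. The addresses, ports and frames are constructed sample data, and `build_frame`, `parse` and `vlan_mismatches` are hypothetical helper names.

```python
import struct
from collections import defaultdict

def build_frame(vlan, src, dst, sport, dport):
    """Constructed sample: 802.1Q-tagged Ethernet/IPv4/TCP frame (checksums zeroed)."""
    eth = bytes(6) + bytes(6) + struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x12, 8192, 0, 0)
    return eth + ip + tcp

def parse(frame):
    """Return (vlan, proto, (src, sport), (dst, dport)), or None if not tagged IPv4."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    if ethertype != 0x0800 or len(frame) < 38:
        return None
    ip = frame[18:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport = dport = 0                      # GRE (47), ICMP etc. carry no ports
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return tci & 0x0FFF, proto, (src, sport), (dst, dport)

def vlan_mismatches(frames):
    """Conversations whose two directions were seen on different VLAN IDs."""
    seen = defaultdict(lambda: defaultdict(set))   # conversation -> sender -> VLANs
    for f in frames:
        p = parse(f)
        if p:
            vlan, proto, a, b = p
            seen[(proto,) + tuple(sorted((a, b)))][a].add(vlan)
    out = []
    for conv, by_sender in seen.items():
        vlans = list(by_sender.values())
        if len(vlans) == 2 and vlans[0] != vlans[1]:
            out.append((conv, {s: sorted(v) for s, v in by_sender.items()}))
    return out

# Constructed capture: the PPTP control reply (TCP 1723) leaves on VLAN 2, not VLAN 3.
CLIENT, SERVER = "198.51.100.7", "203.0.113.9"
SAMPLE = [
    build_frame(3, CLIENT, SERVER, 50000, 1723),
    build_frame(2, SERVER, CLIENT, 1723, 50000),
    build_frame(3, CLIENT, SERVER, 50001, 443), build_frame(3, SERVER, CLIENT, 443, 50001)]
```

The capture point has to preserve 802.1Q tags (a trunk or mirror port, as used in the thread); many host NIC drivers strip the tag before the capture library sees the frame.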