LAN Routing

VLAN not routing between machines over WAN

jrogulski
Visitor

VLAN not routing between machines over WAN

This one is killing me.  

 

I have a mail server in site 1. IP address is 10.150.1.2. VLAN 10.150.1.254

I have a mail server in site 2. IP address is 10.150.2.1. VLAN 10.150.2.1

 

I have a VPN tunnel built between both sites. If I try to ping VLAN to VLAN, the ASA tunnel comes up, no issue there. I cannot get the two VLANs to ping each other. There are NO ACLs on the firewall side to restrict.

 

If you look at routing for site 1, ASA is 192.9.230.179. Route is built for that headed there.

If you look at routing for site 2, ASA is 172.16.110.15. Route is built for that headed there.

 

Site 1 & 2: cannot ping the machine from any other VLAN either. I can ping the VLAN.

 

What am I doing wrong? Although the second NIC on each machine (10.150.x.x) has no gateway, I have a netsh route built for the remote sites. If I can ping the VLAN, shouldn't I be able to ping the host? Are my issues there or on the switch?

 

  

6 REPLIES
Vince-Whirlwind
Honored Contributor

Re: VLAN not routing between machines over WAN

I have a mail server in site 2.   IP address is 10.150.2.1       VLAN 10.150.2.1

I assume this is a typo and your Site2 switch and email server aren't actually assigned the exact same addresses.

I'm a bit confused by your Site1 switch config:

ip default-gateway 192.9.230.179

ip route 0.0.0.0 0.0.0.0 192.9.230.180

But that shouldn't matter as you have a more specific route anyway:

ip route 10.150.2.0 255.255.255.0 192.9.230.179

Assuming that IP address is correct for the local ASA, the next check is, does the ASA have a route for the 10.150.2.0/24 network? I think it does, because from Site 1 you can ping 10.150.2.254, right?

 

So all that's left is the host itself.

Can 10.150.1.2 ping its VLAN's router address?

Can the Site2 email server ping its VLAN's router address?

Can each of them ping a different VLAN router address?

jrogulski
Visitor

Re: VLAN not routing between machines over WAN

It is a typo, I'm sorry. The host is .2

 

 

ip default-gateway 192.9.230.179

ip route 0.0.0.0 0.0.0.0 192.9.230.180

But that shouldn't matter as you have a more specific route anyway:

ip route 10.150.2.0 255.255.255.0 192.9.230.179

Assuming that IP address is correct for the local ASA, the next check is, does the ASA have a route for the 10.150.2.0/24 network? I think it does, because from Site 1 you can ping 10.150.2.254, right?

 

 

I'll double check the ASA. I know that if I try and ping the hosts from each site, the tunnel comes up and I can see the traffic in the logs.

 

So all that's left is the host itself.

Can 10.150.1.2 ping its VLAN's router address? Yes, it can.

Can the Site2 email server ping its VLAN's router address? Yes.

Can each of them ping a different VLAN router address? They can - but it goes out the other NIC that has a gateway specified. If I force the traffic out the NIC that I want the traffic on, it won't see any other VLANs.

Vince-Whirlwind
Honored Contributor

Re: VLAN not routing between machines over WAN

It has to have a gateway, or it can't communicate off-subnet.

 

What you need on the server is a second routing table that defines, for example for Site1, 10.150.2.254 as the default gateway address for traffic involving the NIC with 10.150.1.2 on it.

 

If this is a Windows box, you will probably have to rethink the multiple NIC thing.

Probably better to just use one IP address, bond the NICs together and get a bit of redundancy.
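
An added illustration of the routing decision described in this reply (example code, not from the thread): a small Python model of the Site 2 server's routing table, before and after a route for 10.150.1.0/24 is pinned to the replication NIC. Interface indexes, the host addresses and the default gateway address are assumptions; only the 10.150.x.0/24 networks and the 10.150.2.1 VLAN router come from the thread.

```python
import ipaddress

# Constructed model of the Site 2 server's IPv4 routing table.
# Assumed interface numbering: 11 = the NIC carrying the only default
# gateway (address assumed), 12 = the replication NIC on 10.150.2.0/24
# that has no gateway configured, as described in the thread.
INTERFACES = {11: "172.16.110.50/24", 12: "10.150.2.2/24"}  # assumed host addresses

# Entries: (destination, next hop or None for on-link, interface index)
WITHOUT_ROUTE = [
    ("0.0.0.0/0", "172.16.110.1", 11),   # assumed default gateway on NIC 11
    ("172.16.110.0/24", None, 11),
    ("10.150.2.0/24", None, 12),
]
# Same table after adding a route for the Site 1 replication VLAN via the
# Site 2 VLAN router 10.150.2.1, bound to interface 12.
WITH_ROUTE = WITHOUT_ROUTE + [("10.150.1.0/24", "10.150.2.1", 12)]


def lookup(table, dst):
    """Longest-prefix match: return (next_hop, ifindex), or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, nexthop, ifindex in table:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, ifindex)
    return None if best is None else (best[1], best[2])


def check_next_hops(table, interfaces):
    """Return routes whose next hop is not on the bound interface's own subnet.

    Such a route is installed but useless: the host cannot resolve the
    gateway's MAC address on that link, so the traffic is dropped."""
    bad = []
    for dest, nexthop, ifindex in table:
        if nexthop is None:
            continue
        link = ipaddress.ip_interface(interfaces[ifindex]).network
        if ipaddress.ip_address(nexthop) not in link:
            bad.append((dest, nexthop, ifindex))
    return bad


if __name__ == "__main__":
    for name, table in (("without route", WITHOUT_ROUTE), ("with route", WITH_ROUTE)):
        print(name, "-> 10.150.1.2 leaves via", lookup(table, "10.150.1.2"))
    wrong = [("10.150.3.0/24", "172.16.110.1", 12)]  # constructed bad route
    print("unusable routes:", check_next_hops(WITH_ROUTE + wrong, INTERFACES))
```

Without the specific route, a ping to 10.150.1.2 follows the default route out NIC 11, which is the behaviour the original poster observed; with it, the same packet leaves NIC 12 towards the VLAN router.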

 

 

jrogulski
Visitor

Re: VLAN not routing between machines over WAN

I did a route add 10.150.1.0/24 10.150.2.1 metric 1 interface 12 (the interface with no gateway on it).

 

It's a Windows box but running DAG replication for Exchange, so MS and the vendor helping me are recommending that they be on separate VLANs.

Vince-Whirlwind
Honored Contributor

Re: VLAN not routing between machines over WAN

Server NICs have been capable of using 802.1q frame format for years now.

 

You might be better off creating a virtual NIC, using .1q, and assigning it to a bonded pair of physical NICs. That gives you some redundancy and potential bandwidth benefits.

 

I'm not a server guy, so I don't know *how* to do that, but it seems like a likely thing that can be done.

jrogulski
Visitor

Re: VLAN not routing between machines over WAN

I'll give it a shot tomorrow. 

 

 

Thanks

 

Was the switch config ok?