Weird routing issue

Question

I'm having some weird internet problems on campus. I know it's something simple, but it's a case where I need another set of eyes. I think I can explain the problem best by posting a tracert:

Tracing route to google.com [74.125.45.147]
over a maximum of 30 hops:

  1     3 ms     3 ms     3 ms  192.168.8.1 
  2     1 ms     1 ms     1 ms  elissaemily-pc.york.edu [192.168.10.5] 
  3     2 ms     2 ms     2 ms  rrcs-76-79-19-33.west.biz.rr.com [76.79.19.33] 
  4    31 ms     3 ms     2 ms  ge-1-1-0.lnclne00-mx41.neb.rr.com [76.85.220.109] 
  5    20 ms    17 ms    17 ms  ge-7-3-0.chcgill3-rtr1.kc.rr.com [76.85.220.137] 
  6    20 ms    20 ms    19 ms  ae-5-0.cr0.chi30.tbone.rr.com [66.109.6.112] 
  7    19 ms    19 ms    24 ms  ae-1-0.pr0.chi10.tbone.rr.com [66.109.6.155] 
  8    26 ms    24 ms    24 ms  74.125.48.109 
  9    23 ms    24 ms    21 ms  216.239.46.246 
 10    39 ms    39 ms    55 ms  209.85.242.215 
 11    39 ms    39 ms    39 ms  209.85.254.243 
 12    39 ms    40 ms    96 ms  209.85.253.145 
 13    39 ms    39 ms    39 ms  yx-in-f147.1e100.net [74.125.45.147] 

Trace complete.

Note the second entry in there. Not only is the host name a student's computer, but the ip address doesn't exist. Dhcp shows that host as having a different address and you can't ping any 192.168.10.5. Yet somehow it's routing packets for us (and not very well, either — things are slow right now). The rest of the tracert looks fine (we have a 20Mb fiber connection from road runner). A tracert from the admin vlan (10.x.x.x subnet) shows expected results.

The basic network routing table looks like this:

Destination     Subnet Mask     Gateway
---------------------------------------
Default Route   --              10.1.1.5 (our firewall)
10.0.0.0        255.0.0.0       --
192.168.8.0     255.255.252.0   --

Update/Result
Here's the whole story for the curious.

Several weeks ago we increased the IP range for the students from 192.168.8.0/23 to 192.168.8.0/22. To make this possible, we had to remove an old and now unused 192.168.10.0/24 range from the dhcp server and corresponding interface from our main switch. We finished this project and things seemed to work for a while.

Unfortunately, we missed a detail on the firewall. It had an interface set up for 192.168.10.5/24 that was there to serve the old range (the mystery router, right where it's supposed to be). It worked at first because most devices on the student network would still get IPs in the first part of the range. If anyone complained, by the time we checked it out they'd restart their computer and get a working IP address.

We didn't really have a problem until after spring break, when all the students came back at once. There were a few dhcp conflicts, a few new devices, and I'd reconfigured a couple consumer wireless routers I have to use to work like access points. All of a sudden we had many more devices getting 192.168.10.x addresses. Enough that it confused the firewall itself even and caused slowdowns across campus, if you could connect at all.

I'm glad to have this one fixed, let me tell you.

score 1 · Accepted Answer · answered Mar 30 '10 at 13:41

Check the reverse DNS pointer entry for 192.168.10.5, it's probably point to that PC's hostname. Doesn't mean packets are going to that PC, just that reverse DNS is wrong.

Many routers are firewalled to not respond to direct requests from outside their subnet. So if you're on the 192.168.8.x subnet, and it's on the 192.168.10.x subnet, it probably will not respond to your requests (even just to ping it).

Check the routing table on 192.168.8.1, and the table on it's default router. So if 192.168.8.1 is configured with a default route of 192.168.n.m, go to that router and check it's table for the 192.168.10.5 entry (this is probably the case).

If you're having trouble locating the router, the 192.168.8.1 router will have the MAC address of the router. You can use a MAC lookup to get the vendor of the device. Your switches (if managed) will know what port number the device is plugged into as well (find it by the MAC address again).

Oh, and subnet mask is 255.255.252.0, so we're on the same subnet. But I still should be able to track down that mac somehow — Joel Coel, Mar 30 '10 at 14:11
Ha! Found it! The firewall, whose main interface is 10.1.1.5, has additional interfaces set to respond to requests from other subnets as if it's on that subnet. So that was the right place. — Joel Coel, Mar 30 '10 at 14:59

score 1 · Answer 2 · answered Mar 30 '10 at 13:55

1

Perhaps we can find out more on the following:

I would like to verify that you had obtained the routing table from your personal computer. It would be great if we can view the routing metric values as well.
Would it be possible if you could provide your "ipconfig/ifconfig" output eg., IPv4 + subnet mask + gateway"?
Was your machine assigned a similar DNS hostname as well? Are you able to get someone to ping your machine with its given hostname as a parameter?
Is your machine the only terminal that's affected with the above traceroute results? Are your peers whom are utilizing the same network affected as well?

If you say "Yes" to Point #4 - my immediate reaction will be to try to set up a packet sniffer such as Ethereal/Wireshark to spot for anomalies in all incoming/outgoing packets from the affected terminal.

Cheers!

answered Mar 30 '10 at 13:55

Michael Feng

181

routing table is from the main switch (192.168.8.1) – Joel Coel Mar 30 '10 at 14:07
Assuming that you're in control of the main switch (192.168.8.1) - have you tried to initiate a traceroute from it as a point of origin yet? 2) As you have mentioned that 10.0.0.0/8 is a VLAN - are you running a L2 VLAN or a L3 VLAN?
Looking at your routing table, I am assuming that there is bound to be a router within the 192.168.8.0/22 network. All network traffic will have to go through that router first before it reaches your firewall and subsequently routed back out to the public Internet - unless you are running through a L3 switch.

Michael Feng

Mar 30 '10 at 14:28

There is a 3Com 4900SX fiber switch that does layer 3 routing. The 192.168.8.1 interface is part of that switch, as is a 10.1.1.1 interface for the other subnet. I can tracert from the switch normally, but it always assumes the default vlan 1 (10.1.1.1 interface) when I'm logged in to the device. – Joel Coel Mar 30 '10 at 14:58

score 0 · Answer 3 · answered Mar 30 '10 at 14:04

0

I did this once and I was testing something and added a entry to the hosts file so sometime later everytime I pinged via ip the router it would show up this strange host name.. took me awhile to remember that I had edited the hosts file! dumb....

answered Mar 30 '10 at 14:04

tony roth

3,924

score 0 · Answer 4 · answered Mar 30 '10 at 14:39

First thing I would do is to ping 192.168.10.5 from 192.168.8.1 (the main switch). After that, it should be visible in the switch's ARP table (to get it under IOS, you'd simply type sh arp | i 192.168.10.5). That should then allow you to find the manufacturer of the network card (This URL is a good starting point) and also let you find what the outbound switch-port is for that MAC (again, under IOS, sh mac-address address MACgoesHERE) and that should give you enough info to proceed.

It's not impossible that the device has been sending ICMP redirects for a variety of IP addresses, pointing to itself instead of to whatever the next-hop SHOULD be.

I can't ping from 192.168.8.1. The switch always logs you in to the admin console using the default interface (10.1.1.1). — Joel Coel, Mar 30 '10 at 16:12

Weird routing issue

4 Answers4