10th October 2008, 03:23 PM #1 Hp Procurve default gateway help
I urgently need some advice with default gateway settings on a HP Procurve 5406zl.
The switch currently looks after all the internal Vlans and is the router for these.
The vlans all have their own default gateway.
I have setup a VPN to a remote site which is all working with no problems (I can RDP onto my servers from the remote site), however I can't get from my server vlan over to the remote site and I'm pretty certain it's down to the routing.
Camera server - 10.0.0.13 255.240.0.0 has a default gateway of 10.0.0.76 (the HP switch mentioned above).
Our firewall is a Watchguard and is on 10.0.0.1.
If I run a tracert from the camera server over to the VPN I get nothing beyond the default gateway, suggesting to me that the switch doesn't know the route to the firewall?
Can anyone help please?
-
-
10th October 2008, 03:40 PM #2 Add on static routes (seems to come to my TFI Friday brain)
-
-
10th October 2008, 03:47 PM #3 Thanks
I've just done:
ip route 172.10.0.0/24 10.0.0.1
on the switch, no success yet.
Does that look nearly right?
-
-
10th October 2008, 03:48 PM #4 from configure:
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Just be careful as it can affect existing routes. I changed it remotely once and spent 2 hours working out how to get back in with a chain of ssh sessions via servers that didn't require routing
-
-
10th October 2008, 03:49 PM #5 Does the firewall have a route back to the switch's IP address too?
-
-
10th October 2008, 03:53 PM #6 Currently there is no route back to the 10.0.0.0 range setup on the firewall, but as the firewall is currently on the same range as the servers I'm guessing it won't need it?
I think I'll wait until Monday to play with this, 8 years of experience tells me nothing apart from changing this sort of thing on a Friday afternoon is asking for trouble!
Do I need to undo the ip route change I just added before I go?
Thanks for your help guys!
-
-
10th October 2008, 04:01 PM #7 My route is back to the default gateway for the vlan that the firewall is on.
Client (10.0.200.1) -------(10.0.200.254) 5412 (10.0.7.254) via route (0.0.0.0 0.0.0.0 10.0.7.5) ------ (10.0.7.5) Firewall (10.20.x.x)---------Internet
Firewall has a static route for 10.0.0.0 255.255.0.0 as 10.0.7.254
-
-
10th October 2008, 04:16 PM #8 Does anyone know the command to view the current static routes?
-
-
13th October 2008, 09:20 AM #9 OK, I removed the static route
172.10.0.0 255.255.255.0 10.0.0.1 using 'no ip route'
and entered
ip route 0.0.0.0 0.0.0.0 10.0.0.1 as suggested.
I still can't get through to my vpn. Tracert still stops at 10.0.0.76 (IP of my main routing switch).
Any thoughts?
-
-
13th October 2008, 09:45 AM #10 Do all involved vlans have their own ip ranges and subnets?
What are the addresses, vlans and subnets involved?
-
-
13th October 2008, 09:53 AM #11 Yes the internal vlans follow the pattern:
192.168.1.x 255.255.255.0 192.168.1.254
192.168.2.x 255.255.255.0 192.168.2.254
192.168.3.x 255.255.255.0 192.168.3.254
etc etc
We still have some nodes left on the default vlan due to not having managed switches everywhere - the switches and servers are still on the default VLAN also.
The default vlan is
10.0.x.x 255.240.0.0 10.0.0.76
The main switch that looks after the vlans and routes is 10.0.0.76
The watchguard firewall (10.0.0.1) takes care of the VPN tunneling. I know that the VPN is working as I can login from the other side of the tunnel with no problems.
The IP range the other side of the tunnel is:
172.10.0.x 255.255.255.0
-
-
13th October 2008, 10:22 AM #12 So you have a vpn running from the outside to the watchguard with the ip range of 172.10.0.x 255.255.255.0? What sort of vpn and is it a lan/lan vpn?
One thing you could try is setting the default gateway for a machine in the 10.0 range to the firewall. If this doesn't work when it's on the same vlan/subnet without using the switch as the gateway then you can probably rule the switch out as the issue.
-
-
13th October 2008, 10:26 AM #13 I'm not sure how to answer your first question. The VPN is a Branch-Office VPN, I'm not sure whether that's a name specific to watchguard or whether it's a standard. I guess it's a lan-lan, connected via ADSL lines.
Is that what you meant?
Good idea about changing the default gateway, I'll give that a try on a machine now and get back to you.
Thanks again for all your advice.
-
-
13th October 2008, 12:43 PM #14 OK, I have changed the default gateway on the computer that will eventually be using the VPN to the firewall IP address.
Pings and trace routes still timeout but now I am getting an error message on the firewall log:
2008-10-13 12:03:00 Deny 10.0.0.13 172.10.0.1 icmp-Echo 1-Trusted unknown packet with TTL=0, firewall drop (internal policy) rc="104"
-
-
13th October 2008, 02:01 PM #15 Resolved the issue, there was a static route on the Watchguard firewall as follows:
172.10.0.0/24 - 10.0.0.1
Removing this route solved the problem. Thanks Watchguard for telling me to put that route there in the first place.
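
An added example, not part of any post in this thread: a simplified Python model of the route tables quoted above, which flags a static route whose next hop is the device's own address (the route removed in post #15) and follows the hops for 172.10.0.1. The device names, both helper functions and the assumption that such a route is re-processed on the same device are illustrative; the thread does not say how the Watchguard handles it internally.

```python
import ipaddress

# Constructed from the addresses quoted in the thread (not a device export).
DEVICES = {
    "switch": {"addrs": ["10.0.0.76"],
               "routes": [("0.0.0.0/0", "10.0.0.1")]},
    "firewall": {"addrs": ["10.0.0.1"],
                 # the static route removed in post #15
                 "routes": [("172.10.0.0/24", "10.0.0.1")]},
}

def self_referential_routes(devices):
    """Return (device, prefix, next_hop) where the next hop is the device itself."""
    findings = []
    for name, dev in devices.items():
        own = {ipaddress.ip_address(a) for a in dev["addrs"]}
        for prefix, next_hop in dev["routes"]:
            if ipaddress.ip_address(next_hop) in own:
                findings.append((name, prefix, next_hop))
    return findings

def trace(devices, start, dst, ttl=8):
    """Follow longest-prefix-match static routes; return (path, outcome)."""
    owner = {ipaddress.ip_address(a): n
             for n, d in devices.items() for a in d["addrs"]}
    dst = ipaddress.ip_address(dst)
    node, path = start, [start]
    while ttl > 0:
        matches = [(ipaddress.ip_network(p), nh)
                   for p, nh in devices[node]["routes"]
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            # Nothing static matches: left to other forwarding (e.g. VPN policy).
            return path, "no static route"
        _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        nxt = owner.get(ipaddress.ip_address(next_hop))
        if nxt is None:
            return path, "forwarded to " + next_hop
        path.append(nxt)
        node, ttl = nxt, ttl - 1
    return path, "ttl expired"

if __name__ == "__main__":
    for finding in self_referential_routes(DEVICES):
        print("self-referential route:", finding)
    print(trace(DEVICES, "switch", "172.10.0.1"))
```
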