  1. #1
    Andi's Avatar
    Join Date
    Feb 2007
    Location
    Newport, South Wales
    Posts
    276
    Thank Post
    52
    Thanked 4 Times in 4 Posts
    Rep Power
    16

    Hp Procurve default gateway help

    I urgently need some advice with default gateway settings on a HP Procurve 5406zl.

    The switch currently looks after all the internal Vlans and is the router for these.
    The vlans all have their own default gateway.

    I have set up a VPN to a remote site which is all working with no problems (I can RDP onto my servers from the remote site), however I can't get from my server vlan over to the remote site and I'm pretty certain it's down to the routing.

    Camera server - 10.0.0.13 255.240.0.0 has a default gateway of 10.0.0.76 (the HP switch mentioned above).

    Our firewall is a watchguard and is on 10.0.0.1

    If I run a tracert from the camera server over to the VPN I get nothing beyond the default gateway, suggesting to me that the switch doesn't know the route to the firewall?

    Can anyone help please?

  2. #2

    matt40k's Avatar
    Join Date
    Jun 2008
    Location
    Ipswich
    Posts
    4,433
    Thank Post
    368
    Thanked 646 Times in 528 Posts
    Rep Power
    159
    Add on static routes (seems to come to my TFI Friday brain)

  3. Thanks to matt40k from:

    Andi (10th October 2008)

  4. #3
    Andi's Avatar
    Thanks

    I've just done:

    ip route 172.10.0.0/24 10.0.0.1

    on the switch, no success yet.

    Does that look nearly right?

  5. #4
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,467
    Thank Post
    10
    Thanked 496 Times in 436 Posts
    Rep Power
    113
    from configure:

    ip route 0.0.0.0 0.0.0.0 10.0.0.1

    Just be careful as it can affect existing routes. I changed it remotely once and spent 2 hours working out how to get back in with a chain of ssh sessions via servers that didn't require routing

  6. Thanks to DMcCoy from:

    Andi (10th October 2008)

  7. #5
    DMcCoy's Avatar
    Does the firewall have a route back to the switch's IP address too?

  8. Thanks to DMcCoy from:

    Andi (10th October 2008)

  9. #6
    Andi's Avatar
    Currently there is no route back to the 10.0.0.0 range set up on the firewall, but as the firewall is currently on the same range as the servers I'm guessing it won't need it?

    I think I'll wait until Monday to play with this, 8 years of experience tells me nothing apart from changing this sort of thing on a Friday afternoon is asking for trouble!

    Do I need to undo the ip route change I just added before I go?

    Thanks for your help guys!

  10. #7
    DMcCoy's Avatar
    My route is back to the default gateway for the vlan that the firewall is on.



    Client (10.0.200.1) -------(10.0.200.254) 5412 (10.0.7.254) via route (0.0.0.0 0.0.0.0 10.0.7.5) ------ (10.0.7.5) Firewall (10.20.x.x)---------Internet

    Firewall has a static route for 10.0.0.0 255.255.0.0 as 10.0.7.254

  11. Thanks to DMcCoy from:

    Andi (10th October 2008)

  12. #8
    Andi's Avatar
    Does anyone know the command to view the current static routes?

  13. #9
    Andi's Avatar
    OK, I removed the static route
    172.10.0.0 255.255.255.0 10.0.0.1 using 'no ip route'
    and entered
    ip route 0.0.0.0 0.0.0.0 10.0.0.1 as suggested.

    I still can't get through to my vpn. Tracert still stops at 10.0.0.76 (IP of my main routing switch).

    Any thoughts?

  14. #10
    DMcCoy's Avatar
    Do all involved vlans have their own ip ranges and subnets?

    What are the addresses, vlans and subnets involved?

  15. Thanks to DMcCoy from:

    Andi (13th October 2008)

  16. #11
    Andi's Avatar
    Yes the internal vlans follow the pattern:

    192.168.1.x 255.255.255.0 192.168.1.254
    192.168.2.x 255.255.255.0 192.168.2.254
    192.168.3.x 255.255.255.0 192.168.3.254
    etc etc

    We still have some nodes left on the default vlan due to not having managed switches everywhere - the switches and servers are still on the default VLAN also.

    The default vlan is
    10.0.x.x 255.240.0.0 10.0.0.76

    The main switch that looks after the vlans and routes is 10.0.0.76
    The watchguard firewall (10.0.0.1) takes care of the VPN tunneling. I know that the VPN is working as I can login from the other side of the tunnel with no problems.

    The IP range the other side of the tunnel is:
    172.10.0.x 255.255.255.0

  17. #12
    DMcCoy's Avatar
    So you have a vpn running from the outside to the watchguard with the ip range of 172.10.0.x 255.255.255.0? What sort of vpn and is it a lan/lan vpn?

    One thing you could try is setting the default gateway for a machine in the 10.0 range to the firewall, if this doesn't work when it's on the same vlan/subnet without using the switch as the gateway then you can probably rule the switch out as the issue.

  18. Thanks to DMcCoy from:

    Andi (13th October 2008)

  19. #13
    Andi's Avatar
    I'm not sure how to answer your first question. The VPN is a Branch-Office VPN, I'm not sure whether that's a name specific to watchguard or whether it's a standard. I guess it's a lan-lan, connected via ADSL lines.

    Is that what you meant?

    Good idea about changing the default gateway, I'll give that a try on a machine now and get back to you.

    Thanks again for all your advice.

  20. #14
    Andi's Avatar
    OK, I have changed the default gateway on the computer that will eventually be using the VPN to the firewall IP address.

    Pings and trace routes still time out but now I am getting an error message on the firewall log:

    2008-10-13 12:03:00 Deny 10.0.0.13 172.10.0.1 icmp-Echo 1-Trusted unknown packet with TTL=0, firewall drop (internal policy) rc="104"

  21. #15
    Andi's Avatar
    Resolved the issue, there was a static route on the Watchguard firewall as follows:
    172.10.0.0/24 - 10.0.0.1

    Removing this route solved the problem. Thanks Watchguard for telling me to put that route there in the first place.
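
Added example, not part of any post in the thread: a small route-table audit that does the longest-prefix lookup each device would do for 172.10.0.1 and flags static routes whose next hop is one of the device's own addresses, which is the kind of route post #15 removed from the firewall. The tables are constructed from the addresses quoted in the thread; the firewall's mask is an assumption (the thread only says it is on the same range as the servers), and the firewall's VPN tunnel handling is not modelled.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return (network, next_hop) used for dst, or None."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), hop) for n, hop in routes]
    hits = [r for r in nets if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def self_referential(routes, own_addrs):
    """Static routes whose next hop is one of the device's own addresses."""
    own = {ipaddress.ip_address(a) for a in own_addrs}
    return [(n, hop) for n, hop in routes
            if hop is not None and ipaddress.ip_address(hop) in own]

# Constructed tables from the addresses quoted in the thread.
# next_hop None = directly connected network.
SWITCH_ADDRS = ["10.0.0.76", "192.168.1.254", "192.168.2.254", "192.168.3.254"]
SWITCH_ROUTES = [
    ("10.0.0.0/255.240.0.0", None),
    ("192.168.1.0/24", None),
    ("192.168.2.0/24", None),
    ("192.168.3.0/24", None),
    ("0.0.0.0/0", "10.0.0.1"),          # default route entered in post #9
]
FIREWALL_ADDRS = ["10.0.0.1"]
FIREWALL_ROUTES = [
    ("10.0.0.0/255.240.0.0", None),     # assumption: same mask as the servers
    ("172.10.0.0/24", "10.0.0.1"),      # static route removed in post #15
]

if __name__ == "__main__":
    for name, routes, addrs in (("switch", SWITCH_ROUTES, SWITCH_ADDRS),
                                ("firewall", FIREWALL_ROUTES, FIREWALL_ADDRS)):
        net, hop = lookup(routes, "172.10.0.1")
        print(f"{name}: 172.10.0.1 matches {net} via {hop}")
        for n, h in self_referential(routes, addrs):
            print(f"{name}: route {n} points at the device's own address {h}")
```

Run against an exported route table, the same two functions show at a glance which hop a destination will take and whether any static route loops back to the device that holds it.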
