Basic Network Troubleshooting : Can't Ping Internet

Captions
So now we're gonna continue our basic troubleshooting. Once again, we're gonna assume that you are the network admin and you're going on to your default gateway, and you're trying to discern if the default gateway is at fault as far as why particular employees cannot reach the Internet. Now, in our flow chart, this is step nine in the flow chart. So once again, to recap: we verified we could get into the default gateway, we could actually get access to the command line; that was good. We verified that the relevant interfaces were up and functional; that was good. We verified that we actually had routes to the Internet. And so now we're assuming yes, we do, we do have routes to the Internet, and yet still my employees are complaining they cannot get to the Internet.

So now the next step is: okay, can my router get there? Maybe my employees can't get there but my router can, and that would help sort of guide me down the path of troubleshooting that I need to go. So that's the next step: from the actual command line of the router, I'm going to try to ping the Internet. Now, in this particular case, if this is a real-world environment, you could ping anything in the Internet. I'm saying, can you ping 8.8.8.8? From previous videos we saw that that was the public IP address of Google's public DNS server, and if you really do have Internet access you should be able to ping that from anything. So this is a good thing that should always be up, that should always be pingable. Of course, you know, that could potentially go down, so if you try to ping and then it doesn't work, I'd say try to ping something else before you assume that the entire Internet is down.

But so we're gonna say that now, let's say you try to ping that IP address or any other Internet destination that you're aware of, and from your router (we're not doing this from the laptop, we're doing this on the router now), and the answer is no, I can't ping it. Just like the employee can't reach it, I can't reach it either from the default gateway itself. Okay, so
here's how we would do that: we'd use the ping command, the exact same command that the employee would be using in their DOS prompt on their laptop.

Now, if we can't get there, one thing we could try doing from the router is doing a traceroute command. And a traceroute command: let's assume that this IP address we're trying to get to is hundreds or maybe even thousands of miles away from us, from our actual default gateway. So the assumption is, when my router forwards a packet to this destination, it's probably going through many other routers before it finally gets to that destination. And what we're trying to discern here with the traceroute command is: how far is it getting before it stops? Is it getting four or five routers deeper into the Internet and then it's dying? Is it getting almost all the way? Or is it just dying at the very next hop router upstream? Is it dying in my ISP? So traceroute could indicate that.

Now, actually, you can do this command also in Windows. If you do this in the Cisco IOS command line, it's exactly like you see here: traceroute, no space, all together. You can also do a traceroute from your laptop; it's very similar. So instead of the word "route" it's just "rt", so tracert and then the IP address. For example, here's what it looks like. I'll actually traceroute to that Google server. I have no idea how far away it is; I'm actually in North Carolina right now, so let's see how many routers I have to get to to reach it.

Okay, so my first... and the way traceroute works is, if you're familiar with the structure of IP packets, you know that in every IP packet there's a field in the packet called the time-to-live field. And the way the time-to-live works is that when the packet is first generated from your laptop or tablet or whatever, it puts some initial number in that time-to-live field. That's a non-zero number; usually it's a pretty high number like 64 or 255 or something like that. Now, as that packet reaches a router, before the router
actually routes it, before the router forwards it, it decrements the time-to-live by one and then forwards it out. So if my initial time-to-live from my laptop to Google's network was, let's say, 64, when it got to my default gateway, normally he would take that number down to 63 and forward it, and the next router would decrement down to 62 and forward it. The idea is, if some router out there gets this packet, let's say the packet goes through 63 routers way far away, and then that router way out there, he gets the packet in, it comes in with a TTL of one (so it started out 64, 63, 62, 61, then eventually goes all the way down to 1), well, what does that router do?

So when a router receives an inbound IP packet and it comes in with a TTL of 1, the router says, okay, I'm going to decrement the TTL to 0. Uh-oh, because when a router decrements a packet with a TTL to 0, he says, I'm gonna kill that packet. TTL 0 means the packet can go no further; the buck stops here. So normal stuff, when you're doing web browsing or your instant messaging or something, your initial packets are having some TTL value, some big number, and usually it's big enough to get the packet wherever it needs to go before it counts down all the way to 0.

Well, what's that have to do with traceroute? Here, the traceroute command, what it does, it says: okay, I'm going to create a packet to whatever destination you want me to go to, and I'm going to start with an intentional TTL of 1. And what that does is, the packet goes to the default gateway, he decrements it to 0, and then the default response of that router is he sends a packet back saying, I'm sorry, I had to kill your packet, the time-to-live expired, here's the packet I had to kill. And that's what this first entry is here, this line number 1. That was the very first packet I had, with a TTL of 1. My default gateway killed it, of 10.7.1.1; he decremented the TTL to zero and responded back to me. Then I created another packet going to 8.8.8.8, but this time with a TTL of 2. It went
through my default gateway, he decremented it to 1, he forwarded it to the next router, which in this case was some router owned by Time Warner Telecom with this IP address, 66.194.117.41. He then decremented to 0, killed the packet, sent a response back. So this traceroute is actually a method of, by sort of creatively using the time-to-live field in the IP header, sending a packet a little bit further, a little bit further, a little bit further, and seeing how far out you can get it before either it ultimately reaches its destination or it gets dropped somewhere. So you can see in my particular case, let's see here, to get to the 8.8.8.8 network I went to one, two, three, four... I eventually went to ten routers; actually, went to nine routers and then went to the destination. So Google's public DNS server that I'm reaching is nine routers away from me now.

So that's one thing you could try troubleshooting. So for example, in my example, I say, okay, the employee says he can get to r2.com, but when he tries to go to the website of r4.com (I don't know if you can really see it or not, but up here in the upper left-hand corner it's just spinning, that irritating spinning symbol which says I'm thinking, I'm thinking, I'm thinking), it never really goes anywhere. So r4.com is not reachable. So let's do a traceroute.

Now, the first step would be: what is the actual IP address that's being resolved by r4.com? And in the previous video, if you watched that, you saw that I had statically set a DNS entry in my hosts file so that r4 would resolve to 4.4.4.4. So my laptop already knows that. Let's do a traceroute: traceroute 4.4.4.4. Now, the very fact that I see something here tells me that my first packet at least made it to the default gateway, so I at least have connectivity to my default gateway. I should see that here in just a second: that 1.1.1.1, which is my default gateway. Okay, so my default gateway responded, and then I got to another router, 2.2.2.2, then I got to another router, which is 3.3.3.3, and now it's timing out. And I'm not gonna keep watching this, but I could watch this for another five minutes or so, and at this point it's just gonna keep saying "request timed out" over and over and over again. I think it goes up to, yeah, it goes up to 30 hops, and we don't want to watch it for that long.

So what's this tell me as the employee? As the employee, it tells me, okay, this packet got to the third router, but it couldn't get beyond the third router. When it tried to get to whatever router's after that, something happened. We don't know what happened, but something happened. If that was the employee, you would probably just call your network troubleshooting department and say, hey, I did a traceroute, this is what I'm seeing.

So now, what would I do as a network admin? I could do the same thing. Let's go to my router and do a traceroute from here. traceroute, let's see, the employee says he can't get to 4.4.4.4. Let's see how far can I get. Now, okay, well, I'm reaching the next router up the line, which is 2.2.2.2. I'm getting to the router behind that, which is 3.3.3.3, but at that point I can't get any farther.

Now, as the network admin, the next question you have to ask yourself is: okay, this router right here, 3.3.3.3, does my company own that router, or does some other company own that router? If my company owns that router, my next job would be to get onto this guy. I would have to find wherever this router is with the IP address of 3.3.3.3, jump on to him, and find out why he cannot reach 4.4.4.4. Is there something going on with that router? If 3.3.3.3 was not owned by me but owned by my ISP, at this point it'd be my job to call up Comcast or Time Warner Cable or something and say, hey, I verified that I can't reach this website, it's not my fault, a traceroute proves that it's beyond my network, can you look into it
for me? So that's one thing, troubleshooting: how far can I get with a traceroute? And that'll help me to identify: is the problem in my network, or is it beyond my network?

Once again, we could take a look at the show run output of our router, of our default gateway, and a couple of basic things we could look for: are there some access lists? You know, maybe somebody hacked into my router and they implemented some sort of an access list that's causing this problem. Well, let's do that. So we know in this particular case we can't reach 4.4.4.4. Let's just issue a show run and see if there's any reason why that might be the case.

Okay, so back to my topology diagram. I know that to reach 4.4.4.4, the router is gonna be forwarding stuff out this way, and responses are gonna be coming back this way. We know the router himself cannot reach it, so that would tell me I need to focus in on this interface right here. If there's some sort of an access list on here, that might explain why these packets are not making it to the destination or not coming back. And sure enough, when I look at this serial interface, oh, the access group command is here in the inbound direction. The access group command references an access list. So access group one says: okay, when a packet comes inbound, in other words when a packet comes this direction in to my interface, I'm gonna stop it and inspect it against the access list with the number one, and that access list will tell me what to do.

Well, access list 1 says: if a packet with a source IP address beginning with 4.4.4 (that's what this mask says; it says if the first three numbers are 4.4.4, and the last octet, the last number, is I-don't-care), so if a source address is 4.4.4, deny that packet. If it does not match this, permit everything else. And that's why I'm unable to get to that website. It's not because my packets are not getting to the website; it's because when the website tries to reply to me, his replies are being dropped in the
inbound direction. Somebody hacked into this router and they installed this inbound access list, and this is what's killing my Internet connectivity. So first step is rectify the problem: get rid of that access list, it's not supposed to be there. I should say, that access group. Okay, now can I ping the website? Yes, I can. Go back to the employee: hey, can you bring up the website now? Employee says, okay, let me take a look, r4.com, yeah, it came up, it's working. All is solved.

So now your job is not yet done, right? Now you have to put on your investigator's hat and figure out who hacked into my router and what can I do to prevent that from happening again in the future. That's a video for another day.

If there had not been an access list, let's say that had not been the issue, another more advanced thing you could look for is something called policy-based routing. Now once again, this would be an issue of somebody hacking into your router and putting a configuration in there that was not supposed to be there. But basically, as a real high overview of policy-based routing (I'm not going to get into the details of that), policy-based routing is something like this. Let's say you have a router and it's got several interfaces, and if you did normal routing, let's say that there was some destination out here, destination X, some web server, and normally, if a packet came in this interface and we just did regular routing, we would route it out this interface. Let's just give some interface numbers here; let's say this is one, two and three. Well, policy-based routing is a way that you can tell the router: hey, when a packet comes in, don't look it up in the normal routing table, I'm gonna tell you explicitly where I want you to forward that packet. So I could implement policy-based routing right here on this inbound interface, PBR implemented, in which, when a packet came in that matched this criteria, whereas the normal routing table would forward it this way, if I was trying to be malicious I
could say: no, my policy-based routing is going to send it out this way. He'll never reach his destination, because destination X does not live here, but that was my intent. If I was a malicious hacker, I'd say, okay, let me try to put some PBR in this interface which will redirect traffic out the wrong interface and kill network connectivity, and let's see if the network admin is smart enough to detect that in his config. So that's the other thing you'd want to look for: look for some sort of interface-level configuration that relates to policy-based routing that might be causing your traffic to be redirected out the incorrect interface.

If you don't see that, okay, so once again: I can't ping the Internet from my default gateway, I don't see any access lists causing the problem, I don't see policy-based routing causing the problem, I've already verified I have an actual route to the Internet, it's not a routing problem. Well, at this point you may want to just go to the upstream device. Now, I'm sure if we thought about it long enough we might be able to come up with some other reasons why, on the default gateway itself, there could be some configuration there which could be causing a problem. But from a basic network troubleshooting standpoint, if you have a route to the Internet but you can't ping your destination, then either the problem is when packets are coming back to you (you are able to ping it, but when the replies are coming back you're killing those packets, and that would be an access list problem), or when you're trying to ping it you're going the wrong way, and that could be a policy-based routing problem.

I suppose we could also artificially influence our routing protocol, so the routing protocol thinks it has a route but in reality that route is wrong. That could be another thing. Just because you have a route in your routing table and it says this is the route you use to get to the Internet, check that route; maybe it's not pointing the right way. Right, if I go back to my diagram here
for a second: in this particular case, chances are your default gateway probably has more than two interfaces. In this case I've just drawn two, but you probably have other ones. Let's just draw one other one here; let's say this is FastEthernet 0/1. So maybe I go into my router and the very first thing I say is: okay, do I have a route to the Internet? Let's see, I know I should be seeing a route that says 0.0.0.0. I do show ip route, and there it is, 0.0.0. Okay, move on. Oh, hold on a second. You may have a route, a default route, but is it pointing to the correct next hop? Maybe if I just take a couple more seconds to look at that default route, you might say: wait a second, I have an ERP route and the next hop is 5.5.5.6, say, that's wrong. The next hop should not be out this interface here, it should be out the serial interface. This is wrong. So now the next question I have to ask myself is: is there something in the default gateway, is there some hacked configuration that caused this to appear? That could be another thing I'd be looking for. Just because you have the route doesn't necessarily mean it's the correct route you
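
The three configuration checks walked through in the captions (an interface access group, interface-level policy-based routing, and the default route's next hop), as an added example that is not part of the video. It runs over a constructed running-config excerpt; the interface addresses, the route-map name REDIRECT and the expected next hop 2.2.2.2 are assumptions.

```python
import ipaddress
import re

# Constructed running-config excerpt (not from the video); all values are samples.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip policy route-map REDIRECT
interface Serial0/0
 ip address 2.2.2.1 255.255.255.0
 ip access-group 1 in
ip route 0.0.0.0 0.0.0.0 5.5.5.6
access-list 1 deny 4.4.4.0 0.0.0.255
access-list 1 permit any
"""

def acl_matches(entry_addr, wildcard, source):
    """Standard-ACL match: bits set in the wildcard mask are "don't care"."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(entry_addr)) & care) == (
        int(ipaddress.IPv4Address(source)) & care)

def acl_verdict(config, acl_id, source):
    """First matching entry wins; a defined ACL ends with an implicit deny."""
    pattern = rf"access-list {re.escape(acl_id)} (permit|deny) (?:host )?(\S+)(?: (\S+))?$"
    seen = False
    for line in config.splitlines():
        m = re.match(pattern, line.strip())
        if not m:
            continue
        seen = True
        action, addr, wildcard = m.groups()
        if addr == "any" or acl_matches(addr, wildcard or "0.0.0.0", source):
            return action
    return "deny" if seen else "permit"  # an undefined ACL filters nothing

def audit(config, reply_source, expected_next_hop):
    """Return (interface, item, result) findings for the three checks."""
    findings, iface = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
            verdict = acl_verdict(config, m.group(1), reply_source)
            findings.append((iface, f"acl {m.group(1)} {m.group(2)}", verdict))
        elif m := re.match(r"ip policy route-map (\S+)$", line):
            findings.append((iface, "pbr", m.group(1)))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            state = "ok" if m.group(1) == expected_next_hop else "unexpected"
            findings.append((None, f"default route via {m.group(1)}", state))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "4.4.4.4", "2.2.2.2"):
        print(finding)
```

A "deny" result on an inbound access group means replies sourced from that address are dropped at the interface, which is the symptom described in the captions.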
Info
Channel: INEtraining
Views: 22,392
Keywords: ine, internetwork expert, cisco, CCIE Certification, Computer Network (Industry), routing & switching, network troublshooting, keith bogart
Id: whkS-HY2zHE
Length: 19min 43sec (1183 seconds)
Published: Fri Jan 22 2016