Connectivity to Brazil
- Subject: Connectivity to Brazil
- From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
- Date: Tue, 01 Feb 2011 15:19:53 -0500
- In-reply-to: Your message of "Tue, 01 Feb 2011 08:54:47 EST." <[email protected]>

On Tue, 01 Feb 2011 08:54:47 EST, Steve Danelli said:

> Some carrier, somewhere between us and the service provider is selectively
> dropping the IKE packets originating from our VPN gateway and destined for
> our Brazil gateway. Other traffic is able to pass, as are the IKE packets coming
> back from Brazil to us. This is effectively preventing us from establishing
> the IPSEC tunnel between our gateways.

Has IKE been known to work to that location before? Or is this something new?
My first guess is some chucklehead banana-eater at the service provider either
fat-fingered the firewall config, or semi-intentionally blocked it because it
was "traffic on a protocol/port number they didn't understand so it must be
evil".

> Also something else is awry, for two given hosts on the same subnet (x.y.z.52
> and x.y.z.53), they take two wildly divergent paths:
> Anyone have any insight on to what may be occurring?

The paths appear to diverge at 67.16.142.238. I wonder if that's gear trying
to do some load-balancing across 2 paths, and it's using the source IP as a
major part of the selector function ("route to round-robin interface source-IP
mod N" or similar?).

The other possibility is your two traceroutes happened to catch a routing flap in
progress (obviously not the case if the two routes are remaining stable).

Sorry I can't be more helpful than that...