[136148] in North American Network Operators' Group

Re: Connectivity to Brazil

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Feb 1 15:20:30 2011

To: Steve Danelli <the76posse@gmail.com>
In-Reply-To: Your message of "Tue, 01 Feb 2011 08:54:47 EST."
	<4F3DD62E-4007-4ED2-94D6-8405E1C1546E@gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 01 Feb 2011 15:19:53 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 01 Feb 2011 08:54:47 EST, Steve Danelli said:

> Some carrier, somewhere between us and the service provider is selectively
> dropping the IKE packets originating from our VPN gateway and destined for
> our Brazil gateway. Other traffic is able to pass, as are the IKE packets coming
> back from Brazil to us. This is effectively preventing us from establishing
> the IPSEC tunnel between our gateways.

Has IKE been known to work to that location before? Or is this something new?
My first guess is some chucklehead banana-eater at the service provider either
fat-fingered the firewall config, or semi-intentionally blocked it because it
was "traffic on a protocol/port number they didn't understand so it must be
evil".

> Also something else is awry, for two given hosts on the same subnet (x.y.z.52
> and x.y.z.53), they take two wildly divergent paths:

> Anyone have any insight on to what may be occurring?

The paths appear to diverge at 67.16.142.238.  I wonder if that's gear trying
to do some load-balancing across 2 paths, and it's using the source IP as a
major part of the selector function ("route to round-robin interface source-IP
mod N" or similar?).

The other possibility is your two traceroutes happened to catch a routing flap in
progress (obviously not the case if the two routes are remaining stable).

Sorry I can't be more helpful than that...
