When we switch from a static routed private non-BGP circuit to a BGP private circuit linking two offices, Windows shares and HTTP browsing of internal machines across offices fails with timeouts. Neither of these circuits goes across the public Internet.

We have a Windows Active Directory Domain spanning two offices, each with a separate private subnet (NY subnet is 10.71/16 & NJ subnet is 10.72/16). The Internet gateway router for each site (i.e. default gateway for all devices at a site) is at 10.71.0.1 for NY & 10.72.0.1 for NJ.

We have been operating with a private (non-BGP) circuit between two additional routers on our LANs (10.71.0.2 for NY & 10.72.0.2 for NJ). To make the two subnets work together as one Windows AD Domain we have static routes on the gateway routers (on 10.71.0.1 the gateway route to 10.72 is via 10.71.0.2 & on 10.72.0.1 the gateway route to 10.71 is via 10.72.0.2). This means that the path from a NY server to a NJ server would be like: 10.71.1.15, 10.71.0.1, 10.71.0.2, 10.72.0.2, 10.72.0.1, 10.72.1.201.

Now we disable those static routes and add a new MPLS/BGP private (i.e. no access to the Internet over BGP) circuit directly between our NY & NJ gateway routers (i.e. NY gateway router port eth5 has a Verizon MPLS public IP address & ASN 65001 to Verizon AS65000 which routes to our NJ gateway router port eth5 which also has a Verizon public IP address assigned and ASN 65002). Now the BGP circuit is up and happily exchanging messages. TRACERT shows the correct path. Any machine in NY can ping any machine in NJ & vice versa.

The problem is that now Windows Shares across BGP fail with timeouts and so does HTTP browsing. This is all internal to our private office networks with no access to the Internet. DNS seems to be fine. It resolves names to IP properly for ping. Trying to browse `\\server-name` or `\\10.71.1.15` both fail (across BGP - work fine on the local subnet).

It looks like BGP is configured correctly but I'm missing something about Windows. Turning off Windows Firewall at the two Windows Servers (one in NY & one in NJ) for Windows Share testing does not make any difference -- still fails.

Note: the routers are the same, just a new MPLS/BGP circuit. I'm thinking that the provider made a mistake with ACLs too but it looks like I have to prove it.

  • Are the routers new as well? Did you change providers? I'd suggest talking to them to see if there are ACLs on the routers that are blocking the traffic. – joeqwerty Dec 12 '15 at 04:17
  • No, same routers, just a new MPLS/BGP circuit. I'm thinking that the provider made a mistake with ACLs too but it looks like I have to prove it. – Gerry Wisnoski Dec 12 '15 at 04:56
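The question ends with needing to prove whether the provider's circuit is dropping the traffic. Ping succeeding only shows ICMP gets through; the shares and HTTP need TCP. The script below is an added diagnostic, not from the question or its comments: run from a Windows host in one office against a host in the other (the 10.72.1.201 target and the ports 445 for SMB and 80 for HTTP are my assumptions based on the question), it reports per port whether a TCP connection opens, is refused (path works, nothing listening) or times out (something on the path is dropping it, which is what an ACL or a black hole looks like).

```powershell
# Added example: distinguish "refused" from "timeout" per TCP port, alongside ICMP.
# A timeout on 445/80 while ping succeeds is the evidence to hand to the provider.
function Test-TcpPath {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int[]]$Ports,
        [int]$TimeoutMs = 3000
    )
    # ICMP first, so the report shows the same contrast the question describes.
    $icmpOk = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue

    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'unknown'
        try {
            $ar = $client.BeginConnect($Target, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)   # throws SocketException if the SYN got a RST
                $state = 'open'
            } else {
                # No SYN/ACK and no RST within the timeout: packets are being dropped.
                $state = 'timeout (filtered or black-holed)'
            }
        } catch {
            # PowerShell wraps .NET exceptions; look at the inner one for the socket error.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.Net.Sockets.SocketException]) {
                $state = 'refused (path works, nothing listening)'
            } else {
                $state = "error: $($ex.Message)"
            }
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Target = $Target; IcmpOk = $icmpOk; Port = $port; Tcp = $state }
    }
}

# Assumed targets: the NJ server from the question, then a same-subnet host as a control.
# Repeat in the other direction from an NJ host toward 10.71.1.15.
Test-TcpPath -Target '10.72.1.201' -Ports 445, 80 | Format-Table -AutoSize
Test-TcpPath -Target '10.71.1.15'  -Ports 445, 80 | Format-Table -AutoSize
```

If the cross-office rows show ICMP ok but TCP timeouts while the local-subnet control rows show "open", the drop is on the new path rather than in Windows, which matches the firewall-off test in the question.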

0 Answers