Help getting effective solution for a 2degrees broadband routing issue

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › Help getting effective solution for a 2degrees broadband routing issue

Fergs63

7 posts

Wannabe Geek

#315624 31-Jul-2024 21:28

Hi,

I'm looking for help with a 2degrees broadband routing issue that I have been unable to solve directly with with 2degrees technical support. I have been through three iterations with them and each time it has not been resolved to my satisfaction. I'm hoping someone here can check my logic and/or suggest how I may better explain the issue in the hope of getting it fixed.

The short version of my problem is that a Sydney based server (128.0.114.20) cannot be pinged from my 2degrees broadband connection. The server does respond to pings from my work network and also over my cellular network connection. These are both with different providers, neither of which is 2degrees. I am on a 2degrees static IP, all my other internet activities are working fine. About 5 weeks ago the server was accessible but seemed to go offline overnight. This did not coincide with any network changes on my home network.

A tracert from my home network stalls after only two hops.

The first hop is my Fritzbox 7490, the second hop is v4.cpcak4-bng1.tranzpeer.net [101.98.0.100], there's nothing after that.

Clearly my tracert packets are making it out of my portion of the network and making it to the device on 101.98.0.100, as it is responding to the tracert.

So we're now dealing with something I can't fix myself. I believe it is most likely a routing issue of some sort.

I assume that the device at 101.98.0.100 has a route table and it would be interesting to know what that looks like, but that requires someone with access to the route table who is also able to interpret it. This person does not seem to be involved in technical support to 2degrees customers.

Potentially, there is actually a route to my destination server or its host provider and the fault resides in the other network provider's systems. I would expect that a 2degrees network operator would have the ability to get on the phone to a counterpart in Sydney (NOC to NOC) and ask them to look into the issue from their end. It's certainly not something I as a customer can do.

Three times times now I've got the email from 2degrees support saying "Your fault has been fixed", I'm unsure what this is actually means, because on neither occasion has my problem been resolved.

Any thoughts? On how I frame this to tech support for a fourth time?

If you're a 2degrees broadband customer with/or without a static IP what do you get when you do: tracert 128.0.114.20 ?

Thanks for any help.

Spyware

3764 posts

Uber Geek

Lifetime subscriber

#3266713 31-Jul-2024 21:37

Tested on 2Degrees, static IP and last response is second hop, i.e., 101.98.0.123.

Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.

Fergs63

7 posts

Wannabe Geek

#3266714 31-Jul-2024 21:43

Thanks for checking. Nice to know I'm not the only person who can't ping this server from 2degrees. At least it helps to confirm that problem is not on my network or equipment.

Linux

11435 posts

Uber Geek

Trusted

Lifetime subscriber

#3266715 31-Jul-2024 22:02

@Cxf can you add any value here? Thanks

fe31nz

1233 posts

Uber Geek

#3266726 31-Jul-2024 22:54

I am on a 2Degrees static IP in Palmerston North. Definitely something very strange at hop 11 where the same IP as hop 10 replies.

root@mypvr:~# traceroute-nanog 128.0.114.20
traceroute to 128.0.114.20 (128.0.114.20), 30 hops max, 60 byte packets
1 er4g.jsw.gen.nz (10.0.2.251) 0.177 ms 0.107 ms 0.130 ms
2 * * *
3 * * *
4 as137409.akl.ix.nz (43.243.21.82) 9.526 ms 9.181 ms 8.429 ms
5 206.148.24.105 (206.148.24.105) 32.714 ms 32.636 ms 206.148.24.127 (206.148.24.127) 30.357 ms
6 e50.syd-eqxsy5-cr5.globalsecurelayer.com (206.148.24.4) 32.541 ms 206.148.24.139 (206.148.24.139) 32.006 ms 32.074 ms
7 206.148.24.141 (206.148.24.141) 31.438 ms 31.005 ms 30.851 ms
8 * 169.254.0.253 (169.254.0.253) 30.540 ms 32.834 ms
9 * * *
10 92.223.78.79 (92.223.78.79) 37.317 ms 38.053 ms *
11 * * 92.223.78.79 (92.223.78.79) 36.752 ms
12 * * *
13 * * *
14 * * *
15 * * *^C
root@mypvr:~# traceroute-nanog -I tcp 128.0.114.20
traceroute to 128.0.114.20 (128.0.114.20), 30 hops max, 60 byte packets
1 er4g.jsw.gen.nz (10.0.2.251) 0.188 ms 0.120 ms 0.096 ms
2 * * *
3 * * *
4 as137409.akl.ix.nz (43.243.21.82) 8.927 ms 8.282 ms 8.387 ms
5 * * *
6 206.148.24.139 (206.148.24.139) 31.669 ms 30.977 ms 30.221 ms
7 206.148.24.141 (206.148.24.141) 32.042 ms 31.076 ms 30.658 ms
8 169.254.0.253 (169.254.0.253) 32.977 ms 30.967 ms 31.676 ms
9 * * *
10 92.223.78.79 (92.223.78.79) 36.589 ms 37.977 ms 36.374 ms
11 * 92.223.78.79 (92.223.78.79) 38.533 ms 37.943 ms
12 * * *
13 * * *
14 * * *
15 * * *^C

yitz

2083 posts

Uber Geek

#3266727 31-Jul-2024 22:57

I can successfully ping your host and adjacent IPs from behind a wholesale connection, second hop is also 101.98.0.123 third hop unresponsive then fourth hop is the target.

You can check the routing table here https://lg.2degrees.nz/

I think the issue might be on the return path.

fe31nz: Definitely something very strange at hop 11 where the same IP as hop 10 replies.

That's most likely just an artifact due to different hop lengths across 3 probes.

Also possibly some sort of anti-DDoS packet scrubbing going by the hops.

KiwiSurfer

1464 posts

Uber Geek

ID Verified

Lifetime subscriber

#3266730 31-Jul-2024 23:37

I can ping fine from my 2degrees connection. Only 3 diff I can identify - Slingshot brand, akmod BNG (possibly Mount Eden in Auckland going by akmod), dynamic rather than static.

C:\Users\james>ping 128.0.114.20

Pinging 128.0.114.20 with 32 bytes of data:
Reply from 128.0.114.20: bytes=32 time=218ms TTL=124
Reply from 128.0.114.20: bytes=32 time=637ms TTL=124
Reply from 128.0.114.20: bytes=32 time=234ms TTL=124
Reply from 128.0.114.20: bytes=32 time=452ms TTL=124

Ping statistics for 128.0.114.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 218ms, Maximum = 637ms, Average = 385ms

C:\Users\james>tracert 128.0.114.20

Tracing route to 128.0.114.20 over a maximum of 30 hops

1 12 ms 5 ms 6 ms router.lan [192.168.88.1]
2 16 ms 12 ms 7 ms v1.akmod-bng1.tranzpeer.net [101.98.0.124]
3 * * * Request timed out.
4 258 ms 62 ms 547 ms 128.0.114.20

Trace complete.

Fergs63

7 posts

Wannabe Geek

#3266733 31-Jul-2024 23:51

Thanks for your input so far folks.

I was unfamiliar with that Looking Glass tool. It looks very handy, Admittedly I don't quite understand what Auckland - NTHC and Auckland - Q191 are, and while I know what BGP is, I've not had much call to work with it, so some of the output I'm guessing at what it means.

However, it suggests there is a path to my target, via 119.224.142.205

I tried a tracert to that address and got:
❯❯ tracert 119.224.142.207

Tracing route to default-rdns.vocus.co.nz [119.224.142.207]
over a maximum of 30 hops:

1 290 ms <1 ms <1 ms fritz.box [10.0.15.1]
2 2 ms 2 ms 2 ms v4.cpcak4-bng1.tranzpeer.net [101.98.0.100]
3 3 ms 2 ms 4 ms default-rdns.vocus.co.nz [119.224.142.207]

Trace complete.

When I do a tracert to my target from my work network I get:
❯❯ tracert 128.0.114.20

Tracing route to 128.0.114.20 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.0.10.1
2 <1 ms <1 ms <1 ms 10.0.104.60
3 <1 ms <1 ms <1 ms 172.16.1.1
4 2 ms 2 ms 2 ms ip-103-14-70-9.static.vorco.net [103.14.70.9]
5 2 ms 1 ms 1 ms default-rdns.vocus.co.nz [131.203.246.254]
6 1 ms 1 ms 1 ms tengigabitethernet0-2-0-69.aktnz-rt1.fx.net.nz [131.203.246.253]
7 1 ms 3 ms 1 ms 10.101.0.158
8 26 ms 26 ms 26 ms 128.0.114.20

Trace complete.

Interestingly, the fifth hop is also default-rdns.vocus.co.nz, albeit with a different IP.

So a ping to my target from work is successful going via default-rdns.vocus.co.nz (on its 131.203.246.254 address) but a ping from my home to the same target, also presumably going via default-rdns.vocus.co.nz (but on IP 119.224.142.207) does not work.

It does begin to look like packets returning via default-rdns.vocus.co.nz (119.224.142.207) may not be getting back to the originator.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

Cxf

61 posts

Master Geek

2degrees

#3266793 1-Aug-2024 09:04

Routing looks the same for all of these connections, goes via AKL IX in MDR. I've reached out to Fergs63 for their static IP to dig deeper. @Spyware please DM me your IP address if you can't ping that host either.

Cxf

61 posts

Master Geek

2degrees

#3266935 1-Aug-2024 11:43

Both subscribers fall within 203.86.192.0/21 which we are advertising to the AKL IX ok.

The 128.0.114.0/23 network is learned over the AKL IX, the first 2 networks in the path have a public looking glass. But the destination network does not, which makes troubleshooting end-to-end quite difficult.

from our POV 128.0.114.0/23 - via AKLIX - AS path: 137409 199524 199610

as137409 - https://lg.gsl.tools/
as199524 - https://lg.gcore.lu/
as199610 - no LG

Both GSL and Gcore LG's have healthy return routing to 203.86.192.0/21 via AS9790, where in our network / routing table there is a more specific /32 routes to the BNG.

We just tested Fergs63's connection with an IP from 121.98.0.0/15 and the ping replies ok. It seems to be an issue upstream and can try message the NOC at as199610 and see what they can find.

Fergs63

7 posts

Wannabe Geek

#3266946 1-Aug-2024 11:57

Thanks to @Cxf my issue has now been resolved.
Sorry for making extra work for you, will be interested to hear how this pans out.

Thanks too, for everyone who chipped in to help. Much appreciated.

Cxf

61 posts

Master Geek

2degrees

#3266978 1-Aug-2024 12:51

Changed my home IP to be Fergs63's old IP and I can see that we get all the way up to the server before it fails. Either blocked or bad return path are my guesses.

Fergs63

7 posts

Wannabe Geek

#3267036 1-Aug-2024 13:05

I was never even getting that far..

Cxf

61 posts

Master Geek

2degrees

#3268362 5-Aug-2024 15:31

This issue is now resolved after deploying a change control last night to remove 128.0.0.0/16 from martian filter lists as it's no longer considered a martian IP in RFC5735. Thank you @Fergs63 and @spyware for your time and patience to troubleshoot this issue with me.

Fergs63

7 posts

Wannabe Geek

#3268366 5-Aug-2024 15:42

@Cxf thank you for seeing it through, I appreciate your efforts - hope you didn't have to crawl through too many router configs :-)
Very happy it has been resolved.