Cisco connection issues

Protoform-X ([H]ard|Gawd, joined Jan 30, 2002, 1,203 messages)
This router is replacing 3 other routers as the hub of a hub and spoke network.
One of the PTPs is working over IP 10.0.0.1. All traffic is passing on this interface without issue. The other two PTPs seem to be connecting, but not passing traffic.
We are able to ping from router to router over all 3 of the PTPs. A host on the A side cannot ping a host on the Z side. From the Z location the VPN has picked up as the failover and I can ping the A location; however, the Z router cannot ping a host at the A location. The only thing that has changed is this router. Thoughts?

Code:
show run
Building configuration...

Current configuration : 5946 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NPHC2800
!
boot-start-marker
boot-end-marker
!
card type t1 0 1
card type t1 0 3
logging buffered 51200 warnings
enable secret 5 $1$oXKf$0c5x2HJoxaKbIHBhF80QS0
!
no aaa new-model
no network-clock-participate wic 1 
no network-clock-participate wic 3 
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3468020979
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3468020979
 revocation-check none
 rsakeypair TP-self-signed-3468020979
!
!
crypto pki certificate chain TP-self-signed-3468020979
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33343638 30323039 3739301E 170D3039 30333139 30303030 
  30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34363830 
  32303937 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100B1CA 45A6A6B6 EF9464DD D136C9CB C2321316 BDE7EB67 E2EC4269 BE30BD17 
  EBC45A99 1D04DAD2 6B0DDDA1 C58923BB 6555EA3E 8D3F8001 FF0DC0EF 66EE0704 
  07D47DB1 32280031 8098D167 7A6F3970 17DBD03F 4178AB50 24FD0B5A 881282AE 
  2504BF98 BE315F46 52F92C5A F3FE05C0 AA381CFC 98B20A6E 2AE715E1 6E47BCB0 
  81730203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 174E5048 43323830 302E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 149EAE66 C94D13FB 09061048 3B66F18E 3BAEC97A 
  2D301D06 03551D0E 04160414 9EAE66C9 4D13FB09 0610483B 66F18E3B AEC97A2D
  300D0609 2A864886 F70D0101 04050003 81810033 95B41A7C 0D03C715 D11D8D82 
  99F38427 6A1F7321 364E643F 3F01E2C0 CF291AD6 271819DF 0D151B7C 57EE2CDC 
  3677DA9E 945F92BA 1869BAFF 0A15BB3C 59028188 B073C52D 64C33DF1 385338FA 
  EC2CAA4C 3585EED5 0B8C1C1B E4007B7B E9EFAE36 81958251 2862C761 A62798F7 
  3E588C39 01408DBD F941EED6 8782D8DE 5DD1BF
  quit

!
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/1/1
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/3/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/3/1
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
! 
!
!
!
!
interface GigabitEthernet0/0
 description Main Connection at 2nd Street
 ip address 192.168.1.220 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0:0
 description Connected to TATUM
 ip address 10.0.1.1 255.255.255.252
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
!
interface Serial0/1/1:0
 description Connected to DVO
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
!
interface Serial0/3/0:0
 description Connection to PVO.
 ip address 10.0.2.1 255.255.255.252
 encapsulation ppp
!
interface Serial0/3/1:0
 description Connection to PVO
 ip address 10.0.2.1 255.255.255.252
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.0.0.0 0.0.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use. 

For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 password ********
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password ******
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

NPHC2800#
 
Is the routing set up right? What happens if you do a traceroute from hosts on either side?
 
Here's the routing table:
Code:
Gateway of last resort is 192.168.1.254 to network 0.0.0.0

R    192.168.10.0/24 [120/1] via 10.0.0.2, 00:00:03, Serial0/1/1:0
R    192.168.40.0/24 [120/2] via 192.168.1.222, 00:00:01, GigabitEthernet0/0
R    192.168.20.0/24 [120/1] via 10.0.1.2, 00:00:18, Serial0/1/0:0
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C       10.0.0.2/32 is directly connected, Serial0/1/1:0
C       10.0.1.2/32 is directly connected, Serial0/1/0:0
C       10.0.0.0/30 is directly connected, Serial0/1/1:0
R       10.0.0.0/8 [120/1] via 192.168.1.222, 00:00:02, GigabitEthernet0/0
C       10.0.1.0/30 is directly connected, Serial0/1/0:0
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.254

We tried a tracert from the A location to the Z location and it fails to return any hops even to IPs that we can ping. The same behavior is seen from Z to A.
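As an added cross-check that is not part of the thread, the Python script below parses the interface stanzas from the show run posted above and the connected ("C") entries from the routing table, then reports two things a practitioner would want to see at this point: interfaces that share one address, and configured subnets that never show up as a connected route. The embedded inputs are abbreviated copies of the posted output. On this input it flags Serial0/3/0:0 and Serial0/3/1:0, which the posted config both assign 10.0.2.1/30, and whose 10.0.2.0/30 subnet is absent from the posted routing table (IOS refuses an address that overlaps one already configured on another interface, so at most one of those links can actually be up).

```python
"""Cross-check interface addressing from 'show run' against 'show ip route'.

Added example, not from the thread. The two input strings are abbreviated
copies of the configuration and routing table posted above.
"""
import ipaddress
import re
from collections import defaultdict

SHOW_RUN = """\
interface GigabitEthernet0/0
 description Main Connection at 2nd Street
 ip address 192.168.1.220 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 shutdown
!
interface Serial0/1/0:0
 description Connected to TATUM
 ip address 10.0.1.1 255.255.255.252
 encapsulation ppp
!
interface Serial0/1/1:0
 description Connected to DVO
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
!
interface Serial0/3/0:0
 description Connection to PVO.
 ip address 10.0.2.1 255.255.255.252
 encapsulation ppp
!
interface Serial0/3/1:0
 description Connection to PVO
 ip address 10.0.2.1 255.255.255.252
 encapsulation ppp
!
"""

SHOW_IP_ROUTE = """\
R    192.168.10.0/24 [120/1] via 10.0.0.2, 00:00:03, Serial0/1/1:0
R    192.168.40.0/24 [120/2] via 192.168.1.222, 00:00:01, GigabitEthernet0/0
R    192.168.20.0/24 [120/1] via 10.0.1.2, 00:00:18, Serial0/1/0:0
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C       10.0.0.2/32 is directly connected, Serial0/1/1:0
C       10.0.1.2/32 is directly connected, Serial0/1/0:0
C       10.0.0.0/30 is directly connected, Serial0/1/1:0
R       10.0.0.0/8 [120/1] via 192.168.1.222, 00:00:02, GigabitEthernet0/0
C       10.0.1.0/30 is directly connected, Serial0/1/0:0
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.254
"""


def parse_interfaces(show_run):
    """Return {interface name: IPv4Interface} for every stanza carrying 'ip address'."""
    result = {}
    current = None
    for line in show_run.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)   # skips 'no ip address'
        if m and current:
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result


def parse_connected(show_ip_route):
    """Return {network: interface} for the 'C' (directly connected) routes."""
    connected = {}
    for line in show_ip_route.splitlines():
        m = re.match(r"C\s+(\S+) is directly connected, (\S+)", line)
        if m:
            connected[ipaddress.ip_network(m.group(1))] = m.group(2)
    return connected


def duplicate_addresses(ifaces):
    """Addresses configured on more than one interface (IOS rejects the second)."""
    by_addr = defaultdict(list)
    for name, intf in ifaces.items():
        by_addr[intf.ip].append(name)
    return {str(ip): names for ip, names in by_addr.items() if len(names) > 1}


def missing_connected(ifaces, connected):
    """Configured subnets with no 'C' route: the interface is down or the address was refused."""
    return sorted(name for name, intf in ifaces.items() if intf.network not in connected)


def audit(show_run=SHOW_RUN, show_ip_route=SHOW_IP_ROUTE):
    ifaces = parse_interfaces(show_run)
    connected = parse_connected(show_ip_route)
    return {"duplicates": duplicate_addresses(ifaces),
            "missing": missing_connected(ifaces, connected)}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it against a full show run and show ip route captured from the hub; any interface listed under "missing" is a link that cannot carry traffic regardless of what RIP advertises, which is the first thing to rule out before looking at host subnets or firewalls.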
 
I don't want the router's table, you said pings are successful from the routers, no? I'm asking what the traceroute does from the hosts on the network, is that what you tried? It sounds like a routing issue to me, from the severely limited information you've posted.
 
Ping router to router is successful. E.g. I can ping serial A to serial Z without issue. Say I try to ping the firewall on the Z side from the A router, it fails. What other information would be helpful?
 
Do an extended ping and source it from the interface IP for the host subnet.

e.g.
ping x.x.x.x source g0/0

Try pinging the host, as well as the interface IP on the other side.

If this doesn't work, you have a routing issue with the host subnets. Won't be too hard to track down.
 
Using that command, I can ping interface to interface internally on the router, and I can ping A to Z and Z to A.
Code:
NPHC2800#ping 10.0.1.1 source g0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.220
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
NPHC2800#ping 10.0.1.2 source g0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.220
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
NPHC2800#ping 10.0.0.2 source g0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.220
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
 
Oh, my bad haha. We're getting somewhere though.

When I said interface IP, I meant the other source subnet (probably another 192.x.x.x?)

something like: ping 192.x.x.x source g0/0.

If this works, you either have something strange going on with your hosts (I'm assuming they can ping the default gateway), or your firewalls are messed up.
 
Like this?

Code:
NPHC2800#ping 192.168.10.254 source g0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.220
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
 
Yep.

From what little I know about your network, your routing seems to be set up fine. Otherwise, that wouldn't work.

What that ping is essentially doing is as follows. You're pinging the LAN with the source of another LAN. That means, not only is the prefix of your destination LAN advertised to your current router with valid next-hops, but the return route to your LAN is advertised to the other router with valid next-hops.

Provided that your L2 setup beyond the router is correct, it sounds to me like it's the firewall.
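To make the reasoning of the extended-ping advice and the reply above concrete (a ping sourced from the LAN interface only succeeds if the forward route exists on the near router and the return route exists on the far one), here is an added Python model that is not from the thread. It does a longest-prefix-match lookup over two constructed routing tables for a hub A and a spoke Z, using the addressing from the thread (hub LAN 192.168.1.0/24, spoke LAN 192.168.20.0/24, serial link 10.0.1.0/30); the spoke's table and the host address 192.168.20.50 are assumptions. The variant in which Z lacks a route back to 192.168.1.0/24 reproduces the symptom from the first post: a serial-to-serial ping succeeds while a LAN-sourced ping does not.

```python
"""Model of a sourced ping: forward lookup on the near router, return lookup on
the far one. Added example; the routing tables are constructed, not taken from
any device in the thread.
"""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match. Returns 'connected', a next-hop address, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def owner(ip, routers):
    """Name of the modelled router holding `ip`, or None (e.g. a firewall we do not model)."""
    return next((name for name, r in routers.items() if ip in r["addresses"]), None)


def deliver(start, dst, routers, max_hops=8):
    """Forward a packet hop by hop from router `start`; returns (delivered, path)."""
    cur, path = start, [start]
    for _ in range(max_hops):
        if dst in routers[cur]["addresses"]:
            return True, path                  # the router itself is the target
        next_hop = lookup(routers[cur]["routes"], dst)
        if next_hop == "connected":
            nxt = owner(dst, routers)          # a neighbouring router on that link?
            if nxt is None:
                return True, path              # otherwise a host on a LAN behind `cur`
        else:
            nxt = owner(next_hop, routers) if next_hop else None
            if nxt is None:
                return False, path             # no route, or next hop outside the model
        cur = nxt
        path.append(cur)
    return False, path                         # routing loop


def ping(start, dst, source, routers):
    """Sourced ping: the echo must reach `dst`, and the reply must get back to `source`.
    The reply is sent by the last router on the forward path (the host's gateway)."""
    ok, fwd = deliver(start, dst, routers)
    if not ok:
        return {"ok": False, "failed": "forward", "path": fwd}
    ok, back = deliver(fwd[-1], source, routers)
    if not ok:
        return {"ok": False, "failed": "return", "path": back}
    return {"ok": True, "failed": None, "path": fwd}


def hub_and_spoke(spoke_has_return_route):
    """Constructed tables: hub A (LAN 192.168.1.0/24) and spoke Z (LAN 192.168.20.0/24)
    joined by 10.0.1.0/30. Z's routes are assumptions, not the thread's spoke config."""
    hub = {
        "addresses": {"192.168.1.220", "10.0.1.1"},
        "routes": {"192.168.1.0/24": "connected", "10.0.1.0/30": "connected",
                   "192.168.20.0/24": "10.0.1.2", "0.0.0.0/0": "192.168.1.254"},
    }
    spoke = {
        "addresses": {"192.168.20.1", "10.0.1.2"},
        "routes": {"192.168.20.0/24": "connected", "10.0.1.0/30": "connected",
                   "0.0.0.0/0": "192.168.20.254"},   # firewall / VPN, not modelled
    }
    if spoke_has_return_route:
        spoke["routes"]["192.168.1.0/24"] = "10.0.1.1"
    return {"A": hub, "Z": spoke}


if __name__ == "__main__":
    for has_route in (True, False):
        net = hub_and_spoke(has_route)
        print("Z has a route back to the hub LAN:", has_route)
        print("  serial -> serial   :", ping("A", "10.0.1.2", "10.0.1.1", net))
        print("  LAN-sourced -> host:", ping("A", "192.168.20.50", "192.168.1.220", net))
```

The serial-to-serial ping passes in both variants because each side has the /30 as a connected route, which is why it proves nothing about the host subnets; only the LAN-sourced ping exercises the prefix that RIP has to carry in each direction.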
 