Troubleshooting Lab Challenge 2

June 6th, 2015 in Lab Challenges

Note: We created this lab challenge to help you get some practice with networking problems only. These labs are only for fun and do not appear in the TSHOOT exam.


Recently our corporation has just acquired some companies. Our networking engineers are working to merge their networks into ours. An engineer has edited the network configuration and now our users are experiencing network issues. They have contacted you to resolve the issues and return the network to full functionality.

Below are the IPv4 Layer 3 Topology and IPv6 Topology (No switch is used in this challenge so we don’t have a Layer 2 Topology):




To troubleshoot effectively you should understand how this network operates. We summarize it as follows:

+ OSPF process 1 is running between R1, R2, R3, R4 and R5
+ RIP version 2 is running between R2 and R6
+ EIGRP AS 10 is running between R3, R7 and R8
+ Redistribution is configured on R2 & R3 to exchange OSPF, RIP and EIGRP information
+ R5 is connected to an Internet Service Provider (ISP) via BGP 65002. R5 is also providing NAT translation between inside networks ( & and outside network ( &
+ R5 is connected to the OSPF backbone area via an OSPF virtual-link. It is a temporary solution for merging them
+ Two access-lists are applied on R5 to increase security for the inside networks
+ Users are allocated prefixes of & They are represented by Client 1 & Client 2
+ R1, R2 and R3 are connected via DMVPN (this is a new topic in the ROUTEv2 exam. If you don’t understand DMVPN and NHRP, please ignore tickets 14 & 15.)
+ For security reasons, the network between R4 & R5 ( is hidden from all other routers via a filter-list on R4.
+ In the IPv6 Topology R1, R3, R4 and R5 are running OSPFv3 AS#10 while R3 and R8 are running RIPng. Redistribution is performed on R3 so that these two IPv6 routing protocols can see each other.
+ Traceroute commands are not supported in this challenge (that would make the challenge too easy)

There are 15 tickets waiting for you to resolve. Each ticket only contains one error. Below are the links to access them:

Ticket 1 Ticket 2 Ticket 3 Ticket 4 Ticket 5 Ticket 6 Ticket 7 Ticket 8
Ticket 9 Ticket 10 Ticket 11 Ticket 12 Ticket 13 Ticket 14 Ticket 15  

We hope you can solve all these problems. The difficulty of this challenge is the same as that of the TSHOOT exam (for routers only). Please tell us if you like them or not so that we can continue making more in the future.

Note: This lab challenge is run on IOS v15 so “no auto-summary” is the default value and this command is hidden by default.

Comments (30)
  1. anon
    June 6th, 2015

    ticket 3 ipv6

    ping ipv6 ?
    trace ipv6 ?

    unsupported command…

  2. networktut
    June 7th, 2015

    @anon: For IPv6 ping, just use ping , for example: ping 5005::5 (same as IPv4).

  3. anon
    June 7th, 2015

    typo on ticket 3

    Question on R8 e0/0 ipv6 address is 2019::38:3. On the simulation router it’s 2019::38:8

  4. anon
    June 7th, 2015

    Ticket 9

    Please check configuration on R8:
    show run config:
    Router eigrp 10
    network —> should be

  5. networktut
    June 7th, 2015

    @anon: Thanks for your information. We have just fixed E0/0 IPv6 address on R8 questions.

    The wildcard mask is correct. You don’t need to type the large subnet but only need to type exactly the interface needs to run EIGRP on ( in this case).

    Note: The ‘network ‘ command on EIGRP, OSPF, RIP means that the router will find all interfaces that belong to range and turn on EIGRP, OSPF, RIP on that interface. So the ‘network’ will turn EIGRP on E0/0 of R8 only. And the ‘network’ will turn EIGRP on all active interfaces of that router.

  6. anon
    June 7th, 2015

    spoiler…Solutions to Ticket problem. Interesting simulation…kudos to networktut

    Ticket 1
    IPv4 ip ospf routing
    under ospf process 1, issue the “no area virtual-link”, then “area 1 virtual-link”

    Ticket 2
    IP NAT
    Under interface eth0/1, issue the ‘ip nat inside’ command

    ticket 3
    IPv6 route redistribute
    Under ipv6 ospf process, enter “redis rip RIP Star metric 3 include-connected subnets

    ticket 4
    IPv4 OSPF routing
    under OSPF process 1, add the “default-information originate always”


    ticket 5
    IPv4 RIP Routing
    Under RIP process, change the version of RIP from 1 to 2

    ticket 6
    IPv4 Layer 3 Security
    Under “ip access-list standard Security_Internet” configuration add “permit′ and ‘permit′ commands

    Ticket 7
    IPv4 EIGRP Routing
    Change EIGRP Autonomous System from 1 to 10

    Ticket 8
    IPv6 OSPF Routing
    Under “ipv6 router ospf 10” enter the “no shutdown” command

    Ticket 9
    IPv4 EIGRP Routing
    Under key chain R3-R7-R8 configuration, add the key 1 with key-string


    Ticket 10
    IPv4 EIGRP Routing
    Under EIGRP process, enter “redistribute ospf 1 metric 1 1 1 1 1’


    Ticket 11
    IPv4 EIGRP Routing
    Under EIGRP process, remove ‘passive-interface default’ command

    Ticket 12
    IPv6 Route Redistribution
    Under ipv6 RIP process, enter “redistribute ospf 10 metric 3 include-connected” command

    Ticket 13
    Under BGP Process, delete “neighbor remote-as 65002′ command and enter “neighbor remote-as 65002′

    Ticket 14
    IPv4 OSPF Routing
    Under interface Tunnel 123, change the OSPF priority to a value greater than 1

    Ticket 15
    Under interface Tunnel 123, delete “ip nhrp map” and enter “ip nhrp map” command.

  7. anon
    June 7th, 2015

    time to go to sleep…goodnight y’all!!!

  8. Ghost
    June 7th, 2015

    Amazing practice for the CCNP! Thank you so much!

  9. Littleduck
    June 9th, 2015


    Ticket 14: why is the issue laid on OSPF routing?

    On R1, “show ip nhrp” gives the output that DMVPN can not complete even though there is nothing wrong with the nhrp protocol configuration.

    The command “ip ospf priority 0” under tun123 subinterface command simply tells that R1 doesn’t want to be the DR in OSPF voting. Is it mandatory that R1, because of being a NHS in NHRP protocol, therefore is always being a DR?

  10. Littleduck
    June 9th, 2015


    In short for my question above: is HUB router in OSPF over DMVPN mandatory being a DR? Can you explain why?

    Anyways, thank you for great trouble tickets.

  11. networktut
    June 9th, 2015

    @Littleduck: Yes, it is mandatory to set the HUB router to be a DR (in a broadcast network). One of the main reasons is the HUB must communicate to all Spokes to establish DMVPN. This can only be done if it is a DR.
    Also we have to make sure the Spokes are not elected as DR or BDR by setting their OSPF priorities to 0. Otherwise we’ll get a hard-to-explain situation.

  12. Guest
    June 9th, 2015

    Ticket 14:
    yes, Hub of DMVPN should be DR. But still dmvpn configuration is right on R1, R2, R3, however you don’t see spokes in “show dmvpn” and you can’t ping tunnel IP addresses. Please fix this, because it is confusing.

  13. networktut
    June 9th, 2015

    @Guest: Although there is nothing wrong with the DMVPN configuration, they cannot establish Hub-Spokes relationship so we don’t see spokes and can’t ping tunnel IP addresses.

  14. Samer
    June 11th, 2015

    Q3) I can see R5 while displaying route of R8, but no ping. How come?

  15. awdoyoudo
    June 11th, 2015

    IPv4 router-ids are missing under ‘ipv6 router ospf x’ in the lab? But very nice tickets, still working on it :)

  16. networktut
    June 12th, 2015

    @Samer: Could you please tell us in detail what IP address cannot ping what IP address? Maybe you want to ask why R5 cannot ping This is because the “Security_Internet” access-list on R5 blocked

    @awdoyoudo: In this new IOS version (v15.4), IPv6 still works when missing IPv4 router-id under ‘ipv6 router ospf’. We believe it will use the IPv4 router-id indicated by the “show ip protocols” command.

  17. networktut
    June 12th, 2015

    @Samer: Maybe we got what you asked. The reason IPv6 address on R8 (2019::38:8) cannot ping 5005::5 even though R8’s IPv6 routing table contains a route to 5005::5 is because R5 does not know how to reach 2019::38:8 (because R3 is missing the ‘include-connected’ option under the OSPFv3 process, which causes R3 not to advertise its directly connected prefixes).

  18. awdoyoudo
    June 15th, 2015

    for ticket 9:
    How come R8 and R7 see R3 as an EIGRP neighbor? While there is an authentication
    issue? R3 doesn’t see R8 and R7.
    for ticket 12:
    The metric under ipv6 router rip is 15, but those routes should still be reachable because
    16 is unreachable, no?
    In all labs:
    Why is no auto-summary never used in EIGRP and RIP? You can have discontiguous networks without it.

  19. networktut
    June 15th, 2015

    Ticket 9 is correct. You need to understand how EIGRP authentication works in this case:
    This is the key-chain config of R3:
    key chain R3-R7-R8
    key 10
    key-string 6543210

    And the key-chain config of R7,R8:
    key chain R3-R7-R8
    key 1
    key-string 0123456
    key 10
    key-string 6543210

    Please remember that EIGRP always uses the lowest key-id for authentication. In this case R3 will send its key-id 10. R7 & R8 receive this key and it matches their key 10 -> Authentication succeeds -> R7 & R8 consider R3 their EIGRP neighbor.
    In turn, R7 & R8 send their lowest key-id for authentication, which is key-id 1, but R3 does not have this key -> Authentication fails and R3 does not consider R7, R8 its EIGRP neighbors.

    For ticket 12, when we redistribute into RIPng with metric (hop count) of 15, when R8 receives these routes it adds 1 hop count and makes them 16, which is unreachable.

    In all tickets you don’t see “no auto-summary” commands used because in this new IOS version (v15.4), “no auto-summary” is the default option (instead of “auto-summary” in the old IOS versions 12.4 and below).
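
The one-way adjacency described in comment 19 can be reproduced with a small model. This is an added example, not part of the original comments or the lab: it parses the two key chains quoted above and applies the rule as stated there (the sender uses its lowest key-id, the receiver needs that id with the same key-string). Key lifetimes are ignored, the R3-to-R7 and R3-to-R8 adjacencies are assumed, and the function names are hypothetical.

```python
import re

# Key chains exactly as quoted in comment 19 (R7 and R8 share one config).
R3_CFG = """key chain R3-R7-R8
 key 10
  key-string 6543210
"""
R7_R8_CFG = """key chain R3-R7-R8
 key 1
  key-string 0123456
 key 10
  key-string 6543210
"""
CHAIN = "R3-R7-R8"

def parse_key_chains(config):
    """Return {chain_name: {key_id: key_string}} from IOS 'key chain' stanzas."""
    chains, chain, key_id = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key_id = chains.setdefault(m.group(1), {}), None
        elif chain is not None and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
        elif key_id is not None and (m := re.fullmatch(r"key-string (\S+)", line)):
            chain[key_id] = m.group(1)
    return chains

def accepts(receiver, sender):
    """Assumed rule (from comment 19): the sender signs with its lowest key-id;
    the receiver must hold that same id with the same key-string."""
    if not sender:
        return False
    key_id = min(sender)
    return receiver.get(key_id) == sender[key_id]

def neighbors_seen(r3_cfg=R3_CFG, peer_cfg=R7_R8_CFG):
    """Map each router to the peers whose EIGRP packets it authenticates."""
    r3 = parse_key_chains(r3_cfg).get(CHAIN, {})
    peer = parse_key_chains(peer_cfg).get(CHAIN, {})
    chains = {"R3": r3, "R7": peer, "R8": peer}
    seen = {name: set() for name in chains}
    for a, b in (("R3", "R7"), ("R3", "R8")):  # adjacencies modelled: R3 to each peer
        if accepts(chains[a], chains[b]):
            seen[a].add(b)
        if accepts(chains[b], chains[a]):
            seen[b].add(a)
    return seen

if __name__ == "__main__":
    print(neighbors_seen())                  # lab state: one-way adjacency
    print(neighbors_seen(r3_cfg=R7_R8_CFG))  # R3 holding the same chain as R7/R8
```

Running the same comparison over key chains collected from every router on a segment flags one-way authentication before it shows up as a missing neighbor.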

  20. AKG
    June 15th, 2015

    on which version of Packet Tracer these tickets work?

  21. networktut
    June 15th, 2015

    @AKG: You don’t need Packet Tracer or any simulators. Just make sure you have Flash plugin on your browser then you can practice them (via the links above).

  22. awdoyoudo
    June 15th, 2015

    Thank you for your clear feedback!

  23. Am
    June 16th, 2015

    Can somebody check if the strategy of Anon is correct?

  24. gkk
    June 17th, 2015

    please someone tell me how to access the router to check the configuration.

  25. vj
    June 17th, 2015

    networktut rocks!!!!!!!!

  26. Anonymous
    June 18th, 2015

    For DMVPN, disabling ip split-horizon isn’t necessary for tunnel interfaces like for subinterfaces?

  27. networktut
    June 19th, 2015

    @Anonymous: If we use distance vector protocols (RIP, EIGRP) we have to turn-off split-horizon at the hub side so that the Spokes can see each other (and communicate directly).

  28. Anonymous
    June 19th, 2015

    Thank you for your response

  29. Sendy
    June 23rd, 2015

    Hello All ( Anon)

    I try to solve ticket number 1 found issue with virtual Link, choose answer and result was incorrect – where is the issue?

    Thanks for your points

  30. networktut
    June 23rd, 2015

    @Sendy: Your 3rd statement (command) was not correct. You should check carefully which command should be used.
