Endpoint can't ping endpoints in remote ACI site

KVS7
Level 1

I may need help tracing the packet beyond the L3Out. Here is what I have so far:

Site-A VM can ping Site-B VM

Site-B VM can't ping Site-A VM

For the record, other servers in Site-B are fine and are working normally. This is specifically for new endpoints in a new BD/EPG.

Both are multi-site ACI endpoints in different vCenter VMM domains (immediate resolution) on separate Fabric Interconnects, so two data centers. The EPGs aren't stretched and therefore have L3Outs on their BDs.

To rule out contracts, I unenforced the policy control at the VRF level.

To rule out local L2, I ran apic# show endpoints ip x.x.x.x; it learns the MAC/IP from the VMM domain via the vPC policy.

I ran LF# show ip route bgp vrf all | egrep x.x.x.x (remote endpoint net ID) and it contains the source network out a tunnel TEP. I don't know how to trace the packet after that.

I also successfully ran LF103# iping -V tn:vrf -S <ip address> <ip address> (src bd gateway > dst host). It pings fine. Meaning the BD gateway in Site-B can ping the Site-A host. I think that's what I was testing anyways.

The BDs are using Hardware Proxy. I did a constant ping from the source VMs but not from the destination, and ARP gleaning is turned off on the BD. Does that mean I need to ping the source host from the remote endpoint to wake it up, in the case of a silent host?

That's as far as my experience takes me at the moment. Can someone help me use a more methodical process for tracking down where the problem lies? Again, I'm just trying to get new endpoints in a new EPG/BD in Site-B to ping endpoints in Site-A.


RedNectar
VIP Alumni

Hi @KVS7 ,

I can't count the number of times I've been stumped by this, only to discover that the Site-A VM has an active firewall blocking ICMP.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

KVS7
Level 1

OK, I have more information.

I can get a few pings to the destination before it times out if I keep changing the IP address. I had just enough pings to run a tracert before it timed out again, but it took a few tries.

The end result of the tracert is that any stretched BD that I ping from to a non-stretched BD in another site takes the L3Out instead of going through the DCI.

No VM firewall. All turned off.
