Re: Can't ping subnet (gateway) in BD

Dan Peronto · ‎09-02-2016

Created an EPG and BD

Assigned a subnet to the BD (10.255.141.254/23)

There is a host LIVE in the EPG (10.255.140.2)

I can ping the host both from inside and outside the fabric.

Cannot ping the GW from outside the fabric.

Funny thing, the darn GW responds in the traceroute to the EP

C:\Windows\System32>tracert 10.255.140.2

Tracing route to 10.255.140.2 over a maximum of 30 hops

1     2 ms     2 ms     1 ms 10.0.17.254
2    <1 ms    <1 ms    <1 ms 172.16.21.81
3     3 ms     3 ms     3 ms 172.16.0.2
4     6 ms     5 ms     5 ms 172.16.19.194
5     4 ms     3 ms     3 ms 10.255.141.254
6     3 ms     3 ms     4 ms 10.255.141.254
7     3 ms     3 ms     3 ms 10.255.140.2

Is this 'normal' ?

Jason Williams · ‎09-02-2016

The BD SVI should respond to ICMP. You will need to do some further troubleshooting to determine the cause. Here are my suggestions for you to get started.

1.) Have you verified that ICMP request from outside has actually made it to the fabric?

When you say ping from outside of the fabric, I assume you mean from an L3 out. You could setup a SPAN/ERSPAN session with the L3 out interface(s) as the source group. This will verify whether or not ICMP (between ACI GW and outside) is entering/leaving the fabric.

2.) Do you have access to the hops between the host and ACI fabric?

You could try sending a ping from the device nearest to the fabric. Start with 172.16.19.194 to the ACI gateway. If successful, then try from the next hop device (172.16.0.2) and so on. If you do not have access to these devices, then I would highly recommend a capture via SPAN to start your troubleshooting.

Configure SPAN using the GUI

Configure SPAN using CLI

Dan Peronto · ‎09-02-2016

All right then, guess i will open a TAC case.

Tomas de Leon · ‎09-02-2016

Can you please run the following on the APIC?

# show running-config tenant <tenant-name> interface bridge-domain <bd-name>

For Example:
============
fab1-p1-apic1# show running-config tenant deadbeef-dhcp3 interface bridge-domain dhcp3-bd25
# Command: show running-config tenant deadbeef-dhcp3 interface bridge-domain dhcp3-bd25
# Time: Fri Sep 2 17:55:25 2016
tenant deadbeef-dhcp3
interface bridge-domain dhcp3-bd25
description 'dhcp3-bd25'
dhcp relay policy tenant dhcp3-SingleVrf
ip address 191.1.25.1/24
ipv6 address 2001:191:1:25::1/64 preferred
exit
exit

Then, can you go to the Leaf where this BD is deployed. This will be your service leaf.

# issue a “show vrf” to verify the BD vrf is present.
# run “show ip interface brief vrf <vrf_tenant:vrf_name>”
# run “show ip interface vlan##”
# run “vsh_lc”
# run “show system internal epmc endpoint ip 10.255.141.254”

For Example:
============
fab1-p2-leaf1# show vhf
VRF-Name VRF-ID State Reason
deadbeef-dhcp3:dhcp3-v1 36 Up --

fab1-p2-leaf1# show ip interface brief vrf deadbeef-dhcp3:dhcp3-v1

IP Interface Status for VRF "deadbeef-dhcp3:dhcp3-v1"(36)
Interface Address Interface Status
vlan101 191.1.25.1/24 protocol-up/link-up/admin-up
vlan103 191.1.27.1/24 protocol-up/link-up/admin-up
vlan105 191.1.29.1/24 protocol-up/link-up/admin-up

fab1-p2-leaf1# show ip interface vlan101
IP Interface Status for VRF "deadbeef-dhcp3:dhcp3-v1"
vlan101, Interface status: protocol-up/link-up/admin-up, iod: 173,
IP address: 191.1.25.1, IP subnet: 191.1.25.0/24
IP broadcast address: 255.255.255.255
IP primary address route-preference: 1, tag: 0

fab1-p2-leaf1# vsh_lc
sh_lc
module-1# show system internal epmc endpoint ip 191.1.25.1

MAC : 0000.0119.01bf ::: Num IPs : 1
IP# 0 : 191.1.25.1
Vlan id : 101 ::: Vlan vnid : 15761391
::: BD vnid : 15761391
VRF name : deadbeef-dhcp3:dhcp3-v1 ::: VRF vnid : 2162690
phy if : 0x9010065 ::: tunnel if : 0 ::: Interface : Vlan101
Ref count : 3 ::: sclass : 0
Timestamp : 01/06/1970 20:44:44.820000
::: Learns Src: EPM
EP Flags : local|IP|psvi|
PD handles:
Bcm l2 hit-bit : No
[L3-0]: Asic : NS ::: LST SA : 0xa25 ::: BCM : No
<detail> SDB Data:
::::

In the Trace route I saw two entries for 10.255.141.254. When the local host (10.255.140.2) pings 10.255.141.254 does this work? Check the ARP table on the Windows host. Open a separate command window and run an “arp -a” while the ping is going on. Use a persistent ping so that host continues to ping. Do you see the multiple mac address entries for 10.255.141.254 or do you see it changing.

Thanks

T.

Dan Peronto · ‎09-06-2016

outputs:

WIWEA01-DC1-APIC1# show run tenant corp interface bridge-domain grp1
# Command: show running-config tenant corp interface bridge-domain grp1
# Time: Tue Sep 6 08:13:12 2016
tenant corp
    interface bridge-domain grp1
      ip address 10.255.141.254/23 scope public multi-site
      ip shared address 10.255.141.254/23 consumer application any epg any
      exit
    exit

WIWEA01-DC1-LEAF3# show vrf
VRF-Name                           VRF-ID State    Reason
black-hole                              3 Up       --
common:default                          6 Up       --
management                              2 Up       --
overlay-1                               4 Up       --
corp:v1                               5 Up       --

WIWEA01-DC1-LEAF3# show ip interface brief vrf corp:v1
IP Interface Status for VRF "corp:v1"(5)
Interface Address Interface Status
vlan15 10.255.141.254/23 protocol-up/link-up/admin-up

WIWEA01-DC1-LEAF3# show ip interface vlan15
IP Interface Status for VRF "corp:v1"
vlan15, Interface status: protocol-up/link-up/admin-up, iod: 97,
IP address: 10.255.141.254, IP subnet: 10.255.140.0/23 virtual
IP broadcast address: 255.255.255.255
IP primary address route-preference: 1, tag: 0

WIWEA01-DC1-LEAF3# vsh_lc
vsh_lc
module-1# show system internal epmc endpoint ip 10.255.141.254

MAC : 0000.fe8d.ff0a ::: Num IPs : 1
IP# 0 : 10.255.141.254 ::: IP# 0 last mv ts 12/31/1969 18:00:00.000000 ::: IP# 0 ip move cnt: 0 ::: IP# 0 flags :
Vlan id : 15 ::: Vlan vnid : 15859680 ::: BD vnid : 15859680
VRF name : corp:v1 ::: VRF vnid : 2850816
phy if : 0x901000f ::: tunnel if : 0 ::: Interface : Vlan15
Flags : 0x4000404
Ref count : 3 ::: sclass : 0
Timestamp : 02/11/1970 17:08:13.013000
last mv timestamp 12/31/1969 18:00:00.000000 ::: ep move count : 0
last loop_detection_ts 12/31/1969 18:00:00.000000
previous if : 0 ::: loop detection count : 0
Learn Src: EPM
EP Flags : local|IP|psvi|
PD handles:
Bcm l2 hit-bit : No
[L3-0]: Asic : NS ::: LST SA : 0xbbc ::: BCM : No
<detail> SDB Data:
::::

Yes, 10.255.140.2 can ping 10.255.141.254.

Arp is not changing

C:\Users\dperonto>arp -a
Interface: 10.255.140.2 --- 0xc
Internet Address      Physical Address      Type
10.255.141.254        00-22-bd-f8-19-ff     dynamic
10.255.141.255        ff-ff-ff-ff-ff-ff     static
224.0.0.22            01-00-5e-00-00-16     static
224.0.0.252           01-00-5e-00-00-1c     static

Mohamed Mahmoud Abd El Khalek · ‎05-03-2017

Did you find the resoltuion ?. I have similar issue.The EPG is up and live in the operation tap with its MAC but i can not ping the gateway BD from the client. or I can not ping the Client from LEAF .

roysm · ‎08-23-2017

Hi

I have the same issue, so I'm wondering if you ever got a resolution?

Thanks

Roy

micgarc2 · ‎08-23-2017

Roy,

What type of EP is this? If the GW lives inside ACI with unicast routing enabled you should be learning IPs not just MACs because this would be a L3 bridge domain. Can you please verify these settings in the BD?

Thanks,

Michael G.