CSM ICMP connectivity problem

danielseely · ‎04-08-2013

We are seeing a very peicular problem with our CSM. Selective clients behind our CSM are unable to ping other clients on other subnets. There is no ryhme or reason to any of the ICMP blocks. For instance you can not narrow the problem down a certain subnet or location. For example some devices are on the same subnet but you can ping some of them but not others. Again, this is ONLY ICMP. TCP and all other protocols are working.

What makes things more weird is it is not bidirectional. You can ping in one direction but not the other!

IE.

FROM 10.0.20.180

[root@lbstats ~]# ping 10.120.1.250

PING 10.120.1.250 (10.120.1.250) 56(84) bytes of data.

64 bytes from 10.120.1.250: icmp_seq=1 ttl=127 time=5.85 ms

64 bytes from 10.120.1.250: icmp_seq=2 ttl=127 time=2.95 ms

======================================================

FROM 10.120.1.250

C:\Users\Administrator>ping 10.0.20.180

Pinging 10.0.20.180 with 32 bytes of data:

Request timed out.

I have completed pack traces on every device in the path and I have discovered that it is clearly stopping on the CSM. I have tried clearing the ARP table on the csm with no success.

We are running version 4.3(6).

Has anyone seen anything similar to this problem?

ajayku2 · ‎04-09-2013

Hi,

Few thought:

A transparent firewall in between which is allowing ICMP packets from one direction.

Try adding the client as server and see if that makes any difference. ( do not use the server anywhere just add it )

It trigger CSM to learn the MAC of the client.

regards,

Ajay Kumar

sivaksiv · ‎04-09-2013

Hi,

Do you have multiple client vlan configured each with its own gateway?

Then this could be problem since CSM doesnt allow asymmetric routing so traffic not coming back on the same vlan is dropped.

You could configure a static route or add those gateways as rservers so its MAC is learnt.

Regards,

Siva