01-23-2024 03:37 PM
Hi, I have two 3750s connected, one as access and the other as core. They are connected to a FortiGate and a remote network through an IPsec tunnel (in the FG). I have internet access on user ports but am unable to ping or SSH to the management interfaces I've set up. I have included the two configs plus their routing tables in the attached document. Thank you in advance for any help.
01-24-2024 12:45 PM - edited 01-24-2024 12:54 PM
Sure, this is probably not 100% correct, but it is pretty close. I went ahead and set up a trunk from the remote core to the FG and put a bad IP on the FG, and that seemed to work on that side. I can SSH from both sides and ping. I thought I would try a trunk between the other two switches, but that didn't work; the VLAN comes up/up but doesn't ping or SSH. I tried doing the same as I did on the remote side after that, but it still doesn't work. When I try from the same side (10.3.x.x) it gets stuck after the first hop at 10.3.10.1 on the access switch (ingress). If I try from the other side it gets stuck at 10.3.0.2 (the core ingress). So it is not routing between the switches.
Routing for access switch:
Gateway of last resort is 10.3.0.10 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.3.0.10
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C 10.3.0.8/30 is directly connected, GigabitEthernet1/0/48
L 10.3.0.9/32 is directly connected, GigabitEthernet1/0/48
C 10.3.10.0/24 is directly connected, Vlan10
L 10.3.10.1/32 is directly connected, Vlan10
C 10.3.110.0/24 is directly connected, Vlan110
L 10.3.110.1/32 is directly connected, Vlan110
C 10.3.250.0/24 is directly connected, Vlan250
L 10.3.250.2/32 is directly connected, Vlan250
Routing for core:
Gateway of last resort is 10.3.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.3.0.1
10.0.0.0/8 is variably subnetted, 11 subnets, 3 masks
C 10.3.0.0/30 is directly connected, TenGigabitEthernet1/1/1
L 10.3.0.2/32 is directly connected, TenGigabitEthernet1/1/1
C 10.3.0.4/30 is directly connected, TenGigabitEthernet1/1/2
L 10.3.0.6/32 is directly connected, TenGigabitEthernet1/1/2
C 10.3.0.8/30 is directly connected, GigabitEthernet1/0/48
L 10.3.0.10/32 is directly connected, GigabitEthernet1/0/48
S 10.3.10.0/24 [1/0] via 10.3.0.9
S 10.3.110.0/24 [1/0] via 10.3.0.9
S 10.3.150.0/24 [1/0] via 10.3.0.9
C 10.3.250.0/24 is directly connected, Vlan250
L 10.3.250.1/32 is directly connected, Vlan250
Can they be on the same subnet? Do I have to break it up so that the masks are like /30 and route it between them?
01-23-2024 04:06 PM
As per the information you provided:
Internet --2 Forti-FW - CHQCOREDEMO-1 (10.3.0.10) - (10.3.0.9) CHQACCDEMO - LAN users.
On the core switch you have pointed a static route back to the access switch for VLANs 10, 110 and 150.
On the access switch there is no IP config on VLAN 150?
On the core switch you have VLAN 250 with the .1 IP (and also on the access switch VLAN 250 with the .2 IP). This is not going to work, since you are using a P2P Layer 3 interface between the switches, so Layer 2 traffic is not going to pass between the switches.
"but am unable to ping or ssh to the management interfaces ive set up"
What is the management interface you have set up which is not working? Can you provide the IP?
From what device are you trying to ping? (The PC IP address will be helpful to identify the issue.)
For SSH, make sure your VTY lines are set up correctly for the PC to SSH.
Example config:
! SSH needs a domain name before the RSA key can be generated
ip domain-name bb.com
crypto key generate rsa
ip ssh version 2
enable secret 5 $1$jtK0$yyHFcVM7xyelts1csVwrV/
!
! local user for SSH login; with aaa new-model the local username database is used for login
username cisco privilege 15 secret 5 $1$0qFD$ZEMDi.7z1QTtF4EuPdlSY.
aaa new-model
!
aaa authorization config-commands
line con 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 privilege level 15
 password cisco
 transport input ssh
line vty 5 15
 privilege level 15
 password cisco
 transport input ssh
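A tighter version of the VTY/SSH setup in the reply above, added here as an example (it is not part of the original reply): it generates a 2048-bit key, makes the local-user login method explicit instead of relying on the implicit default under aaa new-model, restricts SSH to the management subnets mentioned later in the thread (10.3.250.0/24 and 10.4.250.0/24), and drops the unused line password. The ACL name MGMT-SSH and the placeholder secrets are assumptions.

```cisco
! Added example, not from the original reply. Assumes the management subnets
! 10.3.250.0/24 (HQ) and 10.4.250.0/24 (remote); ACL name and secrets are placeholders.
hostname CHQCOREDEMO-1
ip domain-name bb.com
! 2048-bit key; 'ip ssh version 2' refuses SSHv1 clients
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Slow down password guessing: block logins for 120s after 3 failures within 60s
login block-for 120 attempts 3 within 60
!
aaa new-model
! Explicit method lists (console included): local username database
aaa authentication login default local
aaa authorization exec default local
aaa authorization config-commands
!
! IOS stores these hashed; replace the placeholders before use
enable secret ChangeMeEnable
username cisco privilege 15 secret ChangeMeUser
!
! Only the management subnets may open an SSH session to the VTYs
ip access-list standard MGMT-SSH
 permit 10.3.250.0 0.0.0.255
 permit 10.4.250.0 0.0.0.255
 deny   any log
!
line con 0
 exec-timeout 10 0
line vty 0 15
 access-class MGMT-SSH in
 exec-timeout 10 0
 transport input ssh
 ! no 'password' here: with aaa new-model the local username is what is checked
```

Test from a PC in 10.3.250.0/24 with `ssh -l cisco <switch-ip>`; a PC outside those subnets should be refused and the denial logged. Note that `ip ssh version 2` and the RSA key are global, so they apply to all VTY lines.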
01-23-2024 07:07 PM - edited 01-23-2024 07:49 PM
Thanks for your reply, I really appreciate you taking the time. Thanks also for pointing out the issue with VLAN 150; I will assign an IP to the VLAN.
Also, the setup is not quite right. I have:
LAN users - REMCOREDEMO-1 (10.4.0.2) - (10.4.0.1) Forti-FW -- Internet IPsec tunnel -- Forti-FW (10.3.0.1) - (10.3.0.2) CHQCOREDEMO-1 (10.3.0.10) - (10.3.0.9) CHQACCDEMO - LAN users. I'm really only looking at the right side of the tunnel at the moment. The traffic seems fine over the tunnel once I did the routing for the subnets on each end.
I may be missing some info. I am new to Layer 3 switches, so please excuse my lack of knowledge. I thought my management IP was 10.3.250.1 on the core and 10.3.250.2 on the access. I may be missing some of the nuance of Layer 3 switches. There is no physical 250 VLAN, so I didn't assign a port to it. Is that required? I can see why assigning an IP to each VLAN can help with tagging (at least, that is my grasp), but I don't really know how to say "hey, this is VLAN 250 with IP 10.3.250.1 and this is the management IP". The others all ping, so I must be missing something.
I am also pretty sure I have configured the other remote management settings correctly in the config I supplied. I created a user and crypto key, and set up the domain, line con and vty. I can't even ping 10.3.250.1 from the core, and I can't ping 10.3.250.2 from the access; those are the same appliances. I am also not sure about this one; I have never used or seen it before:
aaa new-model
!
aaa authorization config-commands
It seems like what you said here is my issue. Can you help me resolve it? This is the part I'm missing, I think:
"On the core switch you have VLAN 250 with the .1 IP (and also on the access switch VLAN 250 with the .2 IP). This is not going to work, since you are using a P2P Layer 3 interface between the switches, so Layer 2 traffic is not going to pass between the switches."
Is there a better strategy? I need the management to all be on the 250 VLAN. Connected to the core switch is a FortiGate, and that is connected to a remote network with one FortiGate and one switch. They also need to be on the 250 VLAN, but it will be 10.4.0.0/16 for that network and the IP should be 10.4.250.x.
Can I subnet it somehow and route it back and forth (to allow the 10.4 net to get over to it)? That still sounds weird, because the switch cannot even ping its own 10.3.250.x interface, so maybe I'm wrong.
01-24-2024 01:04 AM
Hello,
From what I can see in your output, there is no route for the 10.30.250.0/24 network in the routing table of the switch, most likely because the status of the interface Vlan250 is down (you can check that with the command 'show ip interface brief').
You need to make that VLAN available on all switches. I am not sure if the port-channel is the link that is connecting the access and the core switches, but if it is, add VLAN 250 to the allowed VLANs on that port-channel (using the command 'switchport trunk allowed vlan add 250'):
interface Port-channel1
--> switchport trunk allowed vlan 100,150
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan250
ip address 10.30.250.1 255.255.255.0
01-24-2024 06:01 AM
Thanks for your reply. The port channel is for printers and servers at a later date. This is just a demo, so we're not actually plugging anything into that. Can I do a loopback or something and then assign a VLAN to that, or do I have to actually connect the two switches with a trunk instead of the point-to-point connection on G1/0/48? If that's the case, I'm not really sure what to do on the other side of the tunnel either.
01-24-2024 07:52 AM
Hello,
The VLAN interface (250) needs to be up/up. Is that the case right now?
01-24-2024 08:10 AM
It is up/down. Can I apply it to an unused switchport interface?
01-24-2024 08:25 AM
Hello,
Whatever port or interface you apply it to needs to be up/up as well.
01-24-2024 09:10 AM
Do you have a suggestion? This is a demo, so many of the ports will not be up/up. The core only has two redundant connections to the FortiGate and one connection to the access switch, all IP routed, and on the other side it is just one switch connected to the FortiGate with two redundant, also routed, connections. How do I assign it to a port if there are none that will be connected? I can make a trunk between the two switches and assign 250 to it, but I can't with the one switch.
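An SVI such as Vlan250 is only up/up while at least one port carrying that VLAN is up, which is why it sits at up/down on a switch whose only links are routed. A loopback interface, which the question above asks about, does not have that dependency: it is up as soon as it is configured. The fragment below is an added example and not from the thread; it assumes the addressing used in the thread (core 10.3.250.1, access 10.3.250.2, routed link 10.3.0.8/30, core default gateway 10.3.0.1), and the interface number Loopback0 and the /32 host masks are assumptions.

```cisco
! Added example, not from the original thread. Loopback0 and the /32 masks are
! assumptions; the link and gateway addresses are the ones posted in the thread.
!
! --- CHQCOREDEMO-1 (core) ---
interface Loopback0
 description Management address (always up/up, no port dependency)
 ip address 10.3.250.1 255.255.255.255
!
! Reach the access switch's management address over the routed 10.3.0.8/30 link
ip route 10.3.250.2 255.255.255.255 10.3.0.9
!
! --- CHQACCDEMO (access) ---
interface Loopback0
 description Management address (always up/up, no port dependency)
 ip address 10.3.250.2 255.255.255.255
! The access switch already has a default route via the core (10.3.0.10),
! so 10.3.250.1 needs no extra route here.
!
! Verify on either switch:
! show ip interface brief | include Loopback0   -> up/up even with every port down
! show ip route 10.3.250.2                      -> static via 10.3.0.9 (on the core)
! ping 10.3.250.2 source 10.3.250.1             -> from the core
```

With routed links between the switches there is no Layer 2 "VLAN 250" spanning them anyway; what survives of the VLAN is the 10.x.250.0/24 address range, and a loopback keeps that addressing without needing a trunk or an up port. For the remote site to reach these addresses the FortiGate at 10.3.0.1 still needs a route for 10.3.250.0/24 towards the core (10.3.0.2), and the same applies in the other direction for 10.4.250.0/24; that is FortiGate configuration and is not shown here.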
01-24-2024 10:56 AM
So I created another link from the remote core switch to the remote FG, gave the FG port IP 10.4.250.3, and made the other end a trunk with VLAN 250 on it. The VLAN is now up/up, and I can ping and SSH to it from itself and the 10.4.10.0/24 subnet, but not from across the tunnel. I even tried adding a route to the subnet and tried changing it to the host. I copied the FortiGate routing into the document I uploaded (removing public IPs). I can do a tracert and it enters 10.3.0.1 but gets stuck, so it is not making it across the tunnel. Other pings do, so it must be routing and not a FW policy, I don't think.
01-24-2024 11:51 AM
Hello,
Can you post a schematic drawing of your topology? It is becoming difficult to visualize what is not working now.
01-24-2024 01:03 PM
Okay, so that is exactly what I did. I split the VLAN into /30s, used 10.3.250.1 and 10.3.250.5, and set a route on the core. It works!! Thanks so much!!! I want to give you credit; can you repost this so I can accept the solution?
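The fix described in the final post, written out as an added example (this is not the poster's own config): VLAN 250 stays the management VLAN on each switch, but each switch gets its own /30 out of 10.3.250.0/24, and the two halves are joined by a static route over the existing routed link 10.3.0.8/30 rather than by a shared Layer 2 segment. The addresses are the ones from the thread; the VLAN name and the trunk port Gi1/0/47 (the trunk the poster built earlier to bring Vlan250 up/up) are assumptions.

```cisco
! Added example reconstructing the final fix; not the poster's own config.
! Addresses are from the thread; VLAN name and port Gi1/0/47 are assumptions.
!
! --- CHQCOREDEMO-1 (core): 10.3.250.0/30 ---
vlan 250
 name MGMT
!
interface Vlan250
 description Management (core half of 10.3.250.0/24)
 ip address 10.3.250.1 255.255.255.252
!
! Vlan250 is only up/up while a port carrying VLAN 250 is up; this trunk
! to the access switch provides that
interface GigabitEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 250
!
! The access switch's /30 is reached over the routed link 10.3.0.8/30,
! not over the trunk (different subnets, so no ARP across VLAN 250 is needed)
ip route 10.3.250.4 255.255.255.252 10.3.0.9
!
! --- CHQACCDEMO (access): 10.3.250.4/30 ---
vlan 250
 name MGMT
!
interface Vlan250
 description Management (access half of 10.3.250.0/24)
 ip address 10.3.250.5 255.255.255.252
!
interface GigabitEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 250
!
! The existing default route (0.0.0.0/0 via 10.3.0.10) already covers 10.3.250.0/30,
! so no extra route is needed on the access switch.
!
! Verify from the core:
! show ip interface brief | include Vlan250   -> up/up
! show ip route 10.3.250.5                    -> static via 10.3.0.9
! ping 10.3.250.5 source 10.3.250.1
```

Two things to check beyond the switches: the HQ FortiGate still needs a route for 10.3.250.0/24 towards the core (10.3.0.2), and for the remote site to reach these addresses through the tunnel the IPsec phase 2 selectors and firewall policies on both FortiGates have to cover 10.3.250.0/24 and 10.4.250.0/24, not just the user subnets. A traceroute that stops at 10.3.0.1, as described earlier in the thread, is consistent with a route or selector missing on the firewall rather than on the switches.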