
Virtual Interface is not reachable

Zafer*
Level 1

Hello,

We saved the config and upgraded our Cisco Catalyst 6807 XL switch yesterday (the version is SY10). The configuration is the same, but we cannot reach our switch at its management IP. It cannot be pinged. We have multiple switches sitting in the same VLAN, and all of these switches are accessible except this switch. We can reach it from the console port, and it handles all the traffic and is working properly from the same VLAN (management VLAN) and other VLANs as well. We checked the config of the management VLAN and default gateway; everything seems right, like the other switches. All of the VLANs are also active on this core switch. We tried to downgrade it to the previous version (the version is SY8), but the issue remains the same. We compared the running config of the core router with the saved config, and everything looks the same. I checked the logs, and they also don't show any problem. There is no access list which blocks IP addresses. We also tried to change the management IP address of the core switch; the issue still remains the same. What can be the problem? I am waiting for your help. Thanks in advance.

 

 


Accepted Solutions

Zafer*
Level 1

Thank you guys for your help. The issue got fixed for our core switch.

Resolution: As I said above, we are using the 6807-XL as a Layer 2 distribution switch. When you reboot the 6807-XL, it automatically enables “IP routing” after reboot. Since IP routing got enabled and no Layer 3 route was configured, the switch was not able to reach the Layer 2 gateway. We shut down the Layer 3 routing with the command “No IP routing”, and automatically the Layer 2 gateway of the SVI started talking to the distribution switch.

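A config check for the condition described in the resolution above, as an added example that is not part of the original post and not Cisco tooling: it flags a running-config where IP routing is on, `ip default-gateway` is set, and no static default route exists. The sample configs are constructed (only the gateway address 10.130.9.1 comes from the thread), and `routing_on_by_default` is an assumption about the platform.

```python
import re

# Constructed sample running-config fragments (not the thread's attachments).
AFTER_REBOOT = """\
interface Vlan9
 ip address 10.130.9.10 255.255.255.0
ip default-gateway 10.130.9.1
"""
AFTER_FIX = "no ip routing\n" + AFTER_REBOOT

DEFAULT_ROUTE = re.compile(r"ip route 0\.0\.0\.0 0\.0\.0\.0 \S+")
GATEWAY = re.compile(r"ip default-gateway (\S+)")


def audit_mgmt_gateway(config, routing_on_by_default=True):
    """Return findings about how the switch's own traffic leaves its subnet.

    routing_on_by_default is an assumption about the platform: when True, a
    config without "no ip routing" is treated as having IP routing enabled.
    """
    routing = routing_on_by_default
    gateway = None
    has_default_route = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no ip routing":
            routing = False
        elif line == "ip routing":
            routing = True
        elif (m := GATEWAY.fullmatch(line)):
            gateway = m.group(1)
        elif DEFAULT_ROUTE.match(line):
            has_default_route = True

    findings = []
    if routing and not has_default_route:
        # With routing on, the device consults its routing table, not ip default-gateway.
        detail = f"ip default-gateway {gateway} is ignored" if gateway else "no gateway set"
        findings.append(f"IP routing enabled without a default route; {detail}")
    if not routing and gateway is None:
        findings.append("IP routing disabled and no ip default-gateway configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("after reboot", AFTER_REBOOT), ("after fix", AFTER_FIX)):
        print(name, audit_mgmt_gateway(cfg) or "ok")
```

Running the same check against saved configs before and after an upgrade shows whether management reachability depends on a setting the new image may change.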


Hi @Zafer* 

 I had a similar issue in the past with this very same switch model and the problem was related to ARP. For some reason the ARP for management IP address was not taking place. In that situation a reload on the switch fixed the problem but it seems in your case it did not, right?

  Check if the ARP is there or not. If not, you can try to add a static ARP entry for testing. 

Thanks for the reply,
I see the ARP entry correctly on the switch and the gateway firewall (Layer 3). We already rebooted the router. We changed the IP of this switch as well, to see that there is no ARP issue. I think the problem is related to the gateway. I am able to ping the switch IP from the same switch (from itself) but not able to ping the gateway IP address (configured on the firewall). In the same VLAN there are other switches, and they are able to ping the gateway IP address. (There are no policies on the internal firewall to block the traffic.) In the same way, from the firewall I am able to ping the other switches in the same VLAN, but I can't ping only this switch in this VLAN. MAC and ARP look good.

What is the management interface and what is its IP address? Would you post the output of these commands on the switch:

show ip route

show arp

HTH

Rick

Hello Rechard,


Thanks for the reply! Please find the details attached.

Thank you for the output that I requested. Show ip route shows one connected subnet and no default route, which is probably what we would expect if ip routing were not enabled. And (importantly) it shows an arp entry for the 10.130.9.1 address. So there is some communication between your switch and its gateway. I am puzzled that ping fails.

As a next step in investigating the issue would you attempt the ping and then quickly check the logs of both the switch and the gateway to see if any messages were generated about the ping attempt?

Is it possible that some config change was made on the switch but not saved to startup config and therefore was lost in the reboot of the upgrade? 

HTH

Rick

The internal firewall, here is the issue I think.

The traffic uses a different VLAN tag when it goes and returns back through the FW.

Hello MHM,

It seems that we're facing an issue after upgrading the IOS on our router. Prior to the upgrade, everything was functioning correctly. The upgrade was performed virtually using SSH, but after completing it, we lost access to the router and are unable to ping the management IP address. It's important to note that we didn't make any changes to the firewall VLANs (there are no policies configured on the internal firewall) or the router configuration, except for modifying the router boot statement.

Clear ARP in the FW.

And check drops in the FW.

As I mentioned, it is a VLAN tag issue.

Hello MHM, thanks for your reply. We are using a PA320; there is no command to delete a specific ARP entry. I have to delete the entire interface ARP entry. We are in production now, so I am a bit hesitant to clear all ARP entries on the interface; I will do that after working hours. But just for your information, we had rebooted our core distribution switch when this issue started, and also rebooted the firewall. I believe this should clear the entire ARP table. Also, we tried to change the IP of the switch to generate a new ARP entry with the new IP.

OK, FW in between.

From the FW, try to ping the mgmt IP of the SW, and use the same subnet and a different subnet.

The firewall is acting as our core L3 router. All L3 gateways are on the firewall. The distribution switch is configured the same as the other 40 switches on the network. The only difference is that the other switches are not connected directly to the firewall. The distribution switch is connected directly. I can try changing the subnet after hours, but it will not me I believe. Please check the topology for more details. Please review the attached image.

We have already configured the IP default gateway (the firewall management VLAN IP) on the core switch. (It was working before the upgrade; I mean the same config was working without a problem, which means the default gateway config is correct.) All our switches have an SVI management IP from this VLAN. The firewall has the SVI VLAN (default gateway IP address). I don't think we need IP routing for this problem, because this is Layer 2 communication (without configuring IP routing we were able to access the core), and right now all the other switches are working fine without IP routing configured on them, just with the default gateway. The core switch is passing all the traffic through without issue. We are not able to access only its management IP.

Yes, I know it is L2.

And the same default gateway config before and after upgrading.

I have seen this issue before on the cata9000 series; the solution was to enable ip routing.

So just for checking; then you can disable it.