10-07-2024 03:47 PM - last edited on 10-07-2024 05:28 PM by shule
Host-A can ping firepower from inside to outside in the range (10.10.10.0/25) but not in the range (10.10.10.128/25). If the wildcard 'ip route' at the core switch is set to follow (10.10.10.128/25), then Host-A can ping all IPs in that range. But all IPs in the range from 1-126 become unreachable. What could possibly cause this toggling problem?
10-07-2024 04:18 PM
Seems to be a route problem. Why don't you use 10.10.10.0/24 in the route config?
10-07-2024 06:04 PM
10-08-2024 04:41 AM
If the firewall is the gateway for 10.10.10.0/25 and 10.10.10.128/25, you probably have an interface or interface VLAN on these networks, right?
From a routing point of view, using the mask /24 should be enough to fix it. If the firewall has interfaces on those networks, it will know how to send the traffic to the specific host.
Now, if the firewall does not have interfaces on those networks, then the firewall must also have routes pointing to those networks, and in this case, yes, you should also use /24 or add two static networks with /25.
10-07-2024 04:32 PM
Can you elaborate more?
MHM
10-08-2024 09:21 AM
10-08-2024 10:59 AM
Sorry, can you share the topology, please?
MHM
10-08-2024 02:35 PM
10-09-2024 09:17 AM
Still waiting for the topology.
MHM
10-08-2024 09:41 AM
10-08-2024 09:57 AM
If you have a route "ip route 0.0.0.0 0.0.0.0 10.10.10.124" on the core, all the traffic will be sent to 10.10.10.124, which is in the first network. You need to have specific routes on the core instead:
ip route 10.10.10.0 255.255.255.128 <gateway>
ip route 10.10.10.128 255.255.255.128 <gateway>
10-08-2024 01:21 PM
10-08-2024 11:07 AM
This toggling issue is likely caused by an incorrect routing configuration that is leading to overlapping or conflicting routes between the two subnets (10.10.10.0/25 and 10.10.10.128/25). Here's a breakdown of the potential causes:
Incorrect Longest Prefix Match (LPM): When you configure a wildcard route, the router follows the longest prefix match rule, meaning it chooses the most specific route to forward traffic. By adding the wildcard route for 10.10.10.128/25, the router now routes all traffic matching that range, but this might override the routing for 10.10.10.0/25. As a result, traffic destined for IPs in the 10.10.10.0/25 range is being misrouted or not routed at all.
Subnet Overlap or Improper Route Summarization: If there’s a routing table entry for 10.10.10.0/24, it might be overriding your specific /25 routes. Adding 10.10.10.128/25 could cause the router to prefer the newly defined route for 10.10.10.128/25, making the lower half (10.10.10.1-10.10.10.126) unreachable due to this route mismatch.
Routing Table Conflicts: Check the core-switch routing table for both direct and static routes. There might be a static route incorrectly pointing to 10.10.10.128/25 while the dynamic or connected routes are properly defined for 10.10.10.0/25. This would cause traffic to follow the wrong path depending on the more specific or less specific route.
In short, it seems like a routing conflict or improper route summarization is causing the router to either forward all traffic to one side or the other, depending on the wildcard routing configurations.
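The longest-prefix-match behaviour discussed in the two replies above (one /25 route "fixing" only half of 10.10.10.0/24, versus two /25 routes or one /24) can be reproduced with a small lookup. This is an added example, not code from the thread; the firewall address 10.10.10.254 is a constructed placeholder, while 10.10.10.124 is the default-route next hop quoted in the earlier reply.

```python
import ipaddress

# Added example (not from the original thread): a minimal longest-prefix-match
# lookup showing why a single /25 static route on the core switch only covers
# one half of 10.10.10.0/24.  FIREWALL is a constructed placeholder address;
# WRONG_NEXT_HOP is the default-route next hop quoted in the thread.
FIREWALL = "10.10.10.254"
WRONG_NEXT_HOP = "10.10.10.124"


def longest_prefix_match(routes, dst):
    """Return (network, next_hop) of the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        # A longer prefix length wins; the 0.0.0.0/0 default only matches last.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reachable_via(routes, hosts, gateway=FIREWALL):
    """Map each host to True if its chosen next hop is the firewall, else False."""
    result = {}
    for host in hosts:
        match = longest_prefix_match(routes, host)
        result[host] = match is not None and match[1] == gateway
    return result


# Route tables for the situations the thread describes; anything not covered by
# a specific route falls through to the default.
UPPER_HALF_ONLY = [("10.10.10.128/25", FIREWALL), ("0.0.0.0/0", WRONG_NEXT_HOP)]
LOWER_HALF_ONLY = [("10.10.10.0/25", FIREWALL), ("0.0.0.0/0", WRONG_NEXT_HOP)]
BOTH_HALVES = [("10.10.10.0/25", FIREWALL), ("10.10.10.128/25", FIREWALL),
               ("0.0.0.0/0", WRONG_NEXT_HOP)]
SUMMARY_24 = [("10.10.10.0/24", FIREWALL), ("0.0.0.0/0", WRONG_NEXT_HOP)]

# Constructed sample destinations: two in each half of 10.10.10.0/24.
SAMPLE_HOSTS = ["10.10.10.5", "10.10.10.126", "10.10.10.130", "10.10.10.200"]

if __name__ == "__main__":
    for name, table in [("upper /25 only", UPPER_HALF_ONLY),
                        ("lower /25 only", LOWER_HALF_ONLY),
                        ("two /25 routes", BOTH_HALVES),
                        ("one /24 route", SUMMARY_24)]:
        print(f"{name:15}", reachable_via(table, SAMPLE_HOSTS))
```

Running it shows the toggling from the question: each single /25 table sends the other half to the default next hop, while the two-/25 and /24 tables send every sample host to the firewall.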