FIREPOWER CONNECTED TO A VPC PORT CHANNEL TRUNK NOT ROUTING PROPERLY

aleck.sithole1 · ‎07-29-2019

PLEASE REFER TO THE ATTACHED DIAGRAM

Switch A and B can ping the vlan SVI ip addresses on the firewall portchannel sub-interfaces
But are failing to ping the Interface on the ASR router 172.25.25.1/24 even 172.25.25.2/24 on the firewall

If you enter a default route on either switch C and switch D eg "ip route 0.0.0.0 0.0.0.0 192.168.10.1"
this wil allow SWC /SWD to ping the router interface 172.25.25.1/24 but ie when you are sourcing from vlan 10
THE GOAL IS TO MAKE SURE THE ROUTER CAN BE PINGED FROM ALL VLANS..
So we tried adding other default routes eg "ip route 0.0.0.0 0.0.0.0 192.168.20.1" & "ip route 0.0.0.0 0.0.0.0 192.168.30.1"
and still one vlan is getting to the ASR router because in the routing table of the SWC&D the default route entry at the top is the one that is functional.
Given that you replace " ip route 0.0.0.0 0.0.0.0 192.168.10.1" with "ip route 0.0.0.0 0.0.0.0 192.168.20.1" vlan 20 starts pinging the ASR router while others cant
CAN YOU HELP WITH A SOLUTION THAT CAN HELP US PING THE ASR FROM ALL VLAN ALL AT ONCE.

balaji.bandi · ‎07-29-2019

SWA / SW B - required to have a Gateway IP for the HSRP Virtual IP.

Then you need have a Static Route to be inn place FTD pointing back to Nexus virtual IP as below example :

ip route 192.168.10.0 0.0.0.255 192.168.10.2

Then SW A and SW B point the GW 192.168.10.2

Test and Advise.