
BDI not passing traffic to directly connected interfaces

davejumby
Level 1

Hi, here is a post of my configurations; however, I'm not able to pass traffic from the router to any device directly connected to the interfaces.

interface GigabitEthernet0/0/0 
no ip address
no shutdown
negotiation auto
no mop enabled
no mop sysid
no ip redirects
no ip unreachables
no ip proxy-arp
cdp enable
service instance 11 ethernet
encapsulation dot1q 11
rewrite ingress tag pop 1 symmetric
bridge-domain 11
!
service instance 12 ethernet
encapsulation dot1q 12
rewrite ingress tag pop 1 symmetric
bridge-domain 12
!
service instance 14 ethernet
encapsulation dot1q 14
rewrite ingress tag pop 1 symmetric
bridge-domain 14
!
service instance 17 ethernet
encapsulation dot1q 17
rewrite ingress tag pop 1 symmetric
bridge-domain 17
!

interface BDI12
description "MTN INTERNET CONNECTION To DC SWITCH"
encapsulation dot1Q 12
vrf forwarding NSSF-HQSC-MTNEDGE-VRF
ip address 10.20.0.1 255.255.255.248
ip nbar protocol-discovery
no shutdown
no mop enabled
no mop sysid
no ip redirects
no ip unreachables
no ip proxy-arp
!


interface GigabitEthernet0/0/3
description "OUTSIDE LINK TO DC SWITCH 2"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
negotiation auto
cdp enable

!
service instance 111 ethernet
encapsulation dot1q 11
rewrite ingress tag pop 1 symmetric
bridge-domain 111
!
service instance 112 ethernet
encapsulation dot1q 12
rewrite ingress tag pop 1 symmetric
bridge-domain 112
!
service instance 114 ethernet
encapsulation dot1q 14
rewrite ingress tag pop 1 symmetric
bridge-domain 114
!
service instance 321 ethernet
encapsulation dot1q 321
rewrite ingress tag pop 1 symmetric
bridge-domain 321




interface BDI112
description INTERNET LINK TO MTN
vrf forwarding NSSF-HQSC-MTNEDGE-VRF
ip address 10.0.0.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
encapsulation dot1Q 12
!

 

I need help here, guys. The next hops are 10.0.0.2 and 10.20.0.2 respectively.


20 Replies

Hello,

 

You are using the same VLANs on different service instances. What are you trying to accomplish? The service instances should match the VLANs.

 

Best to provide a schematic drawing, and indicate which devices connected to which port cannot communicate with the router...

The diagram explains what I'm trying to do. The ISP (labelled as Safaricom and MTN) connects to a switch, then from the switch to the ISP outside interface on the ASR routers. From the ASR routers I have inside interfaces to the switch. So from the routers I cannot ping the ISP IP address, which essentially is a next hop, since the switches are pure layer 2. I also cannot ping a PC connected to the switch, which has an IP address in the same network as the inside interface (next hop to inside interface).

Hello,

 

Sorry for the confusion. For every bridge domain you need a BDI in order to do anything layer 3 related. You have only two BDIs, and both are in the same VLAN...

davejumby
Level 1

OK, I have separated the BDIs into different VLANs, but it's still not working. Below is my current config and routing table.

 

interface GigabitEthernet0/0/0 
no ip address
no shutdown
negotiation auto
no mop enabled
no mop sysid
no ip redirects
no ip unreachables
no ip proxy-arp
cdp enable
!
service instance 12 ethernet
encapsulation dot1q 12
rewrite ingress tag pop 1 symmetric
bridge-domain 12
!


interface BDI12
description "MTN INTERNET CONNECTION To DC SWITCH"
encapsulation dot1Q 12
vrf forwarding NSSF-HQSC-MTNEDGE-VRF
ip address 10.20.0.1 255.255.255.248
ip nbar protocol-discovery
no shutdown
no mop enabled
no mop sysid
no ip redirects
no ip unreachables
no ip proxy-arp
!


interface GigabitEthernet0/0/3
description "OUTSIDE LINK TO ISP 2"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
negotiation auto
cdp enable

!
service instance 112 ethernet
encapsulation dot1q 112
rewrite ingress tag pop 1 symmetric
bridge-domain 112
!




interface BDI112
description INTERNET LINK TO MTN
vrf forwarding NSSF-HQSC-MTNEDGE-VRF
ip address 10.0.0.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
encapsulation dot1Q 12
!










sh ip route vrf NSSF-HQSC-MTNEDGE-VRF

Routing Table: NSSF-HQSC-MTNEDGE-VRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

41.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 41.209.16.144/29 is directly connected, BDI12
L 41.209.16.146/32 is directly connected, BDI12
C 41.209.17.212/30 is directly connected, BDI112
L 41.209.17.213/32 is directly connected, BDI112

Hello,

 

What router is this on? Post the output of

show ver

Cisco IOS XE Software, Version 16.07.01
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.7.1, RELEASE SOFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 20-Nov-17 19:01 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

NSSF-HQSC-IEG-2 uptime is 1 week, 4 days, 19 hours, 29 minutes
Uptime for this control processor is 1 week, 4 days, 19 hours, 30 minutes
System returned to ROM by PowerOn
System image file is "bootflash:/asr1001x-universalk9.16.07.01.SPA.bin"
Last reload reason: PowerOn

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Type: Permanent
License Level: ipbase
Next reload license Level: ipbase

cisco ASR1001-X (1NG) processor (revision 1NG) with 3860303K/6147K bytes of memory.
Processor board ID FXS2217Q337
6 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
6594559K bytes of eUSB flash at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

Hello,

 

try and take the 'encapsulation' off the BDIs:

 

interface GigabitEthernet0/0/0 
no ip address
no shutdown
negotiation auto
no mop enabled
no mop sysid
no ip redirects
no ip unreachables
no ip proxy-arp
cdp enable
!
service instance 12 ethernet
encapsulation dot1q 12
rewrite ingress tag pop 1 symmetric
bridge-domain 12
!


interface BDI12
description "MTN INTERNET CONNECTION To DC SWITCH"
--> no encapsulation dot1Q 12
vrf forwarding NSSF-HQSC-MTNEDGE-VRF
ip address 10.20.0.1 255.255.255.248
ip nbar protocol-discovery
no shutdown
no mop enabled
no mop sysid
no ip redirects
no ip unreachables
no ip proxy-arp
!


interface GigabitEthernet0/0/3
description "OUTSIDE LINK TO ISP 2"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
negotiation auto
cdp enable

!
service instance 112 ethernet
encapsulation dot1q 112
rewrite ingress tag pop 1 symmetric
bridge-domain 112
!




interface BDI112
description INTERNET LINK TO MTN
vrf forwarding NSSF-HQSC-MTNEDGE-VRF
ip address 10.0.0.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
--> no encapsulation dot1Q 12
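
The two points raised in the replies above (a BDI should not carry its own `encapsulation` line, and a bridge domain needs a BDI before it can do anything layer 3) can be checked offline against a saved configuration. This is an added example, not code from any poster in the thread; `lint_bdi` and `SAMPLE` are hypothetical names, and the sample is a constructed, trimmed copy of the configuration in the first post.

```python
import re

# Constructed sample: the first post's config reduced to the lines the checks read.
SAMPLE = """
interface GigabitEthernet0/0/0
 service instance 11 ethernet
  encapsulation dot1q 11
  bridge-domain 11
 service instance 12 ethernet
  encapsulation dot1q 12
  bridge-domain 12
interface BDI12
 encapsulation dot1Q 12
 ip address 10.20.0.1 255.255.255.248
interface GigabitEthernet0/0/3
 service instance 112 ethernet
  encapsulation dot1q 12
  bridge-domain 112
interface BDI112
 ip address 10.0.0.1 255.255.255.252
 encapsulation dot1Q 12
"""

def lint_bdi(config):
    """Flag BDIs that carry an encapsulation line and bridge domains with no BDI."""
    bdis = {}       # BDI number -> encapsulation line found on that BDI, or None
    members = {}    # bridge-domain number -> [(physical interface, dot1q tag)]
    iface, tag = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)", line, re.I):
            iface, tag = m.group(1), None
            if b := re.fullmatch(r"BDI(\d+)", iface, re.I):
                bdis[int(b.group(1))] = None
        elif m := re.match(r"encapsulation\s+dot1q\s+(\d+)", line, re.I):
            if b := re.fullmatch(r"BDI(\d+)", iface or "", re.I):
                bdis[int(b.group(1))] = line    # the line the thread says to remove
            else:
                tag = int(m.group(1))           # tag of the current service instance
        elif m := re.match(r"bridge-domain\s+(\d+)", line, re.I):
            members.setdefault(int(m.group(1)), []).append((iface, tag))
    findings = [f"BDI{n}: remove '{e}'" for n, e in sorted(bdis.items()) if e]
    for bd in sorted(set(members) - set(bdis)):
        ports = ", ".join(f"{i} dot1q {t}" for i, t in members[bd])
        findings.append(f"bridge-domain {bd}: no BDI{bd} ({ports}), layer 2 only")
    return findings
```

Running `lint_bdi(SAMPLE)` reports both BDIs and the one bridge domain in the sample that has no BDI; the second finding is informational when a bridge domain is meant to stay layer 2.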

Hi Georg

 

Thanks so much, your suggestion worked. However, I'm facing something very strange: from 10.20.0.1 I can't ping 10.20.0.2, however the reverse works perfectly and I can ping 10.0.0.2 as well. Here is my show ip arp output. Any help with this?

 

Protocol  Address    Age(min)  Hardware Addr    Type  Interface
Internet  10.20.0.1  -         780c.f071.XXX    ARPA  BDI12
Internet  10.20.0.2  5         3c97.0e25.XXXX   ARPA  BDI12
Internet  10.0.0.1   -         780c.f071.XXX    ARPA  BDI112
Internet  10.0.0.2   4         370df.2fbd.XXX   ARPA  BDI112

Hello, 

 

Where (which port) is 10.20.0.2 connected to?

It's connected to gig 0/0/0; it's the next hop to int BDI 12 (10.20.0.1).

Hello,

 

Does the next hop use a BDI as well (and is the next hop interface in the same VRF)? If possible, post the config of the next hop device as well...

Hi, the next hop is a firewall. It doesn't have configs since it's GUI, so just an IP address. However, I have tried replacing the firewall with a PC and assigning it the firewall IP address, and I'm getting similar results: I can ping from the firewall/PC, but from the router I cannot ping either.

Hello,

 

Can you post the output of:

 

show ip route vrf NSSF-HQSC-MTNEDGE-VRF

Hi, here it is:

 

show ip route vrf NSSF-HQSC-MTNEDGE-VRF

Routing Table: NSSF-HQSC-MTNEDGE-VRF
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.20.0.0/29 is directly connected, BDI12
L 10.20.0.1/32 is directly connected, BDI12
C 10.0.0.0/30 is directly connected, BDI112
L 10.0.0.1/32 is directly connected, BDI112

 

 
