Can't ping from an interface

tatgauthier
Level 1

Hi everyone, and thanks in advance for any help. I'm making a demo network and have this core switch connected to a FortiGate on one side and an access switch on another. I am having connectivity issues, so I'm trying pings. The default gateway is the FortiGate with IP 10.3.0.1/30 on a point-to-point link from the core on te1/1/1. It is directly connected and the default route is set. I cannot ping from g1/0/48 (has IP 10.3.0.10/30 and is connected to 10.3.0.9) to the gateway. Here is my config and routing table. I tried to clean out the unconfigured ports to unclutter it.

CHQCOREDEMO-1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 10.3.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.3.0.1
10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
C 10.3.0.0/30 is directly connected, TenGigabitEthernet1/1/1
L 10.3.0.2/32 is directly connected, TenGigabitEthernet1/1/1
C 10.3.0.4/30 is directly connected, TenGigabitEthernet1/1/2
L 10.3.0.6/32 is directly connected, TenGigabitEthernet1/1/2
C 10.3.0.8/30 is directly connected, GigabitEthernet1/0/48
L 10.3.0.10/32 is directly connected, GigabitEthernet1/0/48
S 10.3.10.0/24 [1/0] via 10.3.0.9
S 10.3.110.0/24 [1/0] via 10.3.0.9
S 10.3.150.0/24 [1/0] via 10.3.0.9




Building configuration...

Current configuration : 3213 bytes
!
! Last configuration change at 23:18:41 UTC Mon Jan 2 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHQCOREDEMO-1
!
boot-start-marker
boot-end-marker
!
!
username whatever privilege 15 secret X.X.X
no aaa new-model
switch 1 provision ws-c3750x-48p
system mtu routing 1500
!
!
!
!
ip routing
!
!
ip domain-name vhr.demo
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/48
description Link to Access Switch
no switchport
ip address 10.3.0.10 255.255.255.252
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
description Link to Fortigate
no switchport
ip address 10.3.0.2 255.255.255.252
!
interface TenGigabitEthernet1/1/2
description Link to Fortigate
no switchport
ip address 10.3.0.6 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
interface Vlan250
ip address 10.30.250.1 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.3.0.1
ip route 10.3.10.0 255.255.255.0 10.3.0.9
ip route 10.3.110.0 255.255.255.0 10.3.0.9
ip route 10.3.150.0 255.255.255.0 10.3.0.9
!
!
!
!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
end

CHQCOREDEMO-1#ping 10.3.0.1 source g1/0/48
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.0.10
.....
Success rate is 0 percent (0/5)
CHQCOREDEMO-1#


11 Replies

The core SW connects to the Forti FW via two interfaces.

Can you ping the directly connected IP of the Forti from the core SW using ping (and a specific source interface)?

MHM

Sorry, I think I understand, so correct me if I'm not following. I can ping the 10.3.0.1 IP if I do not specify a port; if I use g1/0/48 as the source it does not work. I will use the second interface as a failover with a larger AD.

You have a default and static routes toward the same Forti FW.

Configure only the default route and check.

MHM

I don't understand what you mean. I only configured a static route:

ip route 0.0.0.0 0.0.0.0 10.3.0.1

At least I think so.

ip route 0.0.0.0 0.0.0.0 10.3.0.1
ip route 10.3.10.0 255.255.255.0 10.3.0.9
ip route 10.3.110.0 255.255.255.0 10.3.0.9
ip route 10.3.150.0 255.255.255.0 10.3.0.9

Are all these routes toward the Forti FW?

MHM

No, the ones going toward 10.3.0.9 are going to a distribution switch: subnets for user ports (10), voice (110) and printers (150) on port g1/0/48.
I just tried adding

ip route 0.0.0.0 0.0.0.0 10.3.0.5 100

but it did not fix anything.
The two ports on the FG are 10.3.0.1/30 and 10.3.0.5/30.

I was originally trying to ping from the 10.3.10.0/24 subnet and it gets to 10.3.0.10 (second hop) but does not make it from that port any farther.

interface TenGigabitEthernet1/1/1
description Link to Fortigate
no switchport
ip address 10.3.0.2 255.255.255.252
!
interface TenGigabitEthernet1/1/2
description Link to Fortigate
no switchport
ip address 10.3.0.6 255.255.255.252
!

I see the description and assume two links to the Forti.

Anyway,

You need a route in the Forti toward the core for the subnets in the access SW.

MHM

I am not sure I understand. I can ping the interface on the FW from the switch but not from a specific port on the switch. How does a route help? Shouldn't it just answer back on the port it received, and the switch is connected to that port? Would it help to see the config of the access switch? I have never used a layer 3 switch before, so I am not sure how everything works.

The access SW sends the packet to the core, and the core uses the default to forward traffic to the Forti.

Now the return packet:

The Forti needs a route for any subnet that is not directly connected.

Do you see the route for the access SW in the Forti?

I don't need the access SW config; the issue is on the Forti side.

MHM

You are a legend, sir. Thank you so much.

M02@rt37
VIP

Hello @tatgauthier

On the FortiGate, run

get router info routing-table details 10.3.0.10

Does the FortiGate have an IP route towards this IP?

If not, you need a static route on this firewall with next hop 10.3.0.2

Best regards
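The return-path reasoning from the replies above, as an added example that is not part of the original thread: a longest-prefix-match check showing why a ping sourced from 10.3.0.2 is answered while one sourced from 10.3.0.10 is not. It assumes the FortiGate's routing table holds only its two connected /30 links (the addresses given in the thread) and no other route covering the core's inside subnets.

```python
import ipaddress

# Constructed from the thread: the FortiGate's two connected /30 links.
# Assumption: it has no other route covering subnets behind the core.
FORTIGATE_ROUTES = {
    "10.3.0.0/30": "connected (link to core Te1/1/1)",
    "10.3.0.4/30": "connected (link to core Te1/1/2)",
}

# Prefixes behind the core switch, taken from its "show ip route" output.
CORE_SIDE_PREFIXES = ["10.3.0.8/30", "10.3.10.0/24",
                      "10.3.110.0/24", "10.3.150.0/24"]

CORE_NEXT_HOP = "10.3.0.2"  # core address on the first FortiGate link


def lookup(routes, address):
    """Longest-prefix match; returns (prefix, description) or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, desc in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, desc)
    return None if best is None else (str(best[0]), best[1])


def has_return_path(routes, source):
    """The echo reply is addressed to the ping's source, so the
    firewall must have a route to that source address."""
    return lookup(routes, source) is not None


def missing_return_routes(routes, prefixes):
    """Core-side prefixes that no firewall route covers."""
    nets = [ipaddress.ip_network(r) for r in routes]
    return [p for p in prefixes
            if not any(ipaddress.ip_network(p).subnet_of(n) for n in nets)]


if __name__ == "__main__":
    for src in ("10.3.0.2", "10.3.0.10"):
        print(src, "reply routable:", has_return_path(FORTIGATE_ROUTES, src))
    for p in missing_return_routes(FORTIGATE_ROUTES, CORE_SIDE_PREFIXES):
        print(f"FortiGate needs a static route: {p} via {CORE_NEXT_HOP}")
```
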