Gateway is unreachable at remote site, but Network is working fine

motiar
Level 1

Hello Cisco Experts,

I am a bit confused and I would be thankful if someone can help me.

The only switch in the remote location (assume Site B) cannot reach its default gateway (gateway of last resort, configured) from its connected IP. But the network is working fine there and a telnet/SSH connection from HQ is also possible. Please help me understand why the remote site is still functional.

 

interface Vlan1
ip address 172.17.126.130 255.255.255.192
!
interface Vlan10
ip address 150.251.53.130 255.255.255.192
ip helper-address 150.251.53.11
!
ip default-gateway 172.17.126.140
ip classless
ip route 0.0.0.0 0.0.0.0 150.251.53.4
ip route 0.0.0.0 0.0.0.0 172.17.126.140

----

Gateway of last resort is 172.17.126.140 to network 0.0.0.0

172.17.0.0/26 is subnetted, 1 subnets
C 172.17.126.130 is directly connected, Vlan1
150.251.0.0/26 is subnetted, 1 subnets
C 150.251.53.130 is directly connected, Vlan10
S* 0.0.0.0/0 [1/0] via 172.17.126.140

 

Regards

Motiar

11 Replies

Squozen_EU
Level 1

Why do you have two default routes set?

 

Are you sure you're pinging from the right VLAN?

Deepak Kumar
VIP Alumni

Hi,

Share the output from "Show CDP nei details" and "Sho Running".

 

Regards,

Deepak Kumar


Hello

Looks like the switch is IP routing. We see two static routes applied but only one entry in the RIB.

The VLAN 10 static route next hop isn't in the same subnet as its relative SVI, so that could be why that static isn't showing in the RIB. Also, I wonder, is VLAN 10 actually up?

sh ip int brief


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Richard Burts
Hall of Fame

I find the original post a bit confusing. It says that the switch is not able to access its default gateway but does not provide any example of attempting to access the gateway. So we do not know if it is failure to ping, or failure to telnet, or some other type of failure.

 

I do agree with the observation that it seems that the switch is set up with ip routing enabled. In that case the configured ip default-gateway is superfluous and will not be used. It does not cause any problem but it will not be used. In this case the switch will use the configured static default route. I also agree with the observation that this configured default route

ip route 0.0.0.0 0.0.0.0 150.251.53.4

has a next hop that is not part of the local subnet (it would be in the local subnet if the mask were 255.255.255.0 but is not in the subnet when the mask is 255.255.255.192).

 

It would be helpful if the original poster would post the output of show arp (or perhaps show ip arp). And please provide clarification of the problem of not reaching the gateway.

 

HTH

 

Rick

Hi Richard,

You are right, IP routing is enabled and the switch is connected to the WAN router. Actually, this switch is located in Site B and I am sitting in Site A (HQ). The sites are in different countries and I have not visited Site B yet. From HQ I can telnet to the switch and log in successfully. If I try to ping the GW configured on the switch, the ping fails. But the network is working fine. Therefore, my confusion is: as the switch cannot reach the GW, how can I access the switch remotely, and how does the network work? Here are all the outputs you are asking for.


switch01#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.17.126.140 0 906c.ac33.9d6a ARPA Vlan1
Internet 172.17.126.130 - 64d9.893f.35c0 ARPA Vlan1
Internet 172.17.126.176 0 001d.e556.ae9e ARPA Vlan1
Internet 150.251.53.130 - 64d9.893f.35c1 ARPA Vlan10
----------------------------------------

switch01#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.17.126.140 4 906c.ac33.9d6a ARPA Vlan1
Internet 172.17.126.130 - 64d9.893f.35c0 ARPA Vlan1
Internet 172.17.126.176 0 001d.e556.ae9e ARPA Vlan1
Internet 150.251.53.130 - 64d9.893f.35c1 ARPA Vlan10
-----------------------------

switch01#ping 172.17.126.140

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.126.140, timeout is 2 seconds:

.....
Success rate is 0 percent (0/5)
---------------------------------------

switch01#ping 172.17.126.140 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.126.140, timeout is 2 seconds:
Packet sent with a source address of 172.17.126.130
.....
Success rate is 0 percent (0/5)
---------

switch01#ping 150.251.53.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.251.53.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-----------------------------------------
switch01#ping 150.251.53.4 source vlan 10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.251.53.4, timeout is 2 seconds:
Packet sent with a source address of 150.251.53.130
.....
Success rate is 0 percent (0/5)
-------------------------------------------

interface FastEthernet0/45
switchport voice vlan 10
spanning-tree portfast
--------------------------------------------

Hello

Is your gateway a firewall? If so, then I guess ICMP will be blocked.



Kind Regards
Paul

That was my assumption, either the router or the switch has a block on ICMP. Check for ACLs on the switch and then check the router. 

Yes, you are right. The router blocks ICMP, and the following are just nonsense configurations and do not do anything.

interface Vlan10
ip address 150.251.53.130 255.255.255.192
ip helper-address 150.251.53.11
!
ip default-gateway 172.17.126.140
ip classless
ip route 0.0.0.0 0.0.0.0 150.251.53.4

--------------

Thank you for your reply.

Regards

Motiar

Good to hear you’ve sorted it out. It sounds like you’ve inherited a network that was set up in the dark or while drunk and you might be best off doing a full audit of all devices to make sure there are no other errors or security holes. 

Motiar

The output of show ip arp is very helpful.
Internet 172.17.126.140 0 906c.ac33.9d6a ARPA Vlan1
This demonstrates very clearly that the switch and the gateway are able to communicate. And that explains why the network continued to work even when you were not able to ping from the switch to the gateway. The problem was not about failure to communicate between the switch and the router, but was about the fact that the router was blocking the pings.

In troubleshooting what is reported as problems with IP communication it is frequently helpful to verify whether the lower levels of IP communication (like arp) are working before we start looking for more complicated issues such as routing problems.

HTH

Rick
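
The two checks discussed in this thread (is each static default route's next hop inside a connected SVI subnet, and does the gateway have a learned ARP entry even though pings fail), as an added example that is not part of any post here. The function names are illustrative, and the input lines are taken from the configuration and `sh ip arp` output posted above.

```python
import ipaddress
import re

# Config and ARP lines taken from the outputs posted in the thread.
CONFIG = """\
interface Vlan1
 ip address 172.17.126.130 255.255.255.192
interface Vlan10
 ip address 150.251.53.130 255.255.255.192
ip route 0.0.0.0 0.0.0.0 150.251.53.4
ip route 0.0.0.0 0.0.0.0 172.17.126.140
"""
ARP = """\
Internet 172.17.126.140 0 906c.ac33.9d6a ARPA Vlan1
Internet 172.17.126.130 - 64d9.893f.35c0 ARPA Vlan1
Internet 150.251.53.130 - 64d9.893f.35c1 ARPA Vlan10
"""

def connected_networks(config):
    """Map each SVI name to the subnet its address/mask places it in."""
    nets, svi = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            svi = m.group(1)
        elif m := re.match(r"\s*ip address (\S+) (\S+)", line):
            nets[svi] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def learned_neighbors(arp):
    """IPs with an ARP age (not '-', which marks the switch's own addresses)."""
    rows = (line.split() for line in arp.splitlines())
    return {r[1] for r in rows if len(r) == 6 and r[2] != "-"}

def check_default_routes(config, arp, failed_pings):
    """Classify the next hop of every static default route in the config."""
    nets, seen = connected_networks(config), learned_neighbors(arp)
    result = {}
    for hop in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        svi = next((n for n, net in nets.items()
                    if ipaddress.ip_address(hop) in net), None)
        if svi is None:
            result[hop] = "next hop not on any connected subnet"
        elif hop not in seen:
            result[hop] = f"no ARP entry on {svi}: check layer 2 first"
        elif hop in failed_pings:
            result[hop] = f"ARP resolved on {svi}, ping failed: ICMP likely filtered"
        else:
            result[hop] = f"ARP resolved on {svi}, ping answered"
    return result
```

Calling `check_default_routes(CONFIG, ARP, {"172.17.126.140", "150.251.53.4"})` reports the 150.251.53.4 route as having no connected subnet and the 172.17.126.140 gateway as ARP-resolved with ICMP likely filtered.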

Hi Richard,

Thank you for your feedback. Indeed, it is very useful information.

Regards

Motiar
