No connection to VLAN IP Interface from outside of Subnet

tgt
Level 1

Hello,

we have a couple of CBS350s, and after updating them to version 3.3.x we were no longer able to access the VLAN IP interface from outside of the subnet.

I have tried back and forth with:
- default route
- ip routing
- VLAN Allow lists
- No Access-Lists are configured

I have no clue on why that is.

I can ping other switches in the same subnet (10.20.1.1 -> 10.20.1.50) but not the default gateway (10.20.1.254).

Packet capture in the firewall (default gateway) shows that the ICMP reply is sent to the correct interface with the correct VLAN tag.


Anybody any Idea?


13 Replies

Richard Burts
Hall of Fame

I do not have experience with CBS350 so am not clear how to get the information I want to see. On Catalyst switches I would ask for the output of show ip interface brief to verify that interface vlan 201 is in the up state. Can you provide that output from your switch?

Also on Catalyst switches I would ask for the output of show interface trunk to verify that vlan 201 is included in the active trunks. Can you provide that output from your switch?

HTH

Rick

Hi, 

I had attached the running config of the switch in the original post. There you can find that the port-channel has all VLANs allowed.

And yes, the Interfaces are "up".

Hi

When problems arise after a software upgrade, I suspect a bug and not a misconfiguration.

I went through the release notes of 3.3.x but failed to find a known bug with similar behavior, but it can be a new one.

I would downgrade at least one device just to make sure.

I am wondering about this in the original post: "Packet capture in the firewall (default gateway) shows that the ICMP reply is sent to the correct interface with the correct VLAN tag." Am I correct in understanding that the packet capture on the firewall shows the ping request received and a response sent, but not received at the originating device? What was the originating device? It is good that the reply had the correct VLAN tag. Did it have the correct destination MAC address?

HTH

Rick

Hi,

Destination and Source MAC Addresses do match.

The Source of the Request is the Destination of the reply.

Hi,

I have tried downgrading one switch to the last known good version, but I was not able to get the configuration back up and running.

Hello


@tgt wrote:

Hello,

we have a couple of CBS350s, and after updating them to version 3.3.x we were no longer able to access the VLAN IP interface from outside of the subnet.

Anybody any Idea?


From your L3 routing switch/rtr (10.20.1.254), if VLAN 201 isn't being advertised to the other subnets then that would be the reason.
So from 10.20.1.254, can you ping 10.20.1.1 sourced from another active L3 interface?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, 

the router is our firewall, which is aware of the VLAN, and the traffic is allowed. It has worked before.

We see in the firewall log that other traffic is routed to the switch (SNMP requests and other ping requests).

But it seems that the switch is dropping all requests to the VLAN IP interface.

Thank you for the additional information. It is interesting that the ping request does reach the firewall. And interesting that the source MAC and destination MAC match up. Am I correct in assuming that the ping is from the switch and not from some connected device? In the packet capture, is the destination MAC the MAC of the switch?

Can you tell us how the firewall connects to the switch (which interface of the switch)?

HTH

Rick

Hi,

yes, the destination MAC is the MAC of the switch. And yes, the ping is from the switch itself (via SSH to the OOB interface).

The firewall is connected to Port-Channel 1 (switchports 1/0/11 and 2/0/11).

Thank you for the additional information. Am I correct in understanding that the problem is only about ping from the switch to the firewall? Does ping from the switch to other devices in the network work? Does other traffic from the switch to the firewall work?

I am wondering about the oob interface. What happens if you remove the IP address from that interface?

What kind of firewall is this? Are you sure that ping from the switch to the firewall used to work? Some of the firewalls that I have worked with have a security policy that suppresses response to ping request to firewall interfaces. I wonder if that might be the situation here?

HTH

Rick

No, the problem is about reaching the VLAN IP interface (ping, SSH or HTTPS).

That is why I do not want to remove the IP from the OOB Interface, because that is right now my only way to access the switch.

tgt
Level 1

Update:

It seems that the switch was not able to register the ARP reply.

After adding the ARP entry for the gateway, the communication works mostly. Still not 100%.
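The thread's diagnosis turns on what the gateway's reply looks like on the wire: Rick asks whether it carried the correct VLAN tag and destination MAC, and the OP's update points at the switch not registering the ARP reply. The following is an added example (not code from the thread or from Cisco) that decodes an 802.1Q-tagged ARP reply frame, such as one exported from the firewall's packet capture, and checks it against what the switch's VLAN interface should accept: the expected VLAN ID, the switch's own MAC as both Ethernet destination and ARP target, and the gateway/switch IPs. VLAN 201 and the 10.20.1.x addresses come from the thread; the MAC addresses and the sample frame are constructed here for illustration.

```python
"""Decode an (optionally 802.1Q-tagged) ARP reply and check it against the
VLAN and addresses a switch's VLAN IP interface should accept.

Added example; not code from the forum thread. The MAC addresses and the
sample frame below are constructed, not taken from any real capture.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when the frame is untagged
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode an Ethernet frame carrying ARP, with or without an 802.1Q tag."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF       # low 12 bits of the TCI are the VLAN ID
        offset = 18
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is supported")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[offset + 8:offset + 28])
    return ArpFrame(_mac_str(dst), _mac_str(src), vlan_id, opcode,
                    _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def check_arp_reply(frame: bytes, expected_vlan: int, switch_mac: str,
                    switch_ip: str, gateway_ip: str) -> List[str]:
    """Return the list of mismatches. An empty list means the reply on the wire
    is exactly what the switch's VLAN interface should accept, which points the
    investigation at the receiving switch rather than at the gateway."""
    f = parse_arp_frame(frame)
    switch_mac = switch_mac.lower()
    problems = []
    if f.opcode != ARP_REPLY:
        problems.append(f"opcode {f.opcode} is not an ARP reply")
    if f.vlan_id != expected_vlan:
        problems.append(f"VLAN tag {f.vlan_id} != expected {expected_vlan}")
    if f.dst_mac != switch_mac:
        problems.append(f"Ethernet dst {f.dst_mac} is not the switch MAC {switch_mac}")
    if f.target_mac != switch_mac:
        problems.append(f"ARP target MAC {f.target_mac} is not the switch MAC")
    if f.target_ip != switch_ip:
        problems.append(f"ARP target IP {f.target_ip} != switch IP {switch_ip}")
    if f.sender_ip != gateway_ip:
        problems.append(f"ARP sender IP {f.sender_ip} != gateway IP {gateway_ip}")
    return problems


def build_arp_reply(vlan_id: Optional[int], gw_mac: str, gw_ip: str,
                    sw_mac: str, sw_ip: str) -> bytes:
    """Construct the frame a gateway would send in reply to the switch's ARP
    request. Used here only to build sample input; not a captured frame."""
    eth = _mac_bytes(sw_mac) + _mac_bytes(gw_mac)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac_bytes(gw_mac) + _ip_bytes(gw_ip) + _mac_bytes(sw_mac) + _ip_bytes(sw_ip)
    return eth + arp


# Constructed sample values: the MACs are illustrative; VLAN 201 and the
# 10.20.1.x addresses are the ones discussed in the thread.
GATEWAY_MAC = "00:11:22:33:44:55"
SWITCH_MAC = "66:77:88:99:aa:bb"
SAMPLE_REPLY = build_arp_reply(201, GATEWAY_MAC, "10.20.1.254", SWITCH_MAC, "10.20.1.1")

if __name__ == "__main__":
    issues = check_arp_reply(SAMPLE_REPLY, 201, SWITCH_MAC, "10.20.1.1", "10.20.1.254")
    print("reply looks correct" if not issues else "\n".join(issues))
```

To use it on a real capture, feed `check_arp_reply` the raw bytes of the gateway's ARP reply as exported from the firewall (the Ethernet header included). A clean result confirms the part the OP observed, that the reply is tagged and addressed correctly, and leaves the receiving switch as the remaining suspect, which matches the later finding that the switch was not registering the reply.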
