05-26-2023 03:30 AM - edited 05-26-2023 03:32 AM
Hello,
we have a couple of CBS350s, and after updating them to version 3.3.x we were no longer able to access the VLAN IP interface from outside of the subnet.
I have tried back and forth with:
- default route
- ip routing
- VLAN Allow lists
- No Access-Lists are configured
I have no clue on why that is.
I can ping other Switches in the same Subnet 10.20.1.1 -> 10.20.1.50 but not the Default Gateway (10.20.1.254)
A packet capture in the firewall (default gateway) shows that the ICMP reply is sent to the correct interface with the correct VLAN tag.
Anybody any Idea?
05-27-2023 01:02 AM
I do not have experience with CBS350, so I am not clear how to get the information I want to see. On Catalyst switches I would ask for the output of show ip interface brief to verify that interface vlan 201 is in the up state. Can you provide that output from your switch?
Also on Catalyst switches I would ask for the output of show interface trunk to verify that vlan 201 is included in the active trunks. Can you provide that output from your switch?
05-29-2023 11:06 PM
Hi,
I had attached the running config of the switch in the original post. There you can find that the Port-Channel has all VLANs allowed.
And yes, the Interfaces are "up".
05-28-2023 04:57 AM
Hi
When problems arise after a software upgrade, I suspect a bug and not a misconfiguration.
I went through the release notes of 3.3.x but failed to find a known bug with similar behavior, but it can be a new one.
I would downgrade at least one device just to make sure.
05-28-2023 01:03 PM
I am wondering about this in the original post: "A packet capture in the firewall (default gateway) shows that the ICMP reply is sent to the correct interface with the correct VLAN tag." Am I correct in understanding that the packet capture on the firewall shows the ping request received and a response sent, but not received at the originating device? What was the originating device? It is good that the reply had the correct VLAN tag. Did it have the correct destination MAC address?
05-30-2023 12:35 AM
Hi,
Destination and source MAC addresses do match.
The source of the request is the destination of the reply.
05-29-2023 11:07 PM
Hi,
I have tried downgrading one switch to the last known good version. But I was not able to get the configuration back up and running.
05-29-2023 01:18 AM
Hello
@tgt wrote:
Hello,
we have a couple of CBS350s, and after updating them to version 3.3.x we were no longer able to access the VLAN IP interface from outside of the subnet.
Anybody any Idea?
From your L3 routing switch/rtr (10.20.1.254): if vlan 201 isn't being advertised to the other subnets, then that would be the reason.
So from 10.20.1.254, can you ping 10.20.1.1 sourced from another active L3 interface?
05-30-2023 12:43 AM
Hi,
the router is our firewall, which is aware of the VLAN, and the traffic is allowed. It has worked before.
We see in the firewall log that other traffic is routed to the switch (SNMP requests and other ping requests).
But it seems that the switch is dropping all requests to the VLAN IP interface.
05-30-2023 01:36 AM
Thank you for the additional information. It is interesting that the ping request does reach the firewall. And interesting that the source MAC and destination MAC match up. Am I correct in assuming that the ping is from the switch and not from some connected device? In the packet capture, is the destination MAC the MAC of the switch?
Can you tell us how the firewall connects to the switch (which interface of the switch)?
05-30-2023 01:47 AM - edited 05-30-2023 01:49 AM
Hi,
yes, the destination MAC is the MAC of the switch. And yes, the ping is from the switch itself (via SSH to the OOB interface).
The firewall is connected to Port-Channel 1 (switchports 1/0/11 and 2/0/11).
05-30-2023 08:30 AM
Thank you for the additional information. Am I correct in understanding that the problem is only about ping from the switch to the firewall? Does ping from the switch to other devices in the network work? Does other traffic from the switch to the firewall work?
I am wondering about the oob interface. What happens if you remove the IP address from that interface?
What kind of firewall is this? Are you sure that ping from the switch to the firewall used to work? Some of the firewalls that I have worked with have a security policy that suppresses response to ping request to firewall interfaces. I wonder if that might be the situation here?
05-31-2023 02:31 AM
No, the problem is about reaching the VLAN IP interface (ping, SSH or HTTPS).
That is why I do not want to remove the IP from the OOB interface, because that is right now my only way to access the switch.
06-06-2023 05:14 AM
Update:
It seems that the switch was not able to register the ARP reply.
After adding the ARP entry for the gateway, the communication mostly works. Still not 100%.
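The thread ends with the finding that the switch never registered the gateway's ARP reply, after the earlier posts had already checked the VLAN tag and destination MAC of the firewall's replies by hand. The following script is an added example, not code from the thread or from Cisco: it parses raw Ethernet frames (with an optional 802.1Q tag) from a capture taken on the firewall side and reports whether an ARP reply from the gateway was seen on the expected VLAN and addressed to the switch's MAC, which is exactly the check the posters were doing by eye. The MAC addresses, the VLAN ID 201 and the sample frames are constructed assumptions; in practice you would feed it the frames from the firewall's pcap.

```python
"""
Check whether an ARP reply for the default gateway reached the switch on
the expected VLAN, with the switch's own MAC as Ethernet destination and
ARP target. Added example; every address below is a constructed assumption.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Assumed values for the sample data (not from the thread's capture).
SWITCH_MAC = "00:11:22:33:44:55"
GATEWAY_MAC = "66:77:88:99:aa:bb"
GATEWAY_IP = "10.20.1.254"
SWITCH_IP = "10.20.1.1"
VLAN_ID = 201


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header, an optional 802.1Q tag and, if the
    payload is ARP, the fixed 28-byte ARP header. vlan is None if untagged."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"dst": mac_str(dst), "src": mac_str(src),
            "vlan": vlan, "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack(
            "!HHBBH6s4s6s4s", frame[offset:offset + 28])
        info.update({"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
                     "tha": mac_str(tha), "tpa": ip_str(tpa)})
    return info


def check_gateway_arp_reply(frames, gateway_ip, switch_mac, vlan_id):
    """Return (ok, reasons). ok is True iff some frame is an ARP reply from
    gateway_ip tagged with vlan_id whose Ethernet destination and ARP
    target hardware address both equal switch_mac. Otherwise reasons lists
    why each candidate reply was rejected (or that none was seen)."""
    reasons = []
    for i, f in enumerate(frames):
        p = parse_frame(f)
        if p["ethertype"] != ETHERTYPE_ARP or p.get("op") != ARP_REPLY:
            continue
        if p["spa"] != gateway_ip:
            continue
        problems = []
        if p["vlan"] != vlan_id:
            problems.append(f"vlan {p['vlan']} != {vlan_id}")
        if p["dst"] != switch_mac:
            problems.append(f"eth dst {p['dst']} != {switch_mac}")
        if p["tha"] != switch_mac:
            problems.append(f"arp target {p['tha']} != {switch_mac}")
        if not problems:
            return True, [f"frame {i}: ARP reply from {gateway_ip} ok"]
        reasons.append(f"frame {i}: " + "; ".join(problems))
    if not reasons:
        reasons.append(f"no ARP reply from {gateway_ip} seen")
    return False, reasons


def build_arp_reply(dst_mac, src_mac, vlan, sender_ip, target_ip) -> bytes:
    """Construct a sample ARP reply frame (vlan=None means untagged)."""
    hdr = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(src_mac), ip_bytes(sender_ip),
                      mac_bytes(dst_mac), ip_bytes(target_ip))
    return hdr + arp


# Constructed sample frames: one correct reply, one on the wrong VLAN,
# one untagged (as it would look if the tag were stripped in transit).
GOOD_FRAME = build_arp_reply(SWITCH_MAC, GATEWAY_MAC, VLAN_ID, GATEWAY_IP, SWITCH_IP)
WRONG_VLAN_FRAME = build_arp_reply(SWITCH_MAC, GATEWAY_MAC, 1, GATEWAY_IP, SWITCH_IP)
UNTAGGED_FRAME = build_arp_reply(SWITCH_MAC, GATEWAY_MAC, None, GATEWAY_IP, SWITCH_IP)

if __name__ == "__main__":
    for name, frames in [("good", [GOOD_FRAME]),
                         ("bad", [WRONG_VLAN_FRAME, UNTAGGED_FRAME])]:
        ok, reasons = check_gateway_arp_reply(frames, GATEWAY_IP, SWITCH_MAC, VLAN_ID)
        print(name, ok, reasons)
```

If the check passes on the firewall-side capture but the switch still has no ARP entry for the gateway, the frame is being dropped or ignored after it reaches the switch, which matches the update above and is the point at which a static ARP entry is a workaround rather than a fix.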