ā01-20-2023 07:27 AM
Hi,
I have a situation where i am trying to access from 172.16.226.0/24 172.18.156.2 but traffic is not leaving my switch outing interface. I have another subnet 172.18.158.2 and i can ping it successfully.
172.18.158.2 is accessible via default routing. I don't see any specific entry for this subnet.
debaswco01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 172.16.100.4 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.100.4
10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
C 10.1.1.0/30 is directly connected, TenGigabitEthernet1/2/2
L 10.1.1.2/32 is directly connected, TenGigabitEthernet1/2/2
C 10.1.1.4/30 is directly connected, TenGigabitEthernet2/2/2
L 10.1.1.6/32 is directly connected, TenGigabitEthernet2/2/2
C 10.10.201.0/24 is directly connected, Vlan201
L 10.10.201.1/32 is directly connected, Vlan201
C 10.10.202.0/24 is directly connected, Vlan202
L 10.10.202.1/32 is directly connected, Vlan202
C 10.16.1.0/24 is directly connected, Vlan1
L 10.16.1.1/32 is directly connected, Vlan1
L 10.16.1.2/32 is directly connected, Vlan1
O 10.16.2.0/24 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
172.16.0.0/16 is variably subnetted, 91 subnets, 3 masks
C 172.16.1.0/24 is directly connected, Vlan601
L 172.16.1.1/32 is directly connected, Vlan601
C 172.16.2.0/24 is directly connected, Vlan602
L 172.16.2.1/32 is directly connected, Vlan602
C 172.16.3.0/24 is directly connected, Vlan603
L 172.16.3.1/32 is directly connected, Vlan603
C 172.16.4.0/24 is directly connected, Vlan604
L 172.16.4.1/32 is directly connected, Vlan604
C 172.16.5.0/24 is directly connected, Vlan605
L 172.16.5.1/32 is directly connected, Vlan605
C 172.16.6.0/24 is directly connected, Vlan606
L 172.16.6.1/32 is directly connected, Vlan606
C 172.16.7.0/24 is directly connected, Vlan607
L 172.16.7.1/32 is directly connected, Vlan607
C 172.16.8.0/24 is directly connected, Vlan608
L 172.16.8.1/32 is directly connected, Vlan608
C 172.16.9.0/24 is directly connected, Vlan609
L 172.16.9.1/32 is directly connected, Vlan609
C 172.16.10.0/24 is directly connected, Vlan610
L 172.16.10.1/32 is directly connected, Vlan610
C 172.16.12.0/24 is directly connected, Vlan612
L 172.16.12.1/32 is directly connected, Vlan612
C 172.16.14.0/24 is directly connected, Vlan614
L 172.16.14.1/32 is directly connected, Vlan614
C 172.16.16.0/24 is directly connected, Vlan616
L 172.16.16.1/32 is directly connected, Vlan616
C 172.16.17.0/24 is directly connected, Vlan617
L 172.16.17.1/32 is directly connected, Vlan617
C 172.16.18.0/24 is directly connected, Vlan618
L 172.16.18.1/32 is directly connected, Vlan618
C 172.16.19.0/24 is directly connected, Vlan619
L 172.16.19.1/32 is directly connected, Vlan619
C 172.16.20.0/24 is directly connected, Vlan620
L 172.16.20.1/32 is directly connected, Vlan620
C 172.16.22.0/24 is directly connected, Vlan622
L 172.16.22.1/32 is directly connected, Vlan622
C 172.16.23.0/24 is directly connected, Vlan623
L 172.16.23.1/32 is directly connected, Vlan623
C 172.16.24.0/24 is directly connected, Vlan624
L 172.16.24.1/32 is directly connected, Vlan624
C 172.16.25.0/24 is directly connected, Vlan625
L 172.16.25.1/32 is directly connected, Vlan625
C 172.16.26.0/24 is directly connected, Vlan626
L 172.16.26.1/32 is directly connected, Vlan626
C 172.16.31.0/24 is directly connected, Vlan631
L 172.16.31.1/32 is directly connected, Vlan631
C 172.16.32.0/24 is directly connected, Vlan632
L 172.16.32.2/32 is directly connected, Vlan632
C 172.16.33.0/24 is directly connected, Vlan633
L 172.16.33.1/32 is directly connected, Vlan633
C 172.16.34.0/24 is directly connected, Vlan634
L 172.16.34.1/32 is directly connected, Vlan634
C 172.16.35.0/24 is directly connected, Vlan635
L 172.16.35.1/32 is directly connected, Vlan635
C 172.16.36.0/23 is directly connected, Vlan636
L 172.16.36.1/32 is directly connected, Vlan636
C 172.16.40.0/24 is directly connected, Vlan640
L 172.16.40.1/32 is directly connected, Vlan640
C 172.16.42.0/24 is directly connected, Vlan642
L 172.16.42.1/32 is directly connected, Vlan642
C 172.16.50.0/24 is directly connected, Vlan11
L 172.16.50.1/32 is directly connected, Vlan11
C 172.16.52.0/24 is directly connected, Vlan652
L 172.16.52.1/32 is directly connected, Vlan652
C 172.16.53.0/24 is directly connected, Vlan653
L 172.16.53.1/32 is directly connected, Vlan653
C 172.16.54.0/24 is directly connected, Vlan654
L 172.16.54.1/32 is directly connected, Vlan654
C 172.16.100.0/24 is directly connected, Vlan100
L 172.16.100.1/32 is directly connected, Vlan100
C 172.16.133.0/24 is directly connected, Vlan705
L 172.16.133.1/32 is directly connected, Vlan705
C 172.16.134.0/24 is directly connected, Vlan707
L 172.16.134.1/32 is directly connected, Vlan707
C 172.16.151.0/24 is directly connected, Vlan151
L 172.16.151.1/32 is directly connected, Vlan151
C 172.16.152.0/23 is directly connected, Vlan152
L 172.16.152.1/32 is directly connected, Vlan152
C 172.16.154.0/23 is directly connected, Vlan154
L 172.16.154.1/32 is directly connected, Vlan154
C 172.16.156.0/23 is directly connected, Vlan156
L 172.16.156.1/32 is directly connected, Vlan156
C 172.16.200.0/24 is directly connected, Vlan200
L 172.16.200.1/32 is directly connected, Vlan200
C 172.16.201.0/24 is directly connected, Vlan702
L 172.16.201.1/32 is directly connected, Vlan702
O 172.16.220.0/23 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.222.0/23 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.224.0/23 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.226.0/24 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.227.0/24 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
debaswco01#
debaswco01#
debaswco01#ping 172.18.158.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.158.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/44 ms
debaswco01#
debaswco01#
debaswco01#ping 172.18.156.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.156.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
debaswco01#show ip route 172.18.158.2
% Network not in table
anyone can help me to resolve the issue?
Regards,
Warshad
ā01-20-2023 07:37 AM
Hello,
post a schematic drawing of your topology showing all devices involved, and indicate the location of the source and destination IP addresses...
ā01-20-2023 07:39 AM
Since this device do not learn that routes, so it rely on this gateway to aware and forward traffic, if this device not learning then there is no way to route out - 172.16.100.4 (check on this IP see you learning that route there)
you can do traceroute and see where it dropping ?
traceroute 172.18.156.2
traceroute 172.18.158.2
ā01-20-2023 08:38 AM
Thank you for reply. 172.16.100.4 is firewall ip and i can ping 172.16.156.2 from Firewall. I dont see anything in tracerout output as traffic is not leaving the switch.
ā01-20-2023 09:15 AM
i can ping 172.16.156.2 from Firewall < this shows me that your default gateway FW , so FW is blocking the request here, what kind of Firewall ? have you checked Firewall log is this request allowed ?
ā01-20-2023 08:28 AM
show ip route 172.18.156.2 longest <<- this give you exact which path SW use.
ā01-20-2023 08:45 AM - edited ā01-20-2023 08:54 AM
Good point @MHM Cisco World . You can also do a "show ip cef 172.18.156.2" to see whether there is a specific route of if the traffic to the destination will be forwarded via a less specific prefix, which could be the default route as well.
Regards,
ā01-20-2023 09:06 AM
I can only see the default route .
debaswco01#show ip cef 172.18.156.2
0.0.0.0/0
debaswco01#show ip cef 172.18.158.2
0.0.0.0/0
nexthop 172.16.100.4 Vlan100
nexthop 172.16.100.4 Vlan100
debaswco01#show ip cef 172.18.158.2
0.0.0.0/0
nexthop 172.16.100.4 Vlan100
I can ping tp 172.18.158.2 but cant ping to 172.18.156.2
Regards,
Arshad
ā01-20-2023 09:14 AM - edited ā01-20-2023 09:21 AM
debaswco01#show ip cef 172.18.156.2
0.0.0.0/0
debaswco01#show ip cef 172.18.158.2
0.0.0.0/0
nexthop 172.16.100.4 Vlan100
the CEF can not build full adj.
there is issue with ARP
clear adjacency
clear arp
and do show ip cef again
the both preifx must show same output
ā01-20-2023 09:20 AM
Thank you for your reply. How should i investigate arp issue ?
Warshad
ā01-20-2023 09:23 AM
show arp <<- if you see incomplete then this issue of ARP,
I mention above two command you can use to force the CEF build new L2 adj.
ā01-20-2023 09:54 AM
Hi @MHM Cisco World ,
Unless there are two next hops (which does not seem to be the case) for the default route, both destinations would have the exact same adjacency.
Regards,
ā01-20-2023 09:32 AM
Hi @waqas.arshad ,
The "show ip cef" giving you a different output for the two destinations is peculiar. Can you do a "show ip route 0.0.0.0 0.0.0.0".
Regards,
ā01-20-2023 11:23 PM
Hello
If you ping that subnet from the FW and you can reach the FW from your local subnet , and that FW is in-between both source /destination addresses then it suggests the FW is negating the connection,
ā01-21-2023 08:57 AM
Hi Everyone Thank you for the answer.
Following rules are configured on firewall and i dont see if traffic is blocked from the firewall. You can also the ping result from FW.
debafwin001/pri/act# show access-list | I 172.18.156.2
access-list INSIDE line 224 extended permit tcp host 172.16.226.21 host 172.18.156.21 range 8080 8180 (hitcnt=0) 0xc4f9ddb7
access-list INSIDE line 224 extended permit tcp host 172.16.226.21 host 172.18.156.21 eq www (hitcnt=0) 0xc0e096cd
access-list INSIDE line 224 extended permit tcp host 172.16.226.21 host 172.18.156.21 eq https (hitcnt=0) 0x7dc5dd9f
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 range 8080 8180 (hitcnt=76782) 0x1db1010a
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 eq www (hitcnt=0) 0x70d0a587
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 eq https (hitcnt=0) 0x5ef3afdd
access-list INSIDE line 224 extended permit tcp host 172.16.226.23 host 172.18.156.21 range 8080 8180 (hitcnt=0) 0x9b57b65e
access-list INSIDE line 224 extended permit tcp host 172.16.226.23 host 172.18.156.21 eq www (hitcnt=0) 0x736ebc21
access-list INSIDE line 224 extended permit tcp host 172.16.226.23 host 172.18.156.21 eq https (hitcnt=0) 0xfaeb2e21
access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq 8001 (hitcnt=0) 0x90b570ff
access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq 8002 (hitcnt=0) 0x0b5158bf
access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq www (hitcnt=0) 0x6d2f83fa
access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq https (hitcnt=0) 0x1bdc376a
access-list OUTSIDE line 16 extended permit icmp host 172.18.156.21 172.16.226.0 255.255.255.0 (hitcnt=0) 0xd5d0f09e
debafwin001/pri/act# ping 172.18.156.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.156.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/30 ms
debafwin001/pri/act#
debafwin001/pri/act#
debafwin001/pri/act#
debafwin001/pri/act# ping 172.18.156.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.156.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/30 ms
Please note Vise versa ping is working fine. i can ping 172.18.226.2 or 172.18.226.21 from 172.18.156.0 subnet.
Regards,
Warhsad
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide