
Routing Issue

waqas.arshad
Level 1

Hi,

 

I have a situation where I am trying to access 172.18.156.2 from 172.16.226.0/24, but traffic is not leaving my switch's outgoing interface. I have another subnet, 172.18.158.2, and I can ping it successfully.

172.18.158.2 is accessible via default routing. I don't see any specific entry for this subnet. 

debaswco01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.100.4 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.16.100.4
10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
C 10.1.1.0/30 is directly connected, TenGigabitEthernet1/2/2
L 10.1.1.2/32 is directly connected, TenGigabitEthernet1/2/2
C 10.1.1.4/30 is directly connected, TenGigabitEthernet2/2/2
L 10.1.1.6/32 is directly connected, TenGigabitEthernet2/2/2
C 10.10.201.0/24 is directly connected, Vlan201
L 10.10.201.1/32 is directly connected, Vlan201
C 10.10.202.0/24 is directly connected, Vlan202
L 10.10.202.1/32 is directly connected, Vlan202
C 10.16.1.0/24 is directly connected, Vlan1
L 10.16.1.1/32 is directly connected, Vlan1
L 10.16.1.2/32 is directly connected, Vlan1
O 10.16.2.0/24 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
172.16.0.0/16 is variably subnetted, 91 subnets, 3 masks
C 172.16.1.0/24 is directly connected, Vlan601
L 172.16.1.1/32 is directly connected, Vlan601
C 172.16.2.0/24 is directly connected, Vlan602
L 172.16.2.1/32 is directly connected, Vlan602
C 172.16.3.0/24 is directly connected, Vlan603
L 172.16.3.1/32 is directly connected, Vlan603
C 172.16.4.0/24 is directly connected, Vlan604
L 172.16.4.1/32 is directly connected, Vlan604
C 172.16.5.0/24 is directly connected, Vlan605
L 172.16.5.1/32 is directly connected, Vlan605
C 172.16.6.0/24 is directly connected, Vlan606
L 172.16.6.1/32 is directly connected, Vlan606
C 172.16.7.0/24 is directly connected, Vlan607
L 172.16.7.1/32 is directly connected, Vlan607
C 172.16.8.0/24 is directly connected, Vlan608
L 172.16.8.1/32 is directly connected, Vlan608
C 172.16.9.0/24 is directly connected, Vlan609
L 172.16.9.1/32 is directly connected, Vlan609
C 172.16.10.0/24 is directly connected, Vlan610
L 172.16.10.1/32 is directly connected, Vlan610
C 172.16.12.0/24 is directly connected, Vlan612
L 172.16.12.1/32 is directly connected, Vlan612
C 172.16.14.0/24 is directly connected, Vlan614
L 172.16.14.1/32 is directly connected, Vlan614
C 172.16.16.0/24 is directly connected, Vlan616
L 172.16.16.1/32 is directly connected, Vlan616
C 172.16.17.0/24 is directly connected, Vlan617
L 172.16.17.1/32 is directly connected, Vlan617
C 172.16.18.0/24 is directly connected, Vlan618
L 172.16.18.1/32 is directly connected, Vlan618
C 172.16.19.0/24 is directly connected, Vlan619
L 172.16.19.1/32 is directly connected, Vlan619
C 172.16.20.0/24 is directly connected, Vlan620
L 172.16.20.1/32 is directly connected, Vlan620
C 172.16.22.0/24 is directly connected, Vlan622
L 172.16.22.1/32 is directly connected, Vlan622
C 172.16.23.0/24 is directly connected, Vlan623
L 172.16.23.1/32 is directly connected, Vlan623
C 172.16.24.0/24 is directly connected, Vlan624
L 172.16.24.1/32 is directly connected, Vlan624
C 172.16.25.0/24 is directly connected, Vlan625
L 172.16.25.1/32 is directly connected, Vlan625
C 172.16.26.0/24 is directly connected, Vlan626
L 172.16.26.1/32 is directly connected, Vlan626
C 172.16.31.0/24 is directly connected, Vlan631
L 172.16.31.1/32 is directly connected, Vlan631
C 172.16.32.0/24 is directly connected, Vlan632
L 172.16.32.2/32 is directly connected, Vlan632
C 172.16.33.0/24 is directly connected, Vlan633
L 172.16.33.1/32 is directly connected, Vlan633
C 172.16.34.0/24 is directly connected, Vlan634
L 172.16.34.1/32 is directly connected, Vlan634
C 172.16.35.0/24 is directly connected, Vlan635
L 172.16.35.1/32 is directly connected, Vlan635
C 172.16.36.0/23 is directly connected, Vlan636
L 172.16.36.1/32 is directly connected, Vlan636
C 172.16.40.0/24 is directly connected, Vlan640
L 172.16.40.1/32 is directly connected, Vlan640
C 172.16.42.0/24 is directly connected, Vlan642
L 172.16.42.1/32 is directly connected, Vlan642
C 172.16.50.0/24 is directly connected, Vlan11
L 172.16.50.1/32 is directly connected, Vlan11
C 172.16.52.0/24 is directly connected, Vlan652
L 172.16.52.1/32 is directly connected, Vlan652
C 172.16.53.0/24 is directly connected, Vlan653
L 172.16.53.1/32 is directly connected, Vlan653
C 172.16.54.0/24 is directly connected, Vlan654
L 172.16.54.1/32 is directly connected, Vlan654
C 172.16.100.0/24 is directly connected, Vlan100
L 172.16.100.1/32 is directly connected, Vlan100
C 172.16.133.0/24 is directly connected, Vlan705
L 172.16.133.1/32 is directly connected, Vlan705
C 172.16.134.0/24 is directly connected, Vlan707
L 172.16.134.1/32 is directly connected, Vlan707
C 172.16.151.0/24 is directly connected, Vlan151
L 172.16.151.1/32 is directly connected, Vlan151
C 172.16.152.0/23 is directly connected, Vlan152
L 172.16.152.1/32 is directly connected, Vlan152
C 172.16.154.0/23 is directly connected, Vlan154
L 172.16.154.1/32 is directly connected, Vlan154
C 172.16.156.0/23 is directly connected, Vlan156
L 172.16.156.1/32 is directly connected, Vlan156
C 172.16.200.0/24 is directly connected, Vlan200
L 172.16.200.1/32 is directly connected, Vlan200
C 172.16.201.0/24 is directly connected, Vlan702
L 172.16.201.1/32 is directly connected, Vlan702
O 172.16.220.0/23 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.222.0/23 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.224.0/23 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.226.0/24 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
O 172.16.227.0/24 [110/41] via 10.1.1.5, 7w0d, TenGigabitEthernet2/2/2
[110/41] via 10.1.1.1, 7w0d, TenGigabitEthernet1/2/2
debaswco01#
debaswco01#
debaswco01#ping 172.18.158.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.158.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/44 ms
debaswco01#
debaswco01#
debaswco01#ping 172.18.156.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.156.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

debaswco01#show ip route 172.18.158.2
% Network not in table

Can anyone help me to resolve the issue?

Regards,

Warshad

 

 

44 Replies

Hello,

Post a schematic drawing of your topology showing all devices involved, and indicate the location of the source and destination IP addresses...

balaji.bandi
Hall of Fame

Since this device does not learn those routes, it relies on this gateway to be aware of them and forward traffic. If this device is not learning them, then there is no way to route out - 172.16.100.4 (check on this IP and see whether you are learning that route there).

You can do a traceroute and see where it is dropping:

traceroute  172.18.156.2

traceroute 172.18.158.2

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for the reply. 172.16.100.4 is the firewall IP and I can ping 172.16.156.2 from the firewall. I don't see anything in the traceroute output, as traffic is not leaving the switch.

"I can ping 172.16.156.2 from Firewall" < this shows me that your default gateway is the FW, so the FW is blocking the request here. What kind of firewall? Have you checked the firewall log to see whether this request is allowed?

 

BB


show ip route  172.18.156.2 longest <<- this gives you exactly which path the SW uses.

Good point @MHM Cisco World . You can also do a "show ip cef 172.18.156.2" to see whether there is a specific route or if the traffic to the destination will be forwarded via a less specific prefix, which could be the default route as well.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

waqas.arshad
Level 1

I can only see the default route.

debaswco01#show ip cef 172.18.156.2
0.0.0.0/0

debaswco01#show ip cef 172.18.158.2
0.0.0.0/0
nexthop 172.16.100.4 Vlan100



nexthop 172.16.100.4 Vlan100


 

I can ping 172.18.158.2 but can't ping 172.18.156.2.

 

Regards,

Arshad

debaswco01#show ip cef 172.18.156.2
0.0.0.0/0

debaswco01#show ip cef 172.18.158.2
0.0.0.0/0
nexthop 172.16.100.4 Vlan100

The CEF cannot build a full adjacency.
There is an issue with ARP.

clear adjacency
clear arp

Then do show ip cef again.
Both prefixes must show the same output.

Thank you for your reply. How should I investigate the ARP issue?

Warshad

show arp <<- if you see incomplete, then this is an ARP issue.

I mentioned above two commands you can use to force CEF to build a new L2 adjacency.

Hi @MHM Cisco World ,

Unless there are two next hops (which does not seem to be the case) for the default route, both destinations would have the exact same adjacency.

Regards,

Harold Ritter

Hi @waqas.arshad ,

The "show ip cef" giving you a different output for the two destinations is peculiar. Can you do a "show ip route 0.0.0.0 0.0.0.0"?

Regards, 

Harold Ritter

Hello,
If you ping that subnet from the FW and you can reach the FW from your local subnet, and that FW is in between both source/destination addresses, then it suggests the FW is negating the connection.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

waqas.arshad
Level 1

Hi everyone, thank you for the answer.

The following rules are configured on the firewall and I don't see if traffic is blocked from the firewall. You can also see the ping result from the FW.

 

debafwin001/pri/act# show access-list | I 172.18.156.2
access-list INSIDE line 224 extended permit tcp host 172.16.226.21 host 172.18.156.21 range 8080 8180 (hitcnt=0) 0xc4f9ddb7
access-list INSIDE line 224 extended permit tcp host 172.16.226.21 host 172.18.156.21 eq www (hitcnt=0) 0xc0e096cd
access-list INSIDE line 224 extended permit tcp host 172.16.226.21 host 172.18.156.21 eq https (hitcnt=0) 0x7dc5dd9f
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 range 8080 8180 (hitcnt=76782) 0x1db1010a
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 eq www (hitcnt=0) 0x70d0a587
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 eq https (hitcnt=0) 0x5ef3afdd
access-list INSIDE line 224 extended permit tcp host 172.16.226.23 host 172.18.156.21 range 8080 8180 (hitcnt=0) 0x9b57b65e
access-list INSIDE line 224 extended permit tcp host 172.16.226.23 host 172.18.156.21 eq www (hitcnt=0) 0x736ebc21
access-list INSIDE line 224 extended permit tcp host 172.16.226.23 host 172.18.156.21 eq https (hitcnt=0) 0xfaeb2e21


access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq 8001 (hitcnt=0) 0x90b570ff
access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq 8002 (hitcnt=0) 0x0b5158bf
access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq www (hitcnt=0) 0x6d2f83fa
access-list OUTSIDE line 15 extended permit tcp host 172.18.156.21 172.16.226.0 255.255.255.0 eq https (hitcnt=0) 0x1bdc376a
access-list OUTSIDE line 16 extended permit icmp host 172.18.156.21 172.16.226.0 255.255.255.0 (hitcnt=0) 0xd5d0f09e

debafwin001/pri/act# ping 172.18.156.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.156.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/30 ms
debafwin001/pri/act#
debafwin001/pri/act#
debafwin001/pri/act#
debafwin001/pri/act# ping 172.18.156.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.156.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/30 ms

Please note the vice versa ping is working fine. I can ping 172.18.226.2 or 172.18.226.21 from the 172.18.156.0 subnet.

Regards,

Warhsad
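
An added example, not part of the thread: a small parser for expanded "show access-list" lines like those posted above, which checks whether a given flow matches any listed entry and reports its hit count. The helper names (parse_acl, matches) are hypothetical, and it assumes IPv4 entries with at most a destination-port "eq" or "range" operator.

```python
import ipaddress
import re

# Three lines taken from the "show access-list" output posted above.
SAMPLE = """\
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 range 8080 8180 (hitcnt=76782) 0x1db1010a
access-list INSIDE line 224 extended permit tcp host 172.16.226.22 host 172.18.156.21 eq https (hitcnt=0) 0x5ef3afdd
access-list OUTSIDE line 16 extended permit icmp host 172.18.156.21 172.16.226.0 255.255.255.0 (hitcnt=0) 0xd5d0f09e
"""
PORTS = {"www": 80, "https": 443}  # port names that appear in the posted output
LINE = re.compile(r"access-list (\S+) line (\d+) extended (permit|deny) (\S+) "
                  r"(.+?) \(hitcnt=(\d+)\)")

def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def _net(toks):
    """Consume one address spec from toks: 'any', 'host A' or 'A MASK'."""
    first = toks.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{toks.pop(0)}")

def parse_acl(text):
    """Parse expanded ACL lines into dicts (hypothetical helper, IPv4 only)."""
    entries = []
    for m in LINE.finditer(text):
        name, line, action, proto, rest, hits = m.groups()
        toks = rest.split()
        src, dst = _net(toks), _net(toks)
        ports = None  # None: the entry does not restrict the destination port
        if toks and toks[0] == "eq":
            ports = (_port(toks[1]), _port(toks[1]))
        elif toks and toks[0] == "range":
            ports = (_port(toks[1]), _port(toks[2]))
        entries.append({"acl": name, "line": int(line), "action": action,
                        "proto": proto, "src": src, "dst": dst,
                        "ports": ports, "hits": int(hits)})
    return entries

def matches(entries, acl, proto, src, dst, dport=None):
    """Entries of `acl` matching the flow. An empty list only means no *listed*
    line matches: output filtered with '| i <string>' hides broader entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [e for e in entries
            if e["acl"] == acl and e["proto"] in (proto, "ip")
            and s in e["src"] and d in e["dst"]
            and (e["ports"] is None or (dport is not None
                 and e["ports"][0] <= dport <= e["ports"][1]))]
```

The "| I 172.18.156.2" filter is a substring match, and every line it returned in the post is for host 172.18.156.21, so feed the checker the unfiltered ACL when testing a flow to 172.18.156.2.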
