
C9300 Routing issue?

Fredriguez
Level 1

https://ibb.co/hC4wnWF

This is a diagram of my simple network.

 

The firewall is a FortiGate.  I have my LAN and VLAN interfaces under my LAN.  

 

The issue is that when I placed my PC on VLAN20, the internet bounces.  I found out that I can ping my firewall gateway of 10.5.20.254, but I couldn't traceroute to it.  When pinging, 40 to 60% of packets failed.  I have no static routes.

 

Routes...

https://ibb.co/c6ss90f

6 Replies

balaji.bandi
Hall of Fame

What is the PC IP address in VLAN 20, and what is the GW setup?

Where is your Layer 2 spanning-tree root for VLAN 10/20/30/40? (I hope the Cat 9300 is the root bridge, right?)

 

By default, some FWs don't allow PING and traceroute.

 

A couple of tests (also post the full configuration of the Cat 9300 and Nexus to look at):

 

1. Is your ping from 10.5.20.249 to 10.5.20.254 OK? Both sides?

2. Can the PC ping 10.5.20.249 without packet loss?

3. Can the PC ping 10.5.20.250 without packet loss?

 

Do you have any static route on the FW back to the switch, and NAT for these VLAN 10/20/30/40 range IP addresses?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I resolved the internet bouncing issue.  But I still cannot traceroute.  No static routes exist on the firewall; I was thinking they are directly connected to the LAN, so no need?

1. Is your ping from 10.5.20.249 to 10.5.20.254 OK? Both sides? YES, both sides ping.

2. Can the PC ping 10.5.20.249 without packet loss? YES, using SSH into the Nexus.

3. Can the PC ping 10.5.20.250 without packet loss? YES, using SSH into the Nexus.

 

Traceroute from PC to 20.254 seemed to work.

TR.png

balaji.bandi
Hall of Fame

If the VLAN is stretched all the way to the FW, sure, it should work (I am guessing from that output).

 

Still, the basic question remains the same: what is the PC IP address? Post the output of ipconfig /all from the PC to view.

 

"But I still cannot traceroute." - Which traceroute is not working? Post the example output to understand better.

 

BB


tr_nexus.png

 

I also showed you can ping the 20.254.

Maybe it doesn't matter, since the devices connected (Nutanix) are reporting DHCP addresses from the firewall.

 

The IP of the PC is 10.5.20.4, with a default gateway of 10.5.20.254, and I have the PC plugged into the Nexus.  So that means it is traversing through the C9300 to the FortiGate.

 

 

OK, only traceroute is not working, but the rest of the service is OK?

 

If you let the traceroute run, what happens up to the 30th hop? If you do the same traceroute from the Fortinet console, what are the results?

 

The issue is not really related to a Cisco product; this could be your provider not allowing it, or you need to look at it from the Fortinet point of view:

 

https://www.fortinetguru.com/2017/01/how-to-run-ping-and-traceroute/

BB


Hello,

 

You are trying to traceroute to the FortiGate? As far as I recall, "the FortiGate is designed not to allow UDP packets in the local-in policy. UDP packets destined for the interface of the FortiGate are dropped when a standard UDP-based traceroute is performed."

 

Check the local-in policy for the FortiGate interface you are trying to traceroute to. Since ping is working, I have a feeling that this might be the problem...

 

Check the 'set allowaccess' settings for your VLAN interface; it should look like this:

 

set ip 10.5.20.254 255.255.255.0
set allowaccess ping https ssh snmp http telnet
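As an added illustration of the check suggested in the reply above (this is example code written for this page, not something posted in the thread or shipped by Fortinet), the script below parses a FortiGate-style "config system interface" dump, finds the interface that owns the gateway address 10.5.20.254, and reports whether ICMP probes (ping, ICMP-based traceroute) are permitted by its allowaccess list. The config text is constructed for the example; the function names, the "icmp"/"udp" probe labels, and the treatment of UDP traceroute probes to the interface address as dropped (taken from the behaviour quoted in the reply) are assumptions of this example, not FortiGate API.

```python
"""Audit FortiGate interface 'allowaccess' settings from a CLI config dump.

Example code added for this page; constructed sample, not a real device dump.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on FortiGate CLI syntax (not from the thread).
SAMPLE_CONFIG = """\
config system interface
    edit "vlan20"
        set vdom "root"
        set ip 10.5.20.254 255.255.255.0
        set allowaccess ping https ssh
        set interface "port1"
        set vlanid 20
    next
    edit "vlan30"
        set vdom "root"
        set ip 10.5.30.254 255.255.255.0
        set allowaccess https ssh
        set interface "port1"
        set vlanid 30
    next
end
"""


@dataclass
class Interface:
    name: str
    ip: str = ""
    mask: str = ""
    allowaccess: set = field(default_factory=set)


def parse_interfaces(config_text):
    """Return {name: Interface} for every 'edit ... next' entry in the dump."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = Interface(name=m.group(1))
            interfaces[current.name] = current
            continue
        if current is None:
            continue
        if line == "next":
            current = None
        elif line.startswith("set ip "):
            parts = line.split()
            if len(parts) >= 4:
                current.ip, current.mask = parts[2], parts[3]
        elif line.startswith("set allowaccess"):
            current.allowaccess = set(line.split()[2:])
    return interfaces


def find_by_ip(interfaces, ip):
    """Locate the interface that owns a given address (e.g. the VLAN gateway)."""
    for iface in interfaces.values():
        if iface.ip == ip:
            return iface
    return None


def probe_allowed(iface, probe):
    """'icmp' probes (ping, ICMP traceroute) need 'ping' in allowaccess.

    'udp' traceroute probes aimed at the interface address are reported as
    dropped regardless of allowaccess: this mirrors the local-in behaviour
    quoted in the thread and is an assumption of this example.
    """
    if probe == "icmp":
        return "ping" in iface.allowaccess
    if probe == "udp":
        return False
    raise ValueError(f"unknown probe type: {probe}")


def audit(config_text, required=("ping", "https", "ssh")):
    """Report, per interface, which required services are missing from allowaccess."""
    report = {}
    for name, iface in parse_interfaces(config_text).items():
        report[name] = sorted(set(required) - iface.allowaccess)
    return report


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    gw = find_by_ip(ifaces, "10.5.20.254")
    print(f"{gw.name}: icmp probes allowed={probe_allowed(gw, 'icmp')}, "
          f"udp traceroute allowed={probe_allowed(gw, 'udp')}")
    for name, missing in audit(SAMPLE_CONFIG).items():
        print(f"{name}: missing {missing or 'nothing'}")
```

Run against a real dump, the interesting outcome is the one the thread describes: ping succeeds because 'ping' is in allowaccess, while a UDP traceroute to the same address shows no reply, so a blank traceroute alone is not evidence of a routing fault on the Cat 9300 or Nexus.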
