
Can ping, Telnet, SSH TO, but cannot ping FROM Cisco 2960X switch

Dean Romanelli
Level 4

Hi,

I have a location in Dubai with a stacked Cisco WS-C2960X-24PD-L. This switch connects to an ASA 5505, which has a VPN to three locations: My US data center, my UK data center, and our internet cloud security provider (Zscaler). The strangest issue is happening:

 

From both of my data centers, I can ping, telnet and SSH to this switch, but from the switch, I CANNOT ping anything in either data center. However, I CAN ping anything on the internet from the switch. From the ASA 5505, I can ping to and from everything without a problem including the data centers. I've reloaded and power cycled the switch, checked the logs; nothing suspicious, etc... When I run the sniffer on the ASA and ping FROM the switch, I see no traffic coming into the ASA from the switch, UNLESS the ping destination is a public IP.

 

Anything behind this switch has no connectivity to the data centers, but the internet is fine. Config attached. 

5 Replies

balaji.bandi
Hall of Fame

Couple of questions:

What is the ASA IP address? 192.168.58.1? What port is this ASA connected to on the switch?

Try the option below to start with:

 

no ip default-gateway 192.168.58.1
ip route 0.0.0.0 0.0.0.0 192.168.58.1

 

On the other side, do you have a route back to the switch from the ASA for the IP address configured on the switch?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

I was thinking the same;  ip default-gateway and ip route 0.0.0.0 0.0.0.0 192.168.58.1 both together might be a problem. I will try to pull one and see what happens. What is odd is this worked fine like this for a year.

 

As for the route on the ASA, yes I do have that via the direct connection, as the subnet I am sourcing the pings from is the main vlan 1 subnet that the inside interface of the ASA has an IP assigned to.  i.e. ASA inside = 58.1, which can ping the data centers fine, and core switch is 58.230 which cannot ping.

 

ASA inside IP = 192.168.58.1

Port on 2960 connected to 58.1 is gi2/0/24:

interface GigabitEthernet2/0/24
description To_FW58Dubai-SC5505_58.1_e0/1
end

 

No luck on that front. I removed ip default-gateway 192.168.58.1 but still no ping. I also put it back and removed ip routing from the switch instead and still could not ping. Other things I have tried: no ip redirects on the vlan interfaces, as well as no ip proxy-arp. Reloading switch, power cycling.

Firewall ACL issue. You can disregard. 

Thanks for sharing the input back. I know that was not an issue of routing, but I like to try, since I was not aware what kind of setup you have.

I also suspected an ASA ACL issue. Good and glad all is resolved; shall we mark it as the solution here, for community users' further reference?

BB
