03-29-2020 06:26 AM - edited 03-29-2020 06:30 AM
Hi,
I have a location in Dubai with a stacked Cisco WS-C2960X-24PD-L. This switch connects to an ASA 5505, which has a VPN to three locations: My US data center, my UK data center, and our internet cloud security provider (Zscaler). The strangest issue is happening:
From both of my data centers, I can ping, telnet and SSH to this switch, but from the switch, I CANNOT ping anything in either data center. However, I CAN ping anything on the internet from the switch. From the ASA 5505, I can ping to and from everything without a problem, including the data centers. I've reloaded and power-cycled the switch, checked the logs; nothing suspicious, etc... When I run the sniffer on the ASA and ping FROM the switch, I see no traffic coming into the ASA from the switch, UNLESS the ping destination is a public IP.
Anything behind this switch has no connectivity to the data centers, but the internet is fine. Config attached.
03-29-2020 07:08 AM
A couple of questions:
What is the ASA IP address? 192.168.58.1? What port is this ASA connected to on the switch?
Try the option below to start with:
no ip default-gateway 192.168.58.1
ip route 0.0.0.0 0.0.0.0 192.168.58.1
On the other side, do you have a route back from the ASA to the IP address configured on the switch?
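A small check for the default-gateway versus default-route question raised in this reply, as an added example that is not from this thread or any of its participants. It parses the routing-related lines of an IOS switch config and flags the combinations that matter: on IOS, `ip default-gateway` is only consulted while `ip routing` is disabled, and once `ip routing` is on, only an `ip route 0.0.0.0 0.0.0.0` entry gives switch-originated traffic a next hop. The sample config, hostname and addresses are constructed from the details in the thread, not taken from the attached config.

```python
"""Lint a Cisco IOS switch config for default-gateway / default-route mismatches.

Added example; not the poster's config or any Cisco tool. Covers the generic
IOS rule that 'ip default-gateway' is ignored while 'ip routing' is enabled.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the thread (hostname and addresses assumed).
SAMPLE_CONFIG = """\
hostname DUBAI-CORE
ip routing
ip default-gateway 192.168.58.1
ip route 0.0.0.0 0.0.0.0 192.168.58.1
!
interface Vlan1
 ip address 192.168.58.230 255.255.255.0
!
interface GigabitEthernet2/0/24
 description To_FW58Dubai-SC5505_58.1_e0/1
"""

DEFAULT_ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
DEFAULT_GW_RE = re.compile(r"^ip default-gateway (\S+)")


@dataclass
class RoutingFacts:
    # A 2960-X has ip routing off by default, so start from False.
    ip_routing: bool = False
    default_gateway: Optional[str] = None
    default_route_next_hops: List[str] = field(default_factory=list)


def parse_routing(config: str) -> RoutingFacts:
    """Extract the global routing knobs that decide how the switch itself forwards."""
    facts = RoutingFacts()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip routing":
            facts.ip_routing = True
        elif line == "no ip routing":
            facts.ip_routing = False
            continue
        gw = DEFAULT_GW_RE.match(line)
        if gw:
            facts.default_gateway = gw.group(1)
            continue
        rt = DEFAULT_ROUTE_RE.match(line)
        if rt:
            facts.default_route_next_hops.append(rt.group(1))
    return facts


def lint_routing(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the defaults are consistent."""
    f = parse_routing(config)
    findings = []
    if f.ip_routing:
        if not f.default_route_next_hops:
            findings.append("ip routing is enabled but there is no 'ip route 0.0.0.0 0.0.0.0': "
                            "switch-originated traffic to non-connected networks has no next hop")
        if f.default_gateway:
            findings.append(f"'ip default-gateway {f.default_gateway}' is ignored while ip routing "
                            "is enabled; the static default route decides forwarding")
            if f.default_route_next_hops and f.default_gateway not in f.default_route_next_hops:
                findings.append("default-gateway and default route point at different next hops; "
                                "only the default route is used")
    else:
        if not f.default_gateway:
            findings.append("ip routing is disabled and no 'ip default-gateway' is set: "
                            "the switch cannot reach off-subnet destinations")
        if f.default_route_next_hops:
            findings.append("'ip route 0.0.0.0 0.0.0.0' is not used while ip routing is disabled; "
                            "set 'ip default-gateway' or enable 'ip routing'")
    return findings


if __name__ == "__main__":
    for finding in lint_routing(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed sample, the only finding is that the `ip default-gateway` line is redundant while `ip routing` is on, which matches the thread's eventual conclusion that the switch routing was not the cause. A check like this cannot see a firewall-side drop; for that, the ASA's own `packet-tracer` and `show access-list` hit counts are the place to look.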
03-29-2020 07:18 AM
Hi,
I was thinking the same; ip default-gateway and ip route 0.0.0.0 0.0.0.0 192.168.58.1 both together might be a problem. I will try to pull one and see what happens. What is odd is this worked fine like this for a year.
As for the route on the ASA, yes I do have that via the direct connection, as the subnet I am sourcing the pings from is the main vlan 1 subnet that the inside interface of the ASA has an IP assigned to. i.e. ASA inside = 58.1, which can ping the data centers fine, and core switch is 58.230 which cannot ping.
ASA inside IP = 192.168.58.1
Port on 2960 connected to 58.1 is gi2/0/24:
interface GigabitEthernet2/0/24
description To_FW58Dubai-SC5505_58.1_e0/1
end
03-29-2020 07:57 AM
No luck on that front. I removed ip default-gateway 192.168.58.1 but still no ping. I also put it back and removed ip routing from the switch instead, and still could not ping. Other things I have tried: no ip redirects on the VLAN interfaces, as well as no ip proxy-arp. Reloading the switch, power cycling.
03-29-2020 08:20 AM
Firewall ACL issue. You can disregard.
03-29-2020 09:07 AM
Thanks for sharing the input back. I know that it was not a routing issue, but I liked to try, since I was not aware what kind of setup you have.
I also suspected an ASA ACL issue. Good, and glad all is resolved. Shall we mark this as the solution here, for other community users' reference?