Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1073
Views
0
Helpful
5
Replies

Can ping, Telnet, SSH TO, but cannot ping FROM Cisco 2960X switch

Dean Romanelli
Level 4
Level 4

‎03-29-2020 06:26 AM - edited ‎03-29-2020 06:30 AM

Hi,

I have a location in Dubai with a stacked Cisco WS-C2960X-24PD-L. This switch connects to an ASA 5505, which has a VPN to three locations: My US data center, my UK data center, and our internet cloud security provider (Zscaler). The strangest issue is happening:

 

From both of my data centers, I can ping, telnet and SSH to this switch, but from the switch, I CANNOT ping anything in either data center. However, I CAN ping anything on the internet from the switch. From the ASA 5505, I can ping to and from everything without a problem including the data centers. I've reloaded and power cycled the switch, checked the logs; nothing suspicious, etc... When I run the sniffer on the ASA and ping FROM the switch, I see no traffic coming into the ASA from the switch, UNLESS the ping destination is a pubic IP.

 

Anything behind this switch has no connectivity to the data centers, but the internet is fine. Config attached. 

Labels:
Preview file
8 KB
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎03-29-2020 07:08 AM

Couple of questions :

 

what is the ASA  IP address ? 192.168.58.1 ? what port this ASA connected on the switch ?

 

Try below option to start with :

 

no ip default-gateway 192.168.58.1
ip route 0.0.0.0 0.0.0.0 192.168.58.1

 

Other side you do have route back to Switch from ASA  for that IP address configured on Switch to reach ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Dean Romanelli
Level 4
Level 4
In response to balaji.bandi

‎03-29-2020 07:18 AM

Hi,

I was thinking the same;  ip default-gateway and ip route 0.0.0.0 0.0.0.0 192.168.58.1 both together might be a problem. I will try to pull one and see what happens. What is odd is this worked fine like this for a year.

 

As for the route on the ASA, yes I do have that via the direct connection, as the subnet I am sourcing the pings from is the main vlan 1 subnet that the inside interface of the ASA has an IP assigned to.  i.e. ASA inside = 58.1, which can ping the data centers fine, and core switch is 58.230 which cannot ping.

 

ASA inside IP = 192.168.58.1

Port on 2960 connected to 58.1 is gi2/0/24:

interface GigabitEthernet2/0/24
description To_FW58Dubai-SC5505_58.1_e0/1
end

 

0 Helpful

Dean Romanelli
Level 4
Level 4
In response to Dean Romanelli

‎03-29-2020 07:57 AM

No luck on that front.  I removed ip default-gateway 192,168,58,1 but still no ping. I also put it back and removed ip routing from the switch instead and still could not ping.  Other things I have tried: no ip redirects on the vlan interfaces, as well as no ip proxy-arp.  Reloading switch, power cycling. 

0 Helpful

Dean Romanelli
Level 4
Level 4
In response to Dean Romanelli

‎03-29-2020 08:20 AM

Firewall ACL issue. You can disregard. 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to Dean Romanelli

‎03-29-2020 09:07 AM

thanks for the sharng the input back, i know that was not the issue of routing, but like to try, since i was not aware what kind of setup you have.

 

i was also suspected due to ASA ACL issue, good and glad all resolved, shall we mark as solution here. for community user further reference.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card