
Cannot ping or reach the IP

timothy_MTS
Level 1

Hello everyone,

I found a situation where it looks like we may have some configuration issues on our Nexus switches, so I wanted to see where the root cause is. Can anyone give me some directions on what to check?

I have a vendor who set up some servers in VLAN 20. There are two servers, 10.20.1.1 and 10.20.1.2, that form a cluster, which is also configured with one Virtual IP, 10.20.1.100, for the cluster. According to the vendor, their servers are Linux based.

The Nexus switches are configured with some other VLANs too. Because VLAN 20 is mission-critical to us, ACLs are applied (ip access-group ACL_Name in).

Now, I found some issues. When I tried to ping 10.20.1.1 and 10.20.1.2, they are working fine. These two servers have web browser access enabled; I can ping them and access the web interfaces.

However, I noticed that in one of the many VLANs on our Nexus switches, one specific VLAN (VLAN 10) with our corporate servers like Active Directory (e.g. 10.10.1.1), the hosts are not able to ping or web access the Virtual IP (10.20.1.100). But if I ping or web access the physical server IPs, it all works fine. Only this Virtual IP is NOT accessible.

To compare, I have another User PC VLAN 50 (10.50.1.0/24), which works perfectly fine, meaning I can ping and web access all the IPs.

To summarize,

[host 10.10.1.1] ping 10.20.1.1 - OK

[host 10.10.1.1] ping 10.20.1.2 - OK

[host 10.10.1.1] ping 10.20.1.100 - Timeout

[host 10.50.1.1] ping 10.20.1.1 - OK

[host 10.50.1.1] ping 10.20.1.2 - OK

[host 10.50.1.1] ping 10.20.1.100 - OK

I tried a tracert on the server:

from the [host 10.10.1.1] to [10.20.1.1], it first goes to 10.10.1.253 (the VLAN10 gateway), then 10.20.1.1

from the [host 10.10.1.1] to [10.20.1.2], it first goes to 10.10.1.253 (the VLAN10 gateway), then 10.20.1.2

from the [host 10.10.1.1] to [10.20.1.100], it first goes to 10.10.1.253 (the VLAN10 gateway), then timeout...

from the [host 10.50.1.1] to [10.20.1.1], it first goes to 10.50.1.253 (the VLAN50 gateway), then 10.20.1.1

from the [host 10.50.1.1] to [10.20.1.2], it first goes to 10.50.1.253 (the VLAN50 gateway), then 10.20.1.2

from the [host 10.50.1.1] to [10.20.1.100], it first goes to 10.50.1.253 (the VLAN50 gateway), then 10.20.1.100

I did a similar test from the Nexus switch.

ping 10.20.1.1 source-interface vlan10 - OK

ping 10.20.1.2 source-interface vlan10 - OK

ping 10.20.1.100 source-interface vlan10 - timeout

ping 10.20.1.1 source-interface vlan50 - OK

ping 10.20.1.2 source-interface vlan50 - OK

ping 10.20.1.100 source-interface vlan50 - OK

 

The vendor also tried some testing from the servers 10.20.1.1 and 10.20.1.2 to access / ping outside, and it works fine. Now I cannot confirm whether the problem is on the network side or in the vendor's configuration of their systems. I don't have any access to these Linux machines.

 

Thanks for reading, and thanks in advance for your help.

Regards,

Timothy

2 Replies

Hello,

 

Can you provide some configuration? You mention an ACL; can you provide that config as well as routing table entries for the Nexus devices?

 

-David

Thanks for your email.

Let me try to show as much as I can. This is the configuration of one of the two Nexus switches. The other one is almost the same except for the interface IP addresses. These are the parts of the config that are related to this situation. Some of the ACLs are also omitted, as they have hundreds of lines.


interface Vlan10
 description Corp_Server_Vlan
 no shutdown
 mtu 9216
 ip address 10.10.1.253/24
 no ip ospf passive-interface
 ip router ospf 1 area 0.0.0.0
 ip pim sparse-mode
 ip igmp version 3
 hsrp version 2
  hsrp 10
   preempt
   ip 10.10.1.254


interface Vlan20
 description Vendor_Server_Vlan
 no shutdown
 mtu 9216
 ip access-group ACL_Name in
 ip address 10.20.1.253/24
 hsrp version 2
  hsrp 20
   preempt
   ip 10.20.1.254


interface Vlan50
 description User_Vlan
 no shutdown
 mtu 9216
 ip address 10.50.1.253/24
 hsrp version 2
  hsrp 50
   preempt
   ip 10.50.1.254

IP access list ACL_Name
100 permit icmp any any
110 permit tcp any any eq www
120 permit tcp any any eq 443
130 permit tcp 10.20.1.1/32 eq 8826 any established
140 permit tcp 10.20.1.2/32 eq 8826 any established
150 permit tcp 10.20.1.100/32 eq 8826 any established
160 permit tcp 10.20.1.1/32 eq 443 any established
170 permit tcp 10.20.1.2/32 eq 443 any established
180 permit tcp 10.20.1.100/32 eq 443 any established
190 permit tcp 10.20.1.1/32 eq www any established
200 permit tcp 10.20.1.2/32 eq www any established
210 permit tcp 10.20.1.100/32 eq www any established

 


0.0.0.0/0, ubest/mbest: 1/0
*via 192.168.128.253, [1/0], 25w2d, static

10.10.1.0/24, ubest/mbest: 1/0, attached
*via 10.10.1.253, Vlan10, [0/0], 25w2d, direct
10.10.1.253/32, ubest/mbest: 1/0, attached
*via 10.10.1.253, Vlan10, [0/0], 25w2d, local
10.10.1.254/32, ubest/mbest: 1/0, attached
*via 172.22.0.254, Vlan10, [0/0], 25w2d, hsrp

 

10.20.1.0/24, ubest/mbest: 1/0, attached
*via 10.20.1.253, Vlan20, [0/0], 25w2d, direct
10.20.1.253/32, ubest/mbest: 1/0, attached
*via 10.20.1.253, Vlan20, [0/0], 25w2d, local
10.20.1.254/32, ubest/mbest: 1/0, attached
*via 10.20.1.254, Vlan20, [0/0], 25w2d, hsrp

10.50.1.0/24, ubest/mbest: 1/0, attached
*via 10.50.1.253, Vlan50, [0/0], 25w2d, direct
10.50.1.253/32, ubest/mbest: 1/0, attached
*via 10.50.1.253, Vlan50, [0/0], 25w2d, local
10.50.1.254/32, ubest/mbest: 1/0, attached
*via 10.50.1.254, Vlan50, [0/0], 25w2d, hsrp

Regards,

Timothy
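
An added example (not written by anyone in this thread, and not Cisco code): a small first-match evaluator for the ACL_Name entries shown in the post above, used to check how replies from the physical and virtual IPs are treated as they enter Vlan20 inbound. It covers only the entries listed (the omitted lines are unknown), assumes the implicit deny at the end of the list, and the client port 50000 and all function names are constructed for illustration.

```python
import ipaddress
# Entries copied from the ACL_Name listing in the post; omitted lines are unknown.
ACL_TEXT = """\
100 permit icmp any any
110 permit tcp any any eq www
120 permit tcp any any eq 443
130 permit tcp 10.20.1.1/32 eq 8826 any established
140 permit tcp 10.20.1.2/32 eq 8826 any established
150 permit tcp 10.20.1.100/32 eq 8826 any established
160 permit tcp 10.20.1.1/32 eq 443 any established
170 permit tcp 10.20.1.2/32 eq 443 any established
180 permit tcp 10.20.1.100/32 eq 443 any established
190 permit tcp 10.20.1.1/32 eq www any established
200 permit tcp 10.20.1.2/32 eq www any established
210 permit tcp 10.20.1.100/32 eq www any established
"""
PORTS = {"www": 80}

def parse_acl(text):
    """Parse '<seq> permit <proto> <src> [eq P] <dst> [eq P] [established]'."""
    rules = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        rule = {"seq": int(tok[0]), "proto": tok[2], "est": tok[-1] == "established"}
        i = 3
        for side in ("src", "dst"):
            rule[side] = None if tok[i] == "any" else ipaddress.ip_network(tok[i])
            rule[side + "_port"] = None
            if tok[i + 1:i + 2] == ["eq"]:
                rule[side + "_port"] = PORTS.get(tok[i + 2]) or int(tok[i + 2])
                i += 2
            i += 1
        rules.append(rule)
    return rules

def first_match(rules, proto, src, dst, sport=None, dport=None, ack=False):
    """Sequence number of the first matching entry, or None (implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        addr_ok = all(r[k] is None or a in r[k] for k, a in (("src", src), ("dst", dst)))
        port_ok = r["src_port"] in (None, sport) and r["dst_port"] in (None, dport)
        # 'established' only matches TCP segments with ACK or RST set
        if r["proto"] == proto and addr_ok and port_ok and (ack or not r["est"]):
            return r["seq"]
    return None

def replies_from(rules, server, client, cport=50000):
    """First-match entry for ICMP, HTTP and HTTPS replies entering Vlan20 inbound."""
    tcp = lambda sport: first_match(rules, "tcp", server, client, sport, cport, ack=True)
    return {"icmp": first_match(rules, "icmp", server, client), "http": tcp(80), "https": tcp(443)}
RULES = parse_acl(ACL_TEXT)
```

For the entries listed, `replies_from(RULES, "10.20.1.100", "10.10.1.1")` and the same call with client `10.50.1.1` return identical matches, because none of these entries tests the destination address. Any difference between VLAN 10 and VLAN 50 therefore has to come from something outside the lines shown.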