Re: Inherited VLAN mess - one way ping

HopelessATvlans · ‎11-01-2022

Hi all,

So long time reader first time poster. I have inherited a bit of a mess and mish mash of a network. My main issue is that I can not ping a subnet (VLAN300) 192.168.0.0/23 from the server stack 172.25.1.0 (VLAN200) however I can ping fine the other way.

All switches are Cisco with a fortnet Router.

I did find a static route in the fortinet that is 192.168.0.0/23 > 172.25.1.85 this .85 address being the main core switch.

I have uploaded the sh run for the main switch. One thing I did note is that the VLAN IP helper is point to 172.25.1.15 which is a DC not the router, router being 172.25.1.253

Any help is much appreciated.

balaji.bandi · ‎11-01-2022

Devices in Subnet (172.25.1.0), what is the gateway configured ?

I do not see any ACL in the switch which stop to work. all device have gateway Fortinet, then you need check any ACL which blocking ?

if you setup switch SVI as gateway for the respectd VLAN all should work as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

HopelessATvlans · ‎11-01-2022

Hi! Thanks for your reply! The GW for both subnets are 172.25.1.253

I do think the Access Control is done on the fortinet especially with the rule that is set.

I am ware of setting up the SVI as its a 24h business and I dont want to make live changes till weekend. I hope you under stand

balaji.bandi · ‎11-01-2022

The GW for both subnets are 172.25.1.253

i do not believe this going to work, the gateway should be different based on the subnet.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

HopelessATvlans · ‎11-01-2022

I would agree with you however all devices can access the internet fine and 192 subnet can ping and connect to the 172 subnet fine. the fact that works proves two way as the eho needs a reply, I just dont know why its one way.

balaji.bandi · ‎11-01-2022

I do not believe Luck vs technology, there may be hidden config on fortinet so it working

Can you traceroute from 172 to 192 IP and 192 to 172 IP for us to look where it going ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

HopelessATvlans · ‎11-01-2022

Trace from 192 to 172 DC
over a maximum of 30 hops:

1 1 ms 8 ms 3 ms 192.168.1.254
2 1 ms 2 ms 2 ms swndc01.domain.local [172.25.1.15]

Trace complete.

Trace fails other way. 192.168.1.254 is the core stack I sh run above

balaji.bandi · ‎11-01-2022

what is the device IP you tracing ?

This because the gateway, 192 knows how to reach 172 network

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎11-01-2022

Hello,

what OS are the servers running ? One way ping issues are often related to firewall settings. If you are using Windows, check if the firewall is enabled, and if inbound ICMP is allowed (Connection Rule Settings)...

HopelessATvlans · ‎11-01-2022

Hi George, They run a mix of Server 2016 & 19. All firewalls are off internally in windows and AV is defender.

HopelessATvlans · ‎11-01-2022

from 192.168.1.97 to 172.25.1.15