Issue getting reply traffic back from our CBS-350 switches

BremmerV
Level 1

I have a couple of CBS 350 switches stacked together. One has a VLAN trunk connected to our security gateway's LAN interface, which has all the sub-interfaces for a "Router-on-a-stick" setup for inter-VLAN routing. The switches have three VLANs defined on them. I have two IPv4 VLAN interfaces configured, one in VLAN 20 and one in VLAN 10. When I ping the switch's management IP in VLAN 10 from VLAN 20 it works. But when I open a browser and try to go to the same IP in VLAN 10 to open the web UI, it fails. My firewall logs show the successful traffic from the ping, but for the web UI attempts they show the traffic out and no reply traffic back from the switch. I looked at the router's runtime stats and it is routing correctly; the successful pings prove that. We are just not getting reply traffic for anything other than ping. I have tried to SSH to the switch on VLAN 10 from VLAN 20 as well, to no avail.

I looked at the switch to see if there was some default ACL that was only allowing pings between VLANs, but didn't see any.

Can anyone advise what might be causing the switch to behave this way? Any default behavior?

Thanks, 

7 Replies

KJK99
Level 3

There are no default ACL rules on the CBS350 switches. Since the routing is done on the security gateway, I would look for an issue there. Does the security gateway allow the HTTP/HTTPS/SSH traffic both ways? How did you define your subnets and interfaces?

Kris K

Hello KJK99, Thanks for the reply.

Well, we did not find any issue with routing. I can ping from VLAN 20 to VLAN 10 no problem so reply traffic is routing back from the switch.

I have two security rules that allow all traffic from VLAN 20 to VLAN 10 and from VLAN 10 to VLAN 20. I'm not restricting any traffic types, and there is no threat scanning right now, for testing. The subnets for each VLAN are set up as sub-interfaces on the gateway's LAN interface. The physical interface doesn't have an IP address; the sub-interfaces do. I set the VLAN tags on the sub-interfaces as 10 for VLAN 10 and 20 for VLAN 20. I do have a DHCP scope set for each VLAN on the gateway, and I do get an IP address for my laptop when connected to each VLAN. We did a packet capture at the gateway for Tx and Rx and we just don't see return traffic from the switch for anything except pings. Also, my laptop can be connected to any of the VLANs and I can access the internet no problem; it's only between VLANs, for anything except pings.

Thanks,

KJK99
Level 3

It's a mystery. I have several CBS350 switches with multiple VLANs, stacked and chain-linked, and I have never had a problem like that. The HTTP/HTTPS/SSH services must be enabled, of course, but the HTTP service is enabled by default, so that should work as long as the VLAN and IPv4 configuration is correct. Also, is the firmware up-to-date? Have you disabled the Auto Smart Port feature? Well, even if the answer is no, it's a mystery. How did you set up the packet capture? I would use port mirroring on the switch to be sure.

Kris K

Auto Smart Port is disabled. I set up a PCAP on our Palo Alto security gateway (NGFW) to capture all Tx and Rx traffic from the FW and from the switch's VLAN 10 IP address. I guess it would be beneficial to capture at the switch as well. I am going to update the firmware just to rule out a possible bug and test again. I'll keep updating this thread as I go. Thanks for your input!!

amikat
Level 7

Hi,

In my view what you are experiencing is due to the fact that when the CBS350 box receives HTTP/HTTPS/SSH traffic sourced from VLAN 20 it tries to respond directly via VLAN 20 (i.e. not back via VLAN 10), and this is then blocked by the Palo Alto. The reason why ping passes is that ICMP is not a stateful protocol and the Palo Alto may just be configured to allow both sides.

Just my idea.

To check whether this is the case I would recommend temporarily removing the CBS350 interface VLAN 20 address and seeing if there is any progress.

Best regards,

Antonin
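
The mechanism amikat describes, as an added worked example that is not part of the original thread and not Cisco or Palo Alto code. The switch has an address in both VLANs, so when it answers a laptop in VLAN 20 the connected route for 192.168.20.0/24 wins over its default gateway and the reply leaves directly on VLAN 20, never crossing the firewall. The laptop still receives the SYN-ACK, but its ACK goes back through the firewall, which has a half-open session and drops the out-of-state packet; the echo reply takes the same shortcut, but ICMP is allowed by policy and needs no handshake, so ping works. The addresses, the two-SVI switch, and the simplified session-tracking rules in `StatefulFirewall` are constructed assumptions for the model, not a description of PAN-OS internals.

```python
"""Model of the asymmetric return path described in this thread.

Added example, not Cisco or Palo Alto code. Addressing is constructed:
  VLAN 10: 192.168.10.0/24, switch management SVI .2, firewall sub-interface .1
  VLAN 20: 192.168.20.0/24, laptop .50, firewall sub-interface .1,
           plus the switch's second SVI at .2 (the one amikat suggests removing)
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    kind: str    # tcp: SYN, SYN-ACK, ACK; icmp: echo, echo-reply


class Host:
    """Forwards to a directly connected subnet itself; everything else goes
    to the default gateway (the firewall). A connected route always wins."""

    def __init__(self, name, addrs):
        self.name = name
        self.ifaces = {vlan: ipaddress.ip_interface(a) for vlan, a in addrs.items()}

    def next_hop(self, dst):
        d = ipaddress.ip_address(dst)
        for vlan, iface in self.ifaces.items():
            if d in iface.network:
                return "direct", vlan
        return "via-firewall", None


class StatefulFirewall:
    """Simplified stand-in for the NGFW (an assumption, not PAN-OS behaviour
    in detail): policy permits VLAN 10 <-> VLAN 20, ICMP passes in both
    directions with no session state, and TCP is tracked per session, so an
    ACK for a handshake whose SYN-ACK the firewall never saw is out-of-state."""

    def __init__(self):
        self.tcp = {}   # (client, server) -> "SYN" | "SYN-ACK" | "ESTABLISHED"

    def forward(self, pkt):
        if pkt.proto == "icmp":
            return True
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.kind == "SYN":
            self.tcp[fwd] = "SYN"
            return True
        if pkt.kind == "SYN-ACK" and self.tcp.get(rev) == "SYN":
            self.tcp[rev] = "SYN-ACK"
            return True
        if pkt.kind == "ACK" and self.tcp.get(fwd) == "SYN-ACK":
            self.tcp[fwd] = "ESTABLISHED"
            return True
        return False   # out-of-state: dropped


def simulate(switch_has_vlan20_ip, proto):
    """Laptop in VLAN 20 talks to the switch's VLAN 10 address. Returns whether
    the exchange completed and a per-packet log of the path each packet took."""
    fw = StatefulFirewall()
    laptop = Host("laptop", {20: "192.168.20.50/24"})
    addrs = {10: "192.168.10.2/24"}
    if switch_has_vlan20_ip:
        addrs[20] = "192.168.20.2/24"
    switch = Host("switch", addrs)
    client, server = "192.168.20.50", "192.168.10.2"
    log = []

    def send(host, pkt):
        route, vlan = host.next_hop(pkt.dst)
        if route == "direct":
            log.append(f"{host.name}: {pkt.kind} sent directly on VLAN {vlan}")
            return True
        ok = fw.forward(pkt)
        log.append(f"{host.name}: {pkt.kind} via firewall -> "
                   f"{'forwarded' if ok else 'DROPPED (out-of-state)'}")
        return ok

    if proto == "icmp":
        steps = [(laptop, Packet(client, server, "icmp", "echo")),
                 (switch, Packet(server, client, "icmp", "echo-reply"))]
    else:
        steps = [(laptop, Packet(client, server, "tcp", "SYN")),
                 (switch, Packet(server, client, "tcp", "SYN-ACK")),
                 (laptop, Packet(client, server, "tcp", "ACK"))]
    success = all(send(h, p) for h, p in steps)   # stops at the first dropped packet
    return {"success": success, "log": log}


if __name__ == "__main__":
    for has_svi in (True, False):
        for proto in ("icmp", "tcp"):
            r = simulate(has_svi, proto)
            print(f"switch VLAN 20 SVI={has_svi} {proto}: {'OK' if r['success'] else 'FAILS'}")
            for line in r["log"]:
                print("   ", line)
```

Running it shows why the firewall capture in the thread sees the outbound HTTP/SSH traffic but never a reply: the switch's SYN-ACK is logged as sent directly on VLAN 20, and the laptop's following ACK is dropped at the firewall as out-of-state, while with the VLAN 20 address removed every packet traverses the firewall and the handshake completes. The practical takeaway is to give the switch a management address in one VLAN only (or make sure the firewall is not in the path between two subnets the switch is itself connected to); on the CBS350 this means removing the address under the VLAN 20 interface and confirming with `show ip route` that only the VLAN 10 connected route and the default route remain (CLI syntax assumed from the CBS350 command reference, not quoted from the thread).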

Hello amikat, thanks for your input,

I will try your suggestion when I get a chance today and update this thread with the results.

Thanks!!

Hey amikat,

This worked!! Thanks for your help!!!
