10-25-2017 05:01 AM - edited 03-08-2019 12:29 PM
Hi
I need to understand why my PC cannot connect to our Catalyst 3850 while my IP address is 10.1.3.3, but I can when it's either 10.1.3.1 or .2 (it seems that no other PC can from the network 10.1.3.x with x>2). The config was done by somebody who has left the company.
I'm rather new to IOS, so let me know if I missed anything from the config:
username admin privilege 15 password 7
no aaa new-model
switch 1 provision ws-c3850-48t
switch 2 provision ws-c3850-48t
ip ssh time-out 60
ip ssh authentication-retries 2
interface Loopback0
 ip address 172.16.0.12 255.255.255.0
 ip mtu 1500
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.16.0.254
SW-3850-01#sh version
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.01SE RELEASE SOFTWARE (fc1)
Sorry, I don't know how much is needed and how much config I cannot give to avoid trouble.
Thanks in advance
Jerome
10-25-2017 05:30 AM
debug ip ssh shows no output during the tries; PuTTY terminates the connection with a timeout.
Would it be the 4500X that blocks the connection attempts?
10-25-2017 05:45 AM
10.99.99.2 is our internal interface for the Sophos firewall stack.
Traceroute from a working client:
>tracert 172.16.0.12
Tracing route to 172.16.0.12 over a maximum of 30 hops
1 4 ms 6 ms 3 ms sw-4500x-01 [10.1.3.254]
2 16 ms 11 ms 18 ms 172.16.0.12
Trace complete.
From a non-working client:
H:\>tracert 172.16.0.12
Tracing route to 172.16.0.12 over a maximum of 30 hops
1 <1 ms 1 ms <1 ms sw-4500x-01 10.1.3.254
2 * * * Request timed out.
3 * * * Request timed out.
10-25-2017 07:51 AM
SW-4500X-01#sh ip route 172.16.0.0
Routing entry for 172.16.0.0/16, 26 known subnets
Attached (26 connections)
Variably subnetted with 2 masks
C 172.16.0.0/24 is directly connected, Vlan1720
L 172.16.0.254/32 is directly connected, Vlan1720
I will put the ARP output in an attached file; regarding the route, well, it's quite straightforward:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.3.254 10.1.3.83 266
10.1.3.0 255.255.255.0 On-link 10.1.3.83 266
10.1.3.83 255.255.255.255 On-link 10.1.3.83 266
10.1.3.255 255.255.255.255 On-link 10.1.3.83 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.3.83 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.3.83 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.1.3.254 Default
===========================================================================
The crazy part for me is that it all seems to be the origin IP that causes this; as I said, if I change the IP on my machine I can connect. My original statement that no IP on 10.1.3.x works is apparently quite wrong, as I found out this:
working | not working
--------+------------
1       | 3
2       | 4
5       | 7
6       | 9
8       | 11
10      | 12
13      | 15
14      | 17
16      | 18
19      | 83
85      | 84
86      | 87
96      | 88
94      |
Most of them have been tested by changing the IP on the same machine and doing a ping and a PuTTY test. I almost saw a pattern at the start (2 work, 2 don't work, etc.), but this was blown later.
Nothing makes sense anymore. There is no blockage on the firewall; the traffic shouldn't even go through it as far as I know, unless it goes outside the network. The 4500X acts as our core gateway.
10-25-2017 06:36 AM
Hello
In relation to your PC and this switch stack, what is the physical topology?
Are you traversing other devices before hitting the stack?
This seems to suggest an ACL or policy restriction.
res
Paul
10-25-2017 08:06 AM
We have a layer 2 network full of Cisco Meraki switches while using VLANs.
As I discovered in a post above, it is actually worse than I thought, and almost half of the range 10.1.3.x is accessing while the other half is not, without much logic to it.
10-26-2017 12:34 AM
So,
I see no output whatsoever with debug ip icmp while connected through PuTTY while both ping -t are running.
I'm starting to think the problem may be with how the SSH has been configured and/or connected to the network (management port connected to one of the Meraki switches), if that makes sense.
10-25-2017 02:24 PM
Hello
"thought and almost half of the range 10.1.3.x is accessing while other is not"
Can you confirm the subnet mask for this range is correct on the router or L3 switch and it isn't misconfigured?
res
Paul
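To check the ACL / subnet-mask hypothesis against the working vs. not-working table posted earlier, here is an added Python script (not part of the thread, not Cisco code) that searches for a single Cisco-style (address, wildcard) rule that matches every working host and no non-working host, or the reverse for a deny line; a wrong subnet mask on the VLAN interface would produce a contiguous-mask split, which is a special case of the same search. The host lists are re-typed from the table; the prefix 10.1.3. is the one from the thread.

```python
import ipaddress

# Last octets of 10.1.3.x re-typed from the thread's table (observed data).
WORKING = [1, 2, 5, 6, 8, 10, 13, 14, 16, 19, 85, 86, 94, 96]
NOT_WORKING = [3, 4, 7, 9, 11, 12, 15, 17, 18, 83, 84, 87, 88]

MASK32 = 0xFFFFFFFF


def acl_match(addr: int, base: int, wildcard: int) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    return (addr & ~wildcard & MASK32) == (base & ~wildcard & MASK32)


def find_single_rule(matched, unmatched, prefix="10.1.3."):
    """Look for one (base, wildcard) over the last octet that matches every
    host in `matched` and none in `unmatched`, trying smaller wildcards
    first. Returns dotted (base, wildcard) strings, or None if no single
    rule can separate the two sets."""
    net = int(ipaddress.IPv4Address(prefix + "0"))
    want = [net + h for h in matched]
    avoid = [net + h for h in unmatched]
    for wc in range(256):
        for base in range(256):
            b = net + base
            if all(acl_match(a, b, wc) for a in want) and not any(
                acl_match(a, b, wc) for a in avoid
            ):
                # Canonical base: clear the don't-care bits.
                return (str(ipaddress.IPv4Address(b & ~wc & MASK32)),
                        str(ipaddress.IPv4Address(wc)))
    return None


def explain_partition(working, not_working):
    """Try both one-line ACL shapes: 'permit <rule>' with the implicit deny,
    or 'deny <rule>' followed by 'permit any'. None for both means the split
    cannot come from a single address/wildcard line (or a subnet mask)."""
    return {
        "permit_rule": find_single_rule(working, not_working),
        "deny_rule": find_single_rule(not_working, working),
    }


if __name__ == "__main__":
    print(explain_partition(WORKING, NOT_WORKING))
```

With the thread's own data both searches come back empty, so the observed split is not a single ACL line or a subnet-mask mismatch, which points at a per-host cause (duplicate IPs, stale ARP or a host-based filter) rather than at the 4500X's routing.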