files attached, for info we have 2 3850 in stacks connected to 2 4500x.

when trying from a non working ip we get no message, not even a ping reply which does make me believe that it's a permit list of some sort but i cannot find any restriction 

debug ip ssh show no display during tries, putty terminate connection with timeout.

would it be the 4500x that block the connections attempts ?

10.99.99.2 is our internal interface for sophos firewall stack.

traceroute from working client : 

>tracert 172.16.0.12

Tracing route to 172.16.0.12 over a maximum of 30 hops

1 4 ms 6 ms 3 ms sw-4500x-01 [10.1.3.254]
2 16 ms 11 ms 18 ms 172.16.0.12

Trace complete.

from a non working client :

H:\>tracert 172.16.0.12

Tracing route to 172.16.0.12 over a maximum of 30 hops

1 <1 ms 1 ms <1 ms sw-4500x-01 10.1.3.254
2 * * * Request timed out.
3 * * * Request timed out.

i

SW-4500X-01#sh ip route 172.16.0.0
Routing entry for 172.16.0.0/16, 26 known subnets
Attached (26 connections)
Variably subnetted with 2 masks
C 172.16.0.0/24 is directly connected, Vlan1720
L 172.16.0.254/32 is directly connected, Vlan1720

will put arp in a file attached, regarding the route well it's quite straight forward :

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.3.254 10.1.3.83 266
10.1.3.0 255.255.255.0 On-link 10.1.3.83 266
10.1.3.83 255.255.255.255 On-link 10.1.3.83 266
10.1.3.255 255.255.255.255 On-link 10.1.3.83 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.3.83 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.3.83 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.1.3.254 Default
===========================================================================

the crazy part for me is it all seems to be the origin IP that cause this, as i say if i change the ip on my machine i can connect. My original statement to say no ip on 10.1.3.x work is apparently quite wrong as i found out this :

most of them having been tested by changing the ip on the same machine and doing a ping and a putty test. i almost saw a pattern at start that 2 work, 2 not work etc but this was blown later.

Nothing make sense anymore. there is no blockage on the firewall, the traffic shouldn't even go through it as far as i know unless it goes outside the network. 4500x act as our core gateway

We have a layer 2 network full of cisco meraki switches while using vlans.

as i discovered in a post above is actually worse than i thought and almost half of the range 10.1.3.x is accessing while other is not without much logic to it.

soo

i see no output whatsoever with the debug ip icmp while connected through putty while both ping -t are running

i'm starting to think the problem may be with how the ssh has been configured and/or connected to the network (management port connected to one of the meraki switch) if that make sense

Hello

 "thought and almost half of the range 10.1.3.x is accessing while other is not"

Can you confirm the subnet mask for this range for this correct on the rtr or l3 switch and it isnt mis-configured?

res

Paul