
Ping/SNMP between L2 Switch and Remote-Site over VPN

J-Blair
Level 1

Deploying an additional site to our network via site-to-site VPN and am having trouble accessing SNMP/ICMP on an L2 switch from my SolarWinds monitor at the remote site.

From SITE-A, I can access SNMP/ICMP on DEVICES connected to the L2-SWITCH in SITE-B but not the switch itself. From SITE-A, I am able to access SNMP/ICMP on the FIREWALL in SITE-B and the L3-SWITCH (as well as the SERVERS on the L3-SWITCH) in SITE-B, just not the L2-SWITCH itself. To further confuse me, I can access SNMP/ICMP on the L2-SWITCH from multiple VLANs in SITE-B, just not over the Site-to-Site.

I am a novice at anything beyond basic networking, so any help would be appreciated. Below is a diagram: 2019-03-22_161046.png

2 Accepted Solutions


Hi,

Where is default-gateway on Layer 2?

ip default-gateway 10.10.10.1

Regards,

Deepak Kumar

Hello

Your core switch looks okay providing the default 10.10.10.1 is the next hop residing on the FW?

I would suggest removing portfast on the trunks if those trunks connect to other switches.

Your L2 switch has no default-gateway or default route, so that's why this L2 switch isn't reachable from anything off its own MGT vlan, and why the core switch and any other device in vlan 10 can connect and nothing off vlan 10 can.

Kind Regards
Paul
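The check described in the answer above, as an added example (not code from the thread or from Cisco): a small Python linter that reads a running-config and reports a switch with an addressed interface but no usable default next hop, and lists trunks carrying `spanning-tree portfast trunk` for review. The function name, finding codes and abridged configs are constructed for illustration.

```python
import ipaddress
import re

# Constructed, abridged excerpts of the two configs posted in this thread.
L2_CONFIG = """\
interface GigabitEthernet1/0/1
switchport mode trunk
spanning-tree portfast trunk
!
interface Vlan10
description MGMT
ip address 10.10.10.11 255.255.255.0
!
"""
L3_CONFIG = """\
ip routing
!
interface GigabitEthernet1/0/22
switchport mode trunk
spanning-tree portfast trunk
!
interface Vlan10
ip address 10.10.10.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
"""

def audit_ios_config(text):
    """Hypothetical helper: return finding codes for one running-config."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    ip_routing = "ip routing" in lines   # exact line, so "no ip routing" is not a match
    gateway = default_route = current = None
    addressed, portfast_trunks = {}, []
    for ln in lines:
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1]
        elif ln == "!":
            current = None               # "!" ends a section even when indentation is lost
        elif m := re.fullmatch(r"ip default-gateway (\S+)", ln):
            gateway = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", ln):
            default_route = ipaddress.ip_address(m[1])
        elif current and (m := re.fullmatch(r"ip address (\S+) (\S+)", ln)):
            addressed[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif current and ln == "spanning-tree portfast trunk":
            portfast_trunks.append(current)
    # With routing off the switch acts as a host and only "ip default-gateway" applies.
    next_hop = default_route if ip_routing else gateway
    findings = []
    if addressed and next_hop is None:
        findings.append("NO_OFF_SUBNET_PATH")
    elif addressed and not any(next_hop in i.network for i in addressed.values()):
        findings.append("NEXT_HOP_NOT_ON_LINK")
    findings += [f"PORTFAST_TRUNK_REVIEW:{p}" for p in portfast_trunks]
    return findings

if __name__ == "__main__":
    print(audit_ios_config(L2_CONFIG), audit_ios_config(L3_CONFIG))
```

Appending `ip default-gateway 10.10.10.1` to the L2 excerpt clears the `NO_OFF_SUBNET_PATH` finding; the portfast entries stay listed because whether a trunk faces another switch cannot be read from the config alone.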

14 Replies

balaji.bandi
Hall of Fame

Does your L2 switch have a Management IP? Are you able to ping that IP from the NMS?

BB

L2-SWITCH does have a management IP but I am unable to ping it from NMS in SITE-A. I can ping devices plugged into L2-SWITCH from SITE-A and I can ping the L2-SWITCH from anywhere within SITE-B itself. The NMS (and everything else in SITE-A) cannot ping the L2-SWITCH that is in SITE-B, nor can the L2-SWITCH ping anything in SITE-A (including the NMS).

Sounds like a routing issue.  Is the L2 SVI subnet on a different subnet than the devices plugged into the L2 switch?  Look into whether or not the SVI (management IP) subnet is being advertised across to site A.

The SVI is on the same subnet as the devices.

So you have reachability to the connected hosts, not to the Management IP, so check the ACL and routing for the Management IP.

If there is still an issue, post the config so we can have a look.

BB

Deepak Kumar
VIP Alumni

Hi,

Could you verify some points:

1. Have you enabled the "IP Routing" command on the L2 switch? If yes, then you must remove this command.

2. Have you defined the correct "IP Default-gateway" IP on the core switch?

3. Have you created any VRF for management, or are you using the MGMT port for admin access? If yes, please share the running-config.

Regards,

Deepak Kumar

1. IP Routing is not enabled on the L2 switch.
2. IP Default-Gateway on the L3 (Core) switch points to the ASA. Traffic is routing fine. Everything in Site-B can reach itself (even across different VLANs). My only issue is that I cannot access the management interface of the L2 switch from the remote site.
3. Not using the MGMT port, the management IP is on the VLAN interface.

Hello


@J-Blair wrote:

I can access SNMP/ICMP on the L2-SWITCH from multiple VLANs in SITE-B, just not over the Site-to-Site.


Seems to suggest the switch has a default-gateway or default route; possibly look towards an access-control list or fw rule denying access?

Can you post the configs of the l2/3 switch first.

Kind Regards
Paul

J-Blair
Level 1

L3-SWITCH-CONFIG
=========
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname CORE
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret 5 ##########
enable password ##########
!
username admin secret 5 ##########
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time Pacific recurring
switch 1 provision ws-c3650-24ts
!
!
!
!
!
coap http enable
!
!
!
!
!
!
no ip source-route
ip routing
no ip gratuitous-arps
!
no ip domain-lookup
ip domain-name corp
!
!
qos queue-softmax-multiplier 100
vtp domain corp
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-177940434
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-177940434
revocation-check none
rsakeypair TP-self-signed-177940434
!
!
crypto pki certificate chain TP-self-signed-177940434
certificate self-signed 01
##########
##########
quit
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
vlan 2
name INTERNET-CIRCUIT
!
vlan 10
name SERVER-INF-OPS
!
vlan 20
name USER-VOICE
!
vlan 21
name USER-DATA
!
vlan 22
name USER-WIFI
!
vlan 30
name SERVER-DEV-QA
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/3
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/4
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/6
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
description Server-Access-Trunk-MGMT
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/13
description Server-Access-Trunk-MGMT
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/14
description Server-Access-Trunk-MGMT
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/15
description Server-Access-Trunk-VMNET
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/16
description Server-Access-Trunk-VMNET
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/17
description Server-Access-Trunk-VMNET
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/18
description Server-Access-Trunk-VMNET
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/19
description Server-Access-Trunk-VMNET
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/20
description Server-Access-Trunk-VMNET
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
description ASA-Inside
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/23
description ASA-Outside
switchport access vlan 2
switchport mode access
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/24
description Internet-Circuit
switchport access vlan 2
switchport mode access
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
!
interface Vlan1
no ip address
!
interface Vlan2
description CIRCUIT
ip address 10.10.2.10 255.255.255.0
!
interface Vlan10
description SERVER-INF-OPS
ip address 10.10.10.10 255.255.255.0
ip helper-address 10.10.10.2
!
interface Vlan20
description USER-VOICE
ip address 10.10.20.10 255.255.255.0
ip helper-address 10.10.10.2
!
interface Vlan21
description USER-DATA
ip address 10.10.21.10 255.255.255.0
ip helper-address 10.10.10.2
!
interface Vlan22
description USER-WIFI
ip address 10.10.22.10 255.255.255.0
ip helper-address 10.10.10.2
!
interface Vlan30
description SERVER-DEV-QA
ip address 10.10.30.10 255.255.255.0
ip helper-address 10.10.10.2
!
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip ssh version 2
!
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ##########
line vty 5 15
password ##########
!
ntp server time-a.nist.gov
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group
end

L2-SWITCH CONFIG
##########
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ACCESS01
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable secret 5 ##########
enable password ##########
!
username admin secret 5 ##########
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time Pacific recurring
switch 1 provision ws-c2960x-48fps-l
!
!
ip domain-name corp
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3049753216
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3049753216
revocation-check none
rsakeypair TP-self-signed-3049753216
!
!
crypto pki certificate chain TP-self-signed-3049753216
certificate self-signed 01
##########
##########
quit
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/3
description Wireless-Access-Point
switchport access vlan 22
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description Wireless-Access-Point
switchport access vlan 22
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/5
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/6
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/7
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/8
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/9
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/10
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/11
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/12
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/15
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/16
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/17
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/18
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/19
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/20
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/21
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/22
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/23
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/24
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/25
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/26
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/27
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/28
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/29
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/30
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/31
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/32
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/33
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/34
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/35
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/36
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/37
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/38
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/39
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/40
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/41
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/42
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/43
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/44
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/45
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/46
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/47
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/48
description User-Access
switchport access vlan 10
switchport voice vlan 20
spanning-tree portfast
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
no ip address
!
interface Vlan10
description MGMT
ip address 10.10.10.11 255.255.255.0
ip helper-address 10.10.10.2
!
interface Vlan20
description VOICE
no ip address
ip helper-address 10.10.10.2
!
interface Vlan21
description DATA
no ip address
ip helper-address 10.10.10.2
!
interface Vlan22
description WIFI
no ip address
ip helper-address 10.10.10.2
!
ip http server
ip http secure-server
!
ip ssh version 2
!
no vstack
!
line con 0
line vty 0 4
password ##########
line vty 5 15
password ##########
!
ntp server time-a.nist.gov
end

You need to add a route in the L2 switch for the management IP to be reachable from other networks.

If you are in the same IP range 10.10.x.x of VLAN10 you do not need a route, but if you are accessing from a different network you need to add a route.

BB


I can find some config on the L2 and L3 switches -- the user needs to confirm: are these ports connected to the Core?

L3

interface GigabitEthernet1/0/12
description Server-Access-Trunk-MGMT
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

L2

interface GigabitEthernet1/0/1
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
description User-Access-Trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

BB
