Solved: Re: Unable to ping Firewall after moving gateways onto Nexus

Garry Cooper · ‎03-12-2019

e are in the process of migrating to Cisco Nexus 9k. They are in and up and running and I am moving all the gateways from the 6500 to the nexus. The 6500's are running hsrp between for this network I need to move.

When I move them onto the nexus, I am unable to ping the firewall. I see the arp entry for the firewall and can ping it from the same svi. there is some intermediate switching between the 6500 and the nexus to provide layer 2 transport, and vlans are all present.

Any help would be much appreciated, as I need to move another firewall with the same setup.

Config..on both 9K's

interface Vlan994
description "NCC_VPN_Firewall"
no ip redirects
ip address 192.168.11.10/24 "different ip on other nexus"
no ipv6 redirects
ip router ospf 10 area 0.0.0.0
no ip arp gratuitous hsrp duplicate
hsrp version 2
hsrp 994
authentication md5 key-chain ******
preempt
priority 110
ip 192.168.11.1

Garry Cooper · ‎04-01-2019

Just want to update this issue I had, which is now resolved.

FIX: We enabled ospf on the inside interface of the firewall, added a few static routes for the specific networks that need access to this FW.

View solution in original post

Dennis Mink · ‎03-12-2019

So you are able to ping the fw from the nexus. Sourcing it with the vlan 994 interface of the nexus. Yet something else in vlan 994 cant ping the fw. Is this roughly the problem? And how xoes the 6500 sit in the path between fw and nexus?

Please remember to rate useful posts, by clicking on the stars below.

Garry Cooper · ‎03-12-2019

Dennis.

I can ping the FW from the same SVI vlan 994, but not from another subnet setup on the 9k.

The path between 9K and 6500 is just layer 2 switching. (there is a pair of Nexus 93108 providing layer 2 between)

Garry Cooper · ‎03-21-2019

Any Gurus out there can help??

chrihussey · ‎03-21-2019

So there is a simple L2 connection between the 6500 and Nexus. The FW is connected to the 6500 via VLAN 994 and associated SVI. You have a subnet w/ L3 SVI on the Nexus and that subnet can ping the FW interface. When you move the VLAN 994 SVI to the Nexus, you can ping the FW interface from the Nexus, but not from the other subnet? Is the FW still connected to the 6500?

Just trying to understand. It may be helpful to provide a diagram so as to avoid any confusion.

Thanks

Deepak Kumar · ‎03-21-2019

Hi,

I noticed that you have implemented OSPF on this VLAN. "ip router ospf 10 area 0.0.0.0". Is same OSPF configured on the Firewall and Neighborship is up?

Can you verify Routes on the Firewall? All routes are installed or configured correctly for another VLANs?

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Garry Cooper · ‎03-27-2019

Deepak.

THanks for the reply..

This ospf config on the 9K's was done my the install engineer, and is replicated from the 6500, this also has an network entry in the router ospf 10.

interface Vlan994
description ***NCC_VPN_Firewall***
ip address 192.168.11.10 255.255.255.0
standby 10 ip 192.168.11.1
standby 10 priority 110
standby 10 preempt

Garry Cooper · ‎04-01-2019

Just want to update this issue I had, which is now resolved.

FIX: We enabled ospf on the inside interface of the firewall, added a few static routes for the specific networks that need access to this FW.