03-26-2020 06:28 AM
Hello Familia,
I do kindly request your assistance, as I am unable to ping some remote networks from the switch.
For starters, here is the network flow:
HQ CORE SWITCH 2960X (Ph)===>HQ FIREWALL ASA5515X===>HQ CORE ROUTER===>MPLS CLOUD===>BRANCH CORE ROUTER===>BRANCH FIREWALL ASA5515X===>BRANCH CORE SWITCH 2960X
My admin powers are only on the 2 end core switches (2960X). I was developing a solution for a client, and my switches connect to his network, which he manages.
My focus, and I request yours too, is on the HQ core switch. I rolled back as below on the port connecting to the HQ firewall:
CSW-001#sh run interface TengigabitEthernet1/0/8
interface TengigabitEthernet1/0/8
description "TO HQ ASA 5515X" {192.168.52.1)
switchport access vlan 52
no cdp enable
!
CSW-001#
Additional information:
CSW-001#sh run int vl 52
interface vlan 52
name Transit_FW1_LAN
ip address 192.168.52.2 255.255.255.0
!
CSW-001#
Routing on the core switch:
ip default-gateway 192.168.52.1
ip route 10.100.0.0 /24 10.100.2.163
ip route 10.100.0.0 /24 192.168.1.132
ip route 10.100.2.128 /27 10.100.2.163
ip route 10.100.2.128 /27 192.168.1.132
ip route 10.100.2.160 /27 10.100.2.163
ip route 10.100.2.160 /27 192.168.1.132
CSW-001#
ASA 5515X firewall interface:
BNRHQ-EXT-FW1# show run | beg 0/6
interface GigabitEthernet0/6
nameif CCT_HQ
security-level 50
ip address 192.168.52.1 255.255.255.0
!
Remote subnets:
10.100.2.0 255.255.255.192
10.100.3.64 255.255.255.224
10.100.3.160 255.255.255.224
Routing done on the HQ firewall:
HQ-EXT-FW1# show run | i 10.100.
object network NETWORK_OBJ_10.100.100.0_24
subnet 10.100.100.0 255.255.255.0
object network NETWORK_OBJ_10.100.100.0_28
subnet 10.100.2.0 255.255.255.192
subnet 10.100.3.64 255.255.255.224
subnet 10.100.3.160 255.255.255.224
nat (Inside,Outside) source static DM_INLINE_NETWORK_115 DM_INLINE_NETWORK_115 destination static NETWORK_OBJ_10.100.100.0_28 NETWORK_OBJ_10.100.100.0_28 no-proxy-arp route-lookup
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.100.100.0_24 NETWORK_OBJ_10.100.100.0_24 no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_218 DM_INLINE_NETWORK_218 destination static NETWORK_OBJ_10.100.100.0_28 NETWORK_OBJ_10.100.100.0_28 no-proxy-arp route-lookup
nat (Inside,Outside) source static DM_INLINE_NETWORK_358 DM_INLINE_NETWORK_358 destination static NETWORK_OBJ_10.100.100.0_25 NETWORK_OBJ_10.100.100.0_25 no-proxy-arp route-lookup
route Branch 10.100.2.0 255.255.255.192 172.16.251.29 1
route Branch 10.100.3.64 255.255.255.224 172.16.251.29 1
route Branch 10.100.3.160 255.255.255.240 172.16.251.29 1
HQ-EXT-FW1#
From the HQ firewall I can ping the remote networks:
HQ-EXT-FW1# ping 10.100.3.163 repeat 250
Type escape sequence to abort.
Sending 250, 100-byte ICMP Echos to 10.100.3.163, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (250/250), round-trip min/avg/max = 1/3/10
HQ-EXT-FW1# ping 10.100.2.2 repeat 250
Type escape sequence to abort.
Sending 250, 100-byte ICMP Echos to 10.100.2.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (250/250), round-trip min/avg/max = 1/3/10
HQ-EXT-FW1# ping 10.100.3.68 repeat 250
Type escape sequence to abort.
Sending 250, 100-byte ICMP Echos to 10.100.2.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (250/250), round-trip min/avg/max = 1/3/10
HQ-EXT-FW1#
But from the HQ core switch that is directly connected to the firewall (next hop) I can't:
CSW-001#sh ip route address 10.100.3.163
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static,
R - RIP
S 0.0.0.0/0 [1/4] via 192.168.52.1, 00:27:07, vlan 52
CSW-001#traceroute ip 10.100.3.163
Tracing the route to 10.100.3.163 (10.100.3.163) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 * * *
2 * * *
[29~
Trace aborted.
HQS-BF-CSW-001#sh ip route address 10.100.3.163
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static,
R - RIP
S 0.0.0.0/0 [1/4] via 192.168.52.1, 00:40:10, vlan 52
CSW-001#
I can ping the firewall from the core switch:
-CSW-001#ping 192.168.52.1 count 15
Pinging 192.168.52.1 with 18 bytes of data:
18 bytes from 192.168.52.1: icmp_seq=1. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=2. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=3. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=4. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=5. time=10 ms
18 bytes from 192.168.52.1: icmp_seq=6. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=7. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=8. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=9. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=10. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=11. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=12. time=10 ms
18 bytes from 192.168.52.1: icmp_seq=13. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=14. time=0 ms
18 bytes from 192.168.52.1: icmp_seq=15. time=0 ms
----192.168.52.1 PING Statistics----
15 packets transmitted, 15 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/1/10
CSW-001#
03-26-2020 01:10 PM
Hi,
1. Ensure that the interconnect between the switch and the firewall is routed end-to-end.
2. Traceroute may not be allowed through the firewall, try using PING, but also enable ICMP inspection on the firewall
3. Maybe the firewall closest to you has some ingress or global ACL configured which does not allow traffic from the interconnect
4. Maybe the remote firewall has some ingress or global ACL configured which does not allow traffic from the interconnect
5. What is the output of "show ip route" on your switch?
Regards,
Cristian Matei.
03-27-2020 10:44 AM
Hi Cristian,
It is as below:
HQS-BF-CSW-001#sh ip route address 10.100.3.163
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static,
R - RIP
S 0.0.0.0/0 [1/4] via 192.168.52.1, 00:40:10, vlan 52
CSW-001#
03-27-2020 12:13 PM
Hi Cristian,
1. Ensure that the interconnect between the switch and the firewall is routed end-to-end. Yes, it is routed; I had given all the outputs from the switch and firewall.
2. Traceroute may not be allowed through the firewall, try using PING, but also enable ICMP inspection on the firewall
From the firewall the remote networks are pingable.
3. Maybe the firewall closest to you has some ingress or global ACL configured which does not allow traffic from the interconnect
No.
4. Maybe the remote firewall has some ingress or global ACL configured which does not allow traffic from the interconnect
No.
5. What is the output of "show ip route" on your switch?
CSW-001#traceroute ip 10.100.3.163
Tracing the route to 10.100.3.163 (10.100.3.163) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 * * *
2 * * *
[29~
Trace aborted.
HQS-BF-CSW-001#sh ip route address 10.100.3.163
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static,
R - RIP
S 0.0.0.0/0 [1/4] via 192.168.52.1, 00:40:10, vlan 52
CSW-001#
03-28-2020 02:20 AM
CSW-001#$ sh ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static,
R - RIP
S 0.0.0.0/0 [1/4] via 192.168.52.1, 67:00:06, vlan 52
C 10.100.0.0/24 is directly connected, vlan 101
C 10.100.2.128/27 is directly connected, vlan 102
C 10.100.2.160/27 is directly connected, vlan 103
C 192.168.1.128/27 is directly connected, vlan 1
C 192.168.52.0/24 is directly connected, vlan 52
CSW-001#
03-28-2020 09:47 AM
Hello @Richard Burts @balaji.bandi, please do assist on this matter. Thank you in advance.
03-30-2020 10:11 AM
Hi,
"Traceroute may not be allowed through the firewall, try using PING, but also enable ICMP inspection on the firewall
From the firewall the remote networks are pingable." It may be pingable, but your point was not with a source of the interconnect between the switch and the firewall, which may not be routed end-to-end.
Ensure both 2960X switches have their routes pointing towards the firewalls, and the firewalls have routes for the remote-side firewall-switch interconnect subnet. If those are true, it may be the firewalls that don't allow that traffic.
Regards,
Cristian Matei.
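As an added example, not part of the thread and not the poster's or Cisco's code, the script below applies longest-prefix matching to the route tables quoted earlier in this thread (the switch's "sh ip route" and the ASA's "route Branch" lines) to show, hop by hop, why a packet from the switch to 10.100.3.163 leaves via the default route toward 192.168.52.1 and which firewall route then carries it. It also runs the "routed end-to-end" check from the advice above on the HQ side: for each listed remote subnet it reports whether a firewall route covers it fully, only partially, or not at all. Note that the thread's third ASA route (10.100.3.160 with mask 255.255.255.240, a /28) is narrower than the listed remote subnet 10.100.3.160 255.255.255.224 (a /27), so hosts such as 10.100.3.180 would have no firewall route at all. The table contents are transcribed from the posts; the function names, the hop labels and the return path (which the thread never shows) are the editor's assumptions.

```python
import ipaddress

# Transcribed from the HQ core switch "sh ip route": (prefix, next hop or None if connected, interface).
SWITCH_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.52.1", "vlan 52"),
    (ipaddress.ip_network("10.100.0.0/24"), None, "vlan 101"),
    (ipaddress.ip_network("10.100.2.128/27"), None, "vlan 102"),
    (ipaddress.ip_network("10.100.2.160/27"), None, "vlan 103"),
    (ipaddress.ip_network("192.168.1.128/27"), None, "vlan 1"),
    (ipaddress.ip_network("192.168.52.0/24"), None, "vlan 52"),
]

# Transcribed from the HQ ASA "route Branch ..." lines; ipaddress accepts dotted-quad masks.
ASA_ROUTES = [
    (ipaddress.ip_network("10.100.2.0/255.255.255.192"), "172.16.251.29", "Branch"),
    (ipaddress.ip_network("10.100.3.64/255.255.255.224"), "172.16.251.29", "Branch"),
    (ipaddress.ip_network("10.100.3.160/255.255.255.240"), "172.16.251.29", "Branch"),
]

# Remote subnets exactly as listed in the first post.
REMOTE_SUBNETS = [
    ipaddress.ip_network("10.100.2.0/255.255.255.192"),
    ipaddress.ip_network("10.100.3.64/255.255.255.224"),
    ipaddress.ip_network("10.100.3.160/255.255.255.224"),
]

HQ_ASA_INSIDE = "192.168.52.1"  # switch's default gateway, the ASA's CCT_HQ interface


def lookup(routes, dest):
    """Longest-prefix match: return (network, next_hop, via) or None if no route matches."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, next_hop, via in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, via)
    return best


def forwarding_path(dest):
    """Hop-by-hop view of the outbound path: the switch's decision, then the ASA's.

    Each hop is (device, matched prefix, next hop or 'connected', interface).
    Only the devices quoted in the thread are modelled (hypothetical labels)."""
    hops = []
    sw = lookup(SWITCH_ROUTES, dest)
    if sw is None:
        return hops
    hops.append(("CSW-001", str(sw[0]), sw[1] or "connected", sw[2]))
    if sw[1] == HQ_ASA_INSIDE:  # handed to the HQ firewall, so consult its table next
        fw = lookup(ASA_ROUTES, dest)
        if fw is not None:
            hops.append(("HQ-EXT-FW1", str(fw[0]), fw[1], fw[2]))
    return hops


def check_coverage(routes, subnets):
    """For each subnet, report 'covered' (a route contains the whole subnet),
    'partial' (a route overlaps it but does not contain it) or 'missing'."""
    report = []
    for subnet in subnets:
        status, match = "missing", None
        for net, _, _ in routes:
            if subnet.subnet_of(net):
                status, match = "covered", net
                break
            if subnet.overlaps(net):
                status, match = "partial", net
        report.append((str(subnet), status, str(match) if match else None))
    return report


if __name__ == "__main__":
    for dest in ("10.100.3.163", "10.100.3.180", "10.100.2.170"):
        print(dest, "->", forwarding_path(dest) or "no route on the switch")
    for subnet, status, via in check_coverage(ASA_ROUTES, REMOTE_SUBNETS):
        print(f"{subnet:<18} {status:<8} route={via}")
```

The forwarding check only covers the outbound direction that the thread shows; the echo reply has to find its way back to 192.168.52.2 on VLAN 52, which is the point about the interconnect subnet being routed on the remote side. The coverage report is the kind of quick consistency test worth running whenever the firewall's static routes and the list of remote subnets are maintained by different teams, as they were here.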
04-06-2020 07:47 AM
Hello Cristian,
Ping and traceroute are allowed on the firewall. The issue has been resolved; the problem was with the firewall. The client has 2 firewalls that have been clustered to work as one, and one of the firewalls went into passive mode. With the client being quite protective of their network, and defensive too, it took a while to convince them to check (allow me to take a peek). All the time the burden of blame rested on me heavily, and working remotely did not make life easier.
Regards,
Anthony