Unable to ping the VLAN ip from the PC

Gregory Forster · ‎05-16-2020

Hello,

I am using a Cisco SG250-26 switch and I have 2 VLANs on the switch. VLAN 1 and VLAN 3. VLAN 1 interface is 10.0.0.253/24 and VLAN 3 interface is 10.0.78.2/24. I have a host that has an IP address of 10.0.78.45/24. The problem I am having is that I am not able to ping the VLAN interface IP even if I assign the default gateway to 10.0.78.2. The Port that the host is connected to is assigned to VLAN 3. Now I have a Palo Alto firewall that has an IP address of 10.0.78.1/24 connected to a port on the same switch that is assigned to VLAN 3 and I am able to ping the VLAN interface on the switch with no errors.

I can't for the life of me figure out why this is not working. Has anyone ever run into the same issue?

Please help

Greg

Gregory Forster · ‎05-16-2020

Just an update to this. I am seeing arp from the host on the switch when I ping the VLAN interface.

JELA · ‎05-16-2020

Hello,

Just a quick recap of the situation.

There are 3 devices on VLAN 3:

The switch gateway (10.0.78.2/24)
A computer (10.0.78.45/24)
A firewall (10.0.78.1/24)

Theses flows are properly working:

ICMP between firewall and switch

Could you please perform the following checks (in order):

If there is any firewall active on the computer side (and disable it if existing)?
What is the netmask configured on the computer side?
If you are able to ping of the palo alto firewall
Display the ARP table on the computer and check :
- If you can see the MAC address of the switch
- If you can see the MAC address of the firewall

Gregory Forster · ‎05-16-2020

Jela,

Please see my answers highlited below

Could you please perform the following checks (in order):

If there is any firewall active on the computer side (and disable it if existing)? The firewall is disabled.
What is the netmask configured on the computer side?255.255.255.0 or /24
If you are able to ping of the palo alto firewall? No I am not able to ping the Palo Alto firewall
Display the ARP table on the computer and check :
- If you can see the MAC address of the switch - No
- If you can see the MAC address of the firewall - No

JELA · ‎05-16-2020

It seems that there is a connectivity issue on host side.

Can you provide an ouput of the switch configuration and highligh the port connected to the host.

Gregory Forster · ‎05-16-2020

Jela

To get you that info I need to get SSH configured and I am not able to. Unfortunately this switch is at a remote location with no ability to get console access.

Gregory Forster · ‎05-16-2020

Jela,

I was able to get the running config. I have pasted it here.

config-file-header
switch4c717e
v2.5.0.83 / RTESLA2.5_930_364_091
CLI v1.0
file SSD indicator excluded
@
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 2-3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switch4c717e
username gforster-tech password encrypted b2e4ec7ed4fb3ba6e4d7b8aa15e3f61cd7ed0059 privilege 15
ip ssh-client source-interface vlan 1
ip ssh password-auth
ip ssh-client username gforster-tech
!
ip ssh-client server authentication
!
interface vlan 1
ip address 10.0.0.253 255.255.255.0
no ip address dhcp
!
interface vlan 2
name Int_Server
!
interface vlan 3
name DMZ
ip address 10.0.78.2 255.255.255.0
!
interface GigabitEthernet22
switchport access vlan 3
!
interface GigabitEthernet23
switchport access vlan 3
!
interface GigabitEthernet24
switchport access vlan 3
!
exit
macro auto processing type host enabled
macro auto processing type ip_phone disabled
macro auto processing type ip_phone_desktop disabled
macro auto processing type ap disabled
ip default-gateway 10.0.0.2

JELA · ‎05-17-2020

Thank you for the update.

I don't see anything strange in the configuration (I was looking for protocols like arp inspection that could have explained such behavior), I've also checkes the release notes looking for issue on 2.5.0.83 without success.

As behavior seems conform on SW (it is able to display MAC address of the host) and FW (it is able to ping switch), I suggest you have a closer look on the host side:

Is the host physical or logical?
Do you have multiple NIC on the host?
Could you check if you see any errors / drops on the interface statistics?
Is it possible to install Wireshark on host side and perform a packet capture during Ping?

Is it also possible to isolate a physical issue by:

Using another port / wire
Using another host

+

Gregory Forster · ‎05-17-2020

Jela,

Please see the answers highlited below.

Is the host physical or logical? This is a virtual machine.
Do you have multiple NIC on the host? the VM only has 1 NIC, but the Host the VM is on has multiple NICs
Could you check if you see any errors / drops on the interface statistics? I do not see any errors or drops on the interface.
Is it possible to install Wireshark on host side and perform a packet capture during Ping? I will run wireshark and get the results.

Is it also possible to isolate a physical issue by:

Using another port / wire? We have a second VM on a different Host assigned to the same VLAN and it is the same issue.
Using another host? Same answer as above.

paul driver · ‎05-17-2020

Hello

You need to make sure IP ROUTING is enable on the switch to allow inter-vlan communication

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Gregory Forster · ‎05-17-2020

Paul,

IP Routing is enabled on the switch. I have verified that numerous times as well.

JELA · ‎05-17-2020

If this machine is virtual and other virtual devices has the same issue, I also suggest the following:

Is PING working between virtual hosts? are they on the same hypervisor?
Check physical connectivity between hypervisor and switch
Check if VLAN 3 is properly configured on vswitch
Check if there is mac address is unique on both VM

Gregory Forster · ‎05-17-2020

Jela,

Please see the answers below in red

Is PING working between virtual hosts? are they on the same hypervisor? I am not able to ping the other VM on the other Host, even though they are both on the same VLAN 3
Check physical connectivity between hypervisor and switch: It is VMWare and the other VMs on VLAN 1 are not having any issues. They can ping the the VLAN 1 interface on the switch, and they can ping between each other with no issues. So to say VLAN 1 is fine, but VLAN 3 is not for some reason.
Check if VLAN 3 is properly configured on vswitch: We check this numerous times and VLAN 3 is configured correctly on the vswitch in VSphere.
Check if there is mac address is unique on both VM: The mac addresses are unique for each VM we have verified that as well. Again I am getting ARP and MAC addresses on the switch, but the VM says it can't connect to the VLAN 3 interface.

P.S. I have no way of getting wireshark in the VM at this time because the VM does not have internet access, due to the fact that it can't reach VLAN 3 on the switch.

Richard Burts · ‎05-17-2020

I am interested in the statement of the original poster that they are seeing ARP. If ARP is successful it demonstrates layer 2 connectivity. Would the original poster check the client and tell us if the client has an arp entry for the vlan interface? And check whether the switch has an entry for the client?

HTH

Rick

Gregory Forster · ‎05-17-2020

Richard,

I was asked this question yesterday by Jela. No I am not seeing ARP from the switch on the client. When I run the command arp -a on the client VM it only shows local arp.