Unable to SSH to stack of two 3850s

rodrigma2
Level 1

I just added vlan 777 for management but I can't access it via SSH, and I can't ping it. See attached configs of the core and the problematic switch. 

HDQ is the problem switch. 
DtnCore is the core switch that the HDQ switch connects to for WAN uplinks. 


balaji.bandi
Hall of Fame

Need some clarification:

SCPL_HDQ_3850 (does your DtnCore have this hostname?) So is this correct, what we are referring to?

SCPL_DtnCore (your HDQ config hostname)

So to validate, please confirm which switch.

From what device are you trying to SSH? What is the IP address of your device?

"I can't ping it" - what IP are you trying to ping, which one works and which one does not?

Can you post from both the devices? (Does telnet work?)

# sh ip ssh

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, the core is SCPL_DtnCore, and the problem switch is SCPL_HDQ_3850. I can ping out from the SCPL_HDQ_3850, but can't ping it, nor can I SSH into it. Right now we access SCPL_HDQ_3850 with an int vlan description Locust Union Data
ip address 10.253.10.254 255.255.255.0.

The new int vlan 777 10.18.43.17 is the one I can't ping and what I configured as a management address. Telnet and SSH don't work, as I can't ping it but I can ping out to the core and other remote sites on the 10.0.0.0 network. I'm trying to access the switch from any switch within our network 10.0.0.0. See below. Thanks. 

 

SCPL_DtnCore#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCLgWSYQ6yT1KiE6NcROfafwbQkjED3xa5WcWsrMgEq
99esEtTraeVd/+pNZ/Or+Xt5oWX/hj3qFKmJ7uCnjUbpt/bime/fhA55QX/75AVgM95OjlH4/Ih+8EOV
e1Axkvg/rVGBcZGroaULDY1aesXw3ie33Dl7JrQbGfHBmdltHw==
SCPL_DtnCore#
SCPL_DtnCore#


SCPL_HDQ_3850#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCfRlNhYGt/8xkH+E6KjpPaYTDt29dEkw2XidSZCcfc
H7gGr4kyuOTEQ/gsDpOBdh6WJbrK9Wv97qJZKZGBP7A8GXUAHsxlgS2bMI3Mc72yqByRbT7CjW7j7dvn
TTzC0LlyHdgEOj171LEzK5dUjfpH0LkNQCiOcW4H1KOT3Id8XQ==
SCPL_HDQ_3850#

Please check your vlan configuration:

DtnCore
interface Vlan777
description Management VLAN
ip address 10.18.43.17 255.255.255.248

HDQ
interface Vlan777
description Management VLAN
ip address 10.18.43.1 255.255.255.248

Those are two different networks. If you want to have both IPs in the same vlan you would need to have at least a /27 mask (255.255.255.224).

Dariusz, 

These are two separate buildings, and I want each to be in its own 777 VLAN (subnet). Hence the different numbers. I already configured other remote sites with VLAN 777 with the .248 (/29) subnets, and those are working fine and I didn't have to do anything special, they just worked because the subnet was advertised by OSPF. Thanks. 

Ok, understood.

If you cannot ping this may be something basic which was missed. Let's summarize:

  • other switches on vlan 777 are pingable (vlan config should be fine)
  • HDQ is reachable via other vlan (connectivity is fine)
  • you can ping other switches from HDQ (default gateway or even routing is fine) [however ping could be sourced from different interface]

Did you check if that vlan is up? "sh int vlan 777"

Yes to everything. 

Here is my observation based on the config provided:

On SCPL_HDQ_3850 - remove below default route

no ip default-gateway 10.254.200.1

Please confirm: are you able to build a neighborship with each other using EIGRP?

Or are you depending on the static route?

If you are using EIGRP, I do not see a network statement for your vlan 777 10.18.43.X/X (on both sides).

Post the below output:

1. show IP eigrp neigh

2. show IP route | in 10.18.43 (from both the routers)

3. traceroute 10.18.43.1 and 10.18.43.17 (and post the results)

Do you have any high-level network diagram, since you have many static routes going to different places? (Why?)

Each switch has a different static route, so they go on a different path.

 

BB


I started this job and I'm trying to fix things and make sense of this network. Here are the show commands you requested. 

SCPL_DtnCore#
SCPL_DtnCore#sh ip eig
SCPL_DtnCore#sh ip eigrp ne
SCPL_DtnCore#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(700)
EIGRP-IPv4 Neighbors for AS(500)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.192.240.1 Vl104 10 1w1d 7 100 0 607496
SCPL_DtnCore#
SCPL_DtnCore#


SCPL_DtnCore#show ip route | in 10.18.43
C 10.18.43.0/29 is directly connected, Vlan777
L 10.18.43.1/32 is directly connected, Vlan777
SCPL_DtnCore#
SCPL_DtnCore#

SCPL_DtnCore#traceroute 10.18.43.17
Type escape sequence to abort.
Tracing the route to 10.18.43.17
VRF info: (vrf in name/id, vrf out name/id)
1 10.254.255.4 0 msec 0 msec 10 msec
2 10.254.255.4 0 msec 0 msec 10 msec
3 10.254.255.4 0 msec 0 msec 0 msec
4 10.254.255.4 0 msec 10 msec 0 msec
5 10.254.255.4 10 msec 0 msec 0 msec
6 10.254.255.4 10 msec 0 msec 10 msec
7 10.254.255.4 0 msec 0 msec 10 msec
8 10.254.255.4 10 msec 0 msec 10 msec
9 10.254.255.4 0 msec 10 msec 0 msec
10 10.254.255.4 10 msec 0 msec 10 msec
11 10.254.255.4 0 msec 10 msec 0 msec
12 10.254.255.4 10 msec 10 msec 0 msec
13 10.254.255.4 10 msec 0 msec 10 msec
14 10.254.255.4 10 msec 0 msec 20 msec
15 10.254.255.4 10 msec 10 msec 10 msec
16 10.254.255.4 10 msec 0 msec 10 msec
17 10.254.255.4 10 msec 10 msec 10 msec
18 10.254.255.4 10 msec 10 msec 10 msec
19 10.254.255.4 10 msec 10 msec 0 msec
20 10.254.255.4 10 msec 10 msec 10 msec
21 10.254.255.4 0 msec 10 msec 10 msec
22 10.254.255.4 10 msec 0 msec 0 msec
23 10.254.255.4 10 msec 10 msec 10 msec
24 10.254.255.4 10 msec 10 msec 10 msec
25 10.254.255.4 10 msec 10 msec 10 msec
26 10.254.255.4 10 msec 10 msec 10 msec
27 10.254.255.4 10 msec 10 msec 10 msec
28 10.254.255.4 10 msec 10 msec 10 msec
29 10.254.255.4 10 msec 10 msec 10 msec
30 10.254.255.4 10 msec 10 msec 0 msec
SCPL_DtnCore#
SCPL_DtnCore#

 

SCPL_DtnCore#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.254.255.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.254.255.1
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, Loopback0
L 1.1.1.14/32 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 43 subnets, 8 masks
C 10.18.43.0/29 is directly connected, Vlan777
L 10.18.43.1/32 is directly connected, Vlan777
C 10.192.240.0/30 is directly connected, Vlan104
L 10.192.240.2/32 is directly connected, Vlan104
D EX 10.195.10.0/23 [170/2560000768] via 10.192.240.1, 1w1d, Vlan104
C 10.241.10.0/24 is directly connected, Vlan10
L 10.241.10.254/32 is directly connected, Vlan10
S 10.241.20.0/24 [1/0] via 10.254.241.1
S 10.241.50.0/24 [1/0] via 10.254.241.1
S 10.241.60.0/24 [1/0] via 10.254.255.1
S 10.243.10.0/24 [1/0] via 10.254.255.1
S 10.244.10.0/24 [1/0] via 10.254.255.1
S 10.245.10.0/24 [1/0] via 10.254.255.1
S 10.246.10.0/24 [1/0] via 10.254.255.1
S 10.247.10.0/24 [1/0] via 10.254.255.1
S 10.248.10.0/24 [1/0] via 10.254.255.1
S 10.249.10.0/24 [1/0] via 10.254.255.1
S 10.250.10.0/24 [1/0] via 10.254.255.1
S 10.251.10.0/24 [1/0] via 10.254.255.1
S 10.252.10.0/24 [1/0] via 10.254.255.1
S 10.253.10.0/24 [1/0] via 10.254.200.12
S 10.253.33.0/24 [1/0] via 10.254.200.12
S 10.253.212.0/24 [1/0] via 10.254.200.12
C 10.254.10.0/23 is directly connected, Vlan11
L 10.254.10.254/32 is directly connected, Vlan11
C 10.254.110.0/24 is directly connected, Vlan110
L 10.254.110.1/32 is directly connected, Vlan110
D 10.254.142.0/26 is a summary, 7w0d, Null0
C 10.254.142.0/27 is directly connected, Vlan142
L 10.254.142.1/32 is directly connected, Vlan142
C 10.254.200.0/28 is directly connected, Vlan200
L 10.254.200.1/32 is directly connected, Vlan200
C 10.254.210.0/24 is directly connected, Vlan210
L 10.254.210.1/32 is directly connected, Vlan210
C 10.254.211.0/24 is directly connected, Vlan211
L 10.254.211.1/32 is directly connected, Vlan211
C 10.254.241.0/29 is directly connected, Vlan241
L 10.254.241.2/32 is directly connected, Vlan241
C 10.254.242.0/27 is directly connected, Vlan242
L 10.254.242.1/32 is directly connected, Vlan242
S 10.254.242.64/27 [1/0] via 10.254.200.12
C 10.254.255.0/29 is directly connected, Vlan255
L 10.254.255.4/32 is directly connected, Vlan255
50.0.0.0/24 is subnetted, 1 subnets
S 50.203.49.0 [1/0] via 10.241.10.253
172.29.0.0/22 is subnetted, 1 subnets
D 172.29.4.0 [90/3072] via 10.192.240.1, 1w1d, Vlan104
172.31.0.0/16 is variably subnetted, 5 subnets, 2 masks
S 172.31.140.0/24 [1/0] via 10.241.10.248
S 172.31.140.170/32 [1/0] via 10.241.10.249
S 172.31.140.171/32 [1/0] via 10.241.10.249
S 172.31.140.172/32 [1/0] via 10.241.10.249
S 172.31.140.173/32 [1/0] via 10.241.10.249
S 192.168.253.0/24 [1/0] via 10.254.200.12
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.254.0/24 is directly connected, Vlan254
L 192.168.254.1/32 is directly connected, Vlan254
SCPL_DtnCore#


****************************************************************


SCPL_HDQ_3850#

SCPL_HDQ_3850#sh ip eigrp ne
EIGRP-IPv4 Neighbors for AS(700)
SCPL_HDQ_3850#
SCPL_HDQ_3850#
SCPL_HDQ_3850#
SCPL_HDQ_3850#sh ip route | in 10.18.43
C 10.18.43.16/29 is directly connected, Vlan777
L 10.18.43.17/32 is directly connected, Vlan777

SCPL_HDQ_3850#traceroute 10.18.43.1
Type escape sequence to abort.
Tracing the route to 10.18.43.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.254.200.1 10 msec * 0 msec
SCPL_HDQ_3850#

SCPL_HDQ_3850#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.254.200.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.254.200.1
10.0.0.0/8 is variably subnetted, 14 subnets, 5 masks
C 10.18.43.16/29 is directly connected, Vlan777
L 10.18.43.17/32 is directly connected, Vlan777
C 10.253.10.0/24 is directly connected, Vlan17
L 10.253.10.254/32 is directly connected, Vlan17
C 10.253.33.0/24 is directly connected, Vlan33
L 10.253.33.1/32 is directly connected, Vlan33
C 10.253.141.0/29 is directly connected, Vlan141
L 10.253.141.1/32 is directly connected, Vlan141
C 10.253.212.0/24 is directly connected, Vlan212
L 10.253.212.1/32 is directly connected, Vlan212
C 10.254.200.0/28 is directly connected, Vlan200
L 10.254.200.12/32 is directly connected, Vlan200
C 10.254.242.64/27 is directly connected, Vlan242
L 10.254.242.65/32 is directly connected, Vlan242
172.31.0.0/16 is variably subnetted, 3 subnets, 3 masks
S 172.31.140.0/24 [1/0] via 10.253.141.2
C 172.31.140.168/29 is directly connected, Vlan140
L 172.31.140.170/32 is directly connected, Vlan140
192.168.253.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.253.0/24 is directly connected, Vlan253
L 192.168.253.1/32 is directly connected, Vlan253
SCPL_HDQ_3850#

I was thinking perhaps adding the 10.18.43.16 subnet to IP EIGRP 700 to the DtnCore switch so it can advertise this subnet to others? 

router eigrp 700
network 10.254.10.0 0.0.1.255
network 10.254.110.0 0.0.0.255
network 10.254.142.0 0.0.0.63
network 10.254.200.0 0.0.0.15
network 10.254.210.0 0.0.0.255
network 10.254.211.0 0.0.0.255
network 10.254.242.0 0.0.0.31
network 192.168.254.0
redistribute connected
eigrp router-id 1.1.1.14
eigrp stub connected summary
no eigrp log-neighbor-warnings
!

This is the interface vlan 200 that is using the 10.254.200.1 where you mentioned removing it with the "no ip default-gateway 10.254.200.1."

SCPL_DtnCore#sh run int vlan 200
Building configuration...

Current configuration : 462 bytes
!
interface Vlan200
description Link to CENIC branch Inter-connects
ip address 10.254.200.1 255.255.255.240
ip summary-address eigrp 700 10.254.10.0 255.255.254.0
ip summary-address eigrp 700 10.254.110.0 255.255.255.0
ip summary-address eigrp 700 10.254.142.0 255.255.255.192
ip summary-address eigrp 700 10.254.200.0 255.255.255.240
ip summary-address eigrp 700 10.254.210.0 255.255.255.0
ip summary-address eigrp 700 10.254.242.0 255.255.255.224
end

SCPL_DtnCore#
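
The route lookup behind the failed ping, as an added example that is not part of any poster's reply: a longest-prefix match over a subset of the SCPL_DtnCore routes quoted above, plus a check of which SCPL_HDQ_3850 connected subnets the core can reach only through its default route. The function names `lookup` and `default_only` are illustrative; the prefixes and next hops are copied from the two `sh ip route` outputs.

```python
import ipaddress

# Subset of the SCPL_DtnCore "sh ip route" output quoted in the thread:
# (prefix, next hop or exit interface).
CORE_ROUTES = [
    ("0.0.0.0/0", "10.254.255.1"),
    ("10.18.43.0/29", "Vlan777"),
    ("10.253.10.0/24", "10.254.200.12"),
    ("10.253.33.0/24", "10.254.200.12"),
    ("10.253.212.0/24", "10.254.200.12"),
    ("10.254.200.0/28", "Vlan200"),
    ("10.254.242.64/27", "10.254.200.12"),
    ("172.31.140.0/24", "10.241.10.248"),
    ("192.168.253.0/24", "10.254.200.12"),
]

# Connected (C) subnets from the SCPL_HDQ_3850 "sh ip route" output.
HDQ_CONNECTED = [
    "10.18.43.16/29", "10.253.10.0/24", "10.253.33.0/24",
    "10.253.141.0/29", "10.253.212.0/24", "10.254.200.0/28",
    "10.254.242.64/27", "172.31.140.168/29", "192.168.253.0/24",
]


def lookup(routes, dest):
    """Longest-prefix match: return (prefix, next_hop) chosen for dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def default_only(routes, subnets):
    """Subnets not covered by any route more specific than 0.0.0.0/0."""
    specific = [ipaddress.ip_network(p) for p, _ in routes if p != "0.0.0.0/0"]
    return [s for s in subnets
            if not any(ipaddress.ip_network(s).subnet_of(n) for n in specific)]


if __name__ == "__main__":
    # 10.18.43.1 is the core's own Vlan777 address, 10.18.43.17 is HDQ's.
    for dest in ("10.18.43.1", "10.18.43.17", "10.253.10.254"):
        print(dest, "->", lookup(CORE_ROUTES, dest))
    print("default route only:", default_only(CORE_ROUTES, HDQ_CONNECTED))
```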

I suspect that there are probably multiple issues involved in this. I suggest that we address them one at a time until things are working. I suggest that the first issue to address is that the 3850 does not have any EIGRP neighbors. And so is not learning any networks that are not locally connected. I am not clear what the connectivity is and so am not sure what to suggest as the fix. Perhaps the output of show cdp neighbors might help? Or a diagram showing connectivity?

I would like to comment on this statement "This is the interface vlan 200 that is using the 10.254.200.1 where you mentioned removing it with the "no ip default-gateway 10.254.200.1". This appears to be a misunderstanding. The suggestion was not to remove the interface vlan 200 or to change it in any way. The suggestion was to remove the default-gateway command. This command is used when a switch is operating only in layer 2 mode. When ip routing is enabled (as it is in both of your switches) then the switch becomes layer 3 and the default-gateway command is ignored. It does no harm to have it in the configuration. But it does no good to have it in the configuration. So as a matter of general Good Housekeeping I support the suggestion to remove default-gateway.

HTH

Rick

Hi Richard. Understood about removing the default gateway but it doesn't hurt to have it in the config. Here are the sh cdp nei 

SCPL_DtnCore#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
Core-Switch-01 Gig 1/0/24 163 S I WS-C3850- Gig 0/0
SEP64167f51b14a Gig 3/0/33 162 H P Polycom V Port 1
SEP64167f519dbd Gig 3/0/43 151 H P Polycom V Port 1
SCPL_Dtn_Cluster.infocruz.santacruzpl.or
Ten 1/1/2 152 R S I WS-C3850- Ten 1/1/1
SCPL_Dtn_Cluster.infocruz.santacruzpl.or
Ten 2/1/2 162 R S I WS-C3850- Ten 2/1/1
SCPL_EdgeSw Gig 1/0/28 122 R S I WS-C4948E Gig 1/1
CsSDC1.cityofsantacruz.org
Ten 1/1/3 154 R S I C6880-X-L Ten 1/1/8
SCPL_HDQ_3850.infocruz.santacruzpl.org
Ten 2/1/1 174 R S I WS-C3850- Ten 1/1/1

Total cdp entries displayed : 47 //removed a bunch of VoIP phones from this
SCPL_DtnCore#

SCPL_HDQ_3850#sh cdp ne
SCPL_DtnCore.infocruz.santacruzpl.org
Ten 1/1/1 148 R S I WS-C3850- Ten 2/1/1
SCPL_HDQ_sw02.santacruzpl.org
Ten 1/1/3 151 R S I WS-C3850- Ten 1/1/2
SCPL_HDQ_sw02.santacruzpl.org
Ten 1/1/2 171 R S I WS-C3850- Ten 1/1/1
SCPL_Dtn_Cluster.infocruz.santacruzpl.or
Ten 1/1/4 139 R S I WS-C3850- Ten 1/1/4







Thank you for the output that I requested. Unfortunately it was not helpful. The output of cdp neighbor is done in terms of physical interface. But what we need is in terms of interfaces with IP addresses, which in this case are vlan interfaces. So let us take a different approach. The default route on the 3850 uses vlan 200 as its exit interface. I see that the core does have a network statement in its EIGRP 700 configuration for this subnet. But the 3850 does not have a network statement for that subnet. So I suggest that you add a network statement for 10.254.200.0 0.0.0.15 on the 3850. Make this change and let us know the results.

HTH

Rick

Got it. You mean add this to the SCPL_HDQ_3850 (not the core switch)? 
router eigrp 700
10.254.200.0 0.0.0.15  // the .15 would allow all the 15 hosts on this small subnet /28 (.240)

After I add that statement it would look like this?
router eigrp 700
network 10.195.253.0 0.0.0.3
network 10.253.10.0 0.0.0.255
network 10.253.33.0 0.0.0.255
network 10.253.212.0 0.0.0.255
network 10.254.242.64 0.0.0.31
network 10.254.200.0 0.0.0.15
network 192.168.253.0
eigrp stub connected summary
