I have two Windows devices, both connected to the same switch and on the same VLAN. The SVI for the VLAN exists on the firewall. From the firewall (and from other places, in fact) I can ping one of the devices but not the other. The two devices' switch ports are configured for the same VLAN and I have confirmed they are identical by comparing their configurations using Notepad++. The ARP table on the firewall shows the IP address of the one that won't ping, on the correct interface and corresponding with the correct MAC address of the device, but it won't ping and we can't connect to its database from its client, whereas we can connect to the other one.
Any ideas why this might be? I have been racking my brains and I really can't think of any reason for it.
Thanks in advance
The PCs DON'T require any routing, so the FW isn't consulted; as long as they share the same subnet they should be able to reach each other.
Disable any software firewall on the Windows host and test again:
netsh advfirewall set allprofiles state off
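As an added example (not from the thread, and not Microsoft's or Cisco's own code): rather than switching the Windows firewall off entirely, the PowerShell below shows which profile Windows has assigned to each interface (firewall rules are evaluated per profile, and the Public/Private choice comes from network location awareness, not from whether the address is in an RFC 1918 range), lists the inbound rules that cover ICMPv4 echo, enables them on every profile, and then tests the path from the host itself. `$PeerIp` is an assumed address for a reachable peer on the same subnet; run it from an elevated prompt.

```powershell
# Added example: diagnose and fix a host that will not answer ping without disabling
# the firewall. $PeerIp is an assumption (a peer or gateway on the same subnet).
param(
    [string]$PeerIp = '10.10.43.1'
)

# 1. Which profile did network location awareness assign to each interface?
#    A host on a 10.x.x.x subnet can still sit on the Public profile.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. Per-profile state and default inbound action (Block means ping is dropped
#    unless an allow rule matches on that profile).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 3. Inbound rules whose port filter is ICMPv4 type 8 (echo request). The built-in
#    "File and Printer Sharing (Echo Request - ICMPv4-In)" rules normally match here.
$echoRules = Get-NetFirewallRule -Direction Inbound | Where-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    $filter.Protocol -eq 'ICMPv4' -and $filter.IcmpType -match '^8(:|$)'
}
$echoRules | Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize

# 4. Allow echo requests on all profiles. If no built-in rule exists, add one narrow
#    rule for ICMPv4 type 8 instead of turning the firewall off.
if ($echoRules) {
    $echoRules | Set-NetFirewallRule -Enabled True -Profile Any -Action Allow
} else {
    New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request (all profiles)' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Any
}

# 5. Confirm the host can reach its peer; -Quiet returns $true or $false.
Test-Connection -ComputerName $PeerIp -Count 2 -Quiet
```

If step 1 shows the interface on the Public profile and the network is not domain-joined, `Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private` moves it to Private, but allowing echo on all profiles is the change that survives the host being re-profiled later.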
Thanks for your replies, folks. You've all said what I thought: that there should be no reason, from a networking perspective, why they shouldn't communicate. They have just been migrated from VLAN 1 to a new VLAN; they worked fine on VLAN 1, and some of these devices work on the new VLAN and some don't. We even have two on one particular switch, one of which works and the other doesn't. It has to be down to something in the PCs themselves, such as a firewall, static routes or maybe static ARP entries. Having said that, I checked one of them yesterday, a Linux device, and its IP config was correct, its firewall was disabled and there were no static routes. We will move them back to VLAN 1 for now and investigate further another time.
They have just been migrated from VLAN1 to a new vlan and they worked fine on vlan 1 and some of these devices work on the new vlan and some don't
This makes me think it may be an ARP issue; clear the ARP when they move to a different VLAN (if the VLAN is on the same switch).
Linux device, and its ip config was correct, its firewall was disabled and there were no static routes.
It may be worth noting the MAC address of the device and checking what ARP entry the switch has for it.
I hope you are trying to communicate within the same subnet? If the subnets are different, you need routing to be in place.
By the way, you did not give full information here: what is the device? What IOS code? Are all devices connected to the same switch, or to different network switches?
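The MAC/ARP check suggested above, as an added example (not from the thread): the PowerShell below parses a gateway's `show ip arp` output and a switch's `show mac address-table` output and reports, per host, the port its MAC was learned on and whether that MAC sits in the VLAN the hosts were migrated to. Both inputs are constructed samples in Cisco IOS format, and `$ExpectedVlan` is an assumption; on a real network paste the two show outputs in their place. The point it makes is that an ARP entry on the gateway is not proof the host is reachable now: IOS keeps dynamic ARP entries for 4 hours by default, so a stale entry can survive a VLAN move or a host that has gone silent.

```powershell
# Added example: correlate gateway ARP entries with the switch MAC table after a VLAN move.
# Inputs are constructed samples in IOS format; $ExpectedVlan is an assumption.
$ExpectedVlan = 43

$arpOutput = @'
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.43.1              -   0000.0c9f.f043  ARPA   Vlan43
Internet  10.10.43.21             3   0011.2233.4455  ARPA   Vlan43
Internet  10.10.43.22             7   0011.2233.4466  ARPA   Vlan43
Internet  10.10.43.23            12   0011.2233.4477  ARPA   Vlan43
'@

$macOutput = @'
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  43    0011.2233.4455    DYNAMIC     Gi0/1
   1    0011.2233.4466    DYNAMIC     Gi0/2
'@

# Parse "show ip arp" rows into IP, age, MAC and interface objects.
function ConvertFrom-IosArp {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)') {
            [pscustomobject]@{ Ip = $Matches[1]; Age = $Matches[2]; Mac = $Matches[3].ToLower(); Interface = $Matches[4] }
        }
    }
}

# Parse "show mac address-table" rows into VLAN, MAC and port objects.
function ConvertFrom-IosMacTable {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)') {
            [pscustomobject]@{ Vlan = [int]$Matches[1]; Mac = $Matches[2].ToLower(); Port = $Matches[3] }
        }
    }
}

# Index the MAC table by address, then walk the ARP table (skipping the SVI's own
# entry, whose age is "-") and classify each host.
$macByAddr = @{}
foreach ($m in ConvertFrom-IosMacTable $macOutput) { $macByAddr[$m.Mac] = $m }

$report = foreach ($a in ConvertFrom-IosArp $arpOutput | Where-Object Age -ne '-') {
    $learned = $macByAddr[$a.Mac]
    $status = if (-not $learned) { 'MAC not learned on switch (host silent, or on another switch)' }
              elseif ($learned.Vlan -ne $ExpectedVlan) { "learned in VLAN $($learned.Vlan), expected $ExpectedVlan" }
              else { 'ok' }
    [pscustomobject]@{ Ip = $a.Ip; Mac = $a.Mac; Port = $learned.Port; Status = $status }
}
$report | Format-Table -AutoSize
```

With the sample data this reports 10.10.43.21 as ok on Gi0/1, 10.10.43.22 as learned in VLAN 1 (the old VLAN) on Gi0/2, and 10.10.43.23 as not learned at all, even though the gateway holds an ARP entry for every one of them. `clear ip arp` on the gateway and `clear mac address-table dynamic` on the switch, then repeating the check, separates stale state from a genuine host-side problem.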
This turned out to be, as expected, a firewall on the device blocking incoming pings. Strangely, though, the firewall was set to off for private networks and on for public, and we were pinging from a 10.x.x.x IP address, so it should have been allowed, being a private address. Evidently Microsoft thinks that particular 10.x.x.x subnet is public.
I now have a similar issue on some other devices as follows:
There are several devices on a particular subnet, let's say 10.10.43.0/24, connected to the same switch, and they can communicate with each other fine.
From outside the VLAN, and within it, we can ping two of them but not the others. This is the case even when pinging from the firewall where the VLAN SVI exists, thus on the same subnet and not subject to firewall rules.
The ARP table on the firewall (the VLAN gateway) shows the IP addresses all associated with the correct MAC addresses.
We do have network access control (Cisco ISE) in place, but I can see that all the devices are authorised.
An engineer from the supporting company took the devices off our network, plugged them into a standalone switch, along with his laptop, and was able to ping all of them with no problem.
I think there must be something on the non-pinging devices, i.e. a firewall, blocking it, but if that is the case I would also expect it to be blocked when on the standalone switch. These devices are, so I am told, running Windows CE, and nobody has access to the operating system to do any checks or make changes.
I really cannot think of any network related reason why they won't ping, other than firewall. Does anyone have any other ideas?
I have found that these problem devices are running "industrial protocol" as opposed to standard IP. Does anyone know anything about industrial protocol, particularly in terms of it running on Cisco switches? Is there any issue with compatibility? This particular switch is a Cisco 3560CX running software version 15.2(7)E5. It was upgraded to this version a few months ago, which may coincide with when these devices stopped communicating correctly. I'm thinking it could be that the earlier version of the software allowed industrial protocol but the new version is incompatible. Any thoughts from anyone?
I am not familiar with industrial protocol, but I did find this link which discusses Cisco support for it. I hope this is helpful.
"Cisco Systems, Inc.
The Common Industrial Protocol (CIP) is an industrial protocol for industrial automation applications. It is supported by Open DeviceNet Vendors Association (ODVA), an organization that supports network technologies based upon CIP such as DeviceNet, EtherNet/IP, CIP Safety and CIP Sync".
"Industrial protocols are real-time communications protocols, developed to interconnect the systems, interfaces, and instruments that make up an industrial control system".
"CIP, the Common Industrial Protocol, is a mechanism for organizing and sharing data in industrial devices. CIP is the core technology behind CompoNet, EtherNet/IP, DeviceNet and ControlNet. CIP provides both a common data organization and a common messaging to solve various kinds of manufacturing application problems".
Release Notes for Cisco IOS Release 15.2(7)E5
First Published: September 16, 2021
Cisco IOS Release 15.2(7)E5 runs on these platforms:
■ Cisco 2500 Series Connected Grid Switches (CGS2520)
■ Cisco Connected Grid Ethernet Switch Module (CGR2010 ESM)
■ Cisco Embedded Service 2020 Series Switches (ESS2020)
■ Cisco Industrial Ethernet 2000 Series Switches (IE2000)
■ Cisco Industrial Ethernet 2000U Series Switches (IE2000U)
■ Cisco Industrial Ethernet 3000 Series Switches (IE3000)
■ Cisco Industrial Ethernet 3010 Series Switches (IE3010)
■ Cisco Industrial Ethernet 4000 Series Switches (IE4000)
■ Cisco Industrial Ethernet 4010 Series Switches (IE4010)
■ Cisco Industrial Ethernet 5000 Series Switches (IE5000)