
Cannot ping 1841 router from 3560 switch

olighec
Level 1

I have a brand new 1841 running IOS 12.4.13 Advanced Security that I am planning to set up as a VPN endpoint to allow VPN connections to my LAN. I have connected it to my core switch (Cisco 3560G-48), but cannot ping the router from the switch.

I have gone through the configuration many, many times, and I can't seem to figure out what is wrong, so I am posting here.

The router is connected to the core switch via Fa0/0, which has an IP address of 10.99.1.1, mask is 255.255.255.252. The interface on the core switch is G0/44, which has an IP address of 10.99.1.2, mask is 255.255.255.252.

I can ping anywhere out on the Internet from the router, but I cannot ping the switch.

I don't believe the problem is routing as each device shows the subnet 10.99.1.0/30 connected directly via the correct interface.

I am wondering, is there something simple that I am completely missing here?

Here is the config from the 1841:

Current configuration : 3140 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname cnc.1841

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 ***

!

no aaa new-model

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

no ip cef

!

!

!

!

!

!

!

crypto pki trustpoint TP-self-signed-1213459445

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1213459445

revocation-check none

rsakeypair TP-self-signed-1213459445

!

!

crypto pki certificate chain TP-self-signed-1213459445

c9D4D7ECC

...

6F19CA

quit

username admin privilege 15 secret 5 ***

!

!

!

!

!

interface FastEthernet0/0

description Uplink to core

ip address 10.99.1.1 255.255.255.252

speed 100

full-duplex

!

interface FastEthernet0/1

description Internet

ip address 67.105.138.xxx 255.255.255.240

speed 10

full-duplex

!

ip classless

ip route 0.0.0.0 0.0.x.x.x.138.145

ip route 10.100.0.0 255.255.0.0 10.99.1.2

ip route 192.168.100.0 255.255.255.0 10.99.1.2

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

access-list 23 permit 10.100.0.0 0.0.255.255

access-list 23 permit 192.168.100.0 0.0.0.255

access-list 23 permit 10.99.1.0 0.0.0.4

!

!

control-plane

!

!

line con 0

password 7 ***

login

line aux 0

line vty 0 4

access-class 23 in

password 7 ***

login

transport input telnet ssh

line vty 5 15

access-class 23 in

password 7 ***

login

transport input telnet ssh

!

end

Here is the output from "sh ip route":

Gateway of last resort is 67.105.138.145 to network 0.0.0.0

67.0.0.0/28 is subnetted, 1 subnets

C 67.105.138.144 is directly connected, FastEthernet0/1

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.99.1.0/30 is directly connected, FastEthernet0/0

S 10.100.0.0/16 [1/0] via 10.99.1.2

S 192.168.100.0/24 [1/0] via 10.99.1.2

S* 0.0.0.0/0 [1/0] via 67.105.138.145

(continued in next post)


olighec
Level 1

Here is the interface config from the switch:

!

interface GigabitEthernet0/44

description VPN Router cnc.1841

no switchport

ip address 10.99.1.2 255.255.255.252

speed 100

duplex full

!

And here is the output of "sh ip route":

Gateway of last resort is 10.254.1.1 to network 0.0.0.0

S 172.16.0.0/16 [1/0] via 10.250.250.2

C 192.168.200.0/24 is directly connected, GigabitEthernet0/45

10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks

C 10.250.250.0/24 is directly connected, Vlan250

C 10.100.10.0/24 is directly connected, Vlan10

C 10.100.11.0/24 is directly connected, Vlan11

C 10.99.1.0/30 is directly connected, GigabitEthernet0/44

C 10.100.1.0/24 is directly connected, Vlan2

C 10.100.29.0/24 is directly connected, Vlan29

C 10.100.20.0/24 is directly connected, Vlan20

C 10.100.19.0/24 is directly connected, Vlan19

C 10.100.200.0/24 is directly connected, Vlan200

C 10.100.201.0/24 is directly connected, Vlan201

C 10.254.1.0/30 is directly connected, GigabitEthernet0/48

S 192.168.112.0/24 [1/0] via 192.168.200.1

C 192.168.102.0/24 is directly connected, Vlan998

C 192.168.1.0/24 is directly connected, Vlan999

C 192.168.100.0/24 is directly connected, Vlan192

S* 0.0.0.0/0 [1/0] via 10.254.1.1

I have other L3 links between this switch and other routers that are configured the exact same way (different IP subnets of course) and working fine.

Is there something there that I am not seeing?

Thanks,

Chris
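Added example, not part of the original thread or the poster's configuration: a Python sketch that evaluates access-list 23 from the router configuration above with standard-ACL wildcard matching, showing which sources the "10.99.1.0 0.0.0.4" entry admits to the vty lines and the HTTP server. It assumes that entry was meant to cover the 10.99.1.0/30 link, for which the wildcard would be 0.0.0.3. The ACL is applied only to management access, so this is separate from the ping question.

```python
from ipaddress import IPv4Address

# ACL 23 exactly as posted in the 1841 configuration above.
ACL_23 = """\
access-list 23 permit 10.100.0.0 0.0.255.255
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 10.99.1.0 0.0.0.4
"""

def parse_acl(text):
    """Return [(action, base, wildcard)] with addresses as ints."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "access-list":
            entries.append((f[2], int(IPv4Address(f[3])), int(IPv4Address(f[4]))))
    return entries

def evaluate(entries, source):
    """First match wins; a standard ACL ends with an implicit deny."""
    src = int(IPv4Address(source))
    for action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bit 0 means "must match"
        if (src & care) == (base & care):
            return action
    return "deny"

def is_contiguous(wildcard):
    """True if the wildcard is the inverse of a subnet mask (0, 1, 3, 7, ...)."""
    w = int(IPv4Address(wildcard))
    return (w & (w + 1)) == 0

def matched_addresses(base, wildcard, limit=12):
    """List every address one entry matches (small wildcards only)."""
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    bits = [i for i in range(32) if (w >> i) & 1]
    if len(bits) > limit:
        raise ValueError("too many wildcard bits to enumerate")
    fixed = b & ~w & 0xFFFFFFFF
    found = []
    for combo in range(1 << len(bits)):
        value = fixed
        for n, bit in enumerate(bits):
            if (combo >> n) & 1:
                value |= 1 << bit
        found.append(value)
    return [str(IPv4Address(v)) for v in sorted(found)]

if __name__ == "__main__":
    acl = parse_acl(ACL_23)
    for src in ("10.99.1.1", "10.99.1.2", "10.99.1.4", "10.100.10.5"):
        print(src, evaluate(acl, src))
    print(matched_addresses("10.99.1.0", "0.0.0.4"), is_contiguous("0.0.0.4"))
```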

Are you able to see each device over CDP ?

Is there any traffic going over this link ?

Yes, L2 appears to be up and working properly. "sh cdp neighbors" on each device lists the other one.

No, there is no traffic going over the link, the only time the link lights have flickered is when I am trying to ping each side from the other.

Turn debugging on ICMP with an ACL on both devices and see if the packet makes it to the other end.

Also, check the MAC address from the router and see if the switch has it on its mac-address-table.

Do the same at the router.

From the switch, can you ping 10.99.1.2?

Or from the router, can you ping 10.99.1.1?

Have you tried a crossover cable?

It's really odd.

I can ping 10.99.1.1 from the router, and I can ping 10.99.1.2 from the switch.

I did try a crossover cable as well, and couldn't get layer 1 to come up.

There are no ACLs defined on the switch, and only one ACL defined on the router, and that is only applied to control access to the vty and http interfaces.

Oddly enough, there is no mac-address in the switch's table for int G0/44. I will run upstairs and check the rtr with a console cable and verify the other side.

On both devices, type the following:

term mon

debug ip icmp

Ping and capture the output at each end, see if the packet makes it.

Then turn off debugging with

un all

command.

I agree that debug ip icmp is a good way to determine whether the ping is getting across the link.

I believe that it would also be helpful to see the results of show cdp neighbor detail from both the switch and the router. This would demonstrate layer 2 connectivity and would also be a way to make sure that the address seen in the output is the address that we believe is configured.

HTH

Rick


Have you checked to see what each device has as an arp entry for the other? "Show ip arp 10.99.1.x". I suspect that it will be "incomplete". Hmmm.... definitely sounds like a layer 3 issue. Since you see no ICMP traffic when you do your debug it sounds like neither device quite knows which interface to use. Try "sho ip int " on both the router and the switch and see if that tells you anything. I assume that when you "show interface" they both show up/up?

vinayrajkp
Level 1

Hi,

Your "running upstairs.." makes me think. Are the switch and router on different floors? Maybe you have not patched properly. What I mean is that the cable from the router is not really going to port 44 but going to some other port, say port 34.

Shut down the port on the router and see if port 44 goes down, or the other way. Which ports show up in "sh cdp neigh"? Of course, in case you have tested and ruled out these possibilities, just ignore this reply!!

Yeah, my comment about running upstairs makes it sound confusing. Actually, the router and switch are in the same room connected with a 2 ft. patch cord, but my desk is downstairs and I only have telnet access to the switch, so every time I need console access to the router I have to plug in a console cable.

When I turned on ICMP debugging on the switch and pinged the router's IP address, I saw no packets transmitted. When I pinged other random addresses, I got the 5 echo reply sent/received pairs just like I should. That makes me think the problem is with the switch.

The output of sh cdp neighbors lists the correct IP address for the router, as well as the correct local and remote interfaces.

I am going to do the same with the router now.

OK, the sh cdp neighbors output on both devices is correct. It lists the correct IP address, local, and remote interfaces on both devices.

I also have turned on ICMP debugging and have been pinging. Neither the switch nor the router show any packets being sent or received when I ping the other. When I ping any other valid address (on the Internet from the router or on the LAN from the switch), I see good ICMP echo packets in the debug.

As far as the mac-address table goes, there is nothing in the mac-address table on the router, and the switch does not have the router's mac-address in the table (but it does have several others as it is our working core device).

I am seriously stumped. I have a 2821 ISR that is connected the exact same way to the same switch and it has been working fine.

When you ping from the switch, you should observe the router side (with ICMP turned on) and see if the router is able to receive the traffic.

Yeah, I finally ditched my desk and am in the wiring closet with 2 laptops, one connected to the console of each device.

When I ping the router from the switch with ICMP debugging enabled on both devices, I see no packets on either device. Same when I ping the switch from the router.

The router is running 12.4(3) (c1841-advsecurity-k9), not 12.4(13) as I had originally posted. Is it possible that this is a software bug? I am fairly sure that my configuration is correct.

I have also verified on the 1841 that the firewall, IDS, NAC, and all other security services are disabled.
