06-21-2007 09:57 AM - edited 03-05-2019 04:53 PM
I have a brand new 1841 running IOS 12.4.13 Advanced Security that I am planning to set up as a VPN endpoint to allow VPN connections to my LAN. I have connected it to my core switch (Cisco 3560G-48), but cannot ping the router from the switch.
I have gone through the configuration many, many times, and I can't seem to figure out what is wrong, so I am posting here.
The router is connected to the core switch via Fa0/0, which has an IP address of 10.99.1.1, mask is 255.255.255.252. The interface on the core switch is G0/44, which has an IP address of 10.99.1.2, mask is 255.255.255.252.
I can ping anywhere out on the Internet from the router, but I cannot ping the switch.
I don't believe the problem is routing as each device shows the subnet 10.99.1.0/30 connected directly via the correct interface.
I am wondering, is there something simple that I am completely missing here?
Here is the config from the 1841:
Current configuration : 3140 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cnc.1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 ***
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1213459445
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1213459445
revocation-check none
rsakeypair TP-self-signed-1213459445
!
!
crypto pki certificate chain TP-self-signed-1213459445
c9D4D7ECC
...
6F19CA
quit
username admin privilege 15 secret 5 ***
!
!
!
!
!
interface FastEthernet0/0
description Uplink to core
ip address 10.99.1.1 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet0/1
description Internet
ip address 67.105.138.xxx 255.255.255.240
speed 10
full-duplex
!
ip classless
ip route 0.0.0.0 0.0.x.x.x.138.145
ip route 10.100.0.0 255.255.0.0 10.99.1.2
ip route 192.168.100.0 255.255.255.0 10.99.1.2
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.100.0.0 0.0.255.255
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 10.99.1.0 0.0.0.4
!
!
control-plane
!
!
line con 0
password 7 ***
login
line aux 0
line vty 0 4
access-class 23 in
password 7 ***
login
transport input telnet ssh
line vty 5 15
access-class 23 in
password 7 ***
login
transport input telnet ssh
!
end
Here is the output from "sh ip route":
Gateway of last resort is 67.105.138.145 to network 0.0.0.0
67.0.0.0/28 is subnetted, 1 subnets
C 67.105.138.144 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.99.1.0/30 is directly connected, FastEthernet0/0
S 10.100.0.0/16 [1/0] via 10.99.1.2
S 192.168.100.0/24 [1/0] via 10.99.1.2
S* 0.0.0.0/0 [1/0] via 67.105.138.145
(continued in next post)
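Added example, not from the thread or from Cisco: a small Python script that applies IOS standard-ACL wildcard matching to the access-list 23 lines from the posted 1841 config (copied here as constructed input), so you can check which management sources the vty and http access-class actually admit and whether any wildcard is non-contiguous. Function names and the regex are assumptions of this example.

```python
import ipaddress
import re
# Constructed input: the three access-list 23 lines from the posted 1841 config.
ACL_TEXT = """\
access-list 23 permit 10.100.0.0 0.0.255.255
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 10.99.1.0 0.0.0.4
"""
# Standard numbered ACL entry: action, source address, optional wildcard.
ACE_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text):
    """Return (action, base, wildcard) tuples in configured order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            action, base, wildcard = m.groups()
            # IOS treats a bare address with no wildcard as a host entry.
            entries.append((action, base, wildcard or "0.0.0.0"))
    return entries

def ace_matches(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must equal the base, a 1 bit is ignored."""
    return (_to_int(addr) ^ _to_int(base)) & ~_to_int(wildcard) & 0xFFFFFFFF == 0

def acl_decision(entries, addr):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, base, wildcard in entries:
        if ace_matches(addr, base, wildcard):
            return action
    return "deny"

def wildcard_is_contiguous(wildcard):
    """True when the wildcard is a proper inverse mask, i.e. covers one CIDR block."""
    return (_to_int(wildcard) + 1) & _to_int(wildcard) == 0

def expand_ace(base, wildcard):
    """List every address an entry covers (small wildcards only)."""
    b, w = _to_int(base), _to_int(wildcard)
    free = [1 << i for i in range(32) if (w >> i) & 1]
    assert len(free) <= 8, "wildcard too wide to enumerate"
    addrs = [b & ~w & 0xFFFFFFFF]
    for bit in free:  # each don't-care bit doubles the set
        addrs += [a | bit for a in addrs]
    return [str(ipaddress.IPv4Address(a)) for a in sorted(addrs)]
```

Running `acl_decision(parse_standard_acl(ACL_TEXT), "10.99.1.2")` shows whether the switch side of the /30 is admitted by the third entry as written.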
06-21-2007 09:58 AM
Here is the interface config from the switch:
!
interface GigabitEthernet0/44
description VPN Router cnc.1841
no switchport
ip address 10.99.1.2 255.255.255.252
speed 100
duplex full
!
And here is the output of "sh ip route":
Gateway of last resort is 10.254.1.1 to network 0.0.0.0
S 172.16.0.0/16 [1/0] via 10.250.250.2
C 192.168.200.0/24 is directly connected, GigabitEthernet0/45
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
C 10.250.250.0/24 is directly connected, Vlan250
C 10.100.10.0/24 is directly connected, Vlan10
C 10.100.11.0/24 is directly connected, Vlan11
C 10.99.1.0/30 is directly connected, GigabitEthernet0/44
C 10.100.1.0/24 is directly connected, Vlan2
C 10.100.29.0/24 is directly connected, Vlan29
C 10.100.20.0/24 is directly connected, Vlan20
C 10.100.19.0/24 is directly connected, Vlan19
C 10.100.200.0/24 is directly connected, Vlan200
C 10.100.201.0/24 is directly connected, Vlan201
C 10.254.1.0/30 is directly connected, GigabitEthernet0/48
S 192.168.112.0/24 [1/0] via 192.168.200.1
C 192.168.102.0/24 is directly connected, Vlan998
C 192.168.1.0/24 is directly connected, Vlan999
C 192.168.100.0/24 is directly connected, Vlan192
S* 0.0.0.0/0 [1/0] via 10.254.1.1
I have other L3 links between this switch and other routers that are configured the exact same way (different IP subnets of course) and working fine.
Is there something there that I am not seeing?
Thanks,
Chris
06-21-2007 10:14 AM
Are you able to see each device over CDP ?
Is there any traffic going over this link ?
06-21-2007 10:25 AM
Yes, L2 appears to be up and working properly. "sh cdp neighbors" on each device lists the other one.
No, there is no traffic going over the link; the only time the link lights have flickered is when I am trying to ping each side from the other.
06-21-2007 10:29 AM
Turn debugging on ICMP with an ACL on both devices and see if the packet makes it to the other end.
Also, check the MAC address from the router and see if the switch has it on its mac-address-table.
Do the same at the router.
06-21-2007 10:32 AM
From the switch, can you ping 10.99.1.2?
Or from the router, can you ping 10.99.1.1?
Have you tried a crossover cable?
06-21-2007 10:58 AM
It's really odd.
I can ping 10.99.1.1 from the router, and I can ping 10.99.1.2 from the switch.
I did try a crossover cable as well, and couldn't get layer 1 to come up.
There are no ACLs defined on the switch, and only one ACL defined on the router, and that is only applied to control access to the vty and http interfaces.
Oddly enough, there is no mac-address in the switch's table for int G0/44. I will run upstairs and check the rtr with a console cable and verify the other side.
06-21-2007 11:04 AM
On both devices, type the following:
term mon
debug ip icmp
Ping and capture the output at each end, see if the packet makes it.
Then turn off debugging with
un all
command.
06-21-2007 11:12 AM
I agree that debug ip icmp is a good way to determine whether the ping is getting across the link.
I believe that it would also be helpful to see the results of show cdp neighbor detail from both the switch and the router. This would demonstrate layer 2 connectivity and would also be a way to make sure that the address seen in the output is the address that we believe is configured.
HTH
Rick
06-21-2007 01:54 PM
Have you checked to see what each device has as an arp entry for the other? "Show ip arp 10.99.1.x". I suspect that it will be "incomplete". Hmmm.... definitely sounds like a layer 3 issue. Since you see no ICMP traffic when you do your debug it sounds like neither device quite knows which interface to use. Try "sho ip int
06-21-2007 11:54 AM
Hi,
Your "running upstairs..." makes me think. Are the switch and router on different floors? Maybe you have not patched properly. What I mean is that the cable from the router is not really going to port 44 but going to some other port, say port 34.
Shut down the port on the router and see if port 44 goes down, or the other way. Which ports show up in "sh cdp neigh"? Of course, in case you have tested and ruled out these possibilities, just ignore this reply!!
06-21-2007 12:24 PM
Yeah, my comment about running upstairs makes it sound confusing. Actually, the router and switch are in the same room connected with a 2 ft. patch cord, but my desk is downstairs and I only have telnet access to the switch, so every time I need console access to the router I have to plug in a console cable.
When I turned on ICMP debugging on the switch and pinged the router's IP address, I saw no packets transmitted. When I pinged other random addresses, I got the 5 echo reply sent/received pairs just like I should. That makes me think the problem is with the switch.
The output of sh cdp neighbors lists the correct IP address for the router, as well as the correct local and remote interfaces.
I am going to do the same with the router now.
06-21-2007 12:49 PM
OK, the sh cdp neighbors output on both devices is correct. It lists the correct IP address, local, and remote interfaces on both devices.
I also have turned on ICMP debugging and have been pinging. Neither the switch nor the router show any packets being sent or received when I ping the other. When I ping any other valid address (on the Internet from the router or on the LAN from the switch), I see good ICMP echo packets in the debug.
As far as the mac-address table goes, there is nothing in the mac-address table on the router, and the switch does not have the router's mac-address in the table (but it does have several others as it is our working core device).
I am seriously stumped. I have a 2821 ISR that is connected the exact same way to the same switch and it has been working fine.
06-21-2007 12:51 PM
When you ping from the switch, you should observe the router side (with ICMP turned on) and see if the router is able to receive the traffic.
06-21-2007 12:57 PM
Yeah, I finally ditched my desk and am in the wiring closet with 2 laptops, one connected to the console of each device.
When I ping the router from the switch with ICMP debugging enabled on both devices, I see no packets on either device. Same when I ping the switch from the router.
The router is running 12.4(3) (c1841-advsecurity-k9), not 12.4(13) as I had originally posted. Is it possible that this is a software bug? I am fairly sure that my configuration is correct.
I have also verified on the 1841 that the firewall, IDS, NAC, and all other security services are disabled.