Cisco Support Community
Community Member

Cannot ping 1841 router from 3560 switch

I have a brand new 1841 running IOS 12.4.13 Advanced Security that I am planning to set up as a VPN endpoint to allow VPN connections to my LAN. I have connected it to my core switch (Cisco 3560G-48), but cannot ping the router from the switch.

I have gone through the configuration many, many times, and I can't seem to figure out what is wrong, so I am posting here.

The router is connected to the core switch via Fa0/0, which has an IP address of 10.99.1.1, mask is 255.255.255.252. The interface on the core switch is G0/44, which has an IP address of 10.99.1.2, mask is 255.255.255.252.

I can ping anywhere out on the Internet from the router, but I cannot ping the switch.

I don't believe the problem is routing as each device shows the subnet 10.99.1.0/30 connected directly via the correct interface.

I am wondering, is there something simple that I am completely missing here?

Here is the config from the 1841:

Current configuration : 3140 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname cnc.1841

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 ***

!

no aaa new-model

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

no ip cef

!

!

!

!

!

!

!

crypto pki trustpoint TP-self-signed-1213459445

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1213459445

revocation-check none

rsakeypair TP-self-signed-1213459445

!

!

crypto pki certificate chain TP-self-signed-1213459445

c9D4D7ECC

...

6F19CA

quit

username admin privilege 15 secret 5 ***

!

!

!

!

!

interface FastEthernet0/0

description Uplink to core

ip address 10.99.1.1 255.255.255.252

speed 100

full-duplex

!

interface FastEthernet0/1

description Internet

ip address 67.105.138.xxx 255.255.255.240

speed 10

full-duplex

!

ip classless

ip route 0.0.0.0 0.0.x.x.x.138.145

ip route 10.100.0.0 255.255.0.0 10.99.1.2

ip route 192.168.100.0 255.255.255.0 10.99.1.2

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

access-list 23 permit 10.100.0.0 0.0.255.255

access-list 23 permit 192.168.100.0 0.0.0.255

access-list 23 permit 10.99.1.0 0.0.0.4

!

!

control-plane

!

!

line con 0

password 7 ***

login

line aux 0

line vty 0 4

access-class 23 in

password 7 ***

login

transport input telnet ssh

line vty 5 15

access-class 23 in

password 7 ***

login

transport input telnet ssh

!

end

Here is the output from "sh ip route":

Gateway of last resort is 67.105.138.145 to network 0.0.0.0

67.0.0.0/28 is subnetted, 1 subnets

C 67.105.138.144 is directly connected, FastEthernet0/1

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.99.1.0/30 is directly connected, FastEthernet0/0

S 10.100.0.0/16 [1/0] via 10.99.1.2

S 192.168.100.0/24 [1/0] via 10.99.1.2

S* 0.0.0.0/0 [1/0] via 67.105.138.145

(continued in next post)

46 REPLIES
Community Member

Re: Cannot ping 1841 router from 3560 switch

Here is the interface config from the switch:

!

interface GigabitEthernet0/44

description VPN Router cnc.1841

no switchport

ip address 10.99.1.2 255.255.255.252

speed 100

duplex full

!

And here is the output of "sh ip route":

Gateway of last resort is 10.254.1.1 to network 0.0.0.0

S 172.16.0.0/16 [1/0] via 10.250.250.2

C 192.168.200.0/24 is directly connected, GigabitEthernet0/45

10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks

C 10.250.250.0/24 is directly connected, Vlan250

C 10.100.10.0/24 is directly connected, Vlan10

C 10.100.11.0/24 is directly connected, Vlan11

C 10.99.1.0/30 is directly connected, GigabitEthernet0/44

C 10.100.1.0/24 is directly connected, Vlan2

C 10.100.29.0/24 is directly connected, Vlan29

C 10.100.20.0/24 is directly connected, Vlan20

C 10.100.19.0/24 is directly connected, Vlan19

C 10.100.200.0/24 is directly connected, Vlan200

C 10.100.201.0/24 is directly connected, Vlan201

C 10.254.1.0/30 is directly connected, GigabitEthernet0/48

S 192.168.112.0/24 [1/0] via 192.168.200.1

C 192.168.102.0/24 is directly connected, Vlan998

C 192.168.1.0/24 is directly connected, Vlan999

C 192.168.100.0/24 is directly connected, Vlan192

S* 0.0.0.0/0 [1/0] via 10.254.1.1

I have other L3 links between this switch and other routers that are configured the exact same way (different IP subnets of course) and working fine.

Is there something there that I am not seeing?

Thanks,

Chris

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

Are you able to see each device over CDP ?

Is there any traffic going over this link ?

Community Member

Re: Cannot ping 1841 router from 3560 switch

Yes, L2 appears to be up and working properly. "sh cdp neighbors" on each device lists the other one.

No, there is no traffic going over the link; the only time the link lights have flickered is when I am trying to ping each side from the other.

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

Turn debugging on ICMP with an ACL on both devices and see if the packet makes it to the other end.

Also, check the MAC address from the router and see if the switch has it on its mac-address-table.

Do the same at the router.

Gold

Re: Cannot ping 1841 router from 3560 switch

From the switch, can you ping 10.99.1.2?

Or from the router, can you ping 10.99.1.1?

Have you tried a crossover cable?

Community Member

Re: Cannot ping 1841 router from 3560 switch

It's really odd.

I can ping 10.99.1.1 from the router, and I can ping 10.99.1.2 from the switch.

I did try a crossover cable as well, and couldn't get layer 1 to come up.

There are no ACLs defined on the switch, and only one ACL defined on the router, and that is only applied to control access to the vty and http interfaces.

Oddly enough, there is no mac-address in the switch's table for int G0/44. I will run upstairs and check the rtr with a console cable and verify the other side.
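Added example, not part of the original thread: a short Python check of how IOS evaluates the wildcard masks in ACL 23 from the posted 1841 configuration, the ACL applied to the vty lines and the HTTP server. The function names are made up for this example, the ACL lines are copied from the configuration above, and 10.100.10.5 is a constructed sample host.

```python
import ipaddress

# ACL 23 copied from the 1841 configuration posted in this thread.
ACL_23 = """\
access-list 23 permit 10.100.0.0 0.0.255.255
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 10.99.1.0 0.0.0.4
"""

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text):
    """Parse 'access-list <n> <action> <address> <wildcard>' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list":
            entries.append((parts[2], to_int(parts[3]), to_int(parts[4]), line.strip()))
    return entries


def acl_decision(entries, source):
    """First match wins. A 1 bit in the wildcard means 'ignore this bit'."""
    src = to_int(source)
    for action, base, wildcard, raw in entries:
        care = ~wildcard & MASK32
        if src & care == base & care:
            return action, raw
    return "deny", "implicit deny"  # every IOS ACL ends with an implicit deny


def is_contiguous(wildcard):
    """True when the wildcard is an inverted subnet mask (binary 0...01...1)."""
    return wildcard & (wildcard + 1) == 0


def matched_addresses(base, wildcard):
    """List every address an entry matches (intended for small wildcards)."""
    bits = [1 << i for i in range(32) if (wildcard >> i) & 1]
    fixed = base & ~wildcard & MASK32
    found = []
    for combo in range(2 ** len(bits)):
        value = fixed
        for i, bit in enumerate(bits):
            if (combo >> i) & 1:
                value |= bit
        found.append(str(ipaddress.IPv4Address(value)))
    return found


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_23)
    for action, base, wildcard, raw in acl:
        if not is_contiguous(wildcard):
            print("non-contiguous wildcard:", raw, "->", matched_addresses(base, wildcard))
    # Link addresses from the thread plus one constructed LAN host.
    for src in ("10.99.1.1", "10.99.1.2", "10.100.10.5"):
        print(src, acl_decision(acl, src))
```

The third entry's wildcard 0.0.0.4 matches only 10.99.1.0 and 10.99.1.4, so Telnet, SSH or HTTP sessions sourced from the switch's link address 10.99.1.2 fall through to the implicit deny; a wildcard of 0.0.0.3 is the one that covers the /30. An `access-class` on the vty lines filters management sessions only and does not filter ICMP echo.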

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

On both devices, type the following:

term mon

debug ip icmp

ping and capture the output at each end, see if the packet makes it.

Then turn off debugging with

un all

command.

Hall of Fame Super Gold

Re: Cannot ping 1841 router from 3560 switch

I agree that debug ip icmp is a good way to determine whether the ping is getting across the link.

I believe that it would also be helpful to see the results of show cdp neighbor detail from both the switch and the router. This would demonstrate layer 2 connectivity and would also be a way to make sure that the address seen in the output is the address that we believe is configured.

HTH

Rick

Community Member

Re: Cannot ping 1841 router from 3560 switch

Have you checked to see what each device has as an arp entry for the other? "Show ip arp 10.99.1.x". I suspect that it will be "incomplete". Hmmm.... definitely sounds like a layer 3 issue. Since you see no ICMP traffic when you do your debug it sounds like neither device quite knows which interface to use. Try "sho ip int " on both the router and the switch and see if that tells you anything. I assume that when you "show interface" they both show up/up?

Community Member

Re: Cannot ping 1841 router from 3560 switch

Hi,

Your "running upstairs.." makes me think. Are the switch and router on different floors? Maybe you have not patched properly. What I mean is that the cable from the router is not really going to port 44 but going to some other port, say port 34.

Shut down the port on the router and see if port 44 goes down, or the other way. Which ports show up in "sh cdp neigh"? Of course, in case you have tested and ruled out these possibilities, just ignore this reply!!

Community Member

Re: Cannot ping 1841 router from 3560 switch

Yeah, my comment about running upstairs makes it sound confusing. Actually, the router and switch are in the same room connected with a 2 ft. patch cord, but my desk is downstairs and I only have telnet access to the switch, so every time I need console access to the router I have to plug in a console cable.

When I turned on ICMP debugging on the switch and pinged the router's IP address, I saw no packets transmitted. When I pinged other random addresses, I got the 5 echo reply sent/received pairs just like I should. That makes me think the problem is with the switch.

The output of sh cdp neighbors lists the correct IP address for the router, as well as the correct local and remote interfaces.

I am going to do the same with the router now.

Community Member

Re: Cannot ping 1841 router from 3560 switch

OK, the sh cdp neighbors output on both devices is correct. It lists the correct IP address, local, and remote interfaces on both devices.

I also have turned on ICMP debugging and have been pinging. Neither the switch nor the router show any packets being sent or received when I ping the other. When I ping any other valid address (on the Internet from the router or on the LAN from the switch), I see good ICMP echo packets in the debug.

As far as the mac-address table goes, there is nothing in the mac-address table on the router, and the switch does not have the router's mac-address in the table (but it does have several others as it is our working core device).

I am seriously stumped. I have a 2821 ISR that is connected the exact same way to the same switch and it has been working fine.

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

When you ping from the switch, you should observe the router side (with ICMP turned on) and see if the router is able to receive the traffic.

Community Member

Re: Cannot ping 1841 router from 3560 switch

Yeah, I finally ditched my desk and am in the wiring closet with 2 laptops, one connected to the console of each device.

When I ping the router from the switch with ICMP debugging enabled on both devices, I see no packets on either device. Same when I ping the switch from the router.

The router is running 12.4(3) (c1841-advsecurity-k9), not 12.4(13) as I had originally posted. Is it possible that this is a software bug? I am fairly sure that my configuration is correct.

I have also verified on the 1841 that the firewall, IDS, NAC, and all other security services are disabled.

Re: Cannot ping 1841 router from 3560 switch

Can you post the output of 'show cdp neighbor detail' and 'show int (#)' from both devices?

HTH

Sundar

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

As Sundar suggests, please let's see some output here from CDP and also show interface from both devices.

Community Member

Re: Cannot ping 1841 router from 3560 switch

Here is the output of sh cdp neighbors from the router:

cnc.1841#sh cdp nei det

-------------------------

Device ID: cnc.datacenter.1

Entry address(es):

IP address: 10.99.1.2

Platform: cisco WS-C3560G-48TS, Capabilities: Router Switch IGMP

Interface: FastEthernet0/0, Port ID (outgoing port): GigabitEthernet0/44

Holdtime : 131 sec

Version :

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(25)SEE,

RELEASE SOFTWARE (fc2)

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Fri 03-Feb-06 07:38 by antonino

advertisement version: 2

Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=0000000

0FFFFFFFF010221FF0000000000000018B96A6280FF0000

VTP Management Domain: 'cncSpokane'

Duplex: full

And here is the output of sh cdp neighbors from the switch:

cnc.datacenter.1#sh cdp nei g0/44 det

-------------------------

Device ID: cnc.1841

Entry address(es):

IP address: 10.99.1.1

Platform: Cisco 1841, Capabilities: Router Switch IGMP

Interface: GigabitEthernet0/44, Port ID (outgoing port): FastEthernet0/0

Holdtime : 163 sec

Version :

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3g), REL

EASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Mon 06-Nov-06 01:09 by alnguyen

advertisement version: 2

VTP Management Domain: ''

Duplex: full

Management address(es):

Community Member

Re: Cannot ping 1841 router from 3560 switch

Further, neither device has an entry for the other in the ARP table.

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

Looks good. Very strange, let's try something else, on the switch create VLAN 99 - assign the ip address from g0/44 to the SVI and change the port from routed to switchport, assign VLAN 99 on that port - then do a shut / no shut on the g0/44 interface.

A routed port should work but I ran out of ideas.

Re: Cannot ping 1841 router from 3560 switch

Edison,

Congratulations on getting your CCIE!!

Our postings are crossing each other's. I was about to type the same thing that you had suggested about creating an SVI and making the port a switchport. I was going to ask him to try one other thing before he does that - set the speed/duplex to auto on both devices.

HTH

Sundar

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

Thanks Sundar. I was thinking about the auto/auto route as well. Perhaps MDIX would help us there :)

Community Member

Re: Cannot ping 1841 router from 3560 switch

OK, I created Vlan99 on the switch, changed g0/44 to a L2 port, assigned it to Vlan99, and shutdown and unshut the port.

Now, the 1841 has an ARP entry for 10.99.1.2, but still cannot ping the address. The switch still does not have an ARP entry for 10.99.1.1.

While I was trying different things, I upgraded to IOS 12.4-13c on the 1841 to see if the odd behavior was being caused by a bug in 12.4-3d, which was on the router when it shipped. Same behavior.

Should I go to TAC? This seems very weird.

Thanks for all of your help!

Community Member

Re: Cannot ping 1841 router from 3560 switch

I also set the speed and duplex to auto on both sides in case that could have been causing a problem.

Re: Cannot ping 1841 router from 3560 switch

Try connecting the switch port to another device and see what happens. If that works then try the same thing with the router interface. Use a known working cable. This would rule out any hardware issue.

HTH

Sundar

Community Member

Re: Cannot ping 1841 router from 3560 switch

I am fairly sure we can rule out hardware because the same switch port was used for the old, decommissioned VPN router, so all I did was move the cable from the old router to the 1841 (arp-cache was cleared so that shouldn't have been an issue). I also connected my laptop to both ports and set it to the other IP address. I was able to ping each device from the laptop and I was able to establish a TFTP connection between the 1841 and the laptop to upgrade the boot image.

I have also used quite a few different IP subnets, but all have been in the 10. network. I will try something in 172. and see if that makes it happier. Logically, it shouldn't make a difference, but I will try it anyway. Sometimes these devices act in weird ways. :)

Hall of Fame Super Bronze

Re: Cannot ping 1841 router from 3560 switch

Can you post the show interface output from both devices ?

Community Member

Re: Cannot ping 1841 router from 3560 switch

In addition to the "sho interface", on both device interfaces:

sho ip int f0/0

sho ip cef f0/0

sho ip cache f0/0

Community Member

Re: Cannot ping 1841 router from 3560 switch

Output from sh ip cef, sh ip int f0/0, and sh ip cache f0/0

cnc.1841#sh ip cef

%CEF not running

Prefix Next Hop Interface

cnc.1841#sh ip int f0/0

FastEthernet0/0 is up, line protocol is up

Internet address is 10.99.1.1/30

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is enabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Flow switching is disabled

IP CEF switching is disabled

IP Fast switching turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Policy routing is disabled

Network address translation is disabled

BGP Policy Mapping is disabled

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

cnc.1841#sh ip cache f0/0

IP routing cache 0 entries, 0 bytes

0 adds, 0 invalidates, 0 refcounts

Minimum invalidation interval 2 seconds, maximum interval 5 seconds,

quiet interval 3 seconds, threshold 0 requests

Invalidation rate 0 in last second, 0 in last 3 seconds

Last full cache invalidation occurred 18:35:41 ago

Prefix/Length Age Interface Next Hop

Community Member

Re: Cannot ping 1841 router from 3560 switch

Sh int g0/44 on the switch:

cnc.datacenter.1#sh int g0/44

GigabitEthernet0/44 is up, line protocol is up (connected)

Hardware is Gigabit Ethernet, address is 0018.b96a.62ac (bia 0018.b96a.62ac)

Description: VPN Router cnc.1841

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX

input flow-control is off, output flow-control is unsupported

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:10, output 00:00:01, output hang never

Last clearing of "show interface" counters 00:36:44

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

265 packets input, 28222 bytes, 0 no buffer

Received 40 broadcasts (0 multicast)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 40 multicast, 0 pause input

0 input packets with dribble condition detected

1508 packets output, 111874 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier, 0 PAUSE output

0 output buffer failures, 0 output buffers swapped out

Sh int f0/0 on the router:

cnc.1841#sh int f0/0

FastEthernet0/0 is up, line protocol is up

Hardware is Gt96k FE, address is 001b.d58d.ba56 (bia 001b.d58d.ba56)

Description: Uplink to core

Internet address is 10.99.1.1/30

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:27, output 00:00:05, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

3487 packets input, 615833 bytes

Received 3487 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

8120 packets output, 835638 bytes, 0 underruns

0 output errors, 0 collisions, 15 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Note that the packet counts are very low on the switch g0/44 because I was troubleshooting a possible cable problem so I cleared the counts on that int.
