
Cisco 9300 Routing Traffic Weirdly

I have a new stack of three 9300s that seem to route traffic in some very confusing ways. I can reach the vlan address on the switch (10.214.184.1) from my workstation:

# mtr -rnc 10 10.214.184.1
HOST: c00464.lereta.com   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 198.204.114.232       0.0%    10    0.3   0.4   0.3   0.6   0.1
  2. 10.212.3.178          0.0%    10    0.2   0.3   0.2   0.4   0.1
  3. 10.214.184.1          0.0%    10   47.8  46.7  33.0  65.3   9.4

Next I plugged a laptop into the new stack and it got an address (10.214.184.50) from the DHCP server. However, when I try to traceroute to the laptop the traffic does not get there, or the return packets are not getting through.

# mtr -rnc 10 10.214.184.50
HOST: c00464.lereta.com   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 198.204.114.232       0.0%    10    0.3  26.4   0.3 261.7  82.7
  2. 10.212.3.178          0.0%    10    0.3   0.3   0.2   0.3   0.0
  3. ???                  100.0    10    0.0   0.0   0.0   0.0   0.0

If I ping the laptop IP from the switch it works fine.

# ping 10.212.184.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.212.184.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/56 ms

If I scan the laptop IP things start to get really weird:

# nmap -A 10.214.184.50
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-16 14:07 PDT
Nmap scan report for 10.214.184.50
Host is up (0.055s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-server-header: nginx
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http nginx
|_http-server-header: nginx
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=IOS-Self-Signed-Certificate-909702223
| Not valid before: 2018-05-11T23:07:54
|_Not valid after: 2020-01-01T00:00:00
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
8090/tcp open http nginx
|_http-server-header: nginx
|_http-title: 502 Bad Gateway
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X (91%), Crestron 2-Series (87%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 3.2 - 4.8 (91%), Linux 3.10 - 4.8 (89%), Linux 3.18 (87%), Crestron XPanel control system (87%), Linux 3.16 (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   0.35 ms  198.204.114.232
2   0.34 ms  mx400-01.lereta.net (10.212.3.178)
3   64.13 ms 10.214.184.50

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.81 seconds

I am absolutely certain there is no web server at all on the laptop much less nginx. When I use a browser to reach out to 10.214.184.50 I get the web management interface for the switch stack! I can log in and everything. What I cannot do is connect to anything beyond the stack and that makes no sense at all to me.

In the old days I could stack 3750s or 3850s, define some VLANs, set some routes, and everything worked.  I cannot figure out what the 9300s do differently.

(Some of the preformatted text above did not format clearly so I hope it is readable.)

6 Replies

mvsheik123
Level 7

Hi,

Is the laptop getting the correct IP configuration from the DHCP server? Also, per your posting: "I can reach the vlan address on the switch (10.212.184.1)" -> I guess this is 10.214.184.1? Also check the IPs posted here that you try to ping & traceroute. Make sure they are correct.

hth

MS

The laptop is picking up a correct configuration for the site.

Most of the local addresses here are 10.212.X.X but the new site will be 10.214.X.X, and I typed 212 in a few places where I meant 214. Sorry for the confusion. I edited the original post to fix that error.

JIC, last night I also shut down the stack (it's still in the lab) and scanned for any 10.214.0.0/16 addresses that might be lying around the LAN. I found none, so I guess it is not a duplicate IP.

Someone elsewhere suggested the problem may be licensing. However, they look OK to me:

#show license right-to-use        
Slot#       License Name          Type   Period left
----------------------------------------------------
    1 network-essentials     Permanent      Lifetime
    1  network-advantage     Permanent      Lifetime
    1      dna-advantage  Subscription  CSSM Managed
----------------------------------------------------
License Level on Reboot: network-advantage+dna-advantage Subscription


Slot#       License Name          Type   Period left
----------------------------------------------------
    2 network-essentials     Permanent      Lifetime
    2  network-advantage     Permanent      Lifetime
    2      dna-advantage  Subscription  CSSM Managed
----------------------------------------------------
License Level on Reboot: network-advantage+dna-advantage Subscription


Slot#       License Name          Type   Period left
----------------------------------------------------
    3 network-essentials     Permanent      Lifetime
    3  network-advantage     Permanent      Lifetime
    3      dna-advantage  Subscription  CSSM Managed
----------------------------------------------------
License Level on Reboot: network-advantage+dna-advantage Subscription

OTOH, I do not know much about the so-called "smart" licensing.

Hi,

Your testing is related to simple basic switching/routing, so it should work irrespective of any 'smart' licenses :). Here is what I suggest:

1. For traceroute -> make sure the laptop does not have any built-in firewall enabled. With Unix, ping and traceroute use different packets (ICMP & UDP), so make sure no firewall rules are blocking traceroute.

2. Stack interface answering at the laptop IP: to test this, I would remove the laptop from the switch and then ping and HTTP to the same IP (the one the laptop was getting and where you see the stack) and see if anything comes up. As this is a lab setup, try rebooting the switch and test again if you notice any anomalies.

hth

MS

This was so simple I am still kicking myself over it.
# conf t
(config)# ip routing
^Z

It all works now.

When in the heck did Cisco stop turning on IP routing by default?
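As an added example (not from the thread or from Cisco), a small Python config audit that flags the condition the accepted answer fixed: SVIs carrying IP addresses while global 'ip routing' is absent or negated. The sample running-config is constructed, and the assumption that a missing 'ip routing' line means routing is off follows the thread's observation that it is not on by default on these switches.

```python
"""Audit an IOS-XE running-config for the condition in this thread: L3 SVIs exist but 'ip routing' is off."""
import re

# Constructed sample (not from the thread); models the OP's stack before the fix.
SAMPLE_CONFIG = """\
no ip routing
!
interface Vlan1
 no ip address
!
interface Vlan184
 ip address 10.214.184.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.214.184.254
"""

def parse_interfaces(config):
    """Return {name: [indented lines]} for every 'interface X' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def l3_svis(config):
    """SVIs (interface VlanN) that carry an IP address, i.e. the box is meant to route."""
    return sorted(name for name, lines in parse_interfaces(config).items()
                  if name.lower().startswith("vlan")
                  and any(re.match(r"ip address \d", l) for l in lines))

def routing_enabled(config):
    """True only if 'ip routing' is present and not negated. Assumption: the platform
    default is off and defaults are not printed, so an absent line means disabled."""
    lines = [l.strip() for l in config.splitlines()]
    return "ip routing" in lines and "no ip routing" not in lines

def audit(config):
    """Return findings; an empty list means the routing configuration is consistent."""
    findings = []
    if l3_svis(config) and not routing_enabled(config):
        findings.append("L3 SVIs configured but 'ip routing' is not enabled")
    if "ip route " in config and not routing_enabled(config):
        findings.append("static routes present but 'ip routing' is not enabled")
    return findings
```

Running audit() over the sample yields two findings; replacing the negated line with 'ip routing' (the fix above) yields none.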

Let me join you in the self-kicking. I have two C9300 stacks; one was routing, the other wasn't.

Took me forever to spot the minor difference.
