Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Unable to ping HSRP IP address from Firewall

Dear All,

Please find the topology and IP address :

Untitled.jpg

When I have configured Hsrp, I am unable to ping hsrp ip address as well as physical IP address of Router from Firewall or from router to Firewall IP address.

Can anyone find out why?

REgards

6 REPLIES
Hall of Fame Super Blue

Unable to ping HSRP IP address from Firewall

Difficult to say with the limited information.

On the switch are the ports that connect to the router and the firewall in the same vlan ?

Jon

Unable to ping HSRP IP address from Firewall

"... as well as physical IP address of Router from Firewall"

You need to get this part fixed before you can get the virtual side to work. Is the fw and router all on the same network? Is this a new install, or was it working before you configured hsrp? Is it an ASA or another vendor's fw?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Unable to ping HSRP IP address from Firewall

Hello

Looking at you topology it seems you static default routes on the router and the FW are poining  the same next hop

The router should be pointing to the fw next hop and the Fw to the hrsp virtual ip address

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

Re: Unable to ping HSRP IP address from Firewall

Dear All,

Let me brief the whole scenario :

There two locations with two Internet link from one ISP.

Both are sending default Route via BGP.

From CE router two part of /24 segments are advertising with different AS-Prepend to get priority at vice- a -versa fashion.

From CE router for specfic half part (/24 segment ), static router is there pointing to respective Firewall. and from Firewall Default route to respective standby IP address.

At both location same configuration is there with different IP address.

Let me talk about 1st location.

  • Router LAN interface , Firewall connectivity to other location switch all are in the same Vlan.
  • Router is getting Default Internet route from ISP using BGP.
  • Static route for /24 Internet segment is pointign to Firewall External IP address.
  • Firewall is pointing to Internet Router with Default router that isstandby IP address.
  • Firewall External IP address is with /24 subnetmask. (1st Half part)
  • Setup is working perfectly but for establishing the redundancy using HSRP, we have configured HSRP on Router LAN interface and chaged the subnet mask of LAN interface to /23 which is previously /24.

Issue We are facing :

1. When subnetmask changed to /23 for Router LAN interface and HSRP configured (Physical IP address was changed with new one and existing Physical IP address was used for standby (HSRP) IP address so that I need not to change Firewall Default Route but after that i am unable to ping Firewall external IP address, new standby interface Ip address and Lan interface Physical IP address.

2. Even I can not ping Firewall ip address from Router with so = Lan interface of router.

3. I can not ping the ROuter Physical IP address and Standby Ip address from Firewall also.

We have tried the same post clearing arp also.

We have tried after chaning the subnetmask of firewall external IP address with /23 subnet mask.

Configuration :

Location A

Internet Router

interface GigabitEthernet0/0

description *** Inside Interface of Internet Router ***

ip address 11.11.11.3 255.255.254.0

standby 5 ip 11.11.11.1

standby 5 priority 150


ip route 11.11.11.0 255.255.255.0 11.11.11.2

Cisco ASA Firewall :

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 11.11.11.2 255.255.255.0 standby 11.11.11.4

route Outside 0.0.0.0 0.0.0.0 11.11.11.1 1

Can any one look in too what is any issue?

Regards

Unable to ping HSRP IP address from Firewall

Hi,

I'm missing the point why are you changing the subnet masks (your original diagram is even showing a 255.255.255.254 mask?)?

But as you say "When subnetmask changed to /23 for Router LAN interface and HSRP configured (Physical IP address was changed with new one and existing Physical IP address was used for standby (HSRP) IP address ...",

are you sure the ARP cache on the FW was really cleared?

Can you check the ARP entries on both your router and FW?

FWs sometimes don't reply to Pings on their external interfaces.

Are the users also not able to connect to the Internet from your Location A or is it just router/FW not replying to Pings?

Best regards,

Milan

New Member

Unable to ping HSRP IP address from Firewall

Dear All,

Latest update :

While drilled down the issue, I have found that when  I am adding static route 11.11.11.0 255.255.255.0 11.11.11.2 on Router , the ping is stopped between Router and Firewall.

In ROuting Table of Router :

one Statioc route : 11.11.11.0 255.255.255.0 11.11.11.2 (Firewall External IP address)

one Directly connected route : 11.11.11.0 255.255.254.0 11.11.11.2 (Firewall External IP address)

On Firewall :

route : 0.0.0.0 0.0.0.0 11.11.11.1 (standby ip address of Router LAN side).

Please suggest where is the issue.

Regards

940
Views
0
Helpful
6
Replies
CreatePlease to create content