Solved

Unable to ping Cisco switch

Posted on 2013-01-22
Last Modified: 2013-02-16
Hi Guys,

Recently, one of our Cisco switches has stopped responding to ping.  It was contactable a few days ago but one day it stopped responding to ping only.  We can successfully telnet to the device and login.  This device cannot ping any device in the same domain except one router that is directly connected to it.  It can also ping 4 switches that are connected together via trunk ports and are in the same VTP domain.  There is another router connected to it that it cannot ping, nor can the router ping it; however, the router can ping the other 4 switches.  It was also able to do this last week.

I have had a look at the config but I cannot see anything that would be stopping it from responding.

Any ideas?
18 Comments
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 38808833
any vlans or access lists in switch configuration?
can you post cli config here (redact sensitive data)

JAN MA CCNA
 
LVL 6

Expert Comment

by:airwrck
ID: 38808922
why do devices stop responding to ping requests?

Maybe the arp tables on the directly connected router need to be cleared.

if the ip default-gateway was set incorrectly, you wouldn't be able to telnet to it

you could try clear int vlan1 to see if that fixes it

take a look at the physical interface (sh int) that you're coming in on the switch - see if anything there looks unusual, you could also clear int on that interface.

If you can reboot the switch, I'd give that a try
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 38810762
I'd check for ACLs..  The fact that you can telnet to it means that ARP is working, so you can resolve the MAC address and communicate to it..  Unless it is a failure that a reboot would fix, I'd think it's probably an access control list on the switch, restricting ICMP in some way.


Also, check VLANs to verify subnet masks on the devices in question..

Can you post configs?
 

Author Comment

by:BCSITS
ID: 38812571
SWITCH CONFIG

interface Vlan1
 ip address 192.168.10.2 255.255.255.0
!
ip default-gateway 192.168.10.254
ip classless
ip http server
!
snmp-server community XXXXXX RO
snmp-server ifindex persist
!
control-plane
!
banner motd ^C



******************************************************
*                                                    *
*      ---- Unauthorised Access Prohibited ----      *
*                                                    *
*      Your access to this device will be logged     *
*                                                    *
******************************************************


^C
!
line con 0
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet
line vty 5 15
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet
!
ntp clock-period 36029858
ntp server 192.168.1.253
ntp server 192.168.1.252 prefer
end


DIRECTLY CONNECTED ROUTER THAT CAN CONNECT

class-map match-any Citrix
 match access-group name Citrix-ACL
!
!
policy-map WAN
 class Citrix
  priority percent 80
  set dscp af41
 class class-default
  bandwidth remaining percent 100
  random-detect
policy-map Global
 class class-default
  shape average 10240000
  service-policy WAN
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.253 255.255.255.0 secondary
 ip address 192.168.10.252 255.255.255.0
 ip helper-address 192.168.1.203 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.1.201 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.1-2
 no keepalive
 standby 2 ip 192.168.2.254
 standby 2 preempt
 standby 10 ip 192.168.10.254
 standby 10 priority 105
 standby 10 preempt delay minimum 120
 standby 10 track FastEthernet0/1
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.252 255.255.255.0
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.3-3
 standby 3 ip 192.168.3.254
 standby 3 priority 105
!
interface FastEthernet0/1
 bandwidth 10240
 ip address 10.10.10.254 255.255.255.252
 ip route-cache flow
 speed 100
 full-duplex
 service-policy output Global
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.10.0
 timers bgp 15 45
 neighbor 10.10.10.253 remote-as 7474
 neighbor 10.10.10.253 weight 100
 neighbor 10.10.10.253 route-map PREPEND_BACKUP out
 neighbor 192.168.2.252 remote-as 65000
 neighbor 192.168.2.252 next-hop-self
 neighbor 192.168.2.252 weight 50
 no auto-summary
!
ip forward-protocol nd
ip route 192.168.44.0 255.255.255.0 192.168.10.1
!
ip flow-export source FastEthernet0/0.1
ip flow-export version 5
ip flow-export destination 192.168.1.57 9996
!
no ip http server
no ip http secure-server
!
ip access-list extended Citrix-ACL
 permit tcp any 192.168.1.0 0.0.0.255 eq 1494
 permit udp any 192.168.1.0 0.0.0.255 eq 2598
!
access-list 71 permit 192.168.2.0 0.0.0.255
access-list 72 permit any
snmp-server community XXXXXX RO
snmp-server ifindex persist
no cdp run
route-map PREPEND_BACKUP permit 10
 match ip address 71
 set as-path prepend 65000 65000
!
route-map PREPEND_BACKUP permit 20
 match ip address 72
!
!
!
!
control-plane
!
!
!
!
!
!
!
banner motd ^C



******************************************************
*                                                    *
*      ---- Unauthorised Access Prohibited ----      *
*                                                    *
*      Your access to this device will be logged     *
*                                                    *
******************************************************


^C
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet
line vty 5 15
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 192.168.1.253
ntp server 192.168.1.252 prefer
sntp server 192.168.1.252
sntp server 192.168.1.253
sntp server 192.168.1.254
end

DIRECTLY CONNECTED ROUTER THAT CANNOT CONNECT

class-map match-any Citrix
 match access-group name Citrix-ACL
!
!
policy-map WAN
 class Citrix
  priority percent 80
  set dscp af41
 class class-default
  bandwidth remaining percent 100
  random-detect
policy-map Global
 class class-default
  shape average 100480000
  service-policy WAN
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.10.253 255.255.255.0 secondary
 ip address 192.168.2.252 255.255.255.0
 ip helper-address 192.168.1.203 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.1.201 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.1-2
 no keepalive
 standby 2 ip 192.168.2.254
 standby 2 priority 105
 standby 2 preempt delay minimum 120
 standby 2 track FastEthernet0/1
 standby 10 ip 192.168.10.254
 standby 10 preempt
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.253 255.255.255.0
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.3-3
 standby 3 ip 192.168.3.254
 standby 3 preempt
!
interface FastEthernet0/1
 bandwidth 10240
 ip address 10.10.2.254 255.255.255.252
 ip route-cache flow
 speed 100
 full-duplex
 service-policy output Global
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.10.0
 timers bgp 15 45
 neighbor 10.10.2.253 remote-as 7474
 neighbor 10.10.2.253 weight 100
 neighbor 10.10.2.253 route-map PREPEND_BACKUP out
 neighbor 192.168.10.252 remote-as 65000
 neighbor 192.168.10.252 next-hop-self
 neighbor 192.168.10.252 weight 50
 no auto-summary
!
ip forward-protocol nd
ip route 192.168.3.0 255.255.255.0 192.168.10.4
ip route 192.168.44.0 255.255.255.0 192.168.10.1
!
ip flow-export source FastEthernet0/0.1
ip flow-export version 5
ip flow-export destination 192.168.1.57 9996
!
no ip http server
no ip http secure-server
!
ip access-list extended Citrix-ACL
 permit tcp any 192.168.1.0 0.0.0.255 eq 1494
 permit tcp any 192.168.1.0 0.0.0.255 eq 2598
!
access-list 71 permit 192.168.10.0 0.0.0.255
access-list 71 permit 192.168.3.0 0.0.0.255
access-list 72 permit any
snmp-server community XXXXXX RO
snmp-server ifindex persist
no cdp run
route-map PREPEND_BACKUP permit 10
 match ip address 71
 set as-path prepend 65000 65000
!
route-map PREPEND_BACKUP permit 20
 match ip address 72
!
!
!
!
control-plane
!
!
!
!
!
!
!
banner motd ^C



******************************************************
*                                                    *
*      ---- Unauthorised Access Prohibited ----      *
*                                                    *
*      Your access to this device will be logged     *
*                                                    *
******************************************************


^C
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet
line vty 5 15
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 192.168.1.253
ntp server 192.168.1.252 prefer
sntp server 192.168.1.252
sntp server 192.168.1.253
sntp server 192.168.1.254
end
visio1.png
 
LVL 10

Expert Comment

by:ddiazp
ID: 38812715
How are the switchport interfaces configured that connect to each of these routers? I assume they're both as dot1q.


Can you try to ping the switch again but using 192.168.10.253 as source? What happens if you try to traceroute the switch from the router that cannot get to it?
 

Author Comment

by:BCSITS
ID: 38812753
traceroute and ping using 192.168.10.253 as a source are both successful.

using traceroute from the router that cannot connect returns 3 *

output of switchport config

interface FastEthernet0/30
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet0/31
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
0
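
The sourced-ping test above can be modelled from the posted configurations. This is an added example, not part of the thread; it assumes an unsourced ping on the router uses the primary address of FastEthernet0/0.1 and that the switch, having only `ip default-gateway`, sends replies for off-subnet addresses to that gateway. It shows which reply path each test exercises, not the root cause.

```python
import ipaddress
import re

# Excerpts copied from the configurations posted in the thread.
SWITCH_CFG = """\
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
!
ip default-gateway 192.168.10.254
"""
ROUTER_CFGS = {
    "router that can ping": """\
interface FastEthernet0/0.1
 ip address 192.168.2.253 255.255.255.0 secondary
 ip address 192.168.10.252 255.255.255.0
""",
    "router that cannot ping": """\
interface FastEthernet0/0.1
 ip address 192.168.10.253 255.255.255.0 secondary
 ip address 192.168.2.252 255.255.255.0
""",
}

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?\s*$", re.M)
GW_RE = re.compile(r"^ip default-gateway (\S+)\s*$", re.M)


def interface_addresses(cfg):
    """Return (primary, [secondaries]) as IPv4Interface objects."""
    primary, secondaries = None, []
    for addr, mask, sec in ADDR_RE.findall(cfg):
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        if sec:
            secondaries.append(iface)
        else:
            primary = iface
    return primary, secondaries


def reply_path(switch_cfg, source_ip):
    """How the switch answers a packet that arrived from source_ip."""
    mgmt, _ = interface_addresses(switch_cfg)
    gateway = GW_RE.search(switch_cfg).group(1)
    if ipaddress.ip_address(source_ip) in mgmt.network:
        return "on-link"            # switch ARPs for the source directly
    return f"via {gateway}"         # reply is handed to the default gateway


def analyse(switch_cfg, router_cfgs):
    """Map each router to (default ping source, switch reply path)."""
    result = {}
    for name, cfg in router_cfgs.items():
        primary, _ = interface_addresses(cfg)
        src = str(primary.ip)  # assumption: unsourced ping uses the primary
        result[name] = (src, reply_path(switch_cfg, src))
    return result


if __name__ == "__main__":
    for name, (src, path) in analyse(SWITCH_CFG, ROUTER_CFGS).items():
        print(f"{name}: source {src}, reply {path}")
    print("sourced from 192.168.10.253:",
          reply_path(SWITCH_CFG, "192.168.10.253"))
```

Only the failing test depends on the switch forwarding its reply to 192.168.10.254; the two working tests are answered on-link.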
 
LVL 10

Expert Comment

by:ddiazp
ID: 38812788
Can you do these two from router #2?:

sh ip route
sh standby FastEthernet0/0     (or FastEthernet0/0.1)

I suspect it's treating that 192.168.10.0 network as an external network and therefore forwarding traffic to the switch to its default route (this happens when you have secondary IPs).

As to why it was working before, perhaps a state change on hsrp could have anything to do with it? (can check last state change via sh standby)
 

Author Comment

by:BCSITS
ID: 38812811
sh standby fa0/0.1 output

FastEthernet0/0.1 - Group 2
  State is Active
    11 state changes, last state change 1w5d
  Virtual IP address is 192.168.2.254
  Active virtual MAC address is 0000.0c07.ac02
    Local virtual MAC address is 0000.0c07.ac02 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.076 secs
  Preemption enabled, delay min 120 secs
  Active router is local
  Standby router is 192.168.10.252, priority 100 (expires in 9.192 sec)
  Priority 105 (configured 105)
    Track interface FastEthernet0/1 state Up decrement 10
  IP redundancy name is "hsrp-Fa0/0.1-2" (default)
FastEthernet0/0.1 - Group 10
  State is Standby
    9 state changes, last state change 1w5d
  Virtual IP address is 192.168.10.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.140 secs
  Preemption enabled
  Active router is 192.168.10.252, priority 105 (expires in 9.300 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Fa0/0.1-10" (default)


the switch that is not pingable used to have another Vlan with an ip address assigned to it which has since been removed.  i think that since then this switch has not been contactable.

sh ip route does not show anything out of the ordinary

C    192.168.10.0/24 is directly connected, FastEthernet0/0.1
 
LVL 10

Expert Comment

by:ddiazp
ID: 38812872
-Could you initiate a ping from the switch to 192.168.10.253? If successful, leave it running and then try to ping from the router again (without specifying source 192.168.10.253).


Don't think the other vlan that was removed would have anything to do, since we're looking at the native vlan and we're not routing.

Important bit: is vlan 1 your native vlan on all switches?
 

Author Comment

by:BCSITS
ID: 38812918
still no result.  while pinging from switch to router (which is successful) i try pinging the switch from the router but it still fails.

yes Vlan 1 is the native Vlan across all switches.

i will check one of our primary routers for ACL and post back if i find anything or not.

switches in the same vtp domain can ping the 10.2 switch.  they are all in the same vlan.  any device outside of the 10.x nw cannot ping this device.  

i will investigate further and post the results.

thanks
 
LVL 10

Expert Comment

by:ddiazp
ID: 38812934
Pretty odd..

Few other things:

1. Can you see the switch in question via  'show cdp neigh det' from the router?
2. Would you be able to add a static ARP entry for the switch on the router? 'ip arp static' i believe is the syntax you need to use.
 

Author Comment

by:BCSITS
ID: 38813093
CDP is not configured on the router.  adding a static arp entry has not fixed it.  still cannot contact outside of its subnet.  

i will reboot this switch tonight to see if it makes any difference.
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 38813297
is command

 ip route

 enabled globally (not just on interfaces) on router which can't ping to switch?
 

Author Comment

by:BCSITS
ID: 38816722
i have had a look at the BGP routes briefly and found something that may be of interest.  my knowledge of BGP is limited and would like some clarification.  here is a small output of the following cmd:  sh bgp  from the router 192.168.10.252.

Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.2.0      0.0.0.0                  0         32768 i
*                   10.10.10.253                         100 7474 7474 i

*> 192.168.3.0      0.0.0.0                  0         32768 i

*> 192.168.7.0      10.10.10.253                         100 7474 7474 ?
*> 192.168.9.0      10.10.10.253                         100 7474 i
*> 192.168.10.0     0.0.0.0                  0         32768 i
*> 192.168.11.0     10.10.10.253                         100 7474 i
*> 192.168.13.0     10.10.10.253                         100 7474 i
*> 192.168.15.0     10.10.10.253                         100 7474 i
*> 192.168.17.0     10.10.10.253                         100 7474 i
*> 192.168.18.0     10.10.10.253                         100 7474 i
*> 192.168.19.0     10.10.10.253                         100 7474 i
*> 192.168.20.0     10.10.10.253                         100 7474 7474 i
*> 192.168.32.0     10.10.10.253                         100 7474 i
*> 192.168.33.0     10.10.10.253                         100 7474 i
*> 192.168.34.0     10.10.10.253                         100 7474 i
r> 192.168.44.0     10.10.10.253                         100 7474 7474 ?
*> 192.168.50.0     10.10.10.253                         100 7474 7474 ?
*> 192.168.58.0     10.10.10.253                         100 7474 i

this is from the router that cannot connect, 192.168.2.252, same command:

*> 192.168.7.0      10.10.2.253                          100 7474 7474 ?
*> 192.168.9.0      10.10.2.253                          100 7474 i
*  192.168.10.0     10.10.2.253                          100 7474 7474 i
*>                  0.0.0.0                  0         32768 i
*> 192.168.11.0     10.10.2.253                          100 7474 i
*> 192.168.13.0     10.10.2.253                          100 7474 i

could this be an issue?  both of these routers are directly connected to the 192.168.10.2 switch.

thanks
 
LVL 10

Expert Comment

by:ddiazp
ID: 38816906
Since 192.168.10.0/24 is a directly connected network, that bgp entry will not make it to the routing table as the directly connected route takes precedence.

I'll see if i can get packet tracer going and try to replicate your environment
 

Expert Comment

by:gaurav_mcp
ID: 38842742
please see the interface f0/0.1 address
 this connected router
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.253 255.255.255.0 secondary
 ip address 192.168.10.252 255.255.255.0

this router is not connected
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.10.253 255.255.255.0 secondary
 ip address 192.168.2.252 255.255.255.0

the secondary address is not the same on both sides
 please make sure this is right; I think it should be the same on both sides
 

Accepted Solution

by:BCSITS
ID: 38853387
can you explain why this is an issue as the configuration for this has been working happily for over 2 years and only recently has it stopped working properly.  all devices across the network are contactable from all devices except for this one switch.
 

Author Closing Comment

by:BCSITS
ID: 38896246
no answers in thread solved issue