Solved

Problem with two Cisco switches to save the configuration by tftp

Posted on 2014-12-15
15
Medium Priority
109 Views
Last Modified: 2015-06-09
Hi,
we have a vlan containing all switch management interfaces. I can save all configurations by tftp apart from two C2960-12 running IOS 15. All other switches have an IOS 12.2. When connected to these two switches, I can't ping the tftp server, but I can ping other servers in the same network segment as the tftp server. I can ping the tftp server from all other switches. The tftp server debugging shows no connection from these two switches. A bit odd. Is there a way to debug the way of the tftp packets through the LAN? They have to pass other switches, as they are cascaded.

Thanks in advance

Olaf
0
Question by:olaf_joerk
15 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40500242
I can't ping the tftp server, but I can ping other servers in the same network segment as the tftp server. I can ping the tftp server from all other switches. The tftp server debugging shows no connection from these two switches.

If you can't ping the TFTP server then there's not going to be any attempt to transfer data.  Assuming that no ACLs are in place.

So the first task is to determine the connectivity problem.  Is the switch management interface on the same network as the TFTP server?  Or do you have to get routed between the two?
0
 

Author Comment

by:olaf_joerk
ID: 40500606
Hi Don,
the management interfaces are in a 192.168.50.0/24 subnet. The servers are in a 10.91.200.0/22 subnet. The core switch has routing functionality. I can ping servers in the server subnet but not the tftp server. I also checked the firewall. No difference if switched on or off. The core switch has no vlan ACLs.

Thanks for your help.

Olaf
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40504161
If no ACL is involved, my first thought is physical connection, then ARP cache.

I wouldn't rule out ACL though.

When being connected to these two switches, I can't ping the tftp server,

I need more clarity here. Is it the TFTP server that is connected to the switch or a PC? Please sketch a simple topology diagram and post it.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40504467
There could be an ACL on the core switch.  
There could be a firewall on the server blocking the traffic.

Can the server ping its default gateway?
Can the server ping the core switch SVI on the 192.168.50.0 network?
0
 

Author Comment

by:olaf_joerk
ID: 40504574
Hi,
I attach a scheme to explain in more detail what I mean. My tftp server can ping everything except Switch202 and 203. TS1 can ping all switches. Both TFTP and TS1 reside on the same ESX host using the same distributed vSwitch. Switch202/203 can't ping TFTP but can ping TS1 and all the switches on the path. Same with the tftp client. There must be something special with TS1 or with Switch202/203? But what?

Regards

Olaf
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40506282
Ok
We're getting closer.
I'm suspecting a route issue or connection issue on Switch 201.

Post the result of show ip route on the core switch.
You may need to configure single host routes on the core switch or switch 201 for 202 and 203, but let's identify the bottleneck first.
Also, are switches 202 and 203 connected to trunk ports on 201?

On 202 and 203, run both traceroute 10.91.200.2 and traceroute 10.91.200.2
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40506521
My tftp server can ping everything except Switch202 and 203. TS1 can ping all switches

This would indicate that traffic can flow from the server network to all switches.

So I'm going with an ACL either on the core switch, switch 201 or the switch between the core and the vSwitch.
0
 

Author Comment

by:olaf_joerk
ID: 40506837
Hi,
that's what I can do from TS1:

C:\Users\TEMP>tracert switch203
Tracing route to switch203.domain [192.168.50.x] over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.91.203.254 (that's the core switch)
  2     2 ms     1 ms     1 ms  switch203.domain [192.168.50.x]

Trace complete.

From TFTP it looks like:
C:\Users\administrator.ENAS>tracert switch203
Tracing route to switch203.domain [192.168.50.x] over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.91.203.254 (that's the core switch)
  2    *    *     ^C  --> time out

I switched on the ICMP debugging at switch201. But I can see only packets with the switch itself as destination, like:

4005173: Dec 18 13:24:41: ICMP: echo reply sent, src 192.168.91.65, dst 192.168.91.85
:
4005177: Dec 18 13:24:41: ICMP: echo reply sent, src 192.168.91.65, dst 192.168.91.85

There are no ACLs between the VLANs at the core switch and no ACLs on the other switches.

Is it possible to use RSPAN to watch the packet going through the switches?

Thanks
Olaf
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40506945
It looks like an ACL but it could still be route related.
I'm suspecting a NULL route issue if it is not ACL or firewall related.

How about the route info from the core switch and a traceroute from the switches to the tftp server?

Post the result of show ip route on the core switch
On 202 and 203, run both traceroute 10.91.200.1 and traceroute 10.91.200.2
0
 

Author Comment

by:olaf_joerk
ID: 40506994
Here it is:

Switch203#traceroute ts1
Translating "ts1"...domain server (10.91.200.10) [OK]
i
Type escape sequence to abort.
Tracing the route to ts1.domain (10.91.200.1)
VRF info: (vrf in name/id, vrf out name/id)
  1 coreswitch.domain (192.168.50.254) 8 msec 9 msec 0 msec
  2  *  *  *
  3  *

Switch203#ping ts1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Switch203#traceroute tftp
Translating "tftp".domain server (10.91.200.2) [OK]
i
Type escape sequence to abort.
Tracing the route to tftp.domain (10.91.200.2)
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *
Switch203#ping tftp
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.91.200.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Core Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
:
Gateway of last resort is 153.x.x.x to network 0.0.0.0
     153.96.0.0/24 is subnetted, 1 subnets
:
C    192.168.50.0/24 is directly connected, Vlan200
     10.0.0.0/8 is variably subnetted, 16 subnets, 3 masks
:
C       10.91.200.0/22 is directly connected, Vlan208
S*   0.0.0.0/0 [1/0] via 153.x.x.x

To be honest, it makes no sense to me ... A bit too odd.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40508193
Behaves just like it would if there was an ACL somewhere in between.

The core switch only has two routes??? How is your default route working if you don't have a connection to the 153.x.x.x?
0
 

Author Comment

by:olaf_joerk
ID: 40533108
I shortened the output of the routing table. I left the routes to the considered networks and the default route. The default route points to a perimeter router/firewall. If this connection is down, we have no internet access but the internal networks are still reachable.

Is there a way to debug the ping or tftp packets on their way across the network? We are using Cisco IOS switches. One should see on which switch the packets will be blocked, shouldn't one?
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40535495
A packet capture like Wireshark may be helpful.

The routes seem okay, meaning there is some filtering happening somewhere.
If possible, swap the cable connections between the TFTP servers (either on the switch or the NIC if the servers are close to each other). Let's see if the problem travels with the connection.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 1000 total points
ID: 40651620
Your ip default-gateway for switches 202 and 203 is wrong.  It should be your management network gateway.
0
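A check for the condition named in the accepted solution, added here as an example and not code from the thread: it parses a sanitized IOS config excerpt and reports whether `ip default-gateway` falls inside the subnet of the switch's management SVI. The config text and all addresses are constructed (the 192.168.91.254 gateway is a made-up wrong value; 192.168.50.254 matches the core switch SVI seen in the traceroute above).

```python
import ipaddress
import re

# Constructed, sanitized IOS excerpt for a layer-2 access switch: the management
# SVI is in 192.168.50.0/24 (the management VLAN from the question) but the
# gateway points into another subnet. Addresses are made-up examples.
BAD_CONFIG = """\
interface Vlan200
 ip address 192.168.50.203 255.255.255.0
!
ip default-gateway 192.168.91.254
"""
# Same switch with the gateway corrected to the core switch's management SVI.
GOOD_CONFIG = BAD_CONFIG.replace("192.168.91.254", "192.168.50.254")

SVI_RE = re.compile(r"^interface (Vlan\d+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
GW_RE = re.compile(r"^ip default-gateway (\S+)")


def parse_config(text):
    """Return ({svi_name: IPv4Interface}, default gateway address or None)."""
    svis, gateway, current = {}, None, None
    for line in text.splitlines():
        m = SVI_RE.match(line)
        if m:                       # entering an SVI stanza
            current = m.group(1)
        elif line.startswith("!"):  # stanza separator ends the SVI block
            current = None
        elif current and (m := ADDR_RE.match(line)):
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := GW_RE.match(line):
            gateway = ipaddress.IPv4Address(m.group(1))
    return svis, gateway


def check_default_gateway(text):
    """Return (ok, message); ok only if the gateway is inside some SVI subnet.
    A layer-2 IOS switch hands all off-subnet traffic (ping replies, TFTP
    packets) to this gateway, so a gateway off every SVI subnet is unusable."""
    svis, gateway = parse_config(text)
    if gateway is None:
        return False, "no ip default-gateway configured"
    for name, iface in svis.items():
        if gateway in iface.network:
            return True, f"gateway {gateway} is on {name} ({iface.network})"
    nets = ", ".join(str(i.network) for i in svis.values()) or "none"
    return False, f"gateway {gateway} is outside every SVI subnet ({nets})"
```

Run it against `show running-config` output saved from each cascaded switch; the two switches that cannot reach the TFTP server should be the ones reported as outside their SVI subnet.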
