topic Re: Cannot ping next hop from vsx gateway in Firewall and Security Management

Cannot ping next hop from vsx gateway

an_technical — Sun, 26 Jan 2025 13:29:50 GMT

Hi All,

I am setting up VSX in our enviorment.

We have prod vsx that has below configuration:

eth5.30: 10.1.30.1/24

eth5 is connected to l2 switch and there is router in 10.1.30.0/24 segment.

10.1.30.2/24 is configured as sub-int in router.

When I ping 10.1.30.2 from prod vsx. I don't get any response.

I run tcpdump and get below output:

request who-has 192.168.30.2 tell 192.168.30.1 length 28

In logs I see vsx is changing source from 192.168.30.1 to internal ip address -192.168.196.17

May I know why?

How can I make next hop rechable?

Thank You

Re: Cannot ping next hop from vsx gateway

Chris_Atkinson — Sun, 26 Jan 2025 15:43:38 GMT

Have you installed policy for the VS since adding the interface?

Is there any NAT configured on this VS that might be a conflict?

Is eth5 properly set (ticked) as a trunk?

Re: Cannot ping next hop from vsx gateway

an_technical — Sun, 26 Jan 2025 17:01:09 GMT

Have you installed policy for the VS since adding the interface? Yes

Is there any NAT configured on this VS that might be a conflict? No NAT

Is eth5 properly set (ticked) as a trunk? - Yes

Re: Cannot ping next hop from vsx gateway

an_technical — Sun, 26 Jan 2025 18:52:15 GMT

@Chris_Atkinson below output looks okay?

[Expert@VSX-GW-1:0]# ifconfig
eth0 Link encap:Ethernet HWaddr 50:00:00:02:00:00
inet addr:10.199.199.15 Bcast:10.199.199.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70412 errors:7025 dropped:0 overruns:0 frame:7025
TX packets:64859 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52914863 (50.4 MiB) TX bytes:25974772 (24.7 MiB)

eth1 Link encap:Ethernet HWaddr 50:00:00:02:00:01
inet addr:11.1.1.1 Bcast:11.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:191589 errors:0 dropped:0 overruns:0 frame:0
TX packets:246849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:32897764 (31.3 MiB) TX bytes:38205534 (36.4 MiB)

eth4 Link encap:Ethernet HWaddr 50:00:00:02:00:04
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:248242 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:16560624 (15.7 MiB)

eth5 Link encap:Ethernet HWaddr 50:00:00:02:00:05
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:40871 errors:0 dropped:0 overruns:0 frame:0
TX packets:114939 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3411203 (3.2 MiB) TX bytes:7962524 (7.5 MiB)

lo Link encap:Local Loopback Media:unknown(auto)
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING ALLMULTI MULTICAST MTU:65536 Metric:1
RX packets:30530 errors:0 dropped:0 overruns:0 frame:0
TX packets:30530 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6288400 (5.9 MiB) TX bytes:6288400 (5.9 MiB)

This is from vsx 0. Shoud this show eth5?

eth5 interface should be on my prod vsx.

Re: Cannot ping next hop from vsx gateway

JozkoMrkvicka — Sun, 26 Jan 2025 18:57:57 GMT

Did you configure VLAN 30 within eth5 on VS0 or some other VS ? You need to access VS where this VLAN is configured using expert command "vsenv <VSID>" or using clish command "set virtual-system <VSID>". Once you are inside the correct VS, you should be able to reach 10.1.30.2.

PS: If you dont get ping response from 10.1.30.2, it can indicate the router is not allowed to answer for pings. Check if MAC of 10.1.30.2 is known using expert command from proper VS: 'arp - an | grep "10.1.30.2"'

Re: Cannot ping next hop from vsx gateway

an_technical — Sun, 26 Jan 2025 19:38:39 GMT

Hi @JozkoMrkvicka : I configured vlan 30 in prod VSX. I checked arp and I am getting incomplete arp. Eth5 is configured with l2 sw and has below configurartion.

hostname SW3
!
boot-start-marker
boot-end-marker
!
!
logging buffered 100000
!
no aaa new-model
!
ip cef
!
!
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 30
switchport mode access
duplex auto
!
interface Ethernet0/1
switchport access vlan 30
switchport mode access
duplex auto
!
interface Ethernet0/2
switchport access vlan 30
switchport mode access
duplex auto
!
interface Ethernet0/3
duplex auto
!
interface Vlan30
no ip address
!
!
no ip http server
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login

Vlan 30 is set as access port on all 3 ports. two from VSX gateway and 1 from router.

I can see mac-address table is also learnt:

SW3#show mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
30 5000.0002.0005 DYNAMIC Et0/0
30 5000.0005.0005 DYNAMIC Et0/1
30 aabb.cc00.7000 DYNAMIC Et0/2
Total Mac Addresses for this criterion: 3

Eth5.30 mac-address is - 50:00:00:02:00:05

I don't know why arp is coming incomplete.

I debug arp on switch side and get below log:

IP ARP req filtered src 10.1.30.1 5000.0002.0005, dst 10.1.30.2 0000.0000.0000 wrong cable, interface Vlan30

Re: Cannot ping next hop from vsx gateway

Chris_Atkinson — Mon, 27 Jan 2025 01:44:51 GMT

Switchport is not configured as a trunk per above output?

Also per above ensure the ping is originated from the correct VS context.