
Cannot ping SVI gateway and traceroute bouncing between routers

Little Bunny

Hello

I have configured a new SVI on a pair of Cisco 6509 routers using HSRP, but for some reason I cannot ping the gateway. I have other vlans set up the same and they are pingable and working fine. Here are the configs and HSRP outputs for the working and non-working vlans:

NON-WORKING VLAN:

ANGUHUB22#sh run int vlan 2105

interface Vlan2105
description ELEC01-F5-FWGLUE=ELEC-LB
mtu 8500
ip vrf forwarding ELEC-LB
ip address 10.45.24.197 255.255.255.248
standby 0 ip 10.45.24.198
standby 0 priority 105
standby 0 preempt
standby 0 authentication md5 key-string 7 xxx
end

ANGUHUB22#sh standby vlan 2105
Vlan2105 - Group 0
State is Active
2 state changes, last state change 6w1d
Virtual IP address is 10.45.24.198
Active virtual MAC address is 0000.0c07.ac00
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.168 secs
Authentication MD5, key-string
Preemption enabled
Active router is local
Standby router is 10.45.24.196, priority 100 (expires in 9.680 sec)
Priority 105 (configured 105)
Group name is "hsrp-Vl2105-0" (default)

**********************************************************************

WORKING VLAN:

ANGUHUB22#sh run int vlan 1962
interface Vlan1962
description ENTS01-F5-FWGLUE=ENTS-PRODLB
mtu 8500
ip vrf forwarding ENTS-PRODLB
ip address 10.45.24.93 255.255.255.248
standby 0 ip 10.45.24.94
standby 0 priority 105
standby 0 preempt
standby 0 authentication md5 key-string 7 xxx

ANGUHUB22#sh standby vlan 1962
Vlan1962 - Group 0
State is Active
5 state changes, last state change 10w3d
Virtual IP address is 10.45.24.94
Active virtual MAC address is 0000.0c07.ac00
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.960 secs
Authentication MD5, key-string
Preemption enabled
Active router is local
Standby router is 10.45.24.92, priority 100 (expires in 9.232 sec)
Priority 105 (configured 105)
Group name is "hsrp-Vl1962-0" (default)

**********************************************************************

From my laptop I can ping the virtual address of vlan 1962 but not of 2105:

C:\Windows\System32\BIND9.10.4-P8.x64>ping 10.45.24.94

Pinging 10.45.24.94 with 32 bytes of data:
Reply from 10.45.24.94: bytes=32 time=139ms TTL=249
Reply from 10.45.24.94: bytes=32 time=45ms TTL=249
Reply from 10.45.24.94: bytes=32 time=17ms TTL=249
Reply from 10.45.24.94: bytes=32 time=22ms TTL=249

Ping statistics for 10.45.24.94:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 139ms, Average = 55ms

C:\Windows\System32\BIND9.10.4-P8.x64>ping 10.45.24.198

Pinging 10.45.24.198 with 32 bytes of data:
Reply from 13.8.12.113: TTL expired in transit.
Reply from 13.8.12.113: TTL expired in transit.
Reply from 13.8.12.113: TTL expired in transit.
Reply from 13.8.12.113: TTL expired in transit.

Ping statistics for 10.45.24.198:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

**********************************************************************

A traceroute to the non-working one bounces between the inner core router and the outer core router (ANGUHUB22) which is where the vlan is configured (public IPs removed/changed for privacy):

C:\Windows\System32\BIND9.10.4-P8.x64>tracert 10.45.24.198

Tracing route to 10.45.24.198 over a maximum of 30 hops

1 12 ms 12 ms 15 ms x.x.x.x
2 * * * Request timed out.
3 17 ms 13 ms 13 ms x.x.x.x
4 13 ms 17 ms 11 ms x.x.x.x
5 19 ms 18 ms 13 ms a0-a21.net.ubc.ca [13.8.12.66]
6 13 ms 19 ms 17 ms a22-a0.net.ubc.ca [13.8.12.113]
7 13 ms 18 ms 15 ms a0-a22.net.ubc.ca [13.8.12.114]
8 15 ms 17 ms 14 ms a22-a0.net.ubc.ca [13.8.12.113]
9 14 ms 17 ms 14 ms a0-a22.net.ubc.ca [13.8.12.114]
10 14 ms 15 ms 23 ms a22-a0.net.ubc.ca [13.8.12.113]
11 15 ms 14 ms 15 ms a0-a22.net.ubc.ca [13.8.12.114]
^C


**********************************************************************

Any idea what might be causing this issue with vlan 2105? Please let me know if you want more info.

Thanks in advance

Amy
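
Added example, not part of the original post: the tracert and ping output above can be checked mechanically for a forwarding loop. The Python below runs on lines copied from the post; the function names are illustrative assumptions.

```python
import re

# Hop and reply lines copied from the tracert and ping output in the post above.
TRACERT = """\
  4 13 ms 17 ms 11 ms x.x.x.x
  5 19 ms 18 ms 13 ms a0-a21.net.ubc.ca [13.8.12.66]
  6 13 ms 19 ms 17 ms a22-a0.net.ubc.ca [13.8.12.113]
  7 13 ms 18 ms 15 ms a0-a22.net.ubc.ca [13.8.12.114]
  8 15 ms 17 ms 14 ms a22-a0.net.ubc.ca [13.8.12.113]
  9 14 ms 17 ms 14 ms a0-a22.net.ubc.ca [13.8.12.114]
"""
PING = """\
Reply from 13.8.12.113: TTL expired in transit.
Reply from 13.8.12.113: TTL expired in transit.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP = re.compile(rf"^\s*(\d+)\s+.*?\[?({IPV4})\]?\s*$")
EXPIRED = re.compile(rf"Reply from ({IPV4}): TTL expired in transit")


def find_loop(tracert_text):
    """Return (hop_number, cycle) at the first revisited address, else None.

    Masked (x.x.x.x) and timed-out hops carry no address and are skipped.
    """
    path, index = [], {}
    for line in tracert_text.splitlines():
        m = HOP.match(line)
        if not m:
            continue
        hop, ip = int(m.group(1)), m.group(2)
        if ip in index:                      # same router seen again: forwarding loop
            start = index[ip]
            return path[start][0], [addr for _, addr in path[start:]]
        index[ip] = len(path)
        path.append((hop, ip))
    return None


def expired_sources(ping_text):
    """Addresses that returned ICMP time-exceeded to the ping."""
    return set(EXPIRED.findall(ping_text))


def ping_confirms_loop(tracert_text, ping_text):
    """True when every TTL-expired reply came from a router inside the loop."""
    loop = find_loop(tracert_text)
    sources = expired_sources(ping_text)
    return bool(loop and sources) and sources <= set(loop[1])
```

The loop starts at the first hop whose address appears twice, so the two routers to compare routing tables on are the ones in the returned cycle.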

8 Replies

Hi Amy,

Could you please provide the HSRP config of both devices and the show standby vlan 2105 and show ip interface brief outputs?

Also are you passing the vlan 2105 under the trunk interface connected to both switches?

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio

Sure, here you go:

LFSCHUB22#sh run int vlan 2105
Building configuration...

Current configuration : 252 bytes
!
interface Vlan2105
description ELEC01-F5-FWGLUE=ELEC-LB
mtu 8500
ip vrf forwarding ELEC-LB
ip address 10.45.24.196 255.255.255.248
standby 0 ip 10.45.24.198
standby 0 preempt
standby 0 authentication md5 key-string 7 xxx

ANGUHUB22#sh run int vlan 2105
Building configuration...

Current configuration : 276 bytes
!
interface Vlan2105
description ELEC01-F5-FWGLUE=ELEC-LB
mtu 8500
ip vrf forwarding ELEC-LB
ip address 10.45.24.197 255.255.255.248
standby 0 ip 10.45.24.198
standby 0 priority 105
standby 0 preempt
standby 0 authentication md5 key-string 7 xxx


**********************************************************************

LFSCHUB22#sh standby vlan 2105
Vlan2105 - Group 0
State is Standby
4 state changes, last state change 6w2d
Virtual IP address is 10.45.24.198
Active virtual MAC address is 0000.0c07.ac00
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.672 secs
Authentication MD5, key-string
Preemption enabled
Active router is 10.45.24.197, priority 105 (expires in 8.960 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Vl2105-0" (default)

ANGUHUB22#sh standby vlan 2105
Vlan2105 - Group 0
State is Active
2 state changes, last state change 6w2d
Virtual IP address is 10.45.24.198
Active virtual MAC address is 0000.0c07.ac00
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.592 secs
Authentication MD5, key-string
Preemption enabled
Active router is local
Standby router is 10.45.24.196, priority 100 (expires in 9.600 sec)
Priority 105 (configured 105)
Group name is "hsrp-Vl2105-0" (default)

**********************************************************************

LFSCHUB22#sh ip int brief vlan 2105
Interface IP-Address OK? Method Status Protocol
Vlan2105 10.45.24.196 YES manual up up

ANGUHUB22#sh ip int brief vlan 2105
Interface IP-Address OK? Method Status Protocol
Vlan2105 10.45.24.197 YES manual up up


**********************************************************************

Yes the vlan is being passed across the trunk link between the switches. It is port-channel 1:

LFSCHUB22#sh vlan id 2105

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
2105 ELEC01-F5-FWGLUE=ELEC-LB active Po1, Po5

ANGUHUB22#sh vlan id 2105

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
2105 ELEC01-F5-FWGLUE=ELEC-LB active Po1, Po5

Thanks

Amy

Can you confirm if hosts on the non-working vlan are able to ping the gateway? It appears when you are pinging from your laptop the packet is traversing more than a few hops or possibly more.

You mentioned the packet is bouncing between inner and outer core, can you check routing on those devices and make sure they are pointing towards the right next hop?

Hi cofee

There are no hosts inside the vlan, it is a "glue" interface connecting the firewall (Cisco ASA context called ELEC) to an F5 load-balancer, which is configured with IPs 10.45.24.193, .194 and .195 (one of which is a floating IP between two physical F5 appliances).

The 2105 vlan resides on 13.8.12.113 (ANGUHUB22) and from the traceroute it shows that it reaches that device. There is a static route on ANGUHUB22 for 10.45.24.192/29 which points to the firewall:

ANGUHUB22#sh ip route 10.45.24.198
Routing entry for 10.45.24.192/29
Known via "static", distance 1, metric 0
Redistributing via ospf 2, bgp 64000
Advertised by ospf 2 metric 10 subnets
bgp 64000
Routing Descriptor Blocks:
* 13.8.254.193
Route metric is 0, traffic share count is 1

ANGUHUB22#sh run | i 10.45.24.192
ip route 10.45.24.192 255.255.255.248 13.8.254.193 name ELEC01:ELEC01-F5-FWGLUE=ELEC-LB

From ANGUHUB22 I can see and ping the gateway and the interfaces configured on the F5:

ANGUHUB22#sh ip arp vrf ELEC-LB vlan 2105
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.45.24.198 - 0000.0c07.ac00 ARPA Vlan2105
Internet 10.45.24.197 - 0064.403b.f300 ARPA Vlan2105
Internet 10.45.24.196 28 aca0.160a.3880 ARPA Vlan2105
Internet 10.45.24.195 3 000a.49bd.d9ca ARPA Vlan2105
Internet 10.45.24.194 35 000a.49d5.af4a ARPA Vlan2105
Internet 10.45.24.193 27 000a.49bd.d9ca ARPA Vlan2105


ANGUHUB22#ping vrf ELEC-LB 10.45.24.198

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.45.24.198, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ANGUHUB22#ping vrf ELEC-LB 10.45.24.193

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.45.24.193, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

ANGUHUB22#ping vrf ELEC-LB 10.45.24.194

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.45.24.194, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Hope this helps

Thanks

Amy

I've uploaded a diagram

Thank you Amy,

From which device were you testing?

C:\Windows\System32\BIND9.10.4-P8.x64>ping 10.45.24.198

Pinging 10.45.24.198 with 32 bytes of data:
Reply from 13.8.12.113: TTL expired in transit.
Reply from 13.8.12.113: TTL expired in transit.
Reply from 13.8.12.113: TTL expired in transit.
Reply from 13.8.12.113: TTL expired in transit.

From each switch are you able to ping the IP address from each other?

ping vrf ELEC-LB 10.45.24.196 (Same for .197) 

Is there any ACL between the switches?




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

I was pinging from my laptop which is external to that particular network.

Yes the switches can ping each other's vlan 2105 IPs from within the ELEC-LB vrf only:

LFSCHUB22#ping 10.45.24.197

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.45.24.197, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

LFSCHUB22#ping vrf ELEC-LB 10.45.24.197

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.45.24.197, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

There are no ACLs blocking the traffic.

Thanks

Amy

Hello

It looks like you have advertised the failing vrf svi into the global rib, but have you reversed it and put the networks into the vrf you wish that vrf to reach, and lastly advertised the vrf subnet into IGP?

ip route 10.45.24.192 255.255.255.248 13.8.254.193 name ELEC01:ELEC01-F5-FWGLUE=ELEC-LB
ip route vrf ELEC-LB x.x.x.x y.y.y.y. nexthop global

router xxx
ELEC-LB network

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
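
Added example, not part of the thread: a check for the condition Paul's reply describes, where a subnet is connected inside a VRF while a static route for the same prefix sits in another table, plus a listing of what the VRF can route back to. The configuration text is assembled from ANGUHUB22 lines quoted in the thread; the function names are illustrative assumptions, and a finding is something to review, not proof of a fault.

```python
import ipaddress
import re

# Assembled from ANGUHUB22 lines quoted in the thread; nothing else from the device is known.
CONFIG = """\
interface Vlan2105
 ip vrf forwarding ELEC-LB
 ip address 10.45.24.197 255.255.255.248
 standby 0 ip 10.45.24.198
!
ip route 10.45.24.192 255.255.255.248 13.8.254.193 name ELEC01:ELEC01-F5-FWGLUE=ELEC-LB
"""


def parse(config):
    """Return (interfaces, statics); a table of None means the global routing table."""
    interfaces, statics, name, vrf = [], [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            name, vrf = m.group(1), None
        elif m := re.match(r"ip vrf forwarding (\S+)", line):
            vrf = m.group(1)
        elif name and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            interfaces.append((name, vrf, net))
        elif m := re.match(r"ip route (?:vrf (\S+) )?(\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            statics.append((m.group(1), net, m.group(4)))
    return interfaces, statics


def table_mismatches(config):
    """Interface subnets connected in one table but reached by a static route in another."""
    interfaces, statics = parse(config)
    return [
        {"interface": name, "connected_in": vrf or "global",
         "static_in": table or "global", "prefix": str(prefix), "next_hop": hop}
        for name, vrf, net in interfaces
        for table, prefix, hop in statics
        if table != vrf and net.subnet_of(prefix)
    ]


def vrf_static_prefixes(config, vrf):
    """Prefixes the VRF itself can route to via static routes (the return direction)."""
    return [str(prefix) for table, prefix, _ in parse(config)[1] if table == vrf]
```

An empty result from `vrf_static_prefixes` for the lines shown only reflects what was posted; the full running configuration would need to be fed in to answer Paul's question.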