Cannot ping secondary IP address on subinterface from SVI interface.

Hi to all.
We have a border router with lots of subinterfaces, and some of them have a few secondary networks from different subnets on them. I've configured an SVI interface on the same VLAN in the same subnet, but I can't ping from this SVI the secondary address that is applied on a subinterface on the router.
It seems strange, because on other subinterface, with few secondary networks - all works fine.
All links between switches and routers are in trunk mode, all switches contain the appropriate VLANs in their vlan.dat, all appropriate VLANs are allowed on the switches, all ARP entries are present on the border router and on the switches, and all appropriate MAC addresses are present in the mac-address table.
BR conf:
int gi0/1.10
encapsulation dot1q 10
ip add 192.168.1.1 255.255.255.0
ip add 192.168.2.1 255.255.255.0 secondary
int gi0/1.20
encapsulation dot1q 20
ip add 192.168.10.1 255.255.255.0
ip add 192.168.11.1 255.255.255.0 secondary
sw101 conf:
int vlan10
ip add 192.168.1.2 255.255.255.0
no ip route-cache
int vlan20
ip add 192.168.10.2 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
sw102 conf:
int vlan10
ip add 192.168.1.3 255.255.255.0
no ip route-cache
int vlan20
ip add 192.168.10.3 255.255.255.0
no ip route-cache
ip default-gateway 192.168.1.1
Connection scheme is trivial: br-->sw101-----L2VPN(QinQ) ISP-->sw102
Pings to 192.168.1.1 from sw101 & sw102 are successful.
Pings to 192.168.10.1 from sw101 & sw102 fail (sometimes some packets reach the destination - about 1-2 of 5 sent packets).
When I remove the secondary IP address (192.168.11.1/24) from the BR subinterface, all works fine.
I cannot understand what's wrong.
br -  7206VXR (NPE-G2)
sw101 - WS-C3560X-48T-L
sw102 - WS-X45-SUP7L-E
I haven't attached the other port configurations (trunk port configuration, VLAN database, etc.) because I believe the problem is not in the L2 layer; I think the problem is in the ARP entries.
P.S. Sorry guys for my english, sorry for probably a stupid question, but i really can't catch it - pls help me to understand that.

Hi sgulyamov,
did you try to debug ARP requests on Br?
Could you post the configuration of the switch interface connected to Br?
Bye,
enrico

Similar Messages

  • Cannot ping LAN IP Address but can ping WAN IP Address. Please help

    I have LinkSys Wireless Access Point Router, after I upgrade the firmware from another router I can ping the WAN IP ADdress but I cannot ping the LAN IP address, please help.
    thanks

    I have two Networks here.
    1st Network (6th Floor)
    -- I have Cisco VPN Concentrator, Cisco Router and 3Com Switches
    -- My PDC Server also located
    -- IP Range 10.11.10.x
    -- Gateway 10.11.10.6
    2nd Network (10th FLoor)
    -- I have Linksys Wireless (Wireless G Broadband Router w/4 Port Switch Model: WRT54G)
    -- I have 3Com Switch
    -- The Internet Port of the Linksys is connected directly to 6th floor 3com switch
    -- The Lan Port of the Linksys is connected to the 10th FLoor 3com switch then the server and workstations all connected to the 10th Floor 3 Com Switch
    -- IP Range 192.168.85.x
    -- Gateway 192.168.85.1
    -- Internet IP Address of the Wireless
      IP: 10.11.10.11
     SM: 255.255.255.0
      GW: 10.11.10.6
    -- Local IP Address of the Wireless
      IP: 192.168.85.1
     SM: 255.255.255.0
    Firmware: 4.21.1
    This what happen
    1) Users, SErvers, computers located at 10Th Floor dont have a problem connecting to the servers and computers at 6th Floor (10.11.10.x)
    2) Users, Servers and computers located at 6th Floor CANNOT CONNECT to the Servers, computers located at 10th FLoor
    3) After firmware upgrade, servers and computer can ping Linksys Internet IP of 10.11.10.11
    What we require.
    WE NEED TO CONNECT COMPUTERS, SERVERS FROM 6TH FLOOR TO 10TH FLOOR AS WELL. MEANING WE WANT BOTH NETWORK PING OR SEE EACH OTHER
    YOUR HELP IS GREATLY APPRECIATED
    THANKS A LOT
    CYNTHIA

  • IPV6 clients cannot ping each other while getting IP from DHCP server running in windows 2008

    I have two windows 7 clients and a windows 2008 server connected to a switch with static IP 172:16:5::1/64.
    DHCP server is configured with static IP 172:16:5::20/64
    when i statically assign IP to windows 7 clients like 172:16:5::21 & ::22, they can ping each other. if they get ip from DHCP server, they cannot ping each other.
    if i configure the gateway (172:16:5::1) in the clients manually, they can ping each other.
    is there any way we can make dhcp server to give gateway to the clients along with IP?

    From what I have gathered:
    IPv6 won't route because the DHCP server is setup in 'stateless' mode and the switches do not support IPv6. (
    "But if your routers are not IPv6 supported (yet), you can
    reconfigure DHCPv6 to Disable Stateless mode, and that'll issue IPv6 addresses that
    will eliminate the Ping problem." -
    http://www.networkworld.com/article/2228461/microsoft-subnet/setting-up-dhcpv6-to-dynamically-issue-ipv6-addresses-in-a-network.html)
    So you must change to 'disable stateless' mode. Which the only way I can THINK to do this is to uninstall DHCP and reinstall DHCP and select 'disable stateless' during the installation (which I haven't confirmed). (In
    case, “Disable DHCPv6 stateless mode for this server” option was selected during role installation" -
    http://blogs.technet.com/b/teamdhcp/archive/2009/03/03/dhcpv6-understanding-of-address-configuration-in-automatic-mode-and-installation-of-dhcpv6-server.aspx)
    zz.. but my understanding of DHCP is fragmented, please take what I find with a grain of salt. I am off to reinstall DHCP :] .. fun.
    Mediocre Access 2010 | (Baby) Beginner C Sharp | OK at Active Directory (2012) | Fragmented understanding of DNS/DHCP | Laughable experience with Group Policy | Expert question asker on MSDN Forums

  • Secondary email addresses fail login from abroad

    From France the primary email address logs in to webmail OK, all the secondaries fail.
    Any ideas please?

    it's a webmail issue (connection to that server or not) not a broadband issue. Lots of the wrong type of issue are posted here but since you did not get a reply it is worth posting in the correct forum and that way you are more likely to be helped basically.

  • Will Exchange ever support sending mail from a secondary smtp address?

    Most here probably know this but a quick recap:
    User has PrimarySMTP address of [email protected] and secondary SMTP of [email protected] In Outlook, if you set the secondary SMTP address in the "From" field, Exchange will throw an "undeliverable" error stating you're not authorized to send mail as this user.
    I know there are 3rd party tools that can help you with this, and ways to circumvent this (using extra accounts or distribution groups), but it's actually really annoying. I've been involved with a lot of companies with different brands (and a domain for each brand) who want to communicate with the outside world using these different brand names. One sales manager could be involved with different brands, and right now you'll have to create a new account or group for each and every brand/domain name.
    With every new Exchange, one of the first things I check is whether this behaviour has changed. Will this ever be implemented? Is there anyone here that could shed some light on that? Is there a reason why this does not change?
    Kind regards,
    Remco Roxs

    Nobody who participates in these forums knows what the future holds at Microsoft.  If we did, we wouldn't be able to share it with you in any case because we'd be sworn to secrecy.
    Just buy this for your sales manager: http://www.ivasoft.biz/choosefrom2007.shtml
    Or just tell him to use two mailboxes.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Any limit to number of secondary ip addresses?

    Hi,
    Is there any limit to the number of secondary ip addresses on an interface of a router?
    I just took over an existing live system.
    The previous engineer configured secondary ip addresses on a single physical interface.
    Currently, there are 1 main ip address and 2 secondary ip addresses.
    I am not allowed to change the existing configuration nor disrupt the existing live system, so I cannot use sub-interface.
    When I tried to add 1 more secondary ip addresses, to make it 1 main ip and 3 secondary ip address,
    but no matter how I tried, I cannot ping to the end device of this NEW secondary ip address subnet
    So I removed one of the existing secondary ip addresses, and I discovered I can ping the end device of the NEW secondary address!!!
    But when I put back the one I removed, I can no longer ping to the end device of the NEW secondary address AGAIN!
    I suspect that there is a limit to the number of secondary addresses that can be configured on the physical address.
    But, I check the link http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a008012d8f7.shtml#q21, it says
    Q. What are the maximum number of secondary IP addresses that can be configured on a router interface?
    A. There are no limits on configuring secondary IP addresses on a router interface. For more information, refer to Configuring IP Addressing.
    I think Cisco could be wrong when saying "There are no limits".
    Can someone kindly help me confirm whether there are any limits to the number of secondary ip addresses on an interface of a router?
    thank you

    Hi,
    The main ip and secondary ip addresses are all subnetted into 255.255.255.240.
    Main IP 172.16.21.155
    Secondary IP#1 = 172.16.21.141
    Secondary IP#2 = 172.16.21.93
    New Secondary IP#3 = 172.16.21.226
    As a test, I simply remove any of the existing secondary ip addresses, and it works!
    But when I put back any of the addresses I removed, the new one does not work again.
    If it is true there is no limit, can it be due to other factors like the router hardware?
    Pls kindly advise.
    Thank you.
    Rgds,
    Rachel

  • Bringing up a third interface - cannot ping servers

    Hi All,
    I have a CSS 11503 that already had 2 interfaces up and running fine. The frontend is on vlan 26 and backend server vlan is on vlan 836. Now, I have some servers on vlan 301 that needed load balancing and brought up the third interface.
    Here is my config
    interface 1/1
    bridge vlan 836
    interface 1/2
    bridge vlan 26
    interface 2/1 (this is the new interface)
    bridge vlan 301
    circuit VLAN836
    ip address 10.10.235.5 255.255.255.128
    circuit VLAN26
    ip address 10.10.26.5 255.255.255.0
    circuit VLAN301
    ip address 10.44.0.5 255.255.252.0
    Here is the "show ip route" output
    BCMDC-CSS1# sh ip route
    prefix/length next hop if type proto age metric
    10.1.20.0/22 10.1.22.150 2 mgmt local -- --
    0.0.0.0/0 10.10.26.1 1022 remote static 5342983 0
    10.44.0.0/22 10.44.0.5 1021 local local 7122 0
    10.10.26.0/24 10.10.26.5 1022 local local 5343307 0
    10.10.235.0/25 10.10.235.5 1023 local local 5343288 0
    Show arp contains all the servers I want to ping and here is the arp table on the CSS
    10.44.0.1 00-00-0c-07-ac-1f dynamic 2/1
    10.44.0.2 00-d0-02-f3-a8-00 dynamic 2/1
    10.44.0.3 00-09-12-ed-6f-00 dynamic 2/1
    10.44.0.20 00-11-25-9d-e4-98 dynamic 2/1
    10.44.0.21 00-11-25-9d-ee-d7 dynamic 2/1
    10.44.0.30 00-11-25-9d-e6-86 dynamic 2/1
    10.44.0.31 00-14-5e-3c-71-38 dynamic 2/1
    10.44.0.32 00-11-25-4a-82-a1 dynamic 2/1
    10.44.0.33 00-14-5e-3e-60-e1 dynamic 2/1
    10.44.0.34 00-11-25-9e-e5-ce dynamic 2/1
    10.44.0.35 00-11-25-9c-66-c9 dynamic 2/1
    10.44.0.40 00-1a-64-4f-21-bc dynamic 2/1
    10.44.0.41 00-1a-64-4f-23-6e dynamic 2/1
    10.44.0.50 00-1a-64-4f-2f-74 dynamic 2/1
    10.44.0.51 00-1a-64-4f-22-72 dynamic 2/1
    10.44.0.60 00-1a-64-4f-1c-ba dynamic 2/1
    10.44.0.61 00-1a-64-4f-13-06 dynamic 2/1
    I cannot ping any of the 10.44.0.x address. The interface is up and it is connected to a 6509 switch as an accessport on vlan301 and it shows up and up.
    There are no ACLs configured. I am just trying to ping the servers before I can write the content rules.
    Any ideas?

    OK. I figured out that I cannot ping the servers. But, I cannot ping the circuit vlan 301 IP from the router which is 10.44.0.5.
    However, I can ping vlan 836 circuit IP like 10.10.235.5 Here is the ping result from the router where the css is connected to
    gw1>ping 10.10.235.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.235.5, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
    gw1>ping 10.44.0.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.44.0.5, timeout is 2 seconds:
    Success rate is 0 percent (0/5)

  • Secondary IP address in ASA5510/PIX515e

    Hi All,
    Just want to know if there is a way to configure secondary IP address on the outside/public interface of ASA/PIX.
    One of our clients have used most of their IP on the subnet given by their ISP. They use those IP's for statically
    mapping to Servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also
    use this for static mapping/port forwarding to other servers in their network. The current UTM they are using is allowing this
    but they would like to use ASA/PIX as their main Firewall. Is this even possible or is there
    a workaround for this kind of scenario?
    Many Thanks!

    Lloyd
    Pix/ASA firewalls do not support using secondary addressing on an interface. However the good news is that they don't need to.
    As long as the ISP routes the new block of IP addresses to the outside interface of your firewall then you simply use the new block of IPs as you have the existing block ie. you set up static translations and allow access via the access-list.
    The new IP block does not actually have to be allocated to an interface.
    Jon

  • ACE 4700 - Cannot Ping the Alias

    I cannot ping my alias addresses. I can ping the actual interface addresses but not the alias. When I look at the ARP entry on the switch it's connected to for the alias, it comes up INCOMPLETE.
    Below is my config.
    interface gigabitEthernet 1/1
    description Fault Tolerant Port
    ft-port vlan 990
    no shutdown
    interface gigabitEthernet 1/2
    shutdown
    interface gigabitEthernet 1/3
    shutdown
    interface gigabitEthernet 1/4
    switchport trunk allowed vlan 10,112,200,254
    no shutdown
    resource-class RC1
    limit-resource all minimum 20.00 maximum unlimited
    limit-resource sticky minimum 8.00 maximum unlimited
    boot system image:c4710ace-mz.A1_7b.bin
    hostname atl-ace-01
    access-list ALL line 8 extended permit ip any any
    class-map type management match-any PING
    2 match protocol icmp any
    class-map type management match-all SNMP-ALLOW_CLASS
    2 match protocol snmp source-address 10.150.100.202 255.255.255.255
    class-map type management match-any remote_access
    2 match protocol xml-https any
    4 match protocol icmp any
    5 match protocol telnet any
    6 match protocol ssh any
    7 match protocol http any
    8 match protocol https any
    9 match protocol snmp any
    policy-map type management first-match AllowICMP
    class PING
    permit
    policy-map type management first-match SNMP-ALLOW_POLICY
    class SNMP-ALLOW_CLASS
    policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
    permit
    interface vlan 200
    ip address 10.10.200.110 255.255.254.0
    alias 10.10.200.120 255.255.254.0
    peer ip address 10.10.200.111 255.255.254.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    service-policy input SNMP-ALLOW_POLICY
    service-policy input AllowICMP
    no shutdown
    ft interface vlan 990
    ip address 192.168.254.1 255.255.255.0
    peer ip address 192.168.254.2 255.255.255.0
    no shutdown
    ft peer 1
    heartbeat interval 250
    heartbeat count 10
    ft-interface vlan 990
    ip route 0.0.0.0 0.0.0.0 10.10.201.254
    context Exchange-CAS
    allocate-interface vlan 112
    allocate-interface vlan 254
    member RC1
    ft group 1
    peer 1
    priority 200
    peer priority 190
    associate-context Exchange-CAS
    inservice

    Nevermind. I found an old Context on the redundant ACE with overlapping info.

  • Cisco C6500 CSM - Real server cannot ping its VIP.

    I've been running into an issue with Cisco CSM for a number of years, but always found a way around it. I'm attempting to get to the bottom of this to find out once and for all if this is in fact a limitation of the device, or a config issue/workaround is possible.
    Here is my situation. My CSMs are configured in bridging mode. Traffic works great, traffic bridges across VLANs correctly. Everything works and I have many instances of similar configurations running in production. Every once in a while, a client reports that a "real" server (i.e. LWCMW-021) cannot ping its VIP address (10.95.88.68). I am assuming this is related to the NAT Server, but I'm not 100% sure. Clients have requested this functionality for some type of application-based purpose, but I'm unaware if CSM in bridging mode can provide this or not.
    Any suggestions?
    real LWCMW-021
    address 10.95.88.59
    inservice
    real LWCMW-022
    address 10.95.88.60
    inservice
    serverfarm LWCMW-80
    nat server
    no nat client
    real name LWCMW-021 80
      inservice
    real name LWCMW-022 80
      inservice
    probe HTTP-80 (defined elsewhere)
    vserver LWCMW-80
    virtual 10.95.88.68 tcp WWW
    vlan 120
    serverfarm LWCMW-80
    persistent rebalance
    inservice

    Sorry for giving false hope. It is only possible in ACE module. In case of CSM I believe we can only use workaround.
    In case of ACE we can bind the Virtual IP to multiple VLANs. In that case we see an ARP entry like this.
    10.10.10.111    e0.5f.b9.a1.72.2b  vlan345   VSERVER    LOCAL     _         up
    10.10.10.111    e0.5f.b9.a1.72.2b  vlan346   VSERVER    LOCAL     _         up
    As Virtual IP is not bound to a particular vlan in case of CSM it does not work here, but I can say for sure it is expected behavior.
    The logic would be that the server tries to resolve the ARP for Virtual IP and it does not get a response.
    In my case virtual ip is 10.10.10.111 before applying policy on ACE  you can see that it is exhibiting the same behaviour.
    Time   | Source          | Destination | Comment
    0.000  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    0.999  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    1.998  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    3.014  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    4.014  | Vmware_b4:72:11 | Broadcast   | ARP: Who has 10.10.10.111?  Tell 10.10.10.11
    Hope that helps.
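
The symptom described in the answer above (a server keeps asking "who has" the virtual IP and never gets a reply) can be picked out of a capture summary mechanically. The following is an added example, not part of the original post: it assumes a plain-text summary with one "time ARP: ..." entry per line, and the sample lines, including the MAC address, are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the capture summary quoted above.
SAMPLE = """\
0.000 ARP: Who has 10.10.10.111?  Tell 10.10.10.11
0.999 ARP: Who has 10.10.10.111?  Tell 10.10.10.11
1.200 ARP: Who has 10.10.10.1?  Tell 10.10.10.11
1.201 ARP: 10.10.10.1 is at 02:00:00:00:00:01
1.998 ARP: Who has 10.10.10.111?  Tell 10.10.10.11
2.500 ARP: Who has 10.10.10.4?  Tell 10.10.10.4
3.014 ARP: Who has 10.10.10.111?  Tell 10.10.10.11
4.014 ARP: Who has 10.10.10.111?  Tell 10.10.10.11
"""

REQ = re.compile(r"^\s*(\d+\.\d+)\s+ARP:\s+Who has (\S+?)\?\s+Tell (\S+)\s*$")
REP = re.compile(r"^\s*(\d+\.\d+)\s+ARP:\s+(\S+) is at ([0-9A-Fa-f:.\-]+)\s*$")


def parse_arp_lines(text):
    """Return (kind, time, ip, peer) tuples; lines that are not ARP are ignored."""
    events = []
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            # ip = address being resolved, peer = host that is asking
            events.append(("request", float(m.group(1)), m.group(2), m.group(3)))
            continue
        m = REP.match(line)
        if m:
            # ip = address being answered for, peer = MAC in the reply
            events.append(("reply", float(m.group(1)), m.group(2), m.group(3).lower()))
    return events


def unanswered_arp(events, reply_window=1.0):
    """Targets for which no request was answered within reply_window seconds."""
    reply_times = defaultdict(list)
    for kind, t, ip, _peer in events:
        if kind == "reply":
            reply_times[ip].append(t)

    stats = {}
    for kind, t, target, asker in events:
        if kind != "request":
            continue
        if target == asker:
            continue  # gratuitous ARP announces an address; no reply is expected
        answered = any(t <= rt <= t + reply_window for rt in reply_times[target])
        entry = stats.setdefault(target, {"requests": 0, "answered": 0, "askers": set()})
        entry["requests"] += 1
        entry["answered"] += int(answered)
        entry["askers"].add(asker)

    return {
        ip: {"requests": e["requests"], "askers": sorted(e["askers"])}
        for ip, e in stats.items()
        if e["answered"] == 0
    }


if __name__ == "__main__":
    for ip, info in unanswered_arp(parse_arp_lines(SAMPLE)).items():
        print(f"{ip}: {info['requests']} requests from {info['askers']}, no reply")
```
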

  • Cannot ping AIR-LAP1242AG-A-K9 autonomous AP

    Hi there
    I have an access point AIR-LAP1242AG-A-K9 running IOS  C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA.
    Firstly, I can see the access point in my cdp neigh table on my switch to which the AP is connected to but I cannot ping the IP address of the AP.
    Could somebody please help me resolve this issue please???

    1.  Can you post the config of your AP?
    2.  Is the switch port configured as a trunk or an access port?

  • Cannot ping REAL server IP addresses from CSM 6500

    I have a dual 6500/CSM routed topology in which the traffic from clients to the server VIP works fine. However, in preparation for some upcoming work, I find that I cannot ping the REAL server IP addresses. This would seem to be an important troubleshooting step. Any ideas why this wouldn't work?

    Gilles, followup question. If I understand this, what you outlined above will allow traffic external coming into the 6500/CSM to be forwarded thru to the REAL server IPs. If it wasn't clear, I was trying to ping from the native-mode 6500 that contains the CSM. I've tried regular and extended pings using the CSM-configured server VLAN's IP and alias IP, but get no response back from any of the REAL server IP addresses.
    Is what you've indicated required to ping even if I'm on the 6500 which contains the CSM?

  • Cannot ping IAS RADIUS from WLC 2504

    I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server.  All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server.  The only thing that cannot ping the RADIUS server is the WLC itself.  Nothing in the FW is blocking connectivity.  Any ideas?
    (Cisco Controller) >show radius summ
    Vendor Id Backward Compatibility................. Disabled
    Call Station Id Case............................. lower
    Call Station Id Type............................. IP Address
    Aggressive Failover.............................. Disabled
    Keywrap.......................................... Disabled
    Fallback Test:
        Test Mode.................................... Off
        Probe User Name.............................. cisco-probe
        Interval (in seconds)........................ 300
    MAC Delimiter for Authentication Messages........ none
    MAC Delimiter for Accounting Messages............ hyphen
    Authentication Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1    NM    10.10.50.63       1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    2    NM    10.10.50.130      1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    Accounting Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1      N     10.10.50.63       1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none
    2      N     10.10.50.130      1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

    It's in the arp cache through the default router
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... d0:c2:82:df:5b:c0
    IP Address....................................... 10.30.72.250
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.30.72.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 10.10.10.65
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Disabled
    (Cisco Controller) >show arp switch
    Number of arp entries................................ 19
        MAC Address        IP Address     Port   VLAN   Type
    50:57:A8:D6:DE:C0   10.10.19.1       1      5      Host
    50:57:A8:D6:DE:C0   10.10.20.138     1      5      Host
    50:57:A8:D6:DE:C0   10.10.50.63      1      5      Host
    64:00:F1:08:A0:D0   10.30.72.1       1      0      Host
    50:57:A8:9E:B5:CD   10.30.72.40      1      0      Host
    50:57:A8:A1:7B:C5   10.30.72.44      1      0      Host
    50:57:A8:9E:99:78   10.30.72.48      1      0      Host
    50:57:A8:3B:66:E3   10.30.72.49      1      0      Host
    00:07:7D:43:23:DA   10.30.72.58      1      0      Host
    50:57:A8:9E:B6:1D   10.30.72.59      1      0      Host
    50:57:A8:9E:95:C5   10.30.72.60      1      0      Host
    50:57:A8:A1:7C:0D   10.30.72.61      1      0      Host
    00:07:7D:65:36:DD   10.30.72.62      1      0      Host
    50:57:A8:44:57:0C   10.30.72.63      1      0      Host
    50:57:A8:CA:CC:01   10.30.72.64      1      0      Host

  • I can SSH from the outside but cannot ping ISP gateway from 2911

    Hello all,
    I came across a rather strange issue. I am able to SSH to the device from my home, but while I am consoled in, I cannot ping the ISP gateway or any other IPs. As expected, all trace-routes fail without hitting the gateway as the first hop. I have been reading about the NVI0 interface and I decided to use it. Most of the sample configs on here use the "old" ip nat inside / outside on the appropriate interfaces. What do you guys suggest?
    Here is the running config. It is rather simple since i did not add all the access-lists except the ones I thought necessary to test the circuit. Please point out any mistakes or errors. Thanks in advance!
    Current configuration : 1679 bytes
    ! Last configuration change at 04:05:17 UTC Fri Sep 12 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname StandbyGZ-2911
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$BRaM$igChPMXLeHjgYR7EGk/Nb/
    no aaa new-model
    no ipv6 cef
    no ip source-route
    ip cef
    no ip domain lookup
    ip domain name StandbyGZ.local
    ip name-server 211.136.20.203
    ip name-server 211.139.136.68
    multilink bundle-name authenticated
    license udi pid CISCO2911/K9 sn FGL174410H9
    username StandbyGZ secret 5 $1$CXWC$m6kqTGbf0HDLCvkfU7.RA/
    ip ssh version 2
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description UPLINK TO CHINA MOBILE
     ip address 183.x.x.x 255.255.255.128
     ip access-group REMOTE-ADMIN-ACL in
     no ip redirects
     ip nat enable
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     description CONNECTION TO LAN SWITCH 3650-CORE
     ip address 10.10.1.254 255.255.254.0
     no ip redirects
     ip nat enable
     duplex auto
     speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 183.x.x.x
    ip access-list standard LAN-NAT-ACL
     permit 10.10.0.0 0.0.1.255
    ip access-list extended REMOTE-ADMIN-ACL
     permit tcp host 68.107.195.213 any eq 22 log
    control-plane
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     login local
     transport input ssh
     transport output ssh
    scheduler allocate 20000 1000
    end
    StandbyGZ-2911# sh ip int br
    Interface                            IP-Address        OK?   Method      Status                  Protocol
    GigabitEthernet0/0         unassigned        YES    NVRAM     administratively  down down
    GigabitEthernet0/1         183.x.x.x             YES    NVRAM     up                         up
    GigabitEthernet0/2         10.10.1.254       YES    NVRAM     up                         up
    NVI0                                 183.x.x.x             YES    unset          up                         up
    StandbyGZ-2911#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 183.233.184.129 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 183.233.184.129
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.10.0.0/23 is directly connected, GigabitEthernet0/2
    L        10.10.1.254/32 is directly connected, GigabitEthernet0/2
          183.233.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        183.x.x.x/25 is directly connected, GigabitEthernet0/1
    L        183.x.x.x/32 is directly connected, GigabitEthernet0/1

    Hi Chris,
    That is how I am used to configuring NAT, but IOS 12.3 and later introduced interface NVI0, which according to Cisco documentation should make applying the NAT statements "easier". "ip nat enable" has to be enabled on all interfaces and then NVI0 makes the "inside" and "outside" decisions. I was hoping that someone could clarify the real use of that NVI0 interface and if it causes problems. Apparently it cannot be removed from the config.
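
The posted config applies REMOTE-ADMIN-ACL inbound on GigabitEthernet0/1, so every packet arriving on that interface is checked against it, and anything that matches no entry falls through to the implicit deny that ends every IOS access list. The following is an added example, not code from the thread: it evaluates that one-entry ACL against a few constructed packets, supports only the `permit|deny proto src dst [eq port]` subset used in the config, and uses 192.0.2.1 as a placeholder for the router's masked 183.x.x.x address.

```python
import ipaddress

# The extended ACL from the posted config (applied "in" on GigabitEthernet0/1).
ACL_TEXT = """\
ip access-list extended REMOTE-ADMIN-ACL
 permit tcp host 68.107.195.213 any eq 22 log
"""

ROUTER = "192.0.2.1"  # placeholder: the real outside address is masked in the post


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)  # wildcard of all ones: every bit is "don't care"
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acl(text):
    """Parse permit/deny entries; only a destination 'eq PORT' is understood."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append({"action": action, "proto": proto, "src": src,
                      "dst": dst, "dport": dport, "text": line.strip()})
    return rules


def _addr_match(spec, ip):
    addr, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, pkt):
    """First matching entry wins; no match means the implicit deny applies."""
    for rule in rules:
        if rule["proto"] not in ("ip", pkt["proto"]):
            continue
        if not _addr_match(rule["src"], pkt["src"]):
            continue
        if not _addr_match(rule["dst"], pkt["dst"]):
            continue
        if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
            continue
        return rule["action"], rule["text"]
    return "deny", "implicit deny"


# Constructed packets as they would arrive on GigabitEthernet0/1.
PACKETS = {
    "ssh from admin host": {"proto": "tcp", "src": "68.107.195.213", "dst": ROUTER, "dport": 22},
    "telnet from admin host": {"proto": "tcp", "src": "68.107.195.213", "dst": ROUTER, "dport": 23},
    "echo-reply from gateway": {"proto": "icmp", "src": "183.233.184.129", "dst": ROUTER},
    "dns reply from name server": {"proto": "udp", "src": "211.136.20.203", "dst": ROUTER, "dport": 33000},
}


def verdicts():
    rules = parse_acl(ACL_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (action, why) in verdicts().items():
        print(f"{name:28s} {action:6s} ({why})")
```
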

  • I cannot ping any VIP from within the ACE or from rservers

    I cannot ping any VIP from within the ACE or from rservers.  Is this expected?  I have rservers in other serverfarms that need to be able to communicate with the VIP of other serverfarms.  Any help is greatly appreciated.

    Thanks for your reply.  Here is the config.  I removed other rserver and serverfarm config that does not have to do with this issue.
    logging enable
    logging fastpath
    logging standby
    logging console 4
    logging timestamp
    logging trap 4
    logging history 4
    logging buffered 4
    logging persistent 4
    logging monitor 4
    logging device-id hostname
    logging host 172.26.254.185 udp/514
    logging host 172.26.221.25 udp/514
    access-list INBOUND line 8 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    access-list INBOUND line 24 extended permit tcp any any
    access-list INBOUND line 32 extended permit udp any any
    access-list ORADB line 8 extended permit tcp any any
    probe http CITRIX
      interval 30
      passdetect interval 15
      passdetect count 6
      open 1
    probe tcp HYPERION
      port 19000
      interval 2
      faildetect 2
      passdetect interval 2
      passdetect count 2
      receive 2
      open 1
    probe icmp PROBE_SERVICE_ICMP
      interval 5
      passdetect interval 5
    probe tcp W15SPSWFET001_PROBE
      interval 5
      passdetect interval 5
      connection term forced
      open 1
    parameter-map type connection TIMEOUT
      set timeout inactivity 43200
    parameter-map type http test
      persistence-rebalance
      set header-maxparse-length 2006
    rserver host w0bairwatch003
      description MDM-SEG
      ip address 172.20.60.73
      inservice
    rserver host w0bairwatch004
      description MDM-SEG
      ip address 172.20.60.74
      inservice
    rserver host w0bairwatch005
      description MDM-DEVICE
      ip address 172.20.60.75
      inservice
    rserver host w0bairwatch006
      description MDM-DEVICE
      ip address 172.20.60.76
      inservice
    rserver host w0bhamobile001
      description Lotus Notes Traveler Server
      ip address 172.20.60.57
      inservice
    rserver host w0bhamobile002
      description Lotus Notes Traveler Server
      ip address 172.20.60.58
      inservice
    serverfarm host MDMDEVICE
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bairwatch005
        inservice
      rserver w0bairwatch006
    serverfarm host MDMSEG
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bairwatch003
        inservice
      rserver w0bairwatch004
        inservice
    serverfarm host TRAVLR
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bhamobile001
        inservice
      rserver w0bhamobile002
        inservice
    class-map match-all MDMDEVICE-VIP
      2 match virtual-address 172.20.48.35 any
    class-map match-all MDMSEG-VIP
      2 match virtual-address 172.20.48.33 any
    class-map type management match-any REMOTE_ACCESS
      description Remote access traffic match
      201 match protocol ssh any
      202 match protocol telnet any
      203 match protocol icmp any
      204 match protocol https any
      205 match protocol http any
      206 match protocol xml-https any
      207 match protocol snmp any
    class-map match-all TRAVLR-VIP
      2 match virtual-address 172.20.48.34 any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match MDMDEVICE
      class class-default
        serverfarm MDMDEVICE
    policy-map type loadbalance first-match MDMSEG
      class class-default
        serverfarm MDMSEG
    policy-map type loadbalance first-match TRAVLR
      class class-default
        serverfarm TRAVLR
    policy-map multi-match CLIENTS-VIPS
      class MDMDEVICE-VIP
        loadbalance vip inservice
        loadbalance policy MDMDEVICE
        loadbalance vip icmp-reply active
      class MDMSEG-VIP
        loadbalance vip inservice
        loadbalance policy MDMSEG
        loadbalance vip icmp-reply active
      class TRAVLR-VIP
        loadbalance vip inservice
        loadbalance policy TRAVLR
        loadbalance vip icmp-reply active
    interface vlan 48
      ip address 172.20.48.10 255.255.255.0
      access-group input INBOUND
      access-group output INBOUND
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input CLIENTS-VIPS
      no shutdown
    interface vlan 60
      ip address 172.20.60.10 255.255.255.0
      access-group input INBOUND
      access-group output INBOUND
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.20.48.1
