Weird - Procurve 2626 Ping to Firewall Fails

Toby211
Occasional Advisor

I'm having a problem with a new install. I want to access my 2626 switches across a VPN. I have a 2824 wired to my Watchguard X700 firewall. I can ping this through the VPN fine!
What I can't ping is the 2626s, which are linked by fibre to the 2824.
I have run troubleshooting and found - although the 2626s have a default gateway of the firewall - they can't ping it.
I have no VLANs, STP, Stacking or anything else complicated. Everything is on the same class C subnet. VPN works fine.
Anyone got any ideas - PLEASE!!
10 REPLIES
Matt Hobbs
Honored Contributor

Re: Weird - Procurve 2626 Ping to Firewall Fails

If they're all in the same VLAN and have the right default gateways set, it should be fine. Can you attach the running-config of the 2824 and the 2626 here? (remove any sensitive info).
Paulen
Regular Advisor

Re: Weird - Procurve 2626 Ping to Firewall Fails

We have seen this many times if we change the IP address of the firewall, or change IP/subnet of the switch. Seems that there is an ARP thingy; won't update with the new details.
Toby211
Occasional Advisor

Re: Weird - Procurve 2626 Ping to Firewall Fails

I have checked the ARP tables of both the working 2824 and the failing 2626 switches and both appear fine (i.e. same MAC for the firewall).

-----2626 config-----
Running configuration:
; J4900B Configuration Editor; Created on release #H.08.86
hostname "PC2626 - Graphics"
snmp-server contact "CSC IT Ltd"
snmp-server location "Graphics Department"
ip default-gateway 10.0.11.254
no timesync
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-26
   ip address 10.0.11.201 255.255.255.0
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
password manager
password operator


-----2824 config-----
Running configuration:
; J4903A Configuration Editor; Created on release #I.08.87
hostname "PC2824 - Central"
snmp-server contact "CSC IT Ltd"
snmp-server location "Server Room"
ip default-gateway 10.0.11.254
no timesync
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address 10.0.11.200 255.255.255.0
   exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-HDx sensitivity high
fault-finder duplex-mismatch-FDx sensitivity high
password manager
password operator


Thanks in advance all!
Matt Hobbs
Honored Contributor

Re: Weird - Procurve 2626 Ping to Firewall Fails

Your config is fine... possibly there is something else that has the same IP address as the 2626 which is causing a conflict? If you can telnet to the 2824 across the VPN, from the 2824 can you then telnet to the 2626?
Toby211
Occasional Advisor

Re: Weird - Procurve 2626 Ping to Firewall Fails

Definitely not an IP conflict!
I've double-checked the suggested telnet then telnet and this is fine.
Any comms on the customer's LAN between switches, PCs, etc. is fine. The only thing that fails is comms between the problem switches and the firewall or through the firewall. I did think initially that it was an ARP/MAC problem (as was suggested) but it doesn't seem to be.
Matt Hobbs
Honored Contributor

Re: Weird - Procurve 2626 Ping to Firewall Fails

Can you see the ARP table on the firewall itself? Can you clear it and try again? Very strange...

Although no one has helped you find a solution yet, don't forget to assign points along the way to any replies that you receive here.
Toby211
Occasional Advisor

Re: Weird - Procurve 2626 Ping to Firewall Fails

Don't worry - points will be distributed soon!

Ok, got the arp and routing table from firewall. VERY STRANGE... what on earth are the !H entries for my problem switch addresses?!?

Routes:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.40.87.41    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
217.40.87.42    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
217.40.87.43    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
217.40.87.44    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.11.201     -               255.255.255.255 !H    0      -      546 -
10.0.11.202     -               255.255.255.255 !H    0      -      372 -
10.0.11.203     -               255.255.255.255 !H    0      -      392 -
10.0.11.204     -               255.255.255.255 !H    0      -        0 -
10.0.11.205     -               255.255.255.255 !H    0      -        0 -
217.40.87.40    0.0.0.0         255.255.255.248 U     0      0        7 eth0
10.0.11.0       0.0.0.0         255.255.255.0   U     0      0     2221 eth1
10.0.47.0       0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.10.2.0       0.0.0.0         255.255.255.0   U     0      0       14 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0       94 lo
0.0.0.0         217.40.87.46    0.0.0.0         UG    0      0    14512 eth0

ARP Table:
Address HWtype HWaddress Flags Mask Iface
10.0.11.48 ether 00:13:72:83:92:D8 C eth1
10.0.11.1 ether 00:00:00:00:00:00 - eth1
10.0.11.3 ether 02:14:22:78:9D:99 C eth1
10.0.11.68 ether 00:00:B4:C6:30:08 C eth1
10.0.11.5 ether 00:11:43:EC:71:47 C eth1
10.0.11.200 ether 00:15:60:FB:D3:40 C eth1
10.0.11.9 ether 00:14:22:78:9C:EF C eth1
10.0.11.154 ether 00:0A:95:BB:5D:12 C eth1
217.40.87.46 ether 00:20:6F:0D:33:C5 C eth0
Toby211
Occasional Advisor

Re: Weird - Procurve 2626 Ping to Firewall Fails

Have figured out a bit more myself.

The !H is a reject single host route.

Have asked Watchguard - firewall manufacturer - to tell me why it's doing this. Will post back their response when I get it.

Thanks all thus far!!

Toby.
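
Added example, not part of the thread: a short Python check that reads routing and ARP tables in the layout posted above, lists every host covered by a reject (`!`) route, and shows which connected route that /32 entry overrides by longest-prefix match. The function names are made up for this example, the sample rows are a subset of the ones posted, and it assumes the net-tools `route` convention that `!` in the Flags column marks a reject route.

```python
import ipaddress

# Subset of the firewall tables posted above, same whitespace-separated layout.
ROUTES = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.11.201 - 255.255.255.255 !H 0 - 546 -
10.0.11.204 - 255.255.255.255 !H 0 - 0 -
10.0.11.0 0.0.0.0 255.255.255.0 U 0 0 2221 eth1
0.0.0.0 217.40.87.46 0.0.0.0 UG 0 0 14512 eth0
"""
ARP = """\
Address HWtype HWaddress Flags Mask Iface
10.0.11.48 ether 00:13:72:83:92:D8 C eth1
10.0.11.200 ether 00:15:60:FB:D3:40 C eth1
"""

def parse_routes(text):
    # One dict per route row; the header and malformed lines are skipped.
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        rows.append({"net": net, "flags": f[3], "use": int(f[6]), "iface": f[7]})
    return rows

def parse_arp(text):
    # Map IP -> MAC for every "ether" row.
    rows = (l.split() for l in text.splitlines())
    return {f[0]: f[2] for f in rows if len(f) >= 4 and f[1] == "ether"}

def rejected_hosts(route_text, arp_text):
    # List hosts behind reject routes and the usable route each one shadows.
    routes, arp = parse_routes(route_text), parse_arp(arp_text)
    usable = [r for r in routes if "!" not in r["flags"]]
    findings = []
    for r in routes:
        if "!" not in r["flags"]:
            continue
        host = r["net"].network_address
        # Longest-prefix match among usable routes: the path the packet
        # would take if the more specific /32 reject route were absent.
        match = max((u for u in usable if host in u["net"]),
                    key=lambda u: u["net"].prefixlen, default=None)
        findings.append({"host": str(host), "hits": r["use"],
                         "shadowed_iface": match["iface"] if match else None,
                         "arp_mac": arp.get(str(host))})
    return findings
```

On these rows, 10.0.11.201 is reported with 546 lookups against its reject route, `eth1` as the interface the 10.0.11.0/24 route would otherwise use, and no ARP entry, which matches the firewall having no entry for the 2626 while 10.0.11.200 (the 2824) resolves normally.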
Mohieddin Kharnoub
Honored Contributor

Re: Weird - Procurve 2626 Ping to Firewall Fails

Hi Toby

My dear, I think you should delete these routes; many people had the same complaint (Linux issue):

10.0.11.201 - 255.255.255.255 !H 0 - 546 -
10.0.11.202 - 255.255.255.255 !H 0 - 372 -
10.0.11.203 - 255.255.255.255 !H 0 - 392 -
10.0.11.204 - 255.255.255.255 !H 0 - 0 -
10.0.11.205 - 255.255.255.255 !H 0 - 0 -

I think this will help you a lot.
More info about flushing these routes:
http://linux-ip.net/html/tools-ip-route.html#tools-ip-route-flush

Good Luck.
Science for Everyone
Toby211
Occasional Advisor

Re: Weird - Procurve 2626 Ping to Firewall Fails

Thanks Mohieddin.

I'm trying to; however, this doesn't seem very easy on the Watchguard Firebox I have, as there is no command line access/utility.
I have tried rebooting but this doesn't do it.
I am waiting to hear back from Watchguard...