can't ping a switch connected to TNSR
-
Hi guys,
I can't break a basic thing like a two-way ping between a server with TNSR and an L3 switch.
Switch:
- set VLAN 777, set IP 172.16.7.254/24 on VLAN interface 777
- I set the port leading to the TNSR server to the trunk and enable VLAN 777
TNSR:
- I will set the sub interface S2_WAN1 777 according to the documentation: https://docs.netgate.com/tnsr/en/latest/interfaces/types-vlan.html
- I will add the IP address 172.16.7.102/24 to the S2_WAN1.777 interface
Now, based on experience with other network devices, I should be able to ping the other party from the switch and vice versa, but it doesn't work.
In the switch, I see the MAC address of the other party in VLAN 777, i.e. TNSR.
If I ping from the switch to TNSR then there is no answer.
If I run tcpdump on TNSR according to the documentation: https://docs.netgate.com/tnsr/en/latest/troubleshooting/capture.html then I only see incoming ARP requests who has IP 172.16.7.102? TNSR no longer responds to the ARP protocol.
Did I forget something in TNSR? According to the documentation, no ACLs are enabled by default and traffic should flow.
I tried the same procedure on an ordinary port of the ACCESS mode switch in a configuration without tagged VLAN, on TNSR I removed the sub interface (with problems that I describe in another thread https://forum.netgate.com/topic/169908/problem-with-remove-vlan-interface) but with the same result.
Please help.
Thank you
N.A.
-
-
@network-admin Really hard to tell with the information provided.
What is the output of:
show config run cli
-
Hi, yes I apologize, I gave the statement in the referenced post, but it should also be here, I attach below:
TNSR(172.16.7.102):
localhost tnsr# show config run cli
nacm enable
nacm read-default deny
nacm write-default deny
nacm exec-default deny
nacm group admin
    member root
    member tnsr
exit
nacm rule-list admin-rules
    group admin
    rule permit-all
        module *
        access-operations "*"
        action permit
    exit
exit
dataplane ethernet default-mtu 1500
dataplane dpdk dev 0000:02:00.1 network
dataplane dpdk dev 0000:02:00.2 network
dataplane dpdk dev 0000:02:00.3 network
dataplane dpdk dev 0000:05:00.0 network name S2_WAN_1
dataplane dpdk dev 0000:05:00.1 network name S2_LAN_1
dataplane dpdk dev 0000:08:00.0 network name S2_WAN_2
dataplane dpdk dev 0000:08:00.1 network name S2_LAN_2
dataplane dpdk uio-driver igb_uio
dataplane buffers buffers-per-numa 32768
dataplane statseg heap-size 96M
nat global-options nat44 enabled false
interface subif S2_WAN_1 777
    exact-match
    outer-dot1q 777
exit
interface S2_LAN_1
    enable
exit
interface S2_LAN_2
    enable
exit
interface S2_WAN_1
    enable
exit
interface S2_WAN_1.777
    enable
    ip address 172.16.7.102/24
exit
interface S2_WAN_2
    enable
exit
nat ipfix logging domain 1
nat ipfix logging src-port 4739
nat nat64 map parameters
    security-check enable
exit
interface S2_LAN_1
exit
interface S2_LAN_2
exit
interface S2_WAN_1
exit
interface S2_WAN_1.777
exit
interface S2_WAN_2
exit
route dynamic manager
exit
route dynamic ospf6
exit
route dynamic bgp
    disable
exit
route dynamic ospf
exit
route dynamic rip
exit
dhcp4 server
    lease persist true
    lease lfc-interval 3600
    interface socket raw
exit
unbound server
    enable ip4
    enable tcp
    enable udp
    enable harden glue
    enable hide identity
    port outgoing range 4096
exit
snmp host disable
3COM switch cfg (172.16.7.254):
#
vlan 777
 description VLAN_WANS
#
interface Vlan-interface777
 ip address 172.16.7.254 255.255.255.0
#
interface Bridge-Aggregation2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 777
#
interface Ten-GigabitEthernet2/1/1
 port link-mode bridge
 description SERVER2_WAN
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 777
 port link-aggregation group 2
#
and the output of the command "display mac-address vlan 777", where 40a6-b73c-f1d8 is the MAC address of the TNSR NIC:
MAC ADDR        VLAN ID  STATE    PORT INDEX           AGING TIME(s)
40a6-b73c-f1d8  777      Learned  Bridge-Aggregation2  AGING

  ---  1 mac address(es) found  ---
and the output of the command "display arp", where 40a6-b73c-f1d8 is the MAC address of the TNSR NIC and IP 172.16.7.102 also belongs to TNSR, so ARP partially works, but ping does not:
Type: S-Static    D-Dynamic    O-Openflow
IP Address    MAC Address     VLAN ID  Interface  Aging  Type
172.16.7.102  40a6-b73c-f1d8  777      BAGG2      20     D
-
So solved :-) I thought it would be related to the fact that the port is in line aggregation on the L3 switch. I removed the port from the line aggregation and now the ping works and everything behaves as expected.
Sorry for the confusion, the error is probably in the line aggregation configuration.
Thank you!
-
@network-admin link aggregation always needs to be configured on both sides of a link. Glad you got it sorted out.
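
An added example, not part of the original thread or of either vendor's tooling: a Python check for the mismatch found above, where a switch port belongs to a link-aggregation group while the TNSR side defines no bond. The sample configs are constructed and abridged from the posts above; it assumes the listed switch ports face the TNSR host and that a TNSR bond appears as an `interface bond <id>` line in the CLI config.

```python
import re

# Constructed samples, abridged from the configurations posted in this thread.
SWITCH_CFG = """\
#
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 777
#
interface Ten-GigabitEthernet2/1/1
 port link-type trunk
 port trunk permit vlan 777
 port link-aggregation group 2
#
"""

TNSR_CFG = """\
interface S2_WAN_1
    enable
exit
interface S2_WAN_1.777
    enable
    ip address 172.16.7.102/24
exit
"""

def switch_lag_members(cfg):
    """Map each Comware-style port stanza to the aggregation group it joins."""
    members, port = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            port = line.split(None, 1)[1].strip()
        elif line.startswith("#"):
            port = None  # '#' closes the current stanza
        elif port and (m := re.match(r"\s+port link-aggregation group (\d+)", line)):
            members[port] = int(m.group(1))
    return members

def tnsr_has_bond(cfg):
    """True if the TNSR config defines a bond (assumed syntax: 'interface bond <id>')."""
    return any(re.match(r"interface bond \d+", line) for line in cfg.splitlines())

def lag_mismatches(switch_cfg, tnsr_cfg):
    """Switch ports placed in an aggregation group while TNSR has no bond at all."""
    if tnsr_has_bond(tnsr_cfg):
        return []
    return sorted(switch_lag_members(switch_cfg).items())

if __name__ == "__main__":
    for port, group in lag_mismatches(SWITCH_CFG, TNSR_CFG):
        print(f"{port}: in aggregation group {group}, but no bond on the TNSR side")
```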