Unable to ping management address on CVG


Hi everyone, I have built a new L3 CVG on prem to use within our private WAN.  Basically I am trying to do a VPN from a remote site to the CVG for a certain group of people. The CVG is up in HiveManager and has a routable WAN address which I can ping from anywhere within the WAN. All good so far.  I have then added a management network which the CVG picks up and assigns to itself.

 

The problem I have is that I am unable to ping this management address.  I have done a traceroute to the CVG from our datacenter and its last hop is the CVG's WAN address and nothing after that.  If I SSH onto the CVG I can ping its management address fine.  The CVG has the internal network of the data center and can ping out fine to the rest of the WAN.

Has anyone come across this problem before or has any pointers?

 

Ref=references; Iface=interface;
U=route is up;H=target is a host; G=use gateway;
Destination     Gateway         Netmask         Flags Metric Ref    Use Iface
--------------- --------------- --------------- ----- ------ ------ --- -----
10.103.58.64    0.0.0.0         255.255.255.240 U     0      0        0 mgt0
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
10.103.78.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         10.103.78.1     0.0.0.0         UG    0      0        0 eth0

 

State=Operational state; Chan=Channel;
Radio=Radio profile; U=up; D=down;

Name        MAC addr       Mode     State Chan(Width) VLAN Radio      Hive       SSID
----------- -------------- -------- ----- ----------- ---- ---------- ---------- ---------
Mgt0        0050:5688:0dde -        U     -           400  -          hive0      -
Agg0        0050:5688:0de1 backhaul D     -           1    -          hive0      -
Eth0        0050:5688:0dde wan      U     -           -    -          -          -
Eth1        0050:5688:2adf wan      U     -           -    -          -          -
Red0        0050:5688:0de0 backhaul D     -           1    -          hive0      -
Tunnel0     -              -        U     -           1    -          hive0      -


 

Thanks Ollie

Oliver Washbrook


Posted 2 years ago


Rusty Wyatt, Technical Support Engineer

Ollie,

It's important to remember that the CVG is basically a router.  The mgmt address is locally attached to the router process in the CVG - as you're already "on" the CVG, it can easily find it and therefore ping. 

It sounds like the problem when trying to ping the mgmt address from another internal system/client is likely on your core router.  It is required that any mgmt and client network(s) that exist behind your CVG need to be directed to the CVG's LAN interface on your core router - in the event that you are not using OSPF to distribute routes to your internal network devices, you will need to set up static routes on your core router.  As the CVG has a "default" gateway defined, the route back to your internal network is already defined.

-R
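
The routing point in the reply above can be checked against the route table posted in the question. This is an added example, not part of the thread: it assumes eth0 is the WAN-facing interface (the interface table lists it in "wan" mode), and the datacenter host 10.50.0.10 is a constructed sample address.

```python
import ipaddress

# Route table from the question, values as posted.
ROUTE_TABLE = """\
10.103.58.64  0.0.0.0      255.255.255.240  U   0 0 0 mgt0
127.0.0.0     0.0.0.0      255.255.255.0    U   0 0 0 lo
10.103.78.0   0.0.0.0      255.255.252.0    U   0 0 0 eth0
0.0.0.0       10.103.78.1  0.0.0.0          UG  0 0 0 eth0
"""

def parse_routes(text):
    """Return a list of (network, gateway_or_None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[-1]
        # strict=False: the posted eth0 row (10.103.78.0 with a /22 mask)
        # has host bits set, which strict parsing rejects.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw if "G" in flags else None, iface))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: (iface, next_hop) the CVG would use for addr."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return iface, gw

def prefixes_behind(routes, wan_iface="eth0"):
    """Connected, non-loopback networks that are not on the WAN side.
    Per the reply above, the core router needs a route toward the CVG
    for each of these."""
    return [str(net) for net, gw, iface in routes
            if gw is None and iface != wan_iface and not net.is_loopback]

if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    print(lookup(routes, "10.103.58.65"))   # management subnet
    print(lookup(routes, "10.50.0.10"))     # constructed datacenter host
    print(prefixes_behind(routes))
```
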

Oliver Washbrook

Hi Rusty,

Thanks for responding.  I was looking at this earlier and I turned off NAT on the CVG and that allowed me to ping the mgmt addresses.  I'm a bit confused as to why that would be the case but at least it's working and I can crack on with testing a BR100.

Static routes were already on the Cisco router pointing mgmt addresses and users' addresses to the CVG WAN address.

You did mention that they should be pointing to the LAN address but I haven't inputted an IP address so I presume the WAN address is fine?  When looking at the documentation they all seem to say you need a WAN and a LAN address on the CVG.  In my scenario I'm hoping that it's not really necessary as we don't need a DMZ style setup as it's a VPN between sites in our own WAN if that makes sense.

Thanks
Ollie

Rusty Wyatt, Technical Support Engineer

Ollie,

Okay - yes, that would also do it.  I assume that your CVG is in a one-arm configuration since you have only the WAN interface connected.  By default, in that mode, NAT is enabled.  In two-arm mode - where there is a WAN and LAN connection, NAT is disabled and you would, indeed, point your routes to the LAN interface. 

You can certainly run the CVG in a one-arm mode - it just makes the configuration of it a bit more difficult.  The first of those would be the NAT being enabled by default.  As I recall, there is not an option in the HiveManager GUI to disable that and it must be done on the CLI.  Further, new configuration updates to the CVG will overwrite that setting and cause NAT to become enabled again - which subsequently must be disabled manually.  There are several other quirks too, but they can usually all be overcome through some level of interaction with the CLI on the CVG. 

-Rusty

Oliver Washbrook

Thanks for your help Rusty.  I'll explore this one-arm route to find these quirks.

Ollie