Replaced Z1 with Z3 Local Static Routes No Longer Work

TonySmith
Getting noticed

Hi,

Attached to my home office network I have three subnets. Call the first 172.17.217.0/28, which is directly attached to the Z1 inside interface. The Z1 is 172.17.217.1 and is the default gateway.

Secondary subnets 172.17.1.0/24 and 172.17.88.0/24 are reached via a separate device, 172.17.217.2. So that device is on the local "inside" LAN alongside the Z1, and routes to 172.17.1.0/24 and 172.17.88.0/24 are configured on the Z1 under "Teleworker Gateway" / "Addressing and VLANs" / "Routing" / "Static Routes" with (obviously) 172.17.217.2 as "Next hop IP". Both routes are Enabled and active "Always".

All this worked correctly when configured. However, recently the Z1 failed and was replaced with a Z3, and now they do not work. A trace from a host on the inside LAN times out after 172.17.217.1, the default gateway.

Any ideas would be appreciated in case I've fat fingered something, before I raise a Meraki support case.

Thanks, Tony S

cmr
Kind of a big deal

Have you rebooted the other device, in case its ARP table still has the MAC address of the Z1?

TonySmith
Getting noticed

Thanks, I don't think I have. It's been a couple of weeks, so I wouldn't expect it to hang onto the old ARP entry that long. It's not a Meraki or even a Cisco device and I don't know the ARP timeout. But checking just now, it has no ARP entry for anything on 172.17.217.0.

ww
Kind of a big deal

Can you ping 172.17.217.2 from the MX interface 172.17.217.1?

Or the other way around?

TonySmith
Getting noticed

Yes can ping either way. When the Z3 is switched on of course.

cmr
Kind of a big deal

@TonySmith if there is no ARP entry for the Z3 then no traffic can flow. Is the port definitely up, and does the Z3 have an ARP entry for the other device? Are both set to auto-negotiate, and have they negotiated the same speed and duplex?

TonySmith
Getting noticed

Sorry, I should have mentioned the Z3 is only powered on when I'm working, not all the time. I was just checking there wasn't a stale ARP entry stuck for 217.2.

Just looking at the dashboard I see .2 listed as a "client" with its 217.2 address, and some traffic was registered when the Z3 was online yesterday.

PhilipDAth
Kind of a big deal

Have you got any L3 firewall rules?

No custom rules, only the default inbound "deny any any" and outbound "permit any any".

This begs a few questions:

1. Do these rules work differently with a Z3 vs a Z1?

2. Do they apply to traffic between hosts on the LAN ports?

3. And if so, which direction is considered "inbound" and which "outbound"?

I should add that if I add the route on the PC itself then it works. So traffic between the PC and 217.2 isn't being blocked by the Z3.

VictorYang
Meraki Employee

1. Do these rules work differently with a Z3 vs a Z1?
    There is no difference. Z3 and Z1 would work the same.

2. Do they apply to traffic between hosts on the LAN ports?
    Only if you have firewall rules configured. As you checked, there is no additional firewall configured.

I reckon you may take a packet capture via the dashboard Network-wide --> Packet capture page. You may select the LAN interface and check the output to see if the MX did forward the packet out while you are testing the route. Or you may open a support case and call in for live troubleshooting.

TonySmith
Getting noticed

Thanks. I had a brief chance to troubleshoot, and actually the route to 172.17.88.0 works. I wouldn't swear I fully tested that before, as I might have assumed that if one route worked then so would the other.

Doing a network-wide packet capture for a ping to 172.17.1.1 shows the packets being received but no answer.

But that's the same when taking a capture for a ping to 172.17.88.1, which does work: only the ping request is seen, I guess because the reply comes directly from the Mikrotik on 217.2 to my PC at 217.10.
