Cisco – Router loop but the router causing the loop knows the correct route


I have three routers (an HSRP pair, RTR2A and RTR2B, and a router, RTR3) and a firewall. The firewall is set up to capture packets on its interface connected to RTR2A, as I am having problems with routing.
RTR3 is being used to send packets to the IP addresses 172.17.4.10 and 172.17.5.10. The routing tables for the two networks containing these addresses look the same to me.


Router 2A Sho ip route output

#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.64.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.64.4
      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
C        10.1.0.0/21 is directly connected, GigabitEthernet1/0/2
L        10.1.0.100/32 is directly connected, GigabitEthernet1/0/2
C        10.1.64.0/29 is directly connected, Vlan50
L        10.1.64.2/32 is directly connected, Vlan50
C        10.1.64.8/29 is directly connected, Vlan26
L        10.1.64.10/32 is directly connected, Vlan26
C        10.1.65.0/24 is directly connected, Vlan25
L        10.1.65.2/32 is directly connected, Vlan25
S        10.10.10.0/24 [1/0] via 10.1.64.12
      172.17.0.0/24 is subnetted, 2 subnets
S        172.17.4.0 [1/0] via 10.1.64.12
S        172.17.5.0 [1/0] via 10.1.64.12

Router 3 Sho ip route

#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

     172.17.0.0/24 is subnetted, 2 subnets
S       172.17.5.0 [1/0] via 10.1.64.1
S       172.17.4.0 [1/0] via 10.1.64.1
     158.89.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       158.89.24.240/28 is directly connected, Vlan2
C       158.89.23.0/24 is directly connected, Vlan4
     10.0.0.0/8 is variably subnetted, 5 subnets, 4 masks
S       10.10.10.0/24 [1/0] via 10.1.64.1
S       10.1.0.0/21 [1/0] via 10.1.64.1
C       10.1.16.0/22 is directly connected, FastEthernet1/0/23
S       10.1.65.0/24 [1/0] via 10.1.64.1
C       10.1.64.0/29 is directly connected, Vlan50
     192.168.3.0/29 is subnetted, 1 subnets
C       192.168.3.0 is directly connected, Vlan3
S*   0.0.0.0/0 [1/0] via 192.168.3.1

Router 2B sho IP route

#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.64.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.64.4
      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
C        10.1.0.0/21 is directly connected, GigabitEthernet1/0/2
L        10.1.0.101/32 is directly connected, GigabitEthernet1/0/2
C        10.1.64.0/29 is directly connected, Vlan50
L        10.1.64.3/32 is directly connected, Vlan50
C        10.1.64.8/29 is directly connected, Vlan26
L        10.1.64.11/32 is directly connected, Vlan26
C        10.1.65.0/24 is directly connected, Vlan25
L        10.1.65.3/32 is directly connected, Vlan25
S        10.10.10.0/24 [1/0] via 10.1.64.12
      172.17.0.0/24 is subnetted, 2 subnets
S        172.17.4.0 [1/0] via 10.1.64.12
S        172.17.5.0 [1/0] via 10.1.64.12

If I tracer 172.17.4.10, the firewall sees the UDP packets (which is what I want).

My problem is that if I tracer 172.17.5.10, the firewall does not see the UDP packets, and I see the traceroute going between 10.1.64.2 and 10.1.64.4.
Tracer 172.17.5.10

10.1.64.2 0ms 0ms 0ms 
10.1.64.4 8ms 0ms 6ms
10.1.64.2 0ms 0ms 0ms 
^c

If I ping 172.17.5.10 from Router2A, the firewall does see the packets.

Router 3 is a 3750, Router 2 are 3850s.

There is no device with an IP in the range 172.17.5.0/25 – I am using this to demonstrate the problem to myself

So I'm close to saying this is a bug – I'm waiting for a reboot, but my questions at the moment are:

  1. Does the order of the output of sho ip route indicate some difference in how the routes are operating?
  2. Can anyone see a difference in the routing tables?
  3. If not, then is there some other mechanism that a router uses to route packets other than the routing tables? In relation to this, there is no ip source-route on the routers.

Thanks for the attention and questions

The Level 2 A Router config

RTR2A>enable
Password:
RTR2A#
RTR2A#term len 0
RTR2A#sho run
Building configuration...

Current configuration : 10133 bytes
!
! Last configuration change at 01:23:49 UTC Wed Mar 28 2018 by admin
! NVRAM config last updated at 01:25:41 UTC Wed Mar 28 2018 by admin
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service compress-config
no service dhcp
!
hostname RTR2A
!
boot-start-marker
boot system switch all flash:cat3k_caa-universalk9.SPA.03.07.04.E.152-3.E4.bin
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10240
no logging console
enable XXXX
!
username XXXX
no aaa new-model
switch 1 provision ws-c3850-24t
!
!
!
!
!
coap http enable
!
!
!
!
!
!
no ip source-route
ip routing
no ip gratuitous-arps
!
no ip domain-lookup
!
!
qos queue-softmax-multiplier 100
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-999999999
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-999999999
 revocation-check none
 rsakeypair TP-self-signed-999999999
!
!
crypto pki certificate chain TP-self-signed-99999999
 certificate self-signed 01
  Key Removed
        quit
no errdisable detect cause loopback
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause psp
errdisable recovery interval 180
diagnostic bootup level minimal
!
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
vlan 25
 name XXXX
!
vlan 26
 name FW
!
vlan 50
 name L2RTR-L3RTR
!
vlan 51
 name L2RTR-L2RTR
!
vlan 99
 name unused
!
track 2 interface GigabitEthernet1/0/2 line-protocol
 delay down 15 up 10
no cdp run
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 169.254.245.1 255.255.0.0
 negotiation auto
!
interface GigabitEthernet1/0/1
 description XXXX
 switchport access vlan 50
 switchport mode access
 speed 100
 duplex full
!
interface GigabitEthernet1/0/2
 description XXXX
 no switchport
 ip address 10.1.0.100 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 102 ip 10.1.0.1
 standby 102 timers 2 6
 standby 102 priority 105
 standby 102 preempt delay minimum 90
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/3
 description XXXX
 switchport access vlan 26
 switchport mode access
!
interface GigabitEthernet1/0/4
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/5
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/8
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/9
 description XXXX
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/10
 description XXXX
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/11
 description XXXX
 switchport access vlan 25
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/14
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/15
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/16
 description XXXX
 switchport access vlan 99
 shutdown
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/17
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 description XXXX
 switchport access vlan 25
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 description XXXX
 switchport access vlan 25
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/22
 description XXXX
 switchport access vlan 50
!
interface GigabitEthernet1/0/23
 description XXXX
 switchport access vlan 99
 shutdown
!
interface GigabitEthernet1/0/24
 description XXXX
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet1/1/1
 description XXXX
 shutdown
!
interface GigabitEthernet1/1/2
 description XXXX
 shutdown
!
interface GigabitEthernet1/1/3
 description XXXX
 shutdown
!
interface GigabitEthernet1/1/4
 description XXXX
 shutdown
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 description XXXX
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan25
 description XXXX
 ip address 10.1.65.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 25 ip 10.1.65.1
 standby 25 timers 2 6
 standby 25 priority 101
 standby 25 preempt delay minimum 90
 standby 25 track 2 decrement 10
!
interface Vlan26
 description FW
 ip address 10.1.64.10 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 26 ip 10.1.64.9
 standby 26 timers 2 6
 standby 26 priority 101
 standby 26 preempt delay minimum 90
 standby 26 track 2 decrement 10
!
interface Vlan50
 description L2RTR-L3RTR
 ip address 10.1.64.2 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 50 ip 10.1.64.1
 standby 50 timers 2 6
 standby 50 priority 101
 standby 50 preempt delay minimum 90
 standby 50 track 2 decrement 10
!
ip default-gateway 10.1.64.4
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.64.4
ip route 10.10.10.0 255.255.255.0 10.1.64.12
ip route 172.17.4.0 255.255.255.0 10.1.64.12
ip route 172.17.5.0 255.255.255.0 10.1.64.12
!
!
logging trap notifications
!
snmp-server XXXX
snmp-server XXXX
snmp-server XXXX
snmp-server XXXX
snmp-server XXXX
!
!
!
line con 0
 exec-timeout 30 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 password XXXX
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 login
!
ntp server 158.89.24.242 source GigabitEthernet1/0/1
ntp server 158.89.25.250 source GigabitEthernet1/0/1
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end

RTR2B config

RTR2B>enable
Password:
RTR2B#
RTR2B#term len 0
RTR2B#sho run
Building configuration...

Current configuration : 10212 bytes
!
! Last configuration change at 00:20:04 UTC Wed Mar 28 2018 by admin
! NVRAM config last updated at 01:25:44 UTC Wed Mar 28 2018 by admin
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service compress-config
no service dhcp
!
hostname RTR2B
!
boot-start-marker
boot system switch all flash:cat3k_caa-universalk9.SPA.03.07.04.E.152-3.E4.bin
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10240
no logging console
enable XXXX
!
username XXXX
no aaa new-model
switch 1 provision ws-c3850-24t
!
!
!
!
!
coap http enable
!
!
!
!
!
!
no ip source-route
ip routing
no ip gratuitous-arps
!
no ip domain-lookup
!
!
qos queue-softmax-multiplier 100
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-999999999
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-999999999
 revocation-check none
 rsakeypair TP-self-signed-999999999
!
!
crypto pki certificate chain TP-self-signed-99999999
 certificate self-signed 01
  Key Removed
        quit
no errdisable detect cause loopback
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause psp
errdisable recovery interval 180
diagnostic bootup level minimal
!
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
vlan 25
 name XXXX
!
vlan 26
 name FW
!
vlan 50
 name L2RTR-L3RTR
!
vlan 51
 name L2RTR-L2RTR
!
vlan 99
 name unused
!
track 2 interface GigabitEthernet1/0/2 line-protocol
 delay down 15 up 10
no cdp run
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 169.254.245.2 255.255.0.0
 negotiation auto
!
interface GigabitEthernet1/0/1
 description XXXX
 switchport access vlan 50
 switchport mode access
 speed 100
 duplex full
!
interface GigabitEthernet1/0/2
 description XXXX
 no switchport
 ip address 10.1.0.101 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 102 ip 10.1.0.1
 standby 102 timers 2 6
 standby 102 priority 95
 standby 102 preempt delay minimum 90
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/3
 description XXXX
 switchport access vlan 26
 switchport mode access
!
interface GigabitEthernet1/0/4
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/5
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/8
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/9
 description XXXX
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/10
 description XXXX
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet1/0/11
 description XXXX
 switchport access vlan 25
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/14
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/15
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/16
 description XXXX
 switchport access vlan 99
 shutdown
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/17
 description XXXX
 switchport access vlan 99
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 description XXXX
 switchport access vlan 25
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 description XXXX
 switchport access vlan 25
 switchport mode access
 shutdown
 speed 1000
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 description XXXX
 switchport access vlan 25
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet1/0/22
 description XXXX
 switchport access vlan 50
!
interface GigabitEthernet1/0/23
 description XXXX
 switchport access vlan 99
 shutdown
!
interface GigabitEthernet1/0/24
 description XXXX
 switchport mode trunk
 speed 1000
 duplex full
!
interface GigabitEthernet1/1/1
 description XXXX
 shutdown
!
interface GigabitEthernet1/1/2
 description XXXX
 shutdown
!
interface GigabitEthernet1/1/3
 description XXXX
 shutdown
!
interface GigabitEthernet1/1/4
 description XXXX
 shutdown
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 description XXXX
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan25
 description XXXX
 ip address 10.1.65.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 25 ip 10.1.65.1
 standby 25 timers 2 6
 standby 25 priority 95
 standby 25 preempt delay minimum 90
 standby 25 track 2 decrement 10
!
interface Vlan26
 description FW
 ip address 10.1.64.11 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 26 ip 10.1.64.9
 standby 26 timers 2 6
 standby 26 priority 95
 standby 26 preempt delay minimum 90
 standby 26 track 2 decrement 10
!
interface Vlan50
 description L2RTR-L3RTR
 ip address 10.1.64.3 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 50 ip 10.1.64.1
 standby 50 timers 2 6
 standby 50 priority 95
 standby 50 preempt delay minimum 90
 standby 50 track 2 decrement 10
!
ip default-gateway 10.1.64.4
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.64.4
ip route 10.10.10.0 255.255.255.0 10.1.64.12
ip route 172.17.4.0 255.255.255.0 10.1.64.12
ip route 172.17.5.0 255.255.255.0 10.1.64.12
!
!
logging trap notifications
!
snmp-server XXXX
snmp-server XXXX
snmp-server XXXX
snmp-server XXXX
snmp-server XXXX
!
!
!
line con 0
 exec-timeout 30 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 15 0
 password XXXX
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 login
!
ntp server 158.89.24.242 source GigabitEthernet1/0/1
ntp server 158.89.25.250 source GigabitEthernet1/0/1
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end

RTR3 172.17.5.10

RTR3#sho ip cef 172.17.5.10 detail
172.17.5.0/24, epoch 2
  recursive via 10.1.64.1
      attached to Vlan 50

RTR3 172.17.4.10

RTR3#sho ip cef 172.17.4.10 detail
172.17.4.0/24, epoch 2
  recursive via 10.1.64.1
      attached to Vlan 50

RTR2A 172.17.4.10

RTR2A#sho ip cef 172.17.4.10 detail
172.17.4.0/24, epoch 3
  recursive via 10.1.64.12
      attached to Vlan 26

RTR2A 172.17.5.10

enter image description here

Best Answer

Neither 172.17.4.10 nor 172.17.5.10 has a specific route in RTR2A/B. The static routes

S        172.17.4.0 [1/0] via 10.1.64.12
S        172.17.5.0 [1/0] via 10.1.64.12

are missing a network mask. Accordingly, the default route back to RTR3 is chosen and the packet loops.

Edit: The config marked "One of the level 2 routers" lacks routes to the above subnets. The config marked "The Level 2 A Router config" has them included.
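
A way to check the tables in the question mechanically, added here as an example (it is not code from the question or the answer): parse the RTR2A route lines, do a longest-prefix match with recursive next-hop resolution, and compare the result with the hop seen in the traceroute. IOS prints a shared mask once on the "is subnetted" header line, so the parser carries that mask down to the entries beneath it. The function names are hypothetical; the route lines and the observed hop 10.1.64.4 are taken from the question.

```python
import ipaddress
import re

# Route lines copied from the RTR2A "sho ip route" output in the question.
RTR2A_ROUTES = """\
S*    0.0.0.0/0 [1/0] via 10.1.64.4
      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
C        10.1.0.0/21 is directly connected, GigabitEthernet1/0/2
L        10.1.0.100/32 is directly connected, GigabitEthernet1/0/2
C        10.1.64.0/29 is directly connected, Vlan50
L        10.1.64.2/32 is directly connected, Vlan50
C        10.1.64.8/29 is directly connected, Vlan26
L        10.1.64.10/32 is directly connected, Vlan26
C        10.1.65.0/24 is directly connected, Vlan25
L        10.1.65.2/32 is directly connected, Vlan25
S        10.10.10.0/24 [1/0] via 10.1.64.12
      172.17.0.0/24 is subnetted, 2 subnets
S        172.17.4.0 [1/0] via 10.1.64.12
S        172.17.5.0 [1/0] via 10.1.64.12
"""

HEADER = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)/(\d+) is (variably )?subnetted")
ROUTE = re.compile(
    r"^(?P<code>[A-Za-z])\S*\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"(?:\[\d+/\d+\] via (?P<via>\S+)|is directly connected, (?P<intf>\S+))")

def parse_routes(text):
    """Return [(network, next_hop or None, interface or None)]."""
    routes, inherited = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            # "is subnetted": children share the header mask; "variably": each has its own
            inherited = None if h.group(3) else int(h.group(2))
            continue
        m = ROUTE.match(line)
        if not m:
            continue
        plen = int(m["len"]) if m["len"] else inherited
        if plen is None:
            raise ValueError(f"no prefix length for: {line!r}")
        routes.append((ipaddress.ip_network(f"{m['net']}/{plen}"), m["via"], m["intf"]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match over the parsed table."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def resolve(routes, dest, max_depth=8):
    """Follow recursive next hops until a connected interface is reached."""
    net, via, intf = lookup(routes, dest)
    first_hop, hop = via, via
    for _ in range(max_depth):
        if intf is not None:
            return str(net), first_hop, intf
        _, nxt, intf = lookup(routes, hop)
        hop = nxt or hop
    raise RuntimeError("next hop did not resolve to a connected interface")

def rib_vs_observed(routes, dest, observed_hop):
    """Compare the table's choice with the next hop actually seen on the wire."""
    net, expected, intf = resolve(routes, dest)
    return {"rib_prefix": net, "rib_next_hop": expected, "egress": intf,
            "matches_rib": expected == observed_hop,
            "routes_with_observed_hop": [str(n) for n, v, _ in routes if v == observed_hop]}

if __name__ == "__main__":
    print(rib_vs_observed(parse_routes(RTR2A_ROUTES), "172.17.5.10", "10.1.64.4"))
```

A mismatch between `rib_next_hop` and the observed hop means the packet was forwarded on a different entry than the one the routing table selects, which is the point at which comparing `sho ip cef` for both prefixes on RTR2A becomes the useful next step.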