-------------------------------------------
Original Message:
Sent: Nov 13, 2025 05:16 PM
From: ariyap
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
anyway it was good that you found it. good troubleshooting!
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------
Original Message:
Sent: Nov 13, 2025 07:57 AM
From: parnassus
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Yeah, but to "Configure Prerequisites for DNS Latency Telemetry and Application Visibility" is a further step with respect to "Configure Prerequisites for Switch Telemetry" which is the initial step required to meet the minimum requirements for benefitting of (Aruba Networking Central) Switch Telemetry - as per the paragraph "This procedure configures the switch telemetry features required for access to the full capabilities of HPE Aruba Networking Central".
Read: start basic and grow with what it is really needed (to avoid issues caused by features your network probably doesn't immediately need to see deployed = know what are you doing and why).
Anyway what is the response of the TAC about that (if you really need that feature - or if it is really needed by HPE Networking Central - then it must works without hitting you with such type of issue)?
Original Message:
Sent: Nov 13, 2025 07:22 AM
From: asaraca
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Because we are in the process of moving from Cisco to Aruba switches and all the new switches are going to be managed by Aruba Central.
Original Message:
Sent: Nov 13, 2025 07:09 AM
From: parnassus
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Hi, glad you were able to solve.
The command ip flow monitor central_flow_monitor in related to (and part of) the "Step 8 Configure IPFIX on uplink LAG interfaces to export application details to Central" is indeed something related to Aruba Central telemetry ("Configure Prerequisites for DNS Latency Telemetry and Application Visibility - This procedure configures DNS latency telemetry and Application Visibility on an access switch.")...since you (I guess) don't have on your lab setup anything related to Aruba Central...why to follow that particular section of the guide?
Anyway...good you find your way!
Kind regards, Davide.
Original Message:
Sent: Nov 12, 2025 05:26 PM
From: asaraca
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
You were right ! By removing the extra settings the ping started to work normaly. The culprit is this setting:
ip flow monitor central_flow_monitor in
But what is strange is that this setting was copied from step #8 in the wired access configuration guide (Wired Access | Validated Solution Guide (hpe.com))
Original Message:
Sent: Nov 12, 2025 08:49 AM
From: parnassus
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Where is learned the MAC Address related to 10.0.200.1 that are you testing against?
Maybe posting sanitized running confugurations would help (as full sanitized outputs of various commands suggested).
More...on the Aruba CX 6200 why are needed these three settings on lag1 context:
ip flow monitor central_flow_monitor in
arp inspection trust
dhcpv4-snooping trust
personally I always prefer to start a configuration as plain as possible (and if works then add what is really needed).
By the way, if the LAG on the 6200 is correctly formed and coorectly connected to remote peer (the VSX) and the same is true on the VSX with its VSX LAG (Multi-Chassis LAG) to the 6200 peer, then you should move on an troubleshoot the routing, the SVI and the Active Gateway part on the VSX of that isolated lab.
Have you already rebooted the VSX and the 6200 before re-testing?
Original Message:
Sent: 11/12/2025 7:50:00 AM
From: asaraca
Subject: RE: Duplicate ping response: 6200 MCLAG -> 8100 VSX
On the VSX side here is the config:
interface lag 4 multi-chassis
no shutdown
description sw-ro-1c
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
lacp fallback
spanning-tree root-guard
interface 1/1/6
no shutdown
description sw-ro-1c.1
lag 4
On the 6200 side:
interface lag 1
no shutdown
description Uplink LAG
no routing
ip flow monitor central_flow_monitor in
vlan trunk native 1
vlan trunk allowed all
lacp mode active
arp inspection trust
dhcpv4-snooping trust
interface 1/1/51
no shutdown
lag 1
interface 1/1/52
no shutdown
lag 1
Original Message:
Sent: Nov 12, 2025 07:35 AM
From: asaraca
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
What is strange is that even if one of the vsx member is down, I still get the duplicate ping response !
sw-ro-1c# sh lacp interfaces
State abbreviations :
A - Active P - Passive F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync O - OutofSync
C - Collecting D - Distributing
X - State m/c expired E - Default neighbor state
Actor details of all interfaces:
----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr Forwarding
Name Id Pri Pri Key State
----------------------------------------------------------------------------------
1/1/51 lag1 52 1 ALFNCD 5c:a4:7d:73:17:00 65534 1 up
1/1/52 lag1 down
Partner details of all interfaces:
----------------------------------------------------------------------------------
Intf Aggr Port Port State System-ID System Aggr
Name Id Pri Pri Key
----------------------------------------------------------------------------------
1/1/51 lag1 1006 1 ALFNCD 02:01:00:00:01:00 65534 4
1/1/52 lag1
sw-ro-1c# ping 10.0.200.1
PING 10.0.200.1 (10.0.200.1) 100(128) bytes of data.
108 bytes from 10.0.200.1: icmp_seq=1 ttl=64 time=0.286 ms
108 bytes from 10.0.200.1: icmp_seq=1 ttl=64 time=0.289 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=2 ttl=64 time=0.319 ms
108 bytes from 10.0.200.1: icmp_seq=2 ttl=64 time=0.323 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=3 ttl=64 time=0.281 ms
108 bytes from 10.0.200.1: icmp_seq=3 ttl=64 time=0.284 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=4 ttl=64 time=0.284 ms
108 bytes from 10.0.200.1: icmp_seq=4 ttl=64 time=0.287 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=5 ttl=64 time=0.267 ms
Original Message:
Sent: Nov 12, 2025 02:53 AM
From: parnassus
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
A Multi-Chassis setting at LAG level on a (probably) standalone Aruba CX 6200 (or, alternatively, on a VSF made of two or more Aruba CX 6200) when uplinked to a VSX Cluster?
Isn't "multi-chassis" a LAG setting needed (exactly when the defined LAG spans from the two VSX Members to downlinked peers) on the VSX Cluster only? indeed...to downlinked peers - e.g. standalone switches, servers, VSF stacks, etc. - not knowing that they are linked to a multi-chassis cluster...the multi-chassis setting on the VSX LAG is the option making the magic but they could "ignore" that and be setup to just connect to a quite normal peer (and not a Cluster).
Maybe I missed something during these later years... ;-)
Edit: On the Aruba CX 6200 side a simple LAG should be enough to connect to the VSX (among other things, a simple LAG should also be the only one type of LAG that switch supports since it doesn't support Multi-Chassis clustering <- eventually it supports a VSF setup - not in this case as far as the OP told us - and VSF must be considered just a single logical formation so a LAG departing from a VSF stack is just a normal LAG with LACP as control protocol or with Non-Protocol aka Static).
Hope to have not overlooked above suggestions.
Original Message:
Sent: 11/12/2025 12:29:00 AM
From: shpat
Subject: RE: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Your routing/L3 setup looks just fine. I assume that duplicates means the downstream 6200 (sw-ro-1c) is sending L2 frames for the virtual MAC (02:01:00:00:00:01) to both 8100s at once. That is the reason why you see two ICMP replies per sequence. This happens when the 6200's uplink LAG is not truly acting as a multi-chassis LAG but rather two independent trunks.
Try those commands to check if something is missing:
show lacp interfaces
show interface lag
show mclag brief
show mac-address vlan 200 | include 02:01:00:00:00:01
I assume you'd need to have the configs like:
interface lag x
description "Uplink to VSX Core A/B"
multi-chassis
no shutdown
vlan trunk allowed all
lacp mode active
interface x/y/z
no shutdown
lag 1
interface x/y/z2
no shutdown
lag 1
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
Original Message:
Sent: Nov 11, 2025 10:03 PM
From: asaraca
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Here is the routing table on the VSX side
--------------------------------------------------------------------------------------------------------
0.0.0.0/0 10.0.0.1 vlan1 - S [1/0] 00h:05m:12s
10.0.0.0/24 - vlan1 - C [0/0] -
10.0.0.6/32 - vlan1 - L [0/0] -
10.0.200.0/24 - vlan200 - C [0/0] -
10.0.200.251/32 - vlan200 - L [0/0] -
and the system-mac
sw-ro-2c-c1# show vsx status
VSX Operational State
---------------------
ISL channel : In-Sync
ISL mgmt channel : operational
Config Sync Status : In-Sync
NAE : peer_reachable
HTTPS Server : peer_reachable
Attribute Local Peer
------------ -------- --------
ISL link lag256 lag256
ISL version 2 2
System MAC 02:01:00:00:01:00 02:01:00:00:01:00
Platform 8100 8100
Software Version LL.10.16.1006 LL.10.16.1006
Device Role primary secondary
Original Message:
Sent: Nov 11, 2025 07:03 PM
From: parnassus
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
What's about the routing on the VSX side (on the VSX Primary do: show ip route and show ip route vsx-peer)? what is the assigned value for the VSX System MAC (vsx system-mac)?
Edit: check this guide.
Original Message:
Sent: Nov 11, 2025 06:36 PM
From: asaraca
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
and no ip icmp redirect is applied on both members of the VSX ...
by the way this is a lab setup, so the 6200 is connected directly to the VSX stack in a isolated environment. The routing is simple static routing
0.0.0.0/0 10.0.200.1 vlan200 - S [1/0] 06h:39m:30s
10.0.200.0/24 - vlan200 - C [0/0] -
10.0.200.5/32 - vlan200 - L [0/0] -
Original Message:
Sent: Nov 11, 2025 06:34 PM
From: asaraca
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
The ping test I shared where from the 6200 side. If I ping the 6200 from the VSX I get the same result:
PING 10.0.200.5 (10.0.200.5) 100(128) bytes of data.
108 bytes from 10.0.200.5: icmp_seq=1 ttl=64 time=0.273 ms
108 bytes from 10.0.200.5: icmp_seq=1 ttl=64 time=0.276 ms (DUP!)
108 bytes from 10.0.200.5: icmp_seq=2 ttl=64 time=0.291 ms
108 bytes from 10.0.200.5: icmp_seq=2 ttl=64 time=0.294 ms (DUP!)
108 bytes from 10.0.200.5: icmp_seq=3 ttl=64 time=0.282 ms
108 bytes from 10.0.200.5: icmp_seq=3 ttl=64 time=0.285 ms (DUP!)
108 bytes from 10.0.200.5: icmp_seq=4 ttl=64 time=0.289 ms
108 bytes from 10.0.200.5: icmp_seq=4 ttl=64 time=0.293 ms (DUP!)
108 bytes from 10.0.200.5: icmp_seq=5 ttl=64 time=0.298 ms
The config of the VSX and 6200 is almost entirely based on the Validated solution guide (Campus Wired)
Original Message:
Sent: Nov 11, 2025 06:28 PM
From: parnassus
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Can you share more than the results of your Ping test? VSX side ans 6200 side? Have you followed the latest VSX Configuration Guide (presuming AOS-CX is already updated on both VSX and the 6200...say latest build of AOS-CX 10.13 or eventually latest build of AOS-CX 10.16)?
Did you apply the no ip icmp redirect on both the VSX members (globally)?
Original Message:
Sent: 11/11/2025 5:27:00 PM
From: asaraca
Subject: RE: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Problem still present :)
Rule-1: The allowed VLAN list for ISL port must match that in config for MCLAG in sw-ro-2c-c1 (Passed)
Rule-1: The allowed VLAN list for ISL port must match that in config for MCLAG in sw-ro-2c-c2 (Passed)
Rule-2: The native VLAN must also be part of allowed VLAN list for a MCLAG in sw-ro-2c-c1 (Passed)
Rule-2: The native VLAN must also be part of allowed VLAN list for a MCLAG in sw-ro-2c-c2 (Passed)
Rule-3: The inter-switch-link Timers should be consistent across VSX peers (Passed)
Rule-4: The Keep-Alive Timers should be consistent across VSX peers (Passed)
Rule-5: Active-Gateway configurations(IP, MAC and VRF) should be consistent across the VSX peers (Passed)
Rule-6: The Keep-Alive UDP port should be consistent across VSX peers (Passed)
Rule-7: The link-up-delay-timer should be consistent across VSX peers (Passed)
Rule-8: The VSX System-MAC should be consistent across VSX peers (Passed)
Rule-9: The VSX device roles should be consistent across VSX peers (Passed)
Rule-10: VSX active-forwarding configurations should be consistent across the VSX peers (Passed)
108 bytes from 10.0.200.1: icmp_seq=1 ttl=64 time=0.276 ms
108 bytes from 10.0.200.1: icmp_seq=1 ttl=64 time=0.279 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=2 ttl=64 time=0.284 ms
108 bytes from 10.0.200.1: icmp_seq=2 ttl=64 time=0.287 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=3 ttl=64 time=0.271 ms
108 bytes from 10.0.200.1: icmp_seq=3 ttl=64 time=0.275 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=4 ttl=64 time=0.263 ms
108 bytes from 10.0.200.1: icmp_seq=4 ttl=64 time=0.266 ms (DUP!)
108 bytes from 10.0.200.1: icmp_seq=5 ttl=64 time=0.283 ms
--- 10.0.200.1 ping statistics ---
5 packets transmitted, 5 received, +4 duplicates, 0% packet loss, time 4079ms
rtt min/avg/max/mdev = 0.263/0.276/0.287/0.007 ms
sw-ro-1c# ping 10.0.200.251
PING 10.0.200.251 (10.0.200.251) 100(128) bytes of data.
108 bytes from 10.0.200.251: icmp_seq=1 ttl=64 time=13.0 ms
108 bytes from 10.0.200.251: icmp_seq=1 ttl=64 time=13.0 ms (DUP!)
108 bytes from 10.0.200.251: icmp_seq=2 ttl=64 time=0.277 ms
108 bytes from 10.0.200.251: icmp_seq=2 ttl=64 time=0.281 ms (DUP!)
108 bytes from 10.0.200.251: icmp_seq=3 ttl=64 time=0.272 ms
108 bytes from 10.0.200.251: icmp_seq=3 ttl=64 time=0.275 ms (DUP!)
108 bytes from 10.0.200.251: icmp_seq=4 ttl=64 time=0.282 ms
108 bytes from 10.0.200.251: icmp_seq=4 ttl=64 time=0.285 ms (DUP!)
108 bytes from 10.0.200.251: icmp_seq=5 ttl=64 time=0.280 ms
--- 10.0.200.251 ping statistics ---
5 packets transmitted, 5 received, +4 duplicates, 0% packet loss, time 4075ms
rtt min/avg/max/mdev = 0.272/3.095/12.953/5.268 ms
sw-ro-1c# ping 10.0.200.252
PING 10.0.200.252 (10.0.200.252) 100(128) bytes of data.
108 bytes from 10.0.200.252: icmp_seq=1 ttl=64 time=0.279 ms
108 bytes from 10.0.200.252: icmp_seq=1 ttl=64 time=0.281 ms (DUP!)
108 bytes from 10.0.200.252: icmp_seq=2 ttl=64 time=0.263 ms
108 bytes from 10.0.200.252: icmp_seq=2 ttl=64 time=0.266 ms (DUP!)
108 bytes from 10.0.200.252: icmp_seq=3 ttl=64 time=0.278 ms
108 bytes from 10.0.200.252: icmp_seq=3 ttl=64 time=0.281 ms (DUP!)
108 bytes from 10.0.200.252: icmp_seq=4 ttl=64 time=0.283 ms
108 bytes from 10.0.200.252: icmp_seq=4 ttl=64 time=0.286 ms (DUP!)
108 bytes from 10.0.200.252: icmp_seq=5 ttl=64 time=0.286 ms
Original Message:
Sent: Nov 11, 2025 05:13 PM
From: parnassus
Subject: Duplicate ping response: 6200 MCLAG -> 8100 VSX
Hi, retry your test starting with (below .251 and .252 are example values, useful for mnemonic association with, respectively, Primary and Secondary):
VSX Primary:
interface vlan 200
ip address 10.0.200.251/24
active-gateway ip mac 02:01:00:00:00:01
active-gateway ip 10.0.200.1
VSX Secondary:
interface vlan 200
ip address 10.0.200.252/24
active-gateway ip mac 02:01:00:00:00:01
active-gateway ip 10.0.200.1
it should work flawlessly.
Before trying the above do perform a check with the vsx-configmate command. Repeat after trying the two above proposed IP addresses.