Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: jammin on January 06, 2015, 07:14:22 PM

Title: Router source ipv6 ping to tunnel peer address fails - 2811/IOS 15.11(4)
Post by: jammin on January 06, 2015, 07:14:22 PM
The tunnel is up but I can not ping the remote ipv6 tunnel endpoint. I see no input packets across the tunnel.  Trying to ping or access any IPV6 across the tunnel also fails.

Specifics for tunnel as supplied:

IPv6 Tunnel Endpoints
Server IPv4 Address:184.105.253.14
Server IPv6 Address:2001:470:1f10:d93::1/64
Client IPv4 Address:162.230.214.65
Client IPv6 Address:2001:470:1f10:d93::2/64

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F10:D93::2/64
ipv6 enable
ipv6 virtual-reassembly in
tunnel source 162.230.214.65
tunnel mode ipv6ip
tunnel destination 184.105.253.14
end

c2800-1#show int tun 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: Hurricane Electric IPv6 Tunnel Broker
  MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 162.230.214.65, destination 184.105.253.14
  Tunnel protocol/transport IPv6/IP
  Tunnel TTL 255
  Tunnel transport MTU 1480 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output 00:01:20, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 21
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     254 packets output, 23856 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
c2800-1#

System image file is "flash:c2800nm-advipservicesk9-mz.151-4.M8.bin"


c2800-1#ping 184.105.253.14    <---- HE IPV4 Tunnel endpoint
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 184.105.253.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/51/52 ms
c2800-1#

c2800-1#ping ipv6 2001:470:1f10:d93::2  <--- MY IPV6 END OF THE TUNNEL
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:1F10:D93::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
c2800-1#

c2800-1#ping ipv6 2001:470:1f10:d93::1  <--- HE IPV6 END OF THE TUNNEL
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:1F10:D93::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
c2800-1#

IPV6 ICMP DEBUG - No return traffic :-(

12124475: Jan  6 22:11:13.374 est: ICMPv6: Sent echo request, Src=2001:470:1F10:D93::2, Dst=2001:470:1F10:D93::1
12124476: Jan  6 22:11:13.374 est: IPV6: source 2001:470:1F10:D93::2 (local)
12124477: Jan  6 22:11:13.374 est:       dest 2001:470:1F10:D93::1 (Tunnel0)
12124478: Jan  6 22:11:13.374 est:       traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
12124479: Jan  6 22:11:13.374 est: IPv6-Fwd: Created tmp mtu cache entry for 2001:470:1F10:D93::2 2001:470:1F10:D93::1 00000000
12124480: Jan  6 22:11:13.374 est: IPv6-Fwd: Sending on Tunnel0
12124481: Jan  6 22:11:15.374 est: IPv6-Fwd: Destination lookup for 2001:470:1F10:D93::1 : i/f=Tunnel0, nexthop=2001:470:1F10:D93::1
12124482: Jan  6 22:11:15.374 est: IPv6-Sas: SAS picked source 2001:470:1F10:D93::2 for 2001:470:1F10:D93::1 (Tunnel0)
12124483: Jan  6 22:11:15.374 est: ICMPv6: Sent echo request, Src=2001:470:1F10:D93::2, Dst=2001:470:1F10:D93::1
12124484: Jan  6 22:11:15.374 est: IPV6: source 2001:470:1F10:D93::2 (local)
12124485: Jan  6 22:11:15.374 est:       dest 2001:470:1F10:D93::1 (Tunnel0)
12124486: Jan  6 22:11:15.374 est:       traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
12124487: Jan  6 22:11:15.374 est: IPv6-Fwd: Sending on Tunnel0
12124488: Jan  6 22:11:17.374 est: IPv6-Fwd: Destination lookup for 2001:470:1F10:D93::1 : i/f=Tunnel0, nexthop=2001:470:1F10:D93::1
12124489: Jan  6 22:11:17.374 est: IPv6-Sas: SAS picked source 2001:470:1F10:D93::2 for 2001:470:1F10:D93::1 (Tunnel0)
12124490: Jan  6 22:11:17.374 est: ICMPv6: Sent echo request, Src=2001:470:1F10:D93::2, Dst=2001:470:1F10:D93::1
12124491: Jan  6 22:11:17.374 est: IPV6: source 2001:470:1F10:D93::2 (local)
12124492: Jan  6 22:11:17.374 est:       dest 2001:470:1F10:D93::1 (Tunnel0)
12124493: Jan  6 22:11:17.374 est:       traffic class 0, flow 0x0, len 100+0, prot 58, hops 64, originating
12124494: Jan  6 22:11:17.374 est: IPv6-Fwd: Sending on Tunnel0

What am I missing?

Thanks!



Title: Re: Router source ipv6 ping to tunnel peer address fails - 2811/IOS 15.11(4)
Post by: cholzhauer on January 07, 2015, 05:02:39 AM

ipv6 unicast routing
Title: Re: Router source ipv6 ping to tunnel peer address fails - 2811/IOS 15.11(4)
Post by: jammin on January 07, 2015, 08:14:09 PM
I wish "ipv6 unicast-routing" was missing but it not.

I can see the tunnels subnet 2001:470:1F10:D93::/64 and the default route ::/0 are directly correctly connected to the tunnel and I have connectivity from hosts on my LAN interface to 2001:470:1f10:d93::2/64 (my side of the tunnel) - The router just will not output any packets across the tunnel :-(

I can't find any problems documenting issues with the 15.x train on CCO but if there are no other ideas I will try downgrading to 124-24.T7 on post back later this week.

Thanks for you reply!

c2800-1#show ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery, l - LISP
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via Tunnel0, directly connected
C   2001:470:1F10:D93::/64 [0/0]
     via Tunnel0, directly connected
L   2001:470:1F10:D93::2/128 [0/0]
     via Tunnel0, receive
C   2001:470:C4B8::/48 [0/0]
     via GigabitEthernet0/1, directly connected
L   2001:470:C4B8::1/128 [0/0]
     via GigabitEthernet0/1, receive
L   FF00::/8 [0/0]
     via Null0, receive
c2800-1#

Title: Re: Router source ipv6 ping to tunnel peer address fails - 2811/IOS 15.11(4)
Post by: broquea on January 07, 2015, 09:05:20 PM
what is "ipv6 virtual-reassembly in". I've never put that on a cisco tunnel interface.
Title: Re: Router source ipv6 ping to tunnel peer address fails - 2811/IOS 15.11(4)
Post by: jammin on January 08, 2015, 08:40:10 PM
I removed "ipv6 virtual-reassembly in" for the tunnel interface.

I did have a NAT configured when I first tried to bring the tunnel up and removed that when I ran into any issue.  I obviously stared right at it and didn't notice it.  Good catch.

ip virtual-reassembly gets added automatically when you configure NAT on an interface.  This appears to be introduced in 12.3(8)

http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_virt_frag_reassm.pdf

"Virtual fragmentation reassembly (VFR) enables the Cisco IOS Firewall to create the appropriate
dynamic ACLs, thereby, protecting the network from various fragmentation attacks. "

"VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall
and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an
interface, VFR is automatically enabled on that interface."

Current Tunnel0 config:

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F10:D93::2/64
ipv6 enable
tunnel source 162.230.214.65
tunnel mode ipv6ip
tunnel destination 184.105.253.14
end

Removing it from the interface did NOT fix my issue.  I can still not pass any traffic across the tunnel.

It looks like downgrading may be my next best option to test.  I have never had an issue like this bringing up a tunnel to HE from a Cisco device.

Thank you for your reply.