
Cisco tunnel up - ping is not working

Started by Kronos, October 03, 2010, 09:30:49 AM


Kronos

For the last three days I have been trying to set up an IPv6 tunnel link to HE using a Cisco 1812 router. I have set up the tunnel and other configuration options according to HE's recommendation for Cisco IOS. The problem is that I cannot ping any "outside" IPv6 address, or ping my internal addresses from the IPv6 internet. The router is configured with an IPv4 ZBF firewall allowing ICMP and protocol 41.



I can ping HE ipv4 end-point.

My config:

ipv6 unicast-routing
ipv6 cef 
!         

!         
class-map type inspect match-any Protocol41-cmap
match access-group name protocol41

class-map type inspect match-all ICMP-cmap
match access-group name ICMP



class-map type inspect match-all SSHaccess-cmap
match access-group name SSHaccess
class-map type inspect match-all IPSEC-cmap
match access-group name ISAKMP_IPSEC
!
!

policy-map type inspect Outside2Router-pmap
class type inspect SSHaccess-cmap
  inspect
class type inspect ICMP-cmap
  inspect
class type inspect IPSEC-cmap
  pass
class type inspect Protocol41-cmap
  pass log
class class-default
  drop


!
zone security WAN
description WAN FE0

zone-pair security Outside2Router source WAN destination self
service-policy type inspect Outside2Router-pmap
zone-pair security Self2outside source self destination WAN
service-policy type inspect Outside2Router-pmap


!
interface Loopback11
no ip address
ipv6 address 2001:470:26xx:15B::10/64
!

!
interface Tunnel1
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip mtu 1400
ipv6 address 2001:470:2xx5:15B::2/64
ipv6 enable
ipv6 mtu 1300
tunnel source xxx.xx.xxx.184
tunnel mode ipv6ip
tunnel destination xxx.66.80.98

!
interface FastEthernet0
description WAN interface
ip address xxx.xx.xxx.184 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security WAN
duplex auto
speed auto
!


ip route 216.66.80.98 255.255.255.255 xxx.xx.0.1
ipv6 route ::/0 tunnel1


ip access-list extended protocol41
permit 41 any any



#sh ipv6 interface tunnel 1
Tunnel1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::59D4:FCB8
  No Virtual link-local address(es):
  Description: Hurricane Electric IPv6 Tunnel Broker
  Global unicast address(es):
    2001:470:2xx5:15B::2, subnet is 2001:470:2xx5:15B::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FFD4:FCB8
  MTU is 1300 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Output features: CCE Classification Zone based Firewall
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  Hosts use stateless autoconfig for addresses



When I try to ping an IPv6 address, the following message is displayed:
%FW-6-PASS_PKT: (target:class)-(Self2outside:Protocol41-cmap) Passing Unknown-l4 pkt xxx.xx.xxx.184:0 => 216.66.80.98:0 with ip ident 0  .....


What would be the best way to troubleshoot why the router cannot connect to the HE endpoint?

cholzhauer

Which version of IOS are you running?

I can't follow your IP scheme because you've X'd out things I need to see. If you don't want to post anything, send it to me in a message, but honestly, X'ing out your IPs doesn't help "protect" you much.

Kronos

#2
IOS is Adv. IP Services v. 15.1.2T1.

Here is the config with all correct IPs.

ipv6 unicast-routing
ipv6 cef  
!        

!        
class-map type inspect match-any Protocol41-cmap
match access-group name protocol41

class-map type inspect match-all ICMP-cmap
match access-group name ICMP



class-map type inspect match-all SSHaccess-cmap
match access-group name SSHaccess
class-map type inspect match-all IPSEC-cmap
match access-group name ISAKMP_IPSEC
!
!

policy-map type inspect Outside2Router-pmap
class type inspect SSHaccess-cmap
 inspect
class type inspect ICMP-cmap
 inspect
class type inspect IPSEC-cmap
 pass
class type inspect Protocol41-cmap
 pass log
class class-default
 drop


!
zone security WAN
description WAN FE0

zone-pair security Outside2Router source WAN destination self
service-policy type inspect Outside2Router-pmap
zone-pair security Self2outside source self destination WAN
service-policy type inspect Outside2Router-pmap


!
interface Loopback11
no ip address
ipv6 address 2001:470:26:15b::10/64
!

!
interface Tunnel1
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:25:15b::2/64
ipv6 enable
ipv6 mtu 1300
tunnel source FastEthernet0
tunnel mode ipv6ip
tunnel destination 216.66.80.98

!
interface FastEthernet0
description WAN interface
ip address 89.212.252.184 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security WAN
duplex auto
speed auto
!


ip route 216.66.80.98 255.255.255.255 xxx.xx.0.1
ipv6 route ::/0 tunnel1


ip access-list extended protocol41
permit 41 any any


Debug tunnel and icmp messages (From HE to router):

%FW-6-PASS_PKT: (target:class)-(Outside2Router:Protocol41-cmap) Passing Unknown-l4 pkt 216.66.80.98:0 => 89.212.252.184:0 with ip ident 0 

Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=100 ttl=245 tos=0x0) ok, oce_rc=0x0
Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=100 ttl=245 tos=0x0) ok, oce_rc=0x0

Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=100 ttl=245 tos=0x0) ok, oce_rc=0x0
Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=100 ttl=245 tos=0x0) ok, oce_rc=0x0


Debug tunnel (from router to HE):

Tunnel1: IPv6/IP encapsulated 89.212.252.184->216.66.80.98 (linktype=79, len=120)
Tunnel1 count tx, adding 20 encap bytes
ICMPv6: Sent echo request, Src=2001:470:25:15B::2, Dst=2001:470:25:15B::1
Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=120 ttl=245 tos=0x0) ok, oce_rc=0x0.
Tunnel1: IPv6/IP encapsulated 89.212.252.184->216.66.80.98 (linktype=79, len=120)
Tunnel1 count tx, adding 20 encap bytes
ICMPv6: Sent echo request, Src=2001:470:25:15B::2, Dst=2001:470:25:15B::1
Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=120 ttl=245 tos=0x0) ok, oce_rc=0x0.
Tunnel1: IPv6/IP encapsulated 89.212.252.184->216.66.80.98 (linktype=79, len=120)
Tunnel1 count tx, adding 20 encap bytes
ICMPv6: Sent echo request, Src=2001:470:25:15B::2, Dst=2001:470:25:15B::1
Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=120 ttl=245 tos=0x0) ok,



Thank you in advance :)
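An added example, not part of the original posts: a small Python tally of the debug lines in the post above, counting what the router logged in each direction. The function names are hypothetical, and the `Received echo reply` line format is an assumption that mirrors the `Sent echo request` line shown in the thread.

```python
import re
from collections import Counter

# Excerpt of the debug lines posted above (two of the repeated ping cycles).
SAMPLE = """\
%FW-6-PASS_PKT: (target:class)-(Outside2Router:Protocol41-cmap) Passing Unknown-l4 pkt 216.66.80.98:0 => 89.212.252.184:0 with ip ident 0
Tunnel1: IPv6/IP encapsulated 89.212.252.184->216.66.80.98 (linktype=79, len=120)
Tunnel1 count tx, adding 20 encap bytes
ICMPv6: Sent echo request, Src=2001:470:25:15B::2, Dst=2001:470:25:15B::1
Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=120 ttl=245 tos=0x0) ok, oce_rc=0x0.
Tunnel1: IPv6/IP encapsulated 89.212.252.184->216.66.80.98 (linktype=79, len=120)
Tunnel1 count tx, adding 20 encap bytes
ICMPv6: Sent echo request, Src=2001:470:25:15B::2, Dst=2001:470:25:15B::1
Tunnel1: IPv6/IP to classify 216.66.80.98->89.212.252.184 (tbl=0,"default" len=120 ttl=245 tos=0x0) ok, oce_rc=0x0.
"""

ZBF = re.compile(r"%FW-6-PASS_PKT: \(target:class\)-\((?P<pair>[^:]+):(?P<cls>[^)]+)\)")
ENCAP = re.compile(r"IPv6/IP encapsulated (?P<src>[\d.]+)->(?P<dst>[\d.]+)")
CLASSIFY = re.compile(r"IPv6/IP to classify (?P<src>[\d.]+)->(?P<dst>[\d.]+)")
# "Received ... reply" is assumed to follow the same layout as the "Sent" line.
ICMP6 = re.compile(r"ICMPv6: (?P<verb>Sent|Received) echo (?P<kind>request|reply)")

def tally(debug_text, local_v4, remote_v4):
    """Count firewall passes, protocol 41 packets per direction, and ICMPv6 echoes."""
    c = Counter()
    for line in debug_text.splitlines():
        if m := ZBF.search(line):
            c["zbf_pass:" + m["pair"]] += 1          # keyed by zone-pair name
        elif m := ENCAP.search(line):
            if (m["src"], m["dst"]) == (local_v4, remote_v4):
                c["proto41_tx"] += 1                 # router -> tunnel server
        elif m := CLASSIFY.search(line):
            if (m["src"], m["dst"]) == (remote_v4, local_v4):
                c["proto41_rx"] += 1                 # tunnel server -> router
        elif m := ICMP6.search(line):
            c[f"echo_{m['kind']}_{m['verb'].lower()}"] += 1
    return c

def unanswered(c):
    """Echo requests sent into the tunnel for which no reply was logged."""
    return c["echo_request_sent"] - c["echo_reply_received"]

if __name__ == "__main__":
    counts = tally(SAMPLE, "89.212.252.184", "216.66.80.98")
    print(dict(counts), "unanswered:", unanswered(counts))
```

On the posted excerpt, protocol 41 is counted in both directions while no echo reply is logged for any request.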

broquea

#3
I can ping both your side of the tunnel, and your loopback interface address:

~$ ping6 2001:470:25:15b::2
PING 2001:470:25:15b::2(2001:470:25:15b::2) 56 data bytes
64 bytes from 2001:470:25:15b::2: icmp_seq=1 ttl=53 time=189 ms
64 bytes from 2001:470:25:15b::2: icmp_seq=2 ttl=53 time=189 ms
64 bytes from 2001:470:25:15b::2: icmp_seq=3 ttl=53 time=189 ms
^C
--- 2001:470:25:15b::2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 189.636/189.692/189.791/0.507 ms


~$ ping6 2001:470:26:15b::10
PING 2001:470:26:15b::10(2001:470:26:15b::10) 56 data bytes
64 bytes from 2001:470:26:15b::10: icmp_seq=1 ttl=53 time=189 ms
64 bytes from 2001:470:26:15b::10: icmp_seq=2 ttl=53 time=189 ms
64 bytes from 2001:470:26:15b::10: icmp_seq=3 ttl=53 time=189 ms
^C
--- 2001:470:26:15b::10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 189.579/189.656/189.723/0.360 ms


I forgot, is Cisco case-sens. when specifying routes to interfaces? I ask since it is set to "tunnel1" and the interface is Tunnel1 (I know that Cisco stores IPv6 addresses with UPPERCASE in the config, and using lowercase with incl on sh run won't give you a result you'd expect).

smcarter

I am having similar problems with a similar setup on similar code: 15.1(1)XB2. Were you able to figure out the problem?

Thanks,

Steven.