
HE.NET Tunnel Issues On Cisco 2851 (Protocol 41 NOT Blocked (Inbound at least))

Started by zodiack, December 11, 2011, 08:26:21 AM


zodiack


Hello and good day to all of you!

I'm at the end of my rope with this and I'm turning to you, the community collective for help!

The Problem:
-------------


The Tunnel0 interface comes up/up and I can see Protocol 41 traffic (via a logging access-list) hitting my router (from the Internet) but it looks like my return (outbound) traffic is failing because I can't successfully IPv6 ping myself from the outside world (with no filters/access-lists applied).

NOTE: All IPv4 connectivity is working 100% with no issues; I can ping the TB server and it/they can ping me.

The Topology:
--------------


Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)

LAN <----> Gi0/1 [CISCO 2851] Gi0/0 <-------> Motorola SB5100 Modem <-------------> Internet

The Cisco Configuration:
-----------------------


ipv6 unicast-routing
ipv6 cef
ipv6 route ::/0 Tunnel0


core-r1#sh ip int bri | inc Tunnel
Tunnel0                    unassigned      YES unset  up                    up

core-r1#

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address <tunnel-routed-64-block>::2/64
ipv6 enable
tunnel source <my.external.ipv4.address>
tunnel mode ipv6ip
tunnel destination 209.51.161.14
end

interface GigabitEthernet0/0
description WAN Gateway
ip address dhcp
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no cdp enable
end


core-r1#sh ip access 100
Extended IP access list 100
    10 permit 41 any any log
    20 permit ip any any

core-r1#

The Results:
------------


When I try to ping my <tunnel-routed-64-block>::2/64 from the HE.NET Looking Glass, I see five (5) "Timed Out" ping attempts on the web interface.

HOWEVER... if I do:

core-r1#sh ip access 100 | inc permit 41
     10 permit 41 any any log (5 matches)
core-r1#


I see the 5 ping probes from the HE.NET Looking Glass reach my router!

But when I do:

core-r1#ping <tunnel-routed-64-block>::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <tunnel-routed-64-block>::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

core-r1#

Here's the IPv6 Routing Table:

S   ::/0 [1/0]
     via Tunnel0, directly connected
C   <tunnel-routed-64-block>::/64 [0/0]
     via Tunnel0, directly connected
L   <tunnel-routed-64-block>::2/128 [0/0]
     via Tunnel0, receive


The Conclusion:
---------------


Am I crazy? 
Is Protocol 41 allowed INBOUND from my ISP (Rogers) but then blocked OUTBOUND?
Am I overlooking something in my configuration?

Many thanks would be showered upon the scholar who can figure this one out!

Thanks in advance,

  - zodi


SomeJoe7777

I have a virtually identical configuration on a Cisco 2811 and I'm not running into any issues.  However, I am running 15.0, not 15.1.

Instead of

tunnel source <external.IPv4.address>

try

tunnel source g0/0


zodiack

Hey SomeJoe7777,

Thanks for the reply!

I've tried to re-configure the tunnel using the interface as the tunnel source instead of the ip address but it exhibits the same behavior:

core-r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
core-r1(config)#int tun0
core-r1(config-if)#shut
core-r1(config-if)#no tunnel source
core-r1(config-if)#tunnel source gi0/0
core-r1(config-if)#no shut
core-r1(config-if)#
^Z
core-r1#

core-r1#clear ip access-l counters

<ping tun0 IPv6 address from lg.he.net>

core-r1#sh ip access 100 | inc permit 41
   280 permit 41 any any log (5 matches)

core-r1#

If I turn on "debug ipv6 icmp" and take a look at my logs, I have 5 entries identical to this:

Dec 17 20:36:15.539 EST: ICMPv6: Received echo request, Src=2001:470:0:1EF::2, Dst=2001:470:X:X::2
Dec 17 20:36:15.539 EST: ICMPv6: Sent echo reply, Src=2001:470:X:X::2, Dst=2001:470:0:1EF::2


I've tried it wide open with no access-list and still no luck.  It's almost like an asynchronous routing issue: traffic from outside/HE.NET gets to me, but traffic from me never gets to the outside/HE.NET.  The default IPv6 route is there, and my router knows to send it out (in IPv4) via the tunnel destination.

I've talked to my ISP and they swear up and down that they don't filter anything (like protocol 41) anywhere in their network.

I'm not sure what else to do at this point, perhaps a new ISP for a month for "testing purposes" ;)

Thanks again,

Cheers,

 - zodi


rwg

Quote from: zodiack on December 11, 2011, 08:26:21 AM
core-r1#ping <tunnel-routed-64-block>::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <tunnel-routed-64-block>::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Are you sure that you're using the correct address on the Tunnel0 interface?  Put another way, if you do a reverse lookup on the IPv6 address you're assigning to the Tunnel0 interface, do you get a hostname back that looks like "username-N-pt.tunnel.tservN.cityN.ipv6.he.net"?

If you're using the "routed /64" that appears on your tunnel details page, that's not gonna fly.  Use the "client IPv6 address" instead.

SomeJoe7777

Indeed, rwg is correct.  HE.Net gives you 2 /64 blocks: one is used as the point-to-point address for the tunnel itself (referred to on the tunnel details page as the "Server IPv6 Address" and the "Client IPv6 Address").  The other is your block to be used on your LAN (referred to on the tunnel details page as the "Routed /64").

The correct configuration is:


interface Tunnel1001
description My Tunnel (Hurricane Electric)
no ip address
ip virtual-reassembly max-reassemblies 64
ipv6 address 2001:470:xxxx:xxxx::2/64              (This is the "Client IPv6 Address")
ipv6 enable
ipv6 virtual-reassembly
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination xxx.xxx.xxx.xxx                 (This is the "Server IPv4 Address")

interface GigabitEthernet0/0
description My WAN
ip address xxx.xxx.xxx.xxx                         (This is the "Client IPv4 Address")

interface GigabitEthernet0/1
description My LAN
ip address xxx.xxx.xxx.xxx                         (This is your internal IPv4 address for your LAN)
ipv6 address 2001:470:xxxx:xxxx::1/64              (This is the "Routed /64 Address", host :1)

ipv6 route ::/0 Tunnel1001                          (Send all IPv6 traffic through the tunnel)


Note that I've left out some configuration items, like NAT for IPv4, access lists, CBAC/Firewall, and IPS.

zodiack


Hey guys, thanks for the replies and Happy New Year!

I've confirmed that the "Client IPv6 Address" is what I'm using on my Tunnel0 interface and I'm pinging the "Server IPv6 Address". 

I didn't bother setting up the Routed /64 on my LAN until I could get the tunnel point-to-point up! :)

core-r1#clear logging
Clear logging buffer [confirm]y


core-r1#debug ipv6 icmp
  ICMP Packet debugging is on


core-r1#ping ipv6 2001:470:X:X::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:X:X::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

core-r1#

Jan  1 14:19:16.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:18.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:20.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:22.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1
Jan  1 14:19:24.466 EST: ICMPv6: Sent echo request, Src=2001:470:X:X::2, Dst=2001:470:X:X::1


core-r1#sh run int tun0
Building configuration...

Current configuration : 231 bytes
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:X:X::2/64                                (Client IPv6 Address)
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination 209.51.161.14                                (Server IPv4 Address)
end


core-r1#

<relevant config>

ipv6 unicast-routing
ipv6 cef

interface GigabitEthernet0/0
description WAN Gateway
ip address dhcp                                                       (Client IPv4 Address)
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no cdp enable

ipv6 route ::/0 Tunnel0



Thanks guys!

Cheers,

  - zodi
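As an added example (not code from the thread), here is a small Python triage that parses `debug ipv6 icmp` lines in the format zodiack posted and classifies the tunnel from that evidence alone: echo requests arriving from HE and replies being sent while the router's own echoes go unanswered points at the outbound 6in4 leg, and an echo request sent to an address outside the tunnel's point-to-point /64 points at the Routed /64 mix-up rwg described. The 2001:db8:: addresses are constructed; the looking-glass source 2001:470:0:1EF::2 is the one in the log above.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the format "debug ipv6 icmp" produces in the thread.
# 2001:db8:1111:2222::/64 stands in for the tunnel's point-to-point /64 (Client ::2, Server ::1).
SAMPLE_LOG = """\
Dec 17 20:36:15.539 EST: ICMPv6: Received echo request, Src=2001:470:0:1EF::2, Dst=2001:db8:1111:2222::2
Dec 17 20:36:15.539 EST: ICMPv6: Sent echo reply, Src=2001:db8:1111:2222::2, Dst=2001:470:0:1EF::2
Jan  1 14:19:16.466 EST: ICMPv6: Sent echo request, Src=2001:db8:1111:2222::2, Dst=2001:db8:1111:2222::1
Jan  1 14:19:18.466 EST: ICMPv6: Sent echo request, Src=2001:db8:1111:2222::2, Dst=2001:db8:1111:2222::1
"""

LINE_RE = re.compile(r"ICMPv6: (Received|Sent) echo (request|reply), Src=(\S+), Dst=(\S+)")


def parse_icmpv6_debug(text):
    """Return (direction, kind, src, dst) for every ICMPv6 echo line in the debug output."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            direction, kind, src, dst = m.groups()
            events.append((direction, kind, ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)))
    return events


def triage(events, tunnel_addr):
    """Classify tunnel health; tunnel_addr is the router's own Client IPv6 Address."""
    me = ipaddress.IPv6Address(tunnel_addr)
    p2p = ipaddress.IPv6Network((me, 64), strict=False)
    counts = Counter((d, k) for d, k, _, _ in events)
    # Our own echo requests aimed outside the point-to-point /64 mean we are pinging
    # the wrong peer (typically a Routed /64 address), which can never answer on the tunnel.
    stray = [dst for d, k, _, dst in events if (d, k) == ("Sent", "request") and dst not in p2p]
    if stray:
        return "wrong-peer-address"
    inbound_ok = counts[("Received", "request")] > 0 and counts[("Sent", "reply")] > 0
    outbound_ok = counts[("Received", "reply")] > 0
    # Requests reach us and replies leave the router, yet nothing we send is ever answered:
    # the IPv4 path carrying protocol 41 away from us is the suspect, not the IPv6 config.
    if inbound_ok and counts[("Sent", "request")] > 0 and not outbound_ok:
        return "asymmetric-outbound-failing"
    if inbound_ok and outbound_ok:
        return "healthy"
    return "insufficient-evidence"


if __name__ == "__main__":
    print(triage(parse_icmpv6_debug(SAMPLE_LOG), "2001:db8:1111:2222::2"))
```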


nickbeee


My working config uses the IPv4 address of the interface rather than the interface name (shouldn't make any difference). I'm using an RFC1918 address as it's behind a NAT (which passes protocol 41).

This is on a 1711 router with 12.4 advipservices IOS.


!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:DB8:1F00:2F00::2/64
ipv6 enable
ipv6 traffic-filter IPV6_OUTSIDE_F0 in
ipv6 inspect V6-INSPECT out
tunnel source 192.0.2.1
tunnel destination 216.66.80.26
tunnel mode ipv6ip
end

It looks like a protocol 41 issue.
Quote
I've talked to my ISP and they swear up and down that they don't filter anything (like protocol 41) anywhere in their network.
No, ISPs never filter or traffic shape - unless you can prove otherwise  :-\
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of HE and Sixxs.

antillie

The working config on my 3745 running 12.4(25d) Adv. Enterprise is pretty much the same as yours:


ipv6 unicast-routing
no ipv6 source-route
ipv6 cef

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F0E:6CA::2/64
ipv6 enable
ipv6 traffic-filter Block-IPv6-SSH in
no ipv6 redirects
ipv6 verify unicast reverse-path
tunnel source 70.114.48.211
tunnel destination 216.218.224.42
tunnel mode ipv6ip
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2001:470:B98A:1::/64 eui-64
ipv6 mtu 1480
ipv6 nd prefix 2001:470:B98A:1::/64
!
interface FastEthernet0/1
ip address dhcp
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn_alpha

ip nat inside source list 2000 interface FastEthernet0/1 overload

access-list 2000 deny ip 192.168.100.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 2000 deny ip 192.168.200.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 2000 deny ip 10.1.1.0 0.0.0.3 192.168.250.0 0.0.0.255
access-list 2000 deny ip 172.30.1.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 2000 permit ip any any

ipv6 route ::/0 2001:470:1F0E:6CA::1
ipv6 route 2001:470:B98A::/48 FastEthernet0/0 FE80::21F:9EFF:FE45:2422
ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0

ipv6 access-list Block-IPv6-SSH
deny tcp any any eq 22
permit ipv6 any any


I did notice that I am using the actual IPv6 address of HE's side of the tunnel as my next hop in my default route, which shouldn't really matter, but who knows.