Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: Cannot ping ipv6 tunnel endpoint on Cisco 3845  (Read 2015 times)

CoherentLogic

  • Newbie
  • *
  • Posts: 2
    • View Profile
Cannot ping ipv6 tunnel endpoint on Cisco 3845
« on: August 05, 2015, 08:02:41 PM »

I cannot ping the ipv6 tunnel endpoint from my Cisco 3845 router, however, I can ping the IPv4 tunnel endpoint.

 Here is the tunnel status:


rt-core-01#sh int tun0

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: Hurricane Electric IPv6 Tunnel Broker
  MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 216.223.234.228 (Dialer0), destination 66.220.18.42
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with Dialer0
          Set of tunnels with source Dialer0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPv6/IP
  Tunnel TTL 255
  Tunnel transport MTU 1480 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output 00:11:33, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     36 packets output, 3600 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out


Here is the interface configuration:


interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:C:793::2/64
 ipv6 enable
 tunnel source Dialer0
 tunnel mode ipv6ip
 tunnel destination 66.220.18.42
!


I have also tried setting the tunnel source to the IP address of Dialer0 (which is on an HWIC-1ADSL).
I have ipv6 unicast-routing enabled, and the following route:


ipv6 route ::/0 Tunnel0


The owner and network engineer of the ISP providing the Dialer0 service have assured me repeatedly
that protocol 41 is not being blocked at all.

I noticed that packets are being output but not input on Tunnel0

IOS version is:

Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(4)M7, RELEASE SOFTWARE (fc2)

Any ideas?

Thanks in advance!
Logged

CoherentLogic

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: Cannot ping ipv6 tunnel endpoint on Cisco 3845
« Reply #1 on: August 18, 2015, 12:57:22 PM »

Is there anything I can post from my config that would help? Any ideas?

Thanks much,
Logged

jerryk

  • Newbie
  • *
  • Posts: 1
    • View Profile
Re: Cannot ping ipv6 tunnel endpoint on Cisco 3845
« Reply #2 on: June 16, 2016, 12:18:09 PM »

Wondering if you ever resolved your issue here.

I have an identical issue, except on 2621xm hardware.

Symptoms are also almost identical.
Logged

Elkosupertech

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: Cannot ping ipv6 tunnel endpoint on Cisco 3845
« Reply #3 on: August 12, 2016, 08:10:43 PM »

I am also have this issue with a Cisco 3825 using this IOS:
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)

My config is as follows:
Code: [Select]
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW-Elkosupertech
!
boot-start-marker
boot system flash:/c3825-advipservicesk9-mz.150-1.M8.bin
boot-end-marker
!
logging buffered 4096
no logging console
enable secret 5 ...
enable password ...
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
!
voice-card 0
!
voice-card 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name cityofelko.local
ip name-server 10.1.0.10
ip name-server 10.1.0.12
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW l2tp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name ipv6-1 icmp
ipv6 inspect name ipv6-1 udp
ipv6 inspect name ipv6-1 ftp
ipv6 dhcp pool DHCPV6
 dns-server 2001:470:4A73:1::10
 domain-name elkosupertech.local
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
no ip ftp passive
!
class-map match-any CCP-Transactional-1
 match  dscp af21
 match  dscp af22
 match  dscp af23
class-map match-any CCP-Voice-1
 match  dscp ef
class-map match-any CCP-Routing-1
 match  dscp cs6
class-map match-any CCP-Signaling-1
 match  dscp cs3
 match  dscp af31
class-map match-any CCP-Management-1
 match  dscp cs2
class-map match-all inspect
 description Protocol41-cmap
 match protocol ipv6
!
!
policy-map CCP-QoS-Policy-1
 class CCP-Voice-1
    priority percent 33
 class CCP-Signaling-1
    bandwidth percent 5
 class CCP-Routing-1
    bandwidth percent 5
 class CCP-Management-1
    bandwidth percent 5
 class CCP-Transactional-1
    bandwidth percent 5
 class class-default
    fair-queue
     random-detect
policy-map sdm-qos-test-123
 class class-default
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:39:48F::2/64
 ipv6 enable
 ipv6 mtu 1472
 ipv6 eigrp 1
 ipv6 inspect ipv6-1 out
 ipv6 traffic-filter outside-in6 in
 tunnel source 204.28.244.52
 tunnel mode ipv6ip
 tunnel destination 184.105.250.46
 !
!
interface Tunnel1
 no ip address
 !
!
interface GigabitEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip dhcp client update dns
 ip address dhcp client-id GigabitEthernet0/0 hostname GW-Elkosupertech
 ip access-group 117 in
 ip nat outside
 ip inspect CCP_LOW in
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 ipv6 traffic-filter ipv6-1 in
 no mop enabled
 !
 service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 !
!
interface GigabitEthernet0/1.1
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 10.1.0.252 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
!
interface GigabitEthernet0/1.2
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 50
 ip address 10.2.0.252 255.255.255.0
 ip access-group 109 in
 ip helper-address 10.1.0.10
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
!
interface GigabitEthernet0/1.3
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 100
 ip address 10.0.0.252 255.255.255.0
 ip access-group 110 in
 ip helper-address 10.1.0.10
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
 ipv6 address 2001:470:4172:1::1/64
 ipv6 enable
 ipv6 mtu 1472
!
interface GigabitEthernet0/1.4
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 101
 ip address 10.8.0.252 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
!
interface GigabitEthernet0/1.5
 description $ETH-LAN$$FW_DMZ$
 encapsulation dot1Q 200
 ip address 10.200.0.252 255.255.255.0
 ip access-group 114 in
 ip nat inside
 ip inspect dmzinspect out
 ip virtual-reassembly
!
interface GigabitEthernet0/1.6
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 80
 ip address 10.5.0.1 255.255.255.128
 ip access-group 112 in
 ip helper-address 10.1.0.10
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
!
interface GigabitEthernet0/1.7
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 81
 ip address 10.5.0.129 255.255.255.128
 ip access-group 113 in
 ip helper-address 10.1.0.10
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 !
ip forward-protocol nd
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 1000
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool rise-broadband 204.28.244.1 204.28.244.254 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.200.0.12 8008 interface GigabitEthernet0/0 8008
ip nat inside source static udp 10.200.0.12 8888 interface GigabitEthernet0/0 8888
ip nat inside source static tcp 10.200.0.10 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 10.200.0.20 25565 interface GigabitEthernet0/0 25565
ip nat inside source static tcp 10.200.0.12 8888 interface GigabitEthernet0/0 8888
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ipv6 access-list outside-in6
 permit tcp any any established
 permit tcp any host 2001:470:66:758::2 eq 22
 permit icmp any 2001:470:4A73::/48
!
ipv6 access-list ipv6-1
 permit ipv6 any any
!
control-plane
 !
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/0/2
!
voice-port 1/0/3
!
voice-port 1/0/4
!
voice-port 1/0/5
!
voice-port 1/0/6
!
voice-port 1/0/7
!
voice-port 1/0/14
!
voice-port 1/0/15
!
voice-port 1/0/16
!
voice-port 1/0/17
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password ...
 transport input telnet
!
scheduler allocate 20000 1000
end

Any assistance would be appreciated or maybe comparing notes with a config that works.  Thanks.
« Last Edit: August 12, 2016, 08:35:48 PM by kcochran »
Logged

Elkosupertech

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: Cannot ping ipv6 tunnel endpoint on Cisco 3845
« Reply #4 on: September 05, 2016, 09:15:09 PM »

 ;D I GOT IT!  I ended up asking HE for help and fought this thing but I finally can report that my IPv6 tunnel is now operational. 

It seems that I had to allow protocol 41 on the outside interface.  If you look at my configuration above you will see that GigabitEthernet0/0 (being my outside) is attached to an access-list of 117.

I had to add protocol 41 to that access list and lo and behold it started working:
access-list 117 permit 41 any any

Good luck!
Logged