
Cannot ping ipv6 tunnel endpoint on Cisco 3845

Started by CoherentLogic, August 05, 2015, 08:02:41 PM


CoherentLogic

I cannot ping the IPv6 tunnel endpoint from my Cisco 3845 router; however, I can ping the IPv4 tunnel endpoint.

Here is the tunnel status:


rt-core-01#sh int tun0

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: Hurricane Electric IPv6 Tunnel Broker
  MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 216.223.234.228 (Dialer0), destination 66.220.18.42
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with Dialer0
          Set of tunnels with source Dialer0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPv6/IP
  Tunnel TTL 255
  Tunnel transport MTU 1480 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output 00:11:33, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     36 packets output, 3600 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out


Here is the interface configuration:


interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:C:793::2/64
ipv6 enable
tunnel source Dialer0
tunnel mode ipv6ip
tunnel destination 66.220.18.42
!


I have also tried setting the tunnel source to the IP address of Dialer0 (which is on an HWIC-1ADSL).
I have ipv6 unicast-routing enabled, and the following route:


ipv6 route ::/0 Tunnel0


The owner and network engineer of the ISP providing the Dialer0 service have assured me repeatedly
that protocol 41 is not being blocked at all.

I noticed that packets are being output but not input on Tunnel0.

IOS version is:

Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(4)M7, RELEASE SOFTWARE (fc2)

Any ideas?

Thanks in advance!

CoherentLogic

Is there anything I can post from my config that would help? Any ideas?

Thanks much,

jerryk

Wondering if you ever resolved your issue here.

I have an identical issue, except on 2621xm hardware.

Symptoms are also almost identical.

Elkosupertech

I am also having this issue with a Cisco 3825 using this IOS:
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)

My config is as follows:

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW-Elkosupertech
!
boot-start-marker
boot system flash:/c3825-advipservicesk9-mz.150-1.M8.bin
boot-end-marker
!
logging buffered 4096
no logging console
enable secret 5 ...
enable password ...
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
!
voice-card 0
!
voice-card 1
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name cityofelko.local
ip name-server 10.1.0.10
ip name-server 10.1.0.12
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW l2tp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name ipv6-1 icmp
ipv6 inspect name ipv6-1 udp
ipv6 inspect name ipv6-1 ftp
ipv6 dhcp pool DHCPV6
dns-server 2001:470:4A73:1::10
domain-name elkosupertech.local
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
no ip ftp passive
!
class-map match-any CCP-Transactional-1
match  dscp af21
match  dscp af22
match  dscp af23
class-map match-any CCP-Voice-1
match  dscp ef
class-map match-any CCP-Routing-1
match  dscp cs6
class-map match-any CCP-Signaling-1
match  dscp cs3
match  dscp af31
class-map match-any CCP-Management-1
match  dscp cs2
class-map match-all inspect
description Protocol41-cmap
match protocol ipv6
!
!
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
    priority percent 33
class CCP-Signaling-1
    bandwidth percent 5
class CCP-Routing-1
    bandwidth percent 5
class CCP-Management-1
    bandwidth percent 5
class CCP-Transactional-1
    bandwidth percent 5
class class-default
    fair-queue
     random-detect
policy-map sdm-qos-test-123
class class-default
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:39:48F::2/64
ipv6 enable
ipv6 mtu 1472
ipv6 eigrp 1
ipv6 inspect ipv6-1 out
ipv6 traffic-filter outside-in6 in
tunnel source 204.28.244.52
tunnel mode ipv6ip
tunnel destination 184.105.250.46
!
!
interface Tunnel1
no ip address
!
!
interface GigabitEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip dhcp client update dns
ip address dhcp client-id GigabitEthernet0/0 hostname GW-Elkosupertech
ip access-group 117 in
ip nat outside
ip inspect CCP_LOW in
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
ipv6 traffic-filter ipv6-1 in
no mop enabled
!
service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
!
interface GigabitEthernet0/1.1
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 1 native
ip address 10.1.0.252 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect CCP_LOW in
ip virtual-reassembly
!
interface GigabitEthernet0/1.2
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 50
ip address 10.2.0.252 255.255.255.0
ip access-group 109 in
ip helper-address 10.1.0.10
ip nat inside
ip inspect CCP_LOW in
ip virtual-reassembly
!
interface GigabitEthernet0/1.3
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 100
ip address 10.0.0.252 255.255.255.0
ip access-group 110 in
ip helper-address 10.1.0.10
ip nat inside
ip inspect CCP_LOW in
ip virtual-reassembly
ipv6 address 2001:470:4172:1::1/64
ipv6 enable
ipv6 mtu 1472
!
interface GigabitEthernet0/1.4
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 101
ip address 10.8.0.252 255.255.255.0
ip access-group 111 in
ip nat inside
ip inspect CCP_LOW in
ip virtual-reassembly
!
interface GigabitEthernet0/1.5
description $ETH-LAN$$FW_DMZ$
encapsulation dot1Q 200
ip address 10.200.0.252 255.255.255.0
ip access-group 114 in
ip nat inside
ip inspect dmzinspect out
ip virtual-reassembly
!
interface GigabitEthernet0/1.6
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 80
ip address 10.5.0.1 255.255.255.128
ip access-group 112 in
ip helper-address 10.1.0.10
ip nat inside
ip inspect CCP_LOW in
ip virtual-reassembly
!
interface GigabitEthernet0/1.7
description $ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 81
ip address 10.5.0.129 255.255.255.128
ip access-group 113 in
ip helper-address 10.1.0.10
ip nat inside
ip inspect CCP_LOW in
ip virtual-reassembly
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
ip forward-protocol nd
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 1000
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool rise-broadband 204.28.244.1 204.28.244.254 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.200.0.12 8008 interface GigabitEthernet0/0 8008
ip nat inside source static udp 10.200.0.12 8888 interface GigabitEthernet0/0 8888
ip nat inside source static tcp 10.200.0.10 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 10.200.0.20 25565 interface GigabitEthernet0/0 25565
ip nat inside source static tcp 10.200.0.12 8888 interface GigabitEthernet0/0 8888
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ipv6 access-list outside-in6
permit tcp any any established
permit tcp any host 2001:470:66:758::2 eq 22
permit icmp any 2001:470:4A73::/48
!
ipv6 access-list ipv6-1
permit ipv6 any any
!
control-plane
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/0/2
!
voice-port 1/0/3
!
voice-port 1/0/4
!
voice-port 1/0/5
!
voice-port 1/0/6
!
voice-port 1/0/7
!
voice-port 1/0/14
!
voice-port 1/0/15
!
voice-port 1/0/16
!
voice-port 1/0/17
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password ...
transport input telnet
!
scheduler allocate 20000 1000
end


Any assistance would be appreciated or maybe comparing notes with a config that works.  Thanks.

Elkosupertech

;D I GOT IT! I ended up asking HE for help and fought this thing, but I finally can report that my IPv6 tunnel is now operational.

It seems that I had to allow protocol 41 on the outside interface.  If you look at my configuration above you will see that GigabitEthernet0/0 (being my outside) is attached to an access-list of 117.

I had to add protocol 41 to that access list and lo and behold it started working:
access-list 117 permit 41 any any

Good luck!
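
Added example, not part of any post in this thread: a small Python check for the failure mode resolved above, where the IPv4 ACL bound inbound on the WAN interface drops protocol 41 from the tunnel server so the tunnel sends but never receives. The tunnel and interface lines follow the posted config; the access-list 117 entries are constructed (the thread never shows them), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the tunnel and interface lines follow the posted config;
# the access-list 117 entries are invented, since the thread never shows them.
SAMPLE = """\
interface Tunnel0
 tunnel source 204.28.244.52
 tunnel mode ipv6ip
 tunnel destination 184.105.250.46
!
interface GigabitEthernet0/0
 ip access-group 117 in
!
access-list 117 permit tcp any any established
access-list 117 permit icmp any any
access-list 117 deny ip any any
"""

def src_matches(tokens, peer):
    """Match an extended-ACL source spec: 'any', 'host A' or 'A wildcard'."""
    if tokens[0] == "any":
        return True
    if tokens[0] == "host":
        return tokens[1] == peer
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (int(ipaddress.IPv4Address(peer)) | wild) == (addr | wild)

def acl_admits_proto41(config, acl, peer):
    """First-match walk over one numbered ACL (destination fields are ignored)."""
    for line in config.splitlines():
        m = re.match(rf"access-list {acl} (permit|deny) (\S+) (.+)", line.strip())
        if m and m.group(2) in ("41", "ip") and src_matches(m.group(3).split(), peer):
            return m.group(1) == "permit"
    return False  # implicit deny at the end of every ACL

def audit(config, wan_if):
    """Return 6in4 tunnel peers whose replies the WAN inbound ACL would drop."""
    blocks = {b.split()[0]: b for b in re.split(r"(?m)^interface ", config)[1:]}
    acl = re.search(r"ip access-group (\d+) in", blocks[wan_if])
    if not acl:
        return []  # no inbound IPv4 filter on the WAN interface
    peers = [m.group(1) for b in blocks.values() if "tunnel mode ipv6ip" in b
             for m in [re.search(r"tunnel destination (\S+)", b)] if m]
    return [p for p in peers if not acl_admits_proto41(config, acl.group(1), p)]

print(audit(SAMPLE, "GigabitEthernet0/0"))
```

An entry limited to the tunnel server as source and the local tunnel endpoint as destination (permit 41 host 184.105.250.46 host 204.28.244.52) also passes this check and admits less than "permit 41 any any"; either entry has to sit above any matching deny, because the ACL is evaluated first-match.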