Print

[dtic]

My settings and my test in the attachments. Cannot ping the tunnel0 server(peer) ipv6 address. I'm using a Cisco ASR

FASTA-ASR#ping 2001:***:**:B2::1 source 2001:***:**:B2::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:***:**:B2::1, timeout is 2 seconds:
Packet sent with a source address of 2001:***:**:B2::2
.....
Success rate is 0 percent (0/5)

What am I doing wrong?

[cholzhauer]

Why'd you upload a screenshot of the IP addresses if you blacked them out?

Did you enable IPv6 routing on the router?  I don't remember the exact command, but I remember seeing multiple posts on the forums that mention it.

[dtic]

Because I wasn't sure if that's allowed, anyways the ipv6 unicast-routing is configured.

Router#show run | inc ipv6 unicast-routing
ipv6 unicast-routing

Router#ping 2001:470:10:B2::1 source 2001:470:10:B2::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:10:B2::1, timeout is 2 seconds:
Packet sent with a source address of 2001:470:10:B2::2
.....
Success rate is 0 percent (0/5)

[cholzhauer]

I didn't think the routing statement would matter because you're not doing any sort of routing, but you never know.

Taking a stab...is your ISP blocking protocol 41?

[dtic]

How could I test that?

[cholzhauer]

The easiest way is to ask them, although they will probably be confused

You could also do a packet capture, but that takes more work.  Can you post your config with the addresses visible?  If you don’t want to, send it in a message instead

[dtic]

!
!
ipv6 unicast-routing
!
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:10:B2::2/64
 ipv6 enable
 ipv6 mtu 1480
 tunnel source 200.87.162.225
 tunnel mode ipv6ip
 tunnel destination 216.66.70.2
!
interface GigabitEthernet0/0/0
 description WAN
 ip address 200.87.162.225 255.255.255.248 secondary
 ip address 191.184.27.78 255.255.255.252
 ip nat outside
 negotiation auto
!
!

ipv6 route ::/0 Tunnel0
!


The ISP says it is not filtering any protocol

I have ping(ed) from HE looking glass and I get packets matched by a test access-list

FASTA-ASR#show access-lists 100
Extended IP access list 100
    10 permit 41 any any log (252 matches)

[cholzhauer]

I don't see anything glaring with your config, but I don't have enough experience building a tunnel on a Cisco router to say for sure.  My only other suggestion is to check your MTU.  Hopefully someone else sees what I missed.

[dtic]

Have tried using another Tunnel Broker and it works like a charm. However, I need BGP(6).

I've also sent an email to he.net but no one replied.

Can anybody help?

[broquea]

BGP tunnels are manually approved. They are not configured until approved.
Your ticket to request one was opened 44 hours ago by our system.
No replies from you to that ticket.
If you are emailing our ticket system, you should be getting back an autoresponder for any new ticket you created.
If not, your emails aren't making it to our system.

[dtic]

Sorry I don't understand the procedure: to ping the peer I should have approved the BGP tunnel?
is that why I cannot ping the peer?

I have received this confirmation on February 25th:

Your message ("Problem: I cannot ping peer for tunnel broker") has been assigned the tracking ID [HE#4045337].
One of our engineers will reply to your email within 24 hours.

Please include the string '[HE#4045337]' in the subject of any future email about
this case.  You may do that by simply replying to this message.

Please be aware that our system currently rejects binary attachments.  If you
are submitting a traceroute or ping output please generate it in text and
followup to this email.

Thank You.
Hurricane Electric Support
http://www.he.net/faq
http://www.he.net/info

Thanks for answering,

[broquea]

HE needs to approve the BGP tunnel after a vetting process. Sorry your other ticket didn't get responded to yet.