Neighbour discovery issues on sub-interface

scbenoit
Level 1

Good day

We have a 7201 running IOS 12.4(4) with 2 ISPs connected; IPv4 connectivity is working, as is IPv4 BGP.  To this router we've added IPv6 and have been able to establish a neighbour relationship as well as an IPv6 BGP session with one of the ISPs.

On the router

- the internal interface uses sub-interfaces and has IPv4 and IPv6 addresses bound to the same sub-interface, Gi0/2.50

- the external interface (Gi0/3) uses sub-interfaces as well, and both ISPs are on the same physical i/f but different sub-interfaces.

- Gi0/3.252 sub-interface is for ISP A and has IPv4 bound to it

- Gi0/3.752 sub-interface is for ISP A and has IPv6 bound to it

- Gi0/3.552 sub-interface is for ISP B and has both IPv6 and IPv4 bound to it

The connection to ISP A works fine for both IPv4 and IPv6.  In IPv6 we can see the neighbour, ping it, setup BGP session and route IPv6 traffic

The connection to ISP B works fine for IPv4 but fails under IPv6.

If I watch the IPv6 neighbor table with repetitive "sho ipv6 nei" commands I see neighbour status change from PROBE, to DELAY, to INCMP, to not being in the table.

IPv6 Address                              Age Link-layer Addr State Interface
FE80::226:51FF:FECA:A4D3                    0 0026.51ca.a4d3  REACH Gi0/3.752
2001:550:2:8::2:1                           0 001d.e511.6000  DELAY Gi0/3.552              <------ sample entry in table
2607:FD78:302:1::1                          0 0026.51ca.a4d3  REACH Gi0/3.752
FE80::250:56FF:FE80:3506                    0 0050.5680.3506  STALE Gi0/2.50
2620:DD::250:56FF:FE80:3506                 0 0050.5680.3506  REACH Gi0/2.50

While observing this I noted that the Gi0/3.552 sub interface never appears to have a link local address.  The status then changes to PROBE, then INCMP, and then does not appear in the table.

The attached IPv6 debug snippet reflects this behaviour.

Any thoughts on why this is happening and how to correct?  Shouldn't I see a local address in the neighbour table for the Gi0/3.552 sub-interface?

Thanks

Steve

19 Replies

cadet alain
VIP Alumni

Hi,

Can you post :

-sh run | s bgp

-sh ipv int g0/3.552

-sh bgp ipv6 unicast summary

-sh ip bgp ipv6 unicast neigh

Regards.

Alain.

Don't forget to rate helpful posts.

As suggested, please see the output from the various sho commands below


BA-B227-RO01#sho run | sec bgp
router bgp 19764
bgp log-neighbor-changes
neighbor 2001:550:2:8::2:1 remote-as 174
neighbor 2607:FD78:302:1::1 remote-as 26677
neighbor 38.107.139.89 remote-as 174
neighbor 38.107.139.89 description Cogent's A Peer to BA router
neighbor 38.107.139.89 password 7 xxxxxxxxxxxxxxxxxx
neighbor 66.97.23.205 remote-as 26677
neighbor 66.97.23.205 description ORION - Advanced R&E Peer
neighbor 66.97.23.205 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
neighbor 66.209.49.13 remote-as 30147
neighbor 66.209.49.13 description ***Atria_Networks***
neighbor 66.209.49.13 password 7 xxxxxxxxxxxxxxxxxxxxxx
neighbor 66.209.49.13 timers 20 60
maximum-paths 6
!
address-family ipv4
redistribute static
no neighbor 2001:550:2:8::2:1 activate
no neighbor 2607:FD78:302:1::1 activate
neighbor 38.107.139.89 activate
neighbor 38.107.139.89 route-map COGENT-out out
neighbor 66.97.23.205 activate
neighbor 66.97.23.205 send-community
neighbor 66.97.23.205 prefix-list GC_Routes_out out
neighbor 66.97.23.205 route-map ORION-OUT out
neighbor 66.209.49.13 activate
neighbor 66.209.49.13 default-originate
neighbor 66.209.49.13 advertisement-interval 20
neighbor 66.209.49.13 prefix-list GC_Routes_out out
neighbor 66.209.49.13 route-map ATRIA-OUT out
maximum-paths 6
no auto-summary
no synchronization
network 192.139.153.16 mask 255.255.255.240
network 198.73.133.0
network 198.73.134.0
network 199.212.2.0
aggregate-address 192.139.153.0 255.255.255.0 summary-only
exit-address-family
!
address-family ipv6
neighbor 2001:550:2:8::2:1 activate
neighbor 2001:550:2:8::2:1 prefix-list GC_IPv6_routes_out out
neighbor 2607:FD78:302:1::1 activate
neighbor 2607:FD78:302:1::1 prefix-list GC_IPv6_routes_out out
network 2620:DD::/48
exit-address-family
!
address-family nsap
maximum-paths 6
no synchronization
exit-address-family
snmp-server enable traps bgp
BA-B227-RO01#


BA-B227-RO01#sho ipv6 int gi0/3.552
GigabitEthernet0/3.552 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::227:DFF:FE9A:A917
  No Virtual link-local address(es):
  Description: "Cogent Internet service"
  Global unicast address(es):
    2001:550:2:8::2:2, subnet is 2001:550:2:8::2:0/112
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF02:2
    FF02::1:FF9A:A917
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
BA-B227-RO01#

BA-B227-RO01#sho bgp ipv6 uni sum
BGP router identifier 38.103.65.233, local AS number 19764
BGP table version is 101437, main routing table version 101437
5304 network entries using 790296 bytes of memory
5304 path entries using 403104 bytes of memory
66900/3881 BGP path/bestpath attribute entries using 8295600 bytes of memory
58695 BGP AS-PATH entries using 1590222 bytes of memory
186 BGP community entries using 5752 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 11084974 total bytes of memory
BGP activity 8971318/8617212 prefixes, 12341444/11976395 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:550:2:8::2:1
                4   174       0       0        0    0    0 never    Active
2607:FD78:302:1::1
                4 26677   98859   11064   101437    0    0 1w0d         5303
BA-B227-RO01#

BA-B227-RO01#sho ip bgp ipv6 unicast nei
BGP neighbor is 2001:550:2:8::2:1,  remote AS 174, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
  Last read 1w0d, last write 1w0d, hold time is 180, keepalive interval is 60 seconds
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  0          0
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             0          0
    Route Refresh:          0          0
    Total:                  0          0
  Default minimum time between advertisement runs is 30 seconds

For address family: IPv6 Unicast
  BGP table version 101454, neighbor version 0/0
Output queue size : 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
  Outgoing update prefix filter list is GC_IPv6_routes_out
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1          0
    Prefixes Total:                 0          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Total:                                0          0
  Number of NLRIs in the update sent: max 0, min 0

  Connections established 0; dropped 0
  Last reset never
  No active TCP connection

BGP neighbor is 2607:FD78:302:1::1,  remote AS 26677, external link
  BGP version 4, remote router ID 66.97.18.19
  BGP state = Established, up for 1w0d
  Last read 00:00:10, last write 00:00:00, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv6 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                1      98866
    Keepalives:         11064         11
    Route Refresh:          0          0
    Total:              11066      98878
  Default minimum time between advertisement runs is 30 seconds

For address family: IPv6 Unicast
  BGP table version 101454, neighbor version 101451/0
Output queue size : 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
  Outgoing update prefix filter list is GC_IPv6_routes_out
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               1       5301 (Consumes 402876 bytes)
    Prefixes Total:                 1     109971
    Implicit Withdraw:              0      97857
    Explicit Withdraw:              0       6813
    Used as bestpath:             n/a       5301
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    prefix-list                       94493          0
    Suppressed duplicate:                 0      15332
    AS_PATH loop:                       n/a          1
    Bestpath from this peer:           5270        n/a
    Total:                            99763      15333
  Number of NLRIs in the update sent: max 1, min 1

  Connections established 1; dropped 0
  Last reset never
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Local host: 2607:FD78:302:1::2, Local port: 32189
Foreign host: 2607:FD78:302:1::1, Foreign port: 179
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x5949ADC24):
Timer          Starts    Wakeups            Next
Retrans         11066          1             0x0
TimeWait            0          0             0x0
AckHold         22948      17433             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0

iss: 2274602483  snduna: 2274812833  sndnxt: 2274812833     sndwnd:  31856
irs: 3457516074  rcvnxt: 3467046155  rcvwnd:      15202  delrcvwnd:   1182

SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 1668 ms, ACK hold: 200 ms
Status Flags: active open
Option Flags: nagle
IP Precedence value : 6

Datagrams (max data segment is 1440 bytes):
Rcvd: 34705 (out of order: 0), with data: 23595, total data bytes: 9530080
Sent: 34487 (retransmit: 1, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 34487, total data bytes: 1589837

BA-B227-RO01#

Please be cautious about publishing parts of configs containing type 7 passwords.

These lines are easily decryptable.

As a piece of advice, please edit your post and remove this info
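One way to strip credential lines from an IOS configuration before posting it, as an added example that is not part of the original thread. The sample configuration, its addresses and its strings are constructed, and the list of credential-bearing commands is an assumption about what a typical config contains, not an exhaustive one.

```python
import re

# IOS configuration commands that carry a credential. Group 1 is the command
# prefix that is kept; the secret after it is dropped. Optional group 2 is a
# harmless tail to keep (the RO/RW keyword of an SNMP community).
SECRET_PATTERNS = [re.compile(p) for p in (
    r"^(\s*neighbor \S+ password(?: \d)?) \S+.*$",        # BGP MD5 key
    r"^(\s*enable (?:secret|password)(?: \d)?) \S+.*$",
    r"^(\s*username \S+ .*?(?:secret|password)(?: \d)?) \S+.*$",
    r"^(\s*password(?: \d)?) \S+.*$",                      # line con/vty
    r"^(\s*key-string(?: \d)?) \S+.*$",                    # key chains
    r"^(\s*snmp-server community) \S+(.*)$",
)]


def sanitize(config):
    """Return (cleaned_config, number_of_lines_redacted)."""
    cleaned, hits = [], 0
    for line in config.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                # Keep the command, replace the secret, keep any safe tail.
                tail = m.group(2) if pat.groups > 1 else ""
                line = f"{m.group(1)} <removed>{tail}"
                hits += 1
                break
        cleaned.append(line)
    return "\n".join(cleaned), hits


# Constructed sample: documentation addresses and made-up strings.
SAMPLE = """\
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description Upstream A
 neighbor 192.0.2.1 password 7 CONSTRUCTED7VALUE
 neighbor 2001:db8::1 password plainkey
snmp-server community examplestring RO
snmp-server enable traps bgp
line vty 0 4
 password 7 CONSTRUCTEDVTY"""

if __name__ == "__main__":
    text, count = sanitize(SAMPLE)
    print(text)
    print(f"{count} credential line(s) redacted")
```

The whole value is removed rather than masked character by character, so the length of the original string is not disclosed either.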

scbenoit
Level 1

Hello

In looking at the output of the sho ipv6 interface commands, is the issue that both of the sub-interfaces generated the same link-local address since they are on the same physical link ?

BA-B227-RO01#sho ipv6 nei
IPv6 Address                              Age Link-layer Addr State Interface
FE80::226:51FF:FECA:A4D3                    0 0026.51ca.a4d3  REACH Gi0/3.752
2001:550:2:8::2:1                           0 001d.e511.6000  PROBE Gi0/3.552
2607:FD78:302:1::1                          0 0026.51ca.a4d3  REACH Gi0/3.752
FE80::250:56FF:FE80:3506                    0 0050.5680.3506  DELAY Gi0/2.50
2620:DD::250:56FF:FE80:3506                 0 0050.5680.3506  REACH Gi0/2.50

BA-B227-RO01#sho ipv6 int gi0/3.552
GigabitEthernet0/3.552 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::227:DFF:FE9A:A917
  No Virtual link-local address(es):


BA-B227-RO01#sho ipv6 int gi0/3.752
GigabitEthernet0/3.752 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::227:DFF:FE9A:A917
  No Virtual link-local address(es):

I never see a link local address in the neighbour table for the gi0/3.552 sub-i/f, only the gi0/3.752 sub-i/f

Is there a way to bind a virtual link local address to the i/f - or is it simply a regular assignment with an fe80 address?

What would happen if I bound an IPv6 address to the physical link; would I then possibly lose the assignment and operation on the gi0/3.752 since there would now be 3 i/fs trying to use the same link-local address?

thanks

steve

cadet alain
VIP Alumni

Can you clear bgp peering with ISP B and then debug bgp ipv6 and post the output?

Regards.

Alain.

Don't forget to rate helpful posts.

I've attached a larger about as a file, see attached, but the line of interest is this one I believe

Apr 14 14:39:27.508: BGP: 2001:550:2:8::2:1 open failed: Connection timed out; remote host not responding, open active delayed 32928ms (35000ms max, 28% jitter)

which I believe points back to the lack of IPv6 connectivity to that site.  I should mention that I cannot ping the 2001:55:2:8::2:1 address on the other end, which led me to the IPv6 neighbour issue.  IPv4 is operational and fine on this same link and vlan.

In the previous debugging I can see the remote end and my end trying to establish an ipv6 neighbour relationship but it never completes.  It simply cycles from not being in the neighbour table, to status PROBE, DELAY or INCMP

thanks

steve

I tried forcing the link-local address with these two commands to see if that made a difference

I tried this one first - ipv6 address fe80::227:dff:fe8a:a917 link-local
then I tried this one - ipv6 address fe80::227:dff:fe11:1111 link-local

in both cases the interface also had these two lines

ipv6 address 2001:550:2:8::2:2/112
ipv6 enable

After disabling and enabling ipv6 on the interface the output of sho int was

BA-B227-RO01#sho ipv6 int brief
FastEthernet0/0            [up/up]
GigabitEthernet0/0         [administratively down/down]
GigabitEthernet0/1         [administratively down/down]
GigabitEthernet0/2         [up/up]
GigabitEthernet0/2.1       [administratively down/down]
GigabitEthernet0/2.50      [up/up]
    FE80::227:DFF:FE9A:A919
    2620:DD::1:0:0:1
GigabitEthernet0/3         [up/up]
GigabitEthernet0/3.252     [up/up]
    unassigned
GigabitEthernet0/3.552     [up/up]
    FE80::227:DFF:FE11:1111
    2001:550:2:8::2:2
GigabitEthernet0/3.752     [up/up]
    FE80::227:DFF:FE9A:A917
    2607:FD78:302:1::2
FastEthernet1/0            [administratively down/down]
BA-B227-RO01#

and the sho ipv6 nei command still shows no neighbour relationship with the remote end

BA-B227-RO01#
BA-B227-RO01#sho ipv6 nei
IPv6 Address                              Age Link-layer Addr State Interface
FE80::226:51FF:FECA:A4D3                    0 0026.51ca.a4d3  DELAY Gi0/3.752
2001:550:2:8::2:1                           0 001d.e511.6000  DELAY Gi0/3.552
2607:FD78:302:1::1                          0 0026.51ca.a4d3  REACH Gi0/3.752
FE80::250:56FF:FE80:3506                    0 0050.5680.3506  REACH Gi0/2.50
2620:DD::250:56FF:FE80:3506                 0 0050.5680.3506  DELAY Gi0/2.50

BA-B227-RO01#

attached is debug ipv6 nd output

I don't think  this is a link-local problem because you can put the same link-local address on different interfaces and if you had a duplicate address problem then DAD would have detected it and put interface in a DUP state which is not the case here.

Gonna think your problem over and if I've got a solution I'll let you know.

Regards.

Alain.

Don't forget to rate helpful posts.

Alain - thanks for giving this some thought - I've been scratching my head on this.

I'll update the link as we make progress on it

Steve

Could this be a firewall issue?

It has all of the trappings of a unidirectional link.  Can you ping the router at ISP B?

Apr 14 15:21:03.476: ICMPv6-ND: Received NS for 2001:550:2:8::2:2 on GigabitEthernet0/3.552 from 2001:550:2:8::2:1

Apr 14 15:21:03.476: ICMPv6-ND: DELETE -> INCMP: 2001:550:2:8::2:1

Apr 14 15:21:03.476: ICMPv6-ND: INCMP -> STALE: 2001:550:2:8::2:1

Apr 14 15:21:03.476: ICMPv6-ND: Sending NA for 2001:550:2:8::2:2 on GigabitEthernet0/3.552

Apr 14 15:21:03.476: ICMPv6-ND: STALE -> DELAY: 2001:550:2:8::2:1

Apr 14 15:21:07.996: ICMPv6-ND: REACH -> STALE: FE80::250:56FF:FE80:3506

Apr 14 15:21:08.476: ICMPv6-ND: DELAY -> PROBE: 2001:550:2:8::2:1

Apr 14 15:21:08.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552

Apr 14 15:21:09.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552

Apr 14 15:21:10.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552

We receive an NS and send an NA, but when we send our own NS, we never get an NA reply?  How can that be?

So, 2001:550:2:8::2:1 never goes into the reachable state....
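The pattern described in the post above (the neighbour solicits us, but our own solicitations go unanswered) can be picked out of a longer `debug ipv6 nd` capture automatically. This is an added example, not part of the original thread: the first block of sample lines is copied from the excerpt above, the `2001:db8::` lines are constructed, and treating a logged transition to REACH as "our NS was answered" is an assumption of the script.

```python
import re
from collections import defaultdict

# Line shapes as they appear in the "debug ipv6 nd" excerpt quoted above.
RX_NS_IN = re.compile(r"ICMPv6-ND: Received NS for \S+ on \S+ from (\S+)")
RX_NS_OUT = re.compile(r"ICMPv6-ND: Sending NS for (\S+) on \S+")
RX_STATE = re.compile(r"ICMPv6-ND: \w+ -> (\w+): (\S+)")


def one_way_neighbors(log, min_probes=3):
    """Neighbors that solicit us, yet leave min_probes of our NS unanswered.

    'Unanswered' means no transition to REACH was logged after the NS."""
    heard = defaultdict(int)    # NS received from this neighbor
    pending = defaultdict(int)  # NS sent to it since its last REACH
    worst = defaultdict(int)    # longest unanswered run observed
    for line in log.splitlines():
        if m := RX_NS_IN.search(line):
            heard[m.group(1)] += 1
        elif m := RX_NS_OUT.search(line):
            n = m.group(1)
            pending[n] += 1
            worst[n] = max(worst[n], pending[n])
        elif (m := RX_STATE.search(line)) and m.group(1) == "REACH":
            pending[m.group(2)] = 0
    return sorted(n for n in worst if heard[n] and worst[n] >= min_probes)


SAMPLE_LOG = """\
Apr 14 15:21:03.476: ICMPv6-ND: Received NS for 2001:550:2:8::2:2 on GigabitEthernet0/3.552 from 2001:550:2:8::2:1
Apr 14 15:21:03.476: ICMPv6-ND: Sending NA for 2001:550:2:8::2:2 on GigabitEthernet0/3.552
Apr 14 15:21:03.476: ICMPv6-ND: STALE -> DELAY: 2001:550:2:8::2:1
Apr 14 15:21:07.996: ICMPv6-ND: REACH -> STALE: FE80::250:56FF:FE80:3506
Apr 14 15:21:08.476: ICMPv6-ND: DELAY -> PROBE: 2001:550:2:8::2:1
Apr 14 15:21:08.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:09.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:10.476: ICMPv6-ND: Sending NS for 2001:550:2:8::2:1 on GigabitEthernet0/3.552
Apr 14 15:21:11.000: ICMPv6-ND: Received NS for 2001:db8::2 on GigabitEthernet0/9.9 from 2001:db8::1
Apr 14 15:21:16.000: ICMPv6-ND: Sending NS for 2001:db8::1 on GigabitEthernet0/9.9
Apr 14 15:21:16.010: ICMPv6-ND: PROBE -> REACH: 2001:db8::1
"""
# The last three lines are constructed: a healthy neighbor for contrast.

if __name__ == "__main__":
    for neighbor in one_way_neighbors(SAMPLE_LOG):
        print(f"{neighbor}: solicits us but never answers our NS")
```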

Hello Phillip

Thanks for the ideas.  No, I cannot ping the ISP B interface over IPv6; same link and sub-interface with IPv4 pings fine.  PING was my first attempt, and when it didn't ping I went to see if it had formed a neighbor relationship on the link, and it hadn't.

Yes, it does look like a unidirectional link, or FW issue, but there is no FW or ACLs in place on the link between the 2 sites.  ISP B is on a vlan/subinterface on my end, carried by a RAN to a demarc, and broken out onto a switch access port to connect to ISP B's physical interface.  IPv4 traffic to ISP B on the same sub-interface is fine.

Steve

Is it possible that you can add another device (any IPv6 device!) on to that VLAN and see if you can successfully ping?  This will help to identify if the problem is on your side or the ISP's side.

Have you contacted the ISP?  Maybe they have a configuration issue?

Phillip - I like that idea of putting an additional device on line in the path.  I'm going to ask the RAN/carrier to put a device on the vlan mid way and see which, if either end they can see.

thanks for the idea

steve

Yes, the excess amount of IP addresses makes such tests very easy compared to IPv4!!

I thought a little more and wondered if the ISP might have an access list blocking ICMPv6 packets.  A bad habit from the IPv4 days was to add a "deny any any" at the end of every IP access list "just in case" even though there was an implicit deny at the end of every list.

At the end of an IPv6 access list, there is a more complex "implicit" ending

  • permit icmp any any nd-na
  • permit icmp any any nd-ns
  • deny ipv6 any any

If the ISP added an explicit "deny IPv6 any any" on their access lists, they actually BREAK IPv6 neighbor discovery, since the implicit exceptions for ICMPv6 neighbor discovery would be overridden.

Earl Carter wrote a nice blog on the topic at

http://blogs.cisco.com/security/securing-ipv6/

Ask them to inspect their access lists, and either remove any explicit deny at the end (if they have it) or be sure to add in the ICMP ND exceptions.
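A check for the access-list mistake described in the post above, as an added example that is not part of the original thread. It scans a running-config for IPv6 ACLs whose explicit `deny ipv6 any any` is reached before `nd-ns` and `nd-na` have been permitted. The ACL names and addresses are constructed, and counting only `any any` permits as covering neighbor discovery is a simplifying assumption.

```python
import re

ND_TYPES = ("nd-ns", "nd-na")


def audit_ipv6_acls(config):
    """Map ACL name -> ND message types an explicit 'deny ipv6 any any' blocks.

    Only 'any any' permits are counted as covering ND (a conservative
    simplification); narrower ND permits are reported as missing."""
    findings, name, allowed, decided = {}, None, set(), False
    for raw in config.splitlines():
        if m := re.match(r"ipv6 access-list (\S+)", raw):
            name, allowed, decided = m.group(1), set(), False
            continue
        if not raw[:1].isspace():
            name = None                   # any other top-level line ends the ACL
            continue
        if name is None or decided:
            continue
        tok = raw.split()
        head, rest = tok[:4], tok[4:5]
        if head == ["permit", "ipv6", "any", "any"]:
            decided = True                # all traffic permitted before any deny
        elif head == ["permit", "icmp", "any", "any"]:
            if not rest:
                allowed.update(ND_TYPES)  # untyped permit covers all ICMPv6
            elif rest[0] in ND_TYPES:
                allowed.add(rest[0])
        elif head == ["deny", "ipv6", "any", "any"]:
            missing = [t for t in ND_TYPES if t not in allowed]
            if missing:
                findings[name] = missing
            decided = True
    return findings


# Constructed sample configuration (documentation addresses).
SAMPLE = """\
ipv6 access-list EDGE-BROKEN
 permit tcp host 2001:db8::1 host 2001:db8::2 eq bgp
 deny ipv6 any any log
!
ipv6 access-list EDGE-HALF
 permit icmp any any nd-ns
 deny ipv6 any any
!
ipv6 access-list EDGE-FIXED
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit tcp host 2001:db8::1 host 2001:db8::2 eq bgp
 deny ipv6 any any log
!
ipv6 access-list EDGE-IMPLICIT
 permit tcp host 2001:db8::1 host 2001:db8::2 eq bgp
"""

if __name__ == "__main__":
    for acl, missing in audit_ipv6_acls(SAMPLE).items():
        print(f"{acl}: explicit deny blocks {', '.join(missing)}")
```

`EDGE-IMPLICIT` is not reported because it has no explicit deny, so the implicit ND permits listed in the post still apply.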
