I have a Cisco 7606 router acting as my border gateway for a campus network. Downstream from the router is a Palo Alto NGFW and then a core distribution, L3 switch for my campus.
Most physical ports on my router are configured as switchports assigned to a VLAN and VLAN Interfaces act as gateways for those VLANs. Today I configured ip verify unicast source reachable-via rx on the VLAN interface 252 with IP X.X.252.193, connected to the PA Firewall. The Firewall NATs my internal IP to X.X.252.243 and X.X.252.249 (relative to internal requirements). Immediately upon committing the uRPF config, my network came down. I removed uRPF 4 minutes later, and everything stayed down (even though the interfaces still displayed up/up).
I have one external Gigabit WAN interface divided into two sub-interfaces via dot1x encap, each as a separate route to "different" BGP neighbors. After hours of troubleshooting and finding nothing that should be causing a problem - one of the paths started passing traffic in and out of my internal network. However, the other (far more trafficked) path - the one set as the default route, was still not communicating.
I removed the uRPF configuration, bounced all involved interfaces, and even deleted and re-created the culprit sub-interface acting as the default route. Still nothing. At my wit's end, with contributed troubleshooting from neighboring ISP support, I eventually just reloaded the router and after a reboot, all connectivity was restored.
Has anyone ever encountered anything like this?
-The router has a known route to the NAT'd source IP, which is the same VLAN interface the IP would come in to, yet it still everything came down. Why?
-Even after removing the config from the single interface, residual effects were felt, in failing to forward traffic out the default route's WAN interface.
-I found nothing in viewable configs that would cause this, and especially, changed nothing that would cause this (that I didn't immediately revert).
