06-14-2024 01:16 PM - edited 06-14-2024 01:18 PM
Hello,
I need some help. I'm not sure what's going on with the VRF.
Not sure if this is a bug on the ASR1001.
I have a simple setup: One Fortigate connected to an ASR1001 with an ethernet cable, then a remote Fortigate connected over site to site VPN to the ASR1001.
On ASR1 Colo I have VRFs VRF_500, VRF_1025, and others, but I have a problem with VRF_1025.
VRF_500: 172.16.250.0/24
VRF_1025: 10.10.25.0/24
I can ping from VRF_500 to the office networks and from the office networks back to R1 Colo:
10.200.45.0/24 and 172.16.45.0/24
I can ping from Fortigate Colo to => Fortigate Office
I cannot ping from R1 Colo VRF_1025 to the office networks: 10.200.45.0/24 and 172.16.45.0/24
Fortigate Colo <=> Cisco ASR1001 <=> Fortigate Office
R1-colo#ping vrf VRF_1025 10.200.45.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.45.10, timeout is 2 seconds:
....
R1-colo#ping vrf VRF_500 10.200.45.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.45.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/15/19 ms
LA1-BR-RTR-01#
R1 colo:
router ospf 1025 vrf VRF_1025
router-id 10.10.25.254
capability vrf-lite
redistribute connected subnets
passive-interface default
network 10.10.25.0 0.0.0.255 area 0
network 10.199.45.0 0.0.0.255 area 0
default-information originate
router ospf 500 vrf VRF_500
router-id 172.16.250.254
capability vrf-lite
redistribute connected subnets
passive-interface default
network 172.16.250.0 0.0.0.255 area 1
router bgp 65001
bgp router-id 10.10.24.254
bgp log-neighbor-changes
address-family ipv4 vrf VRF_1025
network 10.2.1.0 mask 255.255.255.248
network 10.10.25.0 mask 255.255.255.0
network 10.199.45.0 mask 255.255.255.0
network 10.200.45.0 mask 255.255.255.0
redistribute ospf 1025 route-map OSPF-TO-BGP-VRF-CUST-1025
neighbor 10.2.1.2 remote-as 65001
neighbor 10.2.1.2 activate
exit-address-family
address-family ipv4 vrf VRF_CUST_500
network 172.16.250.0 mask 255.255.255.0
exit-address-family
ip route vrf VRF_1025 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.*.113
ip route vrf VRF_1025 10.198.45.1 255.255.255.255 10.199.45.254
ip route vrf VRF_1025 10.198.45.2 255.255.255.255 10.199.45.254
ip route vrf VRF_1025 10.200.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_1025 10.212.134.0 255.255.255.0 Tunnel1025
ip route vrf VRF_1025 10.212.135.0 255.255.255.0 10.199.45.254
ip route vrf VRF_1025 10.212.136.0 255.255.255.0 10.200.110.254
ip route vrf VRF_1025 172.16.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_500 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.*.113
ip route vrf VRF_500 10.200.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_500 10.212.134.0 255.255.255.0 Tunnel1025
ip route vrf VRF_500 10.212.135.0 255.255.255.0 10.199.45.254
ip route vrf VRF_500 10.212.136.0 255.255.255.0 10.200.110.254
ip route vrf VRF_500 172.16.45.0 255.255.255.0 Tunnel1025
I have attached a small topology for more info.
Any help will be appreciated.
Thanks.
06-14-2024 11:20 PM
Maybe I was not clear: where is this VRF interface configuration located? Can you post "show ip route vrf all" output?
Is this VRF 500 and VRF 1025 interface in Router1?
Do you see the routes in the VRF 1025 routing table?
06-15-2024 01:42 AM - edited 06-15-2024 10:47 PM
Hey, thanks for getting back to me.
Is this VRF 500 and VRF 1025 interface in Router1?
Yes, they are on Router1
Do you see the routes in the VRF 1025 routing table?
I see the routes on both VRFs, they are almost identical.
R1-Colo#sh ip route vrf VRF_1025
Routing Table: VRF_1025
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 199.180.152.113 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 199.180.152.113, GigabitEthernet0/0/0
10.0.0.0/8 is variably subnetted, 27 subnets, 4 masks
B 10.1.2.0/30 is directly connected (VRF_CUST_10), 1d01h, Tunnel102
L 10.1.2.1/32 is directly connected, Tunnel102
L 10.1.2.2/32 is directly connected, Tunnel102
B 10.1.2.4/30 is directly connected (VRF_CUST_10), 1d01h, Loopback10
L 10.1.2.5/32 is directly connected, Loopback10
B 10.1.30.0/24 is directly connected (VRF_CUST_30), 1d01h, Port-channel2.30
L 10.1.30.254/32 is directly connected, Port-channel2.30
C 10.2.1.0/29 is directly connected, Tunnel1025
L 10.2.1.1/32 is directly connected, Tunnel1025
B 10.4.2.0/30 is directly connected (VRF_CUST_30), 1d01h, Tunnel30
L 10.4.2.1/32 is directly connected, Tunnel30
B 10.10.24.0/24 is directly connected (VRF_CUST_10), 1d01h, Port-channel2.10
L 10.10.24.254/32 is directly connected, Port-channel2.10
C 10.10.25.0/24 is directly connected, Port-channel2.1025
L 10.10.25.254/32 is directly connected, Port-channel2.1025
B 10.30.30.0/24 is directly connected (VRF_CUST_30), 1d01h, Loopback30
L 10.30.30.1/32 is directly connected, Loopback30
S 10.198.45.1/32 [1/0] via 10.199.45.254
S 10.198.45.2/32 [1/0] via 10.199.45.254
C 10.199.45.0/24 is directly connected, Port-channel2.45
L 10.199.45.253/32 is directly connected, Port-channel2.45
S 10.200.45.0/24 is directly connected, Tunnel1025
B 10.200.110.0/24 is directly connected (VRF_CUST_30), 1d01h, Port-channel2.110
L 10.200.110.253/32 is directly connected, Port-channel2.110
S 10.212.134.0/24 is directly connected, Tunnel1025
S 10.212.135.0/24 [1/0] via 10.199.45.254
S 10.212.136.0/24 [1/0] via 10.200.110.254
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.45.0/24 is directly connected, Tunnel1025
B 172.16.250.0/24 is directly connected (VRF_500), 1d01h, Port-channel2.500
L 172.16.250.254/32 is directly connected, Port-channel2.500
R1-colo#sh ip route vrf VRF_500
Routing Table: VRF_500
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 199.180.152.113 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 199.180.152.113, GigabitEthernet0/0/0
10.0.0.0/8 is variably subnetted, 17 subnets, 4 masks
B 10.1.2.0/30 is directly connected (VRF_CUST_10), 1d01h, Tunnel102
L 10.1.2.1/32 is directly connected, Tunnel102
L 10.1.2.2/32 is directly connected, Tunnel102
B 10.1.2.4/30 is directly connected (VRF_CUST_10), 1d01h, Loopback10
L 10.1.2.5/32 is directly connected, Loopback10
B 10.2.1.0/29 is directly connected (VRF_1025), 1d01h, Tunnel1025
L 10.2.1.1/32 is directly connected, Tunnel1025
L 10.2.1.2/32 is directly connected, Tunnel1025
B 10.10.24.0/24 is directly connected (VRF_CUST_10), 1d01h, Port-channel2.10
L 10.10.24.254/32 is directly connected, Port-channel2.10
B 10.10.25.0/24 is directly connected (VRF_1025), 1d01h, Port-channel2.1025
L 10.10.25.254/32 is directly connected, Port-channel2.1025
B 10.199.45.0/24 is directly connected (VRF_1025), 1d01h, Port-channel2.45
L 10.199.45.253/32 is directly connected, Port-channel2.45
S 10.200.45.0/24 is directly connected, Tunnel1025
S 10.212.134.0/24 is directly connected, Tunnel1025
S 10.212.135.0/24 [1/0] via 10.199.45.254
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.45.0/24 is directly connected, Tunnel1025
C 172.16.250.0/24 is directly connected, Port-channel2.500
L 172.16.250.254/32 is directly connected, Port-channel2.500
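The two tables above are compared by eye in the thread. As an added example (not from the original post), this script parses the IOS "show ip route vrf" format, re-joins entries whose detail wrapped onto the next line, and diffs two VRF tables, marking prefixes that were imported from another VRF. The sample tables are constructed from the output quoted above.

```python
import re
from typing import Dict, NamedTuple, Optional, Set, Tuple

# Added example, not from the thread: parse two 'show ip route vrf' tables in
# the IOS format quoted above and report where they differ and which prefixes
# were imported from another VRF ("directly connected (VRF_X)" marks a BGP leak).
class Route(NamedTuple):
    code: str                   # L, C, S, S*, B, O IA ...
    leaked_from: Optional[str]  # source VRF when imported from another VRF
    detail: str                 # next hop / egress interface text

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\*?(?: (?:IA|E1|E2|N1|N2|L1|L2|EX|ia|su))?)\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s*(?P<detail>.*)$")
LEAK_RE = re.compile(r"directly connected \((?P<vrf>[^)]+)\)")

def parse_route_table(text: str) -> Dict[str, Route]:
    """Return {prefix: Route}; legend, summary and gateway lines are skipped."""
    routes: Dict[str, Route] = {}
    pending = None  # (code, prefix) whose detail wrapped onto the next line
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if pending:
            (code, prefix), detail, pending = pending, line, None
        else:
            m = ROUTE_RE.match(line)
            if not m:
                continue
            code, prefix, detail = m.group("code", "prefix", "detail")
            if not detail:          # wrapped entry such as "B   10.10.24.0/24"
                pending = (code, prefix)
                continue
        leak = LEAK_RE.search(detail)
        routes[prefix] = Route(code, leak.group("vrf") if leak else None, detail)
    return routes

def diff_vrfs(a: Dict[str, Route], b: Dict[str, Route]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Prefixes only in a, only in b, and shared ones whose source differs."""
    changed = {p for p in set(a) & set(b)
               if (a[p].code, a[p].leaked_from) != (b[p].code, b[p].leaked_from)}
    return set(a) - set(b), set(b) - set(a), changed

# Constructed samples, trimmed from the two tables quoted in this thread.
VRF_1025 = """Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
S*    0.0.0.0/0 [1/0] via 199.180.152.113, GigabitEthernet0/0/0
      10.0.0.0/8 is variably subnetted, 27 subnets, 4 masks
C        10.2.1.0/29 is directly connected, Tunnel1025
B        10.10.24.0/24
            is directly connected (VRF_CUST_10), 1d01h, Port-channel2.10
C        10.10.25.0/24 is directly connected, Port-channel2.1025
S        10.200.45.0/24 is directly connected, Tunnel1025
B        172.16.250.0/24 is directly connected (VRF_500), 1d01h, Port-channel2.500
"""
VRF_500 = """S*    0.0.0.0/0 [1/0] via 199.180.152.113, GigabitEthernet0/0/0
B        10.2.1.0/29 is directly connected (VRF_1025), 1d01h, Tunnel1025
L        10.2.1.2/32 is directly connected, Tunnel1025
B        10.10.25.0/24 is directly connected (VRF_1025), 1d01h, Port-channel2.1025
S        10.200.45.0/24 is directly connected, Tunnel1025
C        172.16.250.0/24 is directly connected, Port-channel2.500
"""
```

Running `diff_vrfs(parse_route_table(VRF_1025), parse_route_table(VRF_500))` separates prefixes present in only one VRF from prefixes present in both but learned differently (connected in one, leaked in via BGP in the other), which is the distinction the two tables above hide when read side by side.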
06-15-2024 02:20 AM
Can we simply try to solve this issue point by point?
Does Colo have one VRF or two?
Does Office have one VRF or two?
MHM
06-15-2024 02:50 AM
Colo has 2 VRFs and office (IPsec tunnel) has no VRFs.
Can't explain why vrf_500 can ping remote office 10.200.45.10 and vrf_1025, which is the VRF in Tunnel1025, can't.
interface Tunnel1025
description test
ip vrf forwarding VRF_1025
ip address 10.2.1.1 255.255.255.248
ip mtu 1430
ip tcp adjust-mss 1250
ip ospf network point-to-point
ip ospf mtu-ignore
ip ospf 1025 area 0
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 76.80.*.10
tunnel path-mtu-discovery
tunnel protection ipsec profile TEST-PROFILE
!
The tunnel is up at both ends.
06-15-2024 03:03 AM
This topology is to simplify the issue.
Please write OK or NOT OK beside each of the notes below, with corrections:
1- there are two VRFs in the ASR
2- the interfaces f1/1 and f0/0 are configured in global, not in any VRF
3- there is an SVTI in VRF1024 between Colo and ASR
MHM
06-15-2024 10:55 PM - edited 06-15-2024 11:18 PM
1- there are two VRFs in the ASR
Yes, vrf_1025 and vrf_500
2- the interfaces f1/1 and f0/0 are configured in global, not in any VRF
Interface f0/0 is directly connected to the Fortigate. I don't have a problem pinging from the Fortigate to 10.200.45.0/24 and 172.16.45.0/24.
Interface f/10 is a tunnel to the remote office. Only vrf_500 can ping through the tunnel to the remote office 10.200.45.0/24 and 172.16.45.0/24;
vrf_1025 can't.
3- there is an SVTI in VRF1025 between Colo and ASR
Yes, there is. Remember, only vrf_500 can ping through the tunnel, but vrf_1025 can't. Even in the tunnel I'm forwarding vrf_1025.
interface Tunnel1025
description toOffice
ip vrf forwarding VRF_1025
ip address 10.2.1.1 255.255.255.248
ip mtu 1430
ip tcp adjust-mss 1250
ip ospf network point-to-point
ip ospf mtu-ignore
ip ospf 1025 area 0
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 76.80.*.10
tunnel path-mtu-discovery
tunnel protection ipsec profile FLA-PROFILE
That's the thing I don't get: why vrf_500 can ping through the tunnel but vrf_1025 can't.
One thing I forgot to mention is that vrf_1025 is in area 0, and vrf_500 in area 1.
06-15-2024 10:49 PM
Can we simply try to solve this issue point by point?
Does Colo have one VRF or two?
Two, vrf_1025 and vrf_500. vrf_500 is fine and can ping 10.200.45.10, but I can't ping from vrf_1025.
Does Office have one VRF or two?
Office has no VRFs.
06-16-2024 01:02 PM
Sorry, I don't fully get how you configured the link between Colo and ASR.
The ASR has two VRFs, and Colo must also have two VRFs, or you use VRF leaking in the ASR.
As I see in your BGP config (and I assume it is for Colo), there are two address families,
but you always share one VRF tunnel.
You need two tunnels, one for each VRF,
and you need BGP configured with neighbors for both, not only one.
Also, don't forget to add a tunnel key in both VRF tunnels.
R1#show run
R1#show running-config
Building configuration...
Current configuration : 1721 bytes
!
! Last configuration change at 22:54:31 UTC Sun Jun 16 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf blue
rd 1:1
!
ip vrf red
rd 11:11
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel0
ip vrf forwarding blue
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 5
!
interface Tunnel10
ip vrf forwarding red
ip address 15.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 15
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
!
address-family ipv4 vrf blue
neighbor 5.0.0.2 remote-as 100
neighbor 5.0.0.2 activate
exit-address-family
!
address-family ipv4 vrf red
neighbor 15.0.0.2 remote-as 100
neighbor 15.0.0.2 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R2#show run
R2#show running-config
Building configuration...
Current configuration : 2010 bytes
!
! Last configuration change at 22:54:36 UTC Sun Jun 16 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf blue
rd 22:22
!
ip vrf red
rd 2:2
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip vrf forwarding red
ip address 2.2.2.2 255.255.255.255
!
interface Loopback10
ip vrf forwarding blue
ip address 22.22.22.22 255.255.255.255
!
interface Tunnel0
ip vrf forwarding blue
ip address 5.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel key 5
!
interface Tunnel10
ip vrf forwarding red
ip address 15.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel key 15
!
interface FastEthernet0/0
ip address 100.0.0.2 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
!
address-family ipv4 vrf blue
network 2.2.2.2 mask 255.255.255.255
network 22.22.22.22 mask 255.255.255.255
neighbor 5.0.0.1 remote-as 100
neighbor 5.0.0.1 activate
exit-address-family
!
address-family ipv4 vrf red
network 2.2.2.2 mask 255.255.255.255
neighbor 15.0.0.1 remote-as 100
neighbor 15.0.0.1 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
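As an added example, not MHM's own or the thread's code, this script checks a running-config against the layout described in this post: every VRF-bound tunnel carries a tunnel key, two tunnels sharing the same source and destination never share a key, and each such VRF has an activated BGP neighbor inside the tunnel subnet. The sample config is constructed from the R1 lab configuration above; the function names and the assumption that each in-scope tunnel has an "ip address" line are this example's own.

```python
import ipaddress
from typing import Dict, List

# Added example, not from the thread: check an IOS running-config against the
# per-VRF tunnel layout MHM describes above (one tunnel per VRF, a distinct
# tunnel key on each, and a BGP neighbor activated in that VRF's address-family).
def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' / 'address-family ipv4 vrf X' header to its body lines."""
    blocks, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(("interface ", "address-family ipv4 vrf ")):
            blocks[line], current = [], line
        elif line in ("!", "exit-address-family") or line.startswith("router "):
            current = None                # block ended
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def field(lines: List[str], prefix: str):
    """Value after the first line starting with prefix, or None if absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def check_vrf_tunnels(config: str) -> List[str]:
    """Findings against the prescription; an empty list means it is satisfied."""
    blocks, findings, seen = parse_blocks(config), [], {}
    for name, lines in blocks.items():
        vrf = field(lines, "ip vrf forwarding") or field(lines, "vrf forwarding")
        if not name.startswith("interface Tunnel") or vrf is None:
            continue                      # only VRF-bound tunnels are in scope
        key, src, dst = (field(lines, f"tunnel {k}") for k in ("key", "source", "destination"))
        if key is None:
            findings.append(f"{name} ({vrf}): no tunnel key")
        elif ((src, dst), key) in seen:   # same endpoints and key: GRE cannot tell them apart
            findings.append(f"{name} ({vrf}): tunnel key {key} already used by {seen[(src, dst), key]}")
        seen[(src, dst), key] = name
        # Assumes an 'ip address A M' line on every in-scope tunnel (true for the sample).
        net = ipaddress.ip_interface("/".join(field(lines, "ip address").split())).network
        af = blocks.get(f"address-family ipv4 vrf {vrf}", [])
        nbrs = [l.split()[1] for l in af if l.startswith("neighbor ") and l.endswith(" activate")]
        if not any(ipaddress.ip_address(n) in net for n in nbrs):
            findings.append(f"{name} ({vrf}): no activated BGP neighbor in {net}")
    return findings

# Constructed sample, trimmed from the R1 lab config MHM posted above.
R1_CONFIG = """\
interface Tunnel0
 ip vrf forwarding blue
 ip address 5.0.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 100.0.0.2
 tunnel key 5
interface Tunnel10
 ip vrf forwarding red
 ip address 15.0.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 100.0.0.2
 tunnel key 15
router bgp 100
 address-family ipv4 vrf blue
  neighbor 5.0.0.2 remote-as 100
  neighbor 5.0.0.2 activate
 address-family ipv4 vrf red
  neighbor 15.0.0.2 remote-as 100
  neighbor 15.0.0.2 activate
"""
```

`check_vrf_tunnels(R1_CONFIG)` returns no findings for the lab config; dropping the `tunnel key` from Tunnel10 or its `neighbor 15.0.0.2 activate` line produces one finding each, and giving both tunnels key 5 flags the duplicate.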
06-21-2024 12:15 AM - edited 06-21-2024 12:38 AM
Thanks, man, that is great.
I want to reach out to Fortigate, but I don't think the problem I'm facing is on the Fortigate.
It still doesn't make sense to me why VRF_500, which is not even in the VRF routing table of the tunnel, can ping 10.200.45.0/24.
VRF_1025 can't ping it, and it is in the VRF routing table of the tunnel.
This problem is just from the CLI of the Cisco router itself.