VRF ping Problems

josebash
Level 1

 

Hello,

I need some help. I'm not sure what's going on with the VRF.

Not sure if this is a bug on the ASR1001.

I have a simple setup: One Fortigate connected to an ASR1001 with an ethernet cable, then a remote Fortigate connected over site to site VPN to the ASR1001.

On ASR1 Colo I have VRFs VRF_500 and VRF_1025, and others, but I have a problem with VRF_1025.

VRF_500: 172.16.250.0/24

VRF_1025: 10.10.25.0/24

I can ping from VRF_500 to office Networks and from office networks back to R1 Colo:

10.200.45.0/24 and 172.16.45.0/24 

I can ping from Fortigate Colo => Fortigate Office.

I cannot ping from R1 Colo VRF_1025 to the office networks: 10.200.45.0/24 and 172.16.45.0/24

     Fortigate Colo   <=>  Cisco ASR1001 <=> Fortigate Office

 

R1-colo#ping vrf VRF_1025 10.200.45.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.45.10, timeout is 2 seconds:
....

R1-colo#ping vrf VRF_500 10.200.45.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.45.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/15/19 ms
LA1-BR-RTR-01#

 


R1 colo:

router ospf 1025 vrf VRF _1025
router-id 10.10.25.254
capability vrf-lite
redistribute connected subnets
passive-interface default
network 10.10.25.0 0.0.0.255 area 0
network 10.199.45.0 0.0.0.255 area 0
default-information originate

 

 

router ospf 500 vrf VRF_500
router-id 172.16.250.254
capability vrf-lite
redistribute connected subnets
passive-interface default
network 172.16.250.0 0.0.0.255 area 1

router bgp 65001
bgp router-id 10.10.24.254
bgp log-neighbor-changes

address-family ipv4 vrf VRF_1025
network 10.2.1.0 mask 255.255.255.248
network 10.10.25.0 mask 255.255.255.0
network 10.199.45.0 mask 255.255.255.0
network 10.200.45.0 mask 255.255.255.0
redistribute ospf 1025 route-map OSPF-TO-BGP-VRF-CUST-1025
neighbor 10.2.1.2 remote-as 65001
neighbor 10.2.1.2 activate
exit-address-family

address-family ipv4 vrf VRF_CUST_500
network 172.16.250.0 mask 255.255.255.0
exit-address-family

ip route vrf VRF_1025 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.*.113
ip route vrf VRF_1025 10.198.45.1 255.255.255.255 10.199.45.254
ip route vrf VRF_1025 10.198.45.2 255.255.255.255 10.199.45.254
ip route vrf VRF_1025 10.200.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_1025 10.212.134.0 255.255.255.0 Tunnel1025
ip route vrf VRF_1025 10.212.135.0 255.255.255.0 10.199.45.254
ip route vrf VRF_1025 10.212.136.0 255.255.255.0 10.200.110.254
ip route vrf VRF_1025 172.16.45.0 255.255.255.0 Tunnel1025

ip route vrf VRF_500 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 199.180.*.113
ip route vrf VRF_500 10.200.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_500 10.212.134.0 255.255.255.0 Tunnel1025
ip route vrf VRF_500  10.212.135.0 255.255.255.0 10.199.45.254
ip route vrf VRF_500  10.212.136.0 255.255.255.0 10.200.110.254
ip route vrf VRF_500 172.16.45.0 255.255.255.0 Tunnel1025

 

 

I have attached a small topology for more info.

 

Any help will be appreciated.

Thanks.

 

8 Replies

balaji.bandi
Hall of Fame

Maybe I was not clear. Where is this VRF interface configuration located? Can you post the show ip route VRF all output?

Is this VRF 500 and VRF 1025 interface in Router1?

Do you see the routes in the VRF 1025 routing table?

 

 

BB


Hey, thanks for getting back to me.

 

 

Is this VRF 500 and VRF 1025 interface in Router1?

Yes, they are on Router1

Do you see the routes in the VRF 1025 routing table?

I see the routes on both VRFs, they are almost identical. 

R1-Colo#sh ip route vrf VRF_1025

Routing Table: VRF_1025
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 199.180.152.113 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 199.180.152.113, GigabitEthernet0/0/0
10.0.0.0/8 is variably subnetted, 27 subnets, 4 masks
B 10.1.2.0/30 is directly connected (VRF_CUST_10), 1d01h, Tunnel102
L 10.1.2.1/32 is directly connected, Tunnel102
L 10.1.2.2/32 is directly connected, Tunnel102
B 10.1.2.4/30 is directly connected (VRF_CUST_10), 1d01h, Loopback10
L 10.1.2.5/32 is directly connected, Loopback10
B 10.1.30.0/24
is directly connected (VRF_CUST_30), 1d01h, Port-channel2.30
L 10.1.30.254/32 is directly connected, Port-channel2.30
C 10.2.1.0/29 is directly connected, Tunnel1025
L 10.2.1.1/32 is directly connected, Tunnel1025
B 10.4.2.0/30 is directly connected (VRF_CUST_30), 1d01h, Tunnel30
L 10.4.2.1/32 is directly connected, Tunnel30
B 10.10.24.0/24
is directly connected (VRF_CUST_10), 1d01h, Port-channel2.10
L 10.10.24.254/32 is directly connected, Port-channel2.10
C 10.10.25.0/24 is directly connected, Port-channel2.1025
L 10.10.25.254/32 is directly connected, Port-channel2.1025
B 10.30.30.0/24 is directly connected (VRF_CUST_30), 1d01h, Loopback30
L 10.30.30.1/32 is directly connected, Loopback30
S 10.198.45.1/32 [1/0] via 10.199.45.254
S 10.198.45.2/32 [1/0] via 10.199.45.254
C 10.199.45.0/24 is directly connected, Port-channel2.45
L 10.199.45.253/32 is directly connected, Port-channel2.45
S 10.200.45.0/24 is directly connected, Tunnel1025
B 10.200.110.0/24
is directly connected (VRF_CUST_30), 1d01h, Port-channel2.110
L 10.200.110.253/32 is directly connected, Port-channel2.110
S 10.212.134.0/24 is directly connected, Tunnel1025
S 10.212.135.0/24 [1/0] via 10.199.45.254
S 10.212.136.0/24 [1/0] via 10.200.110.254
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.45.0/24 is directly connected, Tunnel1025
B 172.16.250.0/24
is directly connected (VRF_500), 1d01h, Port-channel2.500
L 172.16.250.254/32 is directly connected, Port-channel2.500

 

 

 


R1-colo#sh ip route vrf VRF_500

Routing Table: VRF_500
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 199.180.152.113 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 199.180.152.113, GigabitEthernet0/0/0
10.0.0.0/8 is variably subnetted, 17 subnets, 4 masks
B 10.1.2.0/30 is directly connected (VRF_CUST_10), 1d01h, Tunnel102
L 10.1.2.1/32 is directly connected, Tunnel102
L 10.1.2.2/32 is directly connected, Tunnel102
B 10.1.2.4/30 is directly connected (VRF_CUST_10), 1d01h, Loopback10
L 10.1.2.5/32 is directly connected, Loopback10
B 10.2.1.0/29 is directly connected (VRF_1025), 1d01h, Tunnel1025
L 10.2.1.1/32 is directly connected, Tunnel1025
L 10.2.1.2/32 is directly connected, Tunnel1025
B 10.10.24.0/24
is directly connected (VRF_CUST_10), 1d01h, Port-channel2.10
L 10.10.24.254/32 is directly connected, Port-channel2.10
B 10.10.25.0/24
is directly connected (VRF_1025), 1d01h, Port-channel2.1025
L 10.10.25.254/32 is directly connected, Port-channel2.1025
B 10.199.45.0/24
is directly connected (VRF_1025), 1d01h, Port-channel2.45
L 10.199.45.253/32 is directly connected, Port-channel2.45
S 10.200.45.0/24 is directly connected, Tunnel1025
S 10.212.134.0/24 is directly connected, Tunnel1025
S 10.212.135.0/24 [1/0] via 10.199.45.254
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.45.0/24 is directly connected, Tunnel1025
C 172.16.250.0/24 is directly connected, Port-channel2.500
L 172.16.250.254/32 is directly connected, Port-channel2.500

Can we simply try to solve this issue point by point?
Does Colo have one VRF or two?
Does the office have one VRF or two?

MHM

 

Colo have 2 vrfs and office (ipsec tunnel) has no VRFs.

Can't explain why vrf_500 can ping remote office 10.200.45.10 and vrf_1025 which is the VRF in the tunnel1015 can't

interface Tunnel1025
descriptiontest
ip vrf forwarding VRF_1025
ip address 10.2.1.1 255.255.255.248
ip mtu 1430
ip tcp adjust-mss 1250
ip ospf network point-to-point
ip ospf mtu-ignore
ip ospf 1025 area 0
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 76.80.*.10
tunnel path-mtu-discovery
tunnel protection ipsec profile TEST-PROFILE
!

both ends tunnel is up.
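
Added example, not part of the original thread and not Cisco tooling: the configuration posted above has static routes in VRF_500 that exit through Tunnel1025, an interface that sits in VRF_1025. Where VRFs are used for segmentation, the Python below lists such cross-VRF static routes from config text; the sample is constructed from a subset of the lines posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the lines posted in this thread, re-indented.
SAMPLE_CONFIG = """\
interface Tunnel1025
 ip vrf forwarding VRF_1025
 ip address 10.2.1.1 255.255.255.248
!
ip route vrf VRF_1025 10.200.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_1025 10.212.135.0 255.255.255.0 10.199.45.254
ip route vrf VRF_1025 172.16.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_500 10.200.45.0 255.255.255.0 Tunnel1025
ip route vrf VRF_500 10.212.135.0 255.255.255.0 10.199.45.254
ip route vrf VRF_500 172.16.45.0 255.255.255.0 Tunnel1025
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
VRF_RE = re.compile(r"^\s*(?:ip\s+)?vrf forwarding\s+(\S+)")
ROUTE_RE = re.compile(r"^ip route vrf (\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def interface_vrfs(config):
    """Map each interface defined in the config to its VRF ('global' if none)."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = "global"
        elif line.strip() == "!":
            current = None
        elif current and (m := VRF_RE.match(line)):
            vrfs[current] = m.group(1)
    return vrfs

def cross_vrf_statics(config):
    """Return static routes whose egress interface sits in a different VRF."""
    vrfs = interface_vrfs(config)
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        route_vrf, prefix, mask, hop = m.groups()
        # An egress interface starts with a letter; an IP next hop does not.
        # Interfaces not defined in the supplied text are skipped (VRF unknown).
        if hop[0].isalpha() and hop in vrfs and vrfs[hop] != route_vrf:
            findings.append((route_vrf, prefix, mask, hop, vrfs[hop]))
    return findings

if __name__ == "__main__":
    for vrf, prefix, mask, iface, iface_vrf in cross_vrf_statics(SAMPLE_CONFIG):
        print(f"{vrf}: {prefix} {mask} -> {iface} (interface is in {iface_vrf})")
```

Interfaces that are not defined in the supplied text, such as GigabitEthernet0/0/0 in the sample, are skipped because their VRF membership is unknown.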

 

Screenshot (746).png

This topology is to simplify the issue.
Please write OK or NOT OK beside each of the notes below, with corrections.
1- there are two VRF in ASR
2- the interface f1/1 and f0/0 port is config in global not in any VRF
3- there is SVTI in VRF1024 between Colo and ASR

MHM

1- there are two VRF in ASR

Yes, vrf_1025 and vrf_500

2- the interface f1/1 and f0/0 port is config in global not in any VRF

Interface f0/0 is directly connected to Fortigate. I don't have a problem pinging from Fortigate to 10.200.45.0/24 and 172.16.45.0/24

Interface f/10 is a tunnel to the remote office. Only vrf_500 can ping through the tunnel to remote office 10.200.45.0/24 and 172.16.45.0/24

vrf_1025 can't

3- there is SVTI in VRF1025 between Colo and ASR

Yes, there is, remember only vrf_500 can ping through the tunnel, but vrf_1025 can't. Even in the tunnel I'm forwarding the vrf_1025.

interface Tunnel1025
description toOffice
ip vrf forwarding VRF_1025
ip address 10.2.1.1 255.255.255.248
ip mtu 1430
ip tcp adjust-mss 1250
ip ospf network point-to-point
ip ospf mtu-ignore
ip ospf 1025 area 0
ip ospf cost 1000
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 76.80.*.10
tunnel path-mtu-discovery
tunnel protection ipsec profile FLA-PROFILE


That's the thing I don't get. Why can vrf_500 ping through the tunnel but vrf_1025 can't?

One thing I forgot to mention is that vrf_1025 is on area 0, and vrf_500 on area 1.

Can we simply try to solve this issue point by point?
Does Colo have one VRF or two?

Two, vrf_1025 and vrf_500. vrf_500 is fine, can ping 10.200.45.10, but I can't ping from vrf_1025.

Does the office have one VRF or two?

The office has no VRFs.

Sorry, I do not fully get how you configured the link between Colo and ASR.
ASR has two VRFs, and Colo must also have two VRFs, or you use VRF leaking in ASR.
As I see in your BGP config, and I assume the same for Colo, there are two address families,
but you always share one VRF tunnel.
You need two tunnels, one for each VRF,
and you need to configure BGP with both neighbors, not only one.
Also, don't forget to add a tunnel key in both VRF tunnels.

R1#show run
R1#show running-config
Building configuration...

Current configuration : 1721 bytes
!
! Last configuration change at 22:54:31 UTC Sun Jun 16 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf blue
rd 1:1
!
ip vrf red
rd 11:11
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel0
ip vrf forwarding blue
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 5
!
interface Tunnel10
ip vrf forwarding red
ip address 15.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel key 15
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
!
address-family ipv4 vrf blue
neighbor 5.0.0.2 remote-as 100
neighbor 5.0.0.2 activate
exit-address-family
!
address-family ipv4 vrf red
neighbor 15.0.0.2 remote-as 100
neighbor 15.0.0.2 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end


R2#show run
R2#show running-config
Building configuration...

Current configuration : 2010 bytes
!
! Last configuration change at 22:54:36 UTC Sun Jun 16 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf blue
rd 22:22
!
ip vrf red
rd 2:2
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip vrf forwarding red
ip address 2.2.2.2 255.255.255.255
!
interface Loopback10
ip vrf forwarding blue
ip address 22.22.22.22 255.255.255.255
!
interface Tunnel0
ip vrf forwarding blue
ip address 5.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel key 5
!
interface Tunnel10
ip vrf forwarding red
ip address 15.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel key 15
!
interface FastEthernet0/0
ip address 100.0.0.2 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
router bgp 100
bgp log-neighbor-changes
!
address-family ipv4 vrf blue
network 2.2.2.2 mask 255.255.255.255
network 22.22.22.22 mask 255.255.255.255
neighbor 5.0.0.1 remote-as 100
neighbor 5.0.0.1 activate
exit-address-family
!
address-family ipv4 vrf red
network 2.2.2.2 mask 255.255.255.255
neighbor 15.0.0.1 remote-as 100
neighbor 15.0.0.1 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

Screenshot (747).png