09-11-2018 04:11 AM
Hello,
Got a task to NAT some traffic through remote c881. IPsec between devices works fine.
sh run
Building configuration...

Current configuration : 5824 bytes
!
! Last configuration change at 17:22:39 UTC Thu Sep 6 2018 by admin
!
version 15.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.156-3.M3.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone UTC 5 0
!
no ip source-route
!
ip dhcp excluded-address 192.168.6.1 192.168.6.10
!
ip dhcp pool XXX
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 192.168.5.6 192.168.5.7 193.232.88.17 194.84.23.125
 domain-name XXX
!
ip dhcp pool XXX-iptel
 network 10.10.2.0 255.255.255.0
 default-router 10.10.2.1
 domain-name XXX-IPTEL
 option 66 ascii 10.10.12.2
!
ip dhcp pool hp1214
 host 192.168.6.11 255.255.255.0
 client-identifier 0144.1ea1.302e.fa
 client-name hp1214
!
no ip bootp server
ip domain name otst.local
ip inspect name INSPECT-OUT dns
ip inspect name INSPECT-OUT icmp router-traffic
ip inspect name INSPECT-OUT ntp
ip inspect name INSPECT-OUT tcp router-traffic
ip inspect name INSPECT-OUT udp router-traffic
ip inspect name INSPECT-OUT http
ip inspect name INSPECT-OUT https
ip inspect name INSPECT-OUT ftp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C881-K9 sn
license accept end user agreement
license boot module c800 level advipservices
!
username admin privilege 15 secret 5
!
redundancy
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 14
 lifetime 1000
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXX address YYY
!
crypto ipsec transform-set cryptoset-YYY esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map ipsec-YYY 10 ipsec-isakmp
 set peer YYY
 set transform-set cryptoset-YYY
 match address crlist-YYY
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 description << IPT-WAN >>
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 description << LAN >>
 switchport mode trunk
 no ip address
!
interface FastEthernet4
 description << WAN >>
 ip address XXX 255.255.255.252
 ip access-group FIRAWALL in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect INSPECT-OUT out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip policy route-map iptnat
 duplex auto
 speed auto
 no cdp enable
 crypto map ipsec-eka
!
interface Vlan1
 description <<< LAN >>>
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description << IPT LAN >>
 ip address 10.10.2.1 255.255.255.0
 ip virtual-reassembly in
!
interface Vlan532
 description << IPT-WAN >>
 ip address 172.16.59.21 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NAT interface FastEthernet4 overload
ip nat inside source list iptnat interface Vlan532 overload
ip route 0.0.0.0 0.0.0.0 XXX
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended FIREWALL
 permit tcp any any eq 22
 permit esp host YYY host XXX
 permit udp host YYY host XXX eq isakmp
ip access-list extended NAT
 deny   ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
 deny   ip 10.10.2.0 0.0.0.255 10.10.12.0 0.0.0.255
 deny   ip 10.10.2.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 172.16.59.20 0.0.0.3 10.10.12.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended crlist-YYY
 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 10.10.12.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.16.59.20 0.0.0.3 10.10.12.0 0.0.0.255
ip access-list extended iptnat
 permit ip 10.10.12.0 0.0.0.255 172.16.59.20 0.0.0.3
!
ipv6 ioam timestamp
!
route-map iptnat permit 10
 match ip address iptnat
 set int loopback 0
!
access-list 101 permit icmp 172.16.59.20 0.0.0.3 10.10.12.0 0.0.0.255
access-list 101 permit icmp 10.10.12.0 0.0.0.255 172.16.59.20 0.0.0.3
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
vstack
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7
 transport input telnet ssh
 escape-character 3
line vty 5 15
 transport input none
 escape-character 3
!
scheduler allocate 20000 1000
ntp update-calendar
!
end
Expected here: traffic matching access-list iptnat is routed to Loopback0 (nat inside) and goes out through Vlan532 (nat outside). But debug ip pac 101 shows routing according to the global table:
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Stateful Inspection On Cypher Text(9), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, IPSec input classification(55), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, uRPF(60), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Common Flow Table Post VPN(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Stateful Inspection On Clear Text(77), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, NAT Outside(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Policy Routing(103), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, output feature, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.728: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.728: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, output feature, Firewall (NAT)(50), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.728: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, output feature, Firewall (inspect)(56), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.728: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, output feature, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.728: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), g=172.16.59.22, len 100, forward
*Sep 6 12:56:53.728: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, sending full packet
Tried to set up next-hop with no luck.
Thanks for any help
09-11-2018 12:27 PM
Hello,
check if the bug below applies.
NAT PBR is not working with set ip next hop when CEF enabled
CSCtw57637
Description
Symptom:
On Cisco 880/890 Series router, IP CEF with PBR "set ip next-hop" will not work.
Conditions:
Router-800(config-route-map)#do sh route
route-map RM-Nat-on-a-stick, permit, sequence 50
Match clauses:
ip address (access-lists): PBR-Nat-on-a-stick
Set clauses:
ip next-hop 172.16.12.2 <=== this IP address is not configured on any devices, rather it falls under the same subnet as the Loopback ip address of the NAT-on-a-stick router
Nexthop tracking current: 0.0.0.0
172.16.12.2, fib_nh:0,oce:0,status:0
Workaround:
Instead of applying set ip next-hop 172.16.12.2 in the route-map, apply:
set ip next-hop recursive 172.16.12.0 (network address) in the route-map
09-11-2018 04:48 AM
Hello,
you haven't applied the route map to any interface as far as I can see?
interface X
ip policy route-map iptnat
09-11-2018 05:04 AM
Did it on Fa4, where the IPsec traffic comes in.
09-11-2018 05:10 AM
Fa4 is the WAN interface. Your traffic is sourced locally. You need to apply the route map to a local interface (Vlan 2, where the source network is attached)...
09-11-2018 05:28 AM - edited 09-11-2018 05:29 AM
Just for better understanding: interesting traffic is 10.10.12.1 -> 172.16.59.22.
Output L3 interface for it is Vlan532, with address 172.16.59.21.
Tried to apply the route-map on it. No luck.
About the traffic source interface: you can see in the debug that it is Fa4.
In addition, all my c7200 devices work with this config. There is something unknown to me only in this device.
09-11-2018 06:09 AM
I am not sure I understand fully what your network looks like, but 10.10.12.0 is an external network that gets translated first and then policy routed (that is the NAT order of operation...
Can you draw out your network?
09-11-2018 06:59 AM - edited 09-11-2018 07:00 AM
Please look at the scheme
The task is to reach 172.16.59.22 from 10.10.12.1 translated to 172.16.59.21
09-11-2018 01:23 PM - edited 09-11-2018 01:30 PM
I don't understand why, but only a subnet can be set as recursive next-hop.
Aaaand that worked like a charm!
route-map iptnat permit 10
 match ip address iptnat
 set ip next-hop recursive 1.1.1.0
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Stateful Inspection On Cypher Text(9), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, IPSec input classification(55), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, uRPF(60), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Common Flow Table Post VPN(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Stateful Inspection On Clear Text(77), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.390: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, NAT Outside(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, input feature, Policy Routing(103), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, input feature, MCI Check(109), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, output feature, NAT Inside(8), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, output feature, Common Flow Table(29), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, output feature, Stateful Inspection(30), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, output feature, Firewall (NAT)(50), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, output feature, Firewall (inspect)(56), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, output feature, NAT ALG proxy(63), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), g=1.1.1.0, len 100, forward
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, sending full packet
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (Loopback0), d=172.16.59.22, len 100, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (Loopback0), d=172.16.59.22, len 100, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (Loopback0), d=172.16.59.22, len 100, input feature, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (Loopback0), d=172.16.59.22, len 100, input feature, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (Loopback0), d=172.16.59.22, len 100, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, output feature, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, output feature, Firewall (NAT)(50), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, output feature, Firewall (inspect)(56), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, output feature, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), g=172.16.59.22, len 100, forward
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, sending full packet
Georg, thanks a lot for solution!
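Added example, not code from this thread: a small Python parser for the `debug ip packet` lines quoted in the question and in the reply above, which checks whether the Policy Routing feature actually steered the packet into Loopback0 and whether NAT Inside ran before the packet left via Vlan532. The sample lines are trimmed copies of the two debug captures; the line regex and the reading of `rtype` (0 on the Policy Routing feature = route-map chose no next hop) are my assumptions about that output format, not a documented Cisco contract.

```python
import re

# Constructed samples, trimmed from the "debug ip packet 101" output in this
# thread: before the fix (global routing) and after the fix (policy-routed
# into Loopback0, then translated and sent out Vlan532).
DEBUG_BEFORE = """\
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22, len 100, input feature, Policy Routing(103), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.724: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), len 100, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 6 12:56:53.728: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Vlan532), g=172.16.59.22, len 100, forward
"""
DEBUG_AFTER = """\
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, input feature, Policy Routing(103), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), len 100, output feature, NAT Inside(8), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=10.10.12.1 (FastEthernet4), d=172.16.59.22 (Loopback0), g=1.1.1.0, len 100, forward
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), len 100, output feature, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 11 20:09:01.394: IP: s=172.16.59.21 (Loopback0), d=172.16.59.22 (Vlan532), g=172.16.59.22, len 100, forward
"""

# Assumed line shape: timestamp, s=<src> (<in_if>), d=<dst> [(<out_if>)] [, g=<gw>], len N, <rest>
LINE_RE = re.compile(
    r"^\*(?P<ts>\S+ \d+ [\d:.]+): IP: s=(?P<src>[\d.]+) \((?P<in_if>\w+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<out_if>\w+)\))?(?:, g=(?P<gw>[\d.]+))?, "
    r"len (?P<len>\d+), (?P<rest>.*)$"
)
FEATURE_RE = re.compile(r"^(input|output) feature, (.+?)\(\d+\), rtype (\d)")

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-packet debug line
        ev = m.groupdict()
        f = FEATURE_RE.match(ev["rest"])
        # feature lines carry a name and rtype; "forward" etc. are plain actions
        ev["feature"] = f.group(2) if f else ev["rest"]
        ev["rtype"] = int(f.group(3)) if f else None
        events.append(ev)
    return events

def analyze(text):
    events = parse(text)
    pbr = next((e for e in events if e["feature"] == "Policy Routing"), None)
    fwd = [e for e in events if e["feature"] == "forward"]
    # Assumption: rtype 0 at Policy Routing means the route-map picked no next
    # hop; a non-zero rtype with an outgoing interface means PBR took effect
    hop = pbr["out_if"] if pbr and pbr["rtype"] else None
    nat_inside = any(e["feature"] == "NAT Inside" for e in events)
    return {
        "pbr_hop": hop,
        "nat_inside": nat_inside,
        "path": [e["out_if"] for e in fwd],          # interfaces forwarded to
        "final_src": fwd[-1]["src"] if fwd else None,  # source after NAT
        "ok": bool(hop) and nat_inside,              # NAT-on-a-stick happened
    }
```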
09-12-2018 12:32 AM
Hello,
you were right, it was platform (800) specific. Not sure why the subnet is required, I guess that's why they call it a bug... I tested your config in GNS3 and it works just fine.
Either way, glad that you got it resolved!