04-13-2023 03:28 AM - last edited on 04-19-2023 11:21 PM by Translator
I don't understand why my data isn't forwarded to the Virtual-Access 3.
Only forwarding doesn't seem to work; data sent from the local Cisco out of the Vi3 interface is working.
My setup is the following:
ISR4451
interfaces used:
GE0/0/1 10.0.138.5/24
Vi3 PPPoE VPDN Interface 10.130.1.67
I can ping 10.130.1.67 from the Cisco, but not when it's being forwarded from e.g. 10.0.138.1
Packets seem to go out Vi3, but they don't.
What else could I check?
debug ip packet detail
Apr 13 2023 11:24:22: FIBipv4-packet-proc: route packet from GigabitEthernet0/0/1 src 10.0.138.1 dst 10.130.1.67
Apr 13 2023 11:24:22: FIBfwd-proc: Default:10.130.1.67/32 process level forwarding
Apr 13 2023 11:24:22: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)
Apr 13 2023 11:24:22: FIBfwd-proc: try path 0 (of 1) v4-ah-10.130.1.67-Vi3 first short ext 0(-1)
Apr 13 2023 11:24:22: FIBfwd-proc: v4-ah-10.130.1.67-Vi3 valid
Apr 13 2023 11:24:22: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Virtual-Access3 nh 10.130.1.67 deag 0 chg_if 0 via fib 0 path type attached host
Apr 13 2023 11:24:22: FIBfwd-proc: packet routed to Virtual-Access3 10.130.1.67(0)
Apr 13 2023 11:24:22: FIBipv4-packet-proc: packet routing succeeded
Apr 13 2023 11:24:22: IP: tableid=0, s=10.0.138.1 (GigabitEthernet0/0/1), d=10.130.1.67 (Virtual-Access3) nexthop=10.130.1.67, routed via FIB
The interface has outgoing access-list 130, but that access-list doesn't get any hits, not even "any any log".
show ip interface vi3
Virtual-Access3 is up, line protocol is up
Interface is unnumbered. Using address of Loopback1 (10.130.0.4)
Broadcast address is 255.255.255.255
Peer address is 10.130.1.67
MTU is 1300 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing Common access list is not set
Outgoing access list is 130
Inbound Common access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, NAT Outside, iEdge, MCI Check
Output features: iEdge, Post-routing NAT Outside
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
04-13-2023 03:50 AM - edited 04-13-2023 03:51 AM
Hi
If you seek help, you need to provide more information. I don't see anything wrong in what you show, but you provided only a little information.
Share a simple diagram of your network, explain better what you are trying to accomplish, describe the other elements involved and show the device configurations.
With that information, the chance of someone here helping you increases a lot.
04-13-2023 03:51 AM
Can you share the config?
04-13-2023 04:31 AM - last edited on 04-19-2023 11:25 PM by Translator
VPDN using L2TP
The Cisco is the LNS
Client is connected as 10.130.1.67 on Virtual-Access 3
PPPoE Client (10.130.1.67) ---- VPDN/L2TP ---- GE0/0/0 tunnel endpoint (Virtual-Access 3, 10.130.1.67) ISR4451 GE0/0/1 (10.0.138.5/24) ---- 10.0.138.1/24
Packets can go from 10.130.1.67 to 10.0.138.1, but not the other way.
I added
ip tcp header-compression
to the Virtual Template
because I couldn't ping to 10.130.1.67 at all
Since then I can ping 10.130.1.67 but only from the ISR4451, not from the network 10.0.138.1
But now I get
test virtual-Template 1 subinterface
Subinterfaces cannot be created using Virtual-Template1
Interface specific commands:
ip tcp header-compression
version 17.3
!...
boot-start-marker
boot system flash bootflash:isr4400-universalk9.17.03.05.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!...
!
aaa new-model
!
!
aaa group server radius VPDN
server name xxxx
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local none
aaa authorization commands 15 default if-authenticated
aaa authorization network VPDN group radius
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
!
!
aaa session-id common
clock timezone UTC 1 0
clock summer-time CETS recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!...
!
!
subscriber templating
multilink bundle-name authenticated
vpdn enable
vpdn multihop
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
no vpdn history failure cause normal
vpdn history failure table-size 50
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname xxxx
dsl-line-info-forwarding
lcp renegotiation always
l2tp tunnel password 7 xxxxx
!
!...
!
!
!...
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!...
!
redundancy
mode none
!
!
no cdp run
!
!
interface Loopback1
ip address 10.130.0.4 255.255.255.255
!
interface Loopback2
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/0/0
description L2tp
ip address x.x.x.x 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.0.138.5 255.255.255.0
no ip proxy-arp
ip nat inside
negotiation auto
!
!...
!
interface Virtual-Template1
mtu 1300
ip unnumbered Loopback1
ip nat outside
ip tcp header-compression
no logging event link-status
peer match aaa-pools
no peer default ip address
ppp mtu adaptive
ppp authentication pap callin
ppp authorization VPDN
ip virtual-reassembly
!
!...
!
no ip http server
ip http authentication local
no ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/0/1
ip nat inside source list NAT interface Loopback1 overload
ip nat inside source list RADIUSLOKAL interface GigabitEthernet0/0/2 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.0.0.0 255.128.0.0 10.0.138.1
!
!...
!
ip access-list extended 130
10 permit icmp any any
!...
760 deny ip any any log
!
!...
!
radius-server retry method reorder
!
...
!
ntp server 192.53.103.104
ntp server 192.53.103.108
!
!
end
04-13-2023 04:48 AM - last edited on 04-19-2023 11:25 PM by Translator
Remove
ip nat outside
from virtual template and add it under loopback1
04-13-2023 05:39 AM
04-17-2023 03:14 AM - last edited on 04-19-2023 11:26 PM by Translator
I've found out the following:
show ip cef internal
doesn't show the physical interface
10.130.1.67/32, epoch 2, flags [att, cnn], RIB[C], refcnt 6, per-destination sharing
sources: RIB
feature space:
Broker: linked, distributed at 4th priority
ifnums:
Virtual-Access2.1(18)
path list 7F7C2444C600, 3 locks, per-destination, flags 0x49 [shble, rif, hwcn]
path 7F7C244186E0, share 1/1, type attached host, for IPv4
attached to Virtual-Access2.1, IP adj out of Virtual-Access2.1 7F7C2444E290
output chain:
IP adj out of Virtual-Access2.1 7F7C2444E290
Routers with older software show the following:
output chain: IP midchain out of Virtual-Access2.1 03A8EC60 IP adj out of GigabitEthernet0/2, addr 62.x.x.x 02B3DD00
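As an added example (not from the thread or from Cisco): a small Python check that applies the comparison in this post to a `show ip cef internal` entry, flagging an output chain that ends on the Virtual-Access interface without a midchain to the physical tunnel interface. The two samples are constructed from the outputs quoted above; the function and class names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples modelled on the two outputs quoted in the post.
BROKEN = """\
10.130.1.67/32, epoch 2, flags [att, cnn], RIB[C], refcnt 6, per-destination sharing
  path 7F7C244186E0, share 1/1, type attached host, for IPv4
    attached to Virtual-Access2.1, IP adj out of Virtual-Access2.1 7F7C2444E290
  output chain:
    IP adj out of Virtual-Access2.1 7F7C2444E290
"""
WORKING = """\
10.130.1.67/32, epoch 2, flags [att, cnn], RIB[C], refcnt 6, per-destination sharing
  output chain: IP midchain out of Virtual-Access2.1 03A8EC60 IP adj out of GigabitEthernet0/2, addr 62.x.x.x 02B3DD00
"""

PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})", re.M)
MIDCHAIN_RE = re.compile(r"IP midchain out of ([^\s,]+)")
ADJ_RE = re.compile(r"IP adj out of ([^\s,]+)")


@dataclass
class CefChain:
    prefix: str
    midchain_if: Optional[str]  # interface of the midchain node, if any
    egress_if: Optional[str]    # interface of the final adjacency


def parse_cef_internal(text: str) -> CefChain:
    """Extract prefix, midchain and final adjacency from one CEF entry."""
    m = PREFIX_RE.search(text)
    if not m:
        raise ValueError("no prefix line found")
    idx = text.find("output chain:")
    if idx < 0:
        raise ValueError("no output chain section")
    chain = text[idx:]  # only the output chain, not the path list above it
    mid = MIDCHAIN_RE.search(chain)
    adjs = ADJ_RE.findall(chain)
    return CefChain(m.group(1), mid.group(1) if mid else None, adjs[-1] if adjs else None)


def diagnose(entry: CefChain) -> str:
    """Return 'ok' or a short reason why the tunnel path looks incomplete."""
    if entry.egress_if is None:
        return "no adjacency in output chain"
    if entry.egress_if.startswith("Virtual-Access"):
        if entry.midchain_if is None:
            return "output chain ends on %s without a midchain to a physical interface" % entry.egress_if
        return "midchain present but final adjacency is still on %s" % entry.egress_if
    return "ok"


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("working", WORKING)):
        entry = parse_cef_internal(sample)
        print(name, entry.prefix, "->", diagnose(entry))
```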
04-17-2023 03:29 AM
If that's correct, then you can disable CEF under the Virtual and check the ping.
04-17-2023 03:49 AM - last edited on 04-19-2023 11:27 PM by Translator
If I try to disable on the Virtual Template:
(config-if)#no ip cef
% Incomplete command.
I could only use
#no ip cef accounting non-recursive
Which I assume is not the same.
If I disable on the platform it gives me:
(config)#no ip cef ?
accounting Enable CEF accounting
distributed Distributed Cisco Express Forwarding
load-sharing Load sharing
optimize Optimizations
table Set CEF forwarding table characteristics
traffic-statistics Enable collection of traffic statistics
I tried
(config)#no ip cef distributed
%Cannot disable CEF on this platform
04-17-2023 03:47 AM
In Cisco 1000 Series Integrated Services Routers, although L2TPv2 sessions come up without appxk9, you need the appxk9 license for the traffic to go through the sessions. You also need the appxk9 license to apply QoS policies to the L2TPv2 sessions.
I read this in some Cisco doc. Can you confirm that you use appxk9?
04-17-2023 04:00 AM
Seems we don't use appxk9.
If that's needed it would explain things.
I'll check things.
04-17-2023 04:10 AM
You are welcome
04-17-2023 06:24 AM
It worked!!!
I activated the appxk9 license and suddenly everything is fine.
Thank you so much for your help
04-17-2023 06:26 AM
You are so so welcome