07-04-2006 09:16 PM - edited 03-03-2019 01:14 PM
I am using one VRF for two tunnels which is configured on the same router.
Both the tunnels are using the same interface as source address. While I do a vrf ping for the WAN IP, I am getting !.!.!.! type of results. Can anyone confirm that, as I am using the same source and same VRF, if I try to ping the other end WAN, my packet is going on both tunnels and getting a reply only from one? This is what I guess. In general, if we configure two static routes with equal cost, we use to get this type of results. As I am running BGP between CE & PE I can't isolate this issue. Please give your suggestions. Thanks, Manick
07-04-2006 10:41 PM
Hi, regular interval drops in ping attempts are often due to anti DOS configurations on devices. I see this quite often; it varies in the drops, sometimes the pattern will be !....!....!....!, other times it will be as you are seeing. Do you manage the CE and PE routers or are they being managed by your service provider? Also, is the device that you are trying to ping a router or is it a server?
I would investigate what security configurations are on the device you are trying to ping.
Cheers
Rob
07-04-2006 11:06 PM
Hi Rob, Thanks for your reply
We are managing both the PE & CE. We are trying to ping the CE end WAN IP from the PE end. We have configured only an access list under the tunnel interfaces. So no need to check the security part. We are using tunnels for WAN.
Regards,
Manick
07-05-2006 01:36 AM
Hi Manick,
just a stupid question: ping vrf, isn't it?
Regards
Andrea
07-05-2006 01:55 AM
Hi Ariela
The command is : " ping vrf
Regards,
Manick
07-05-2006 02:37 AM
Ok, Manick, sorry for the useless question.
In my opinion, this is a routing issue, and not a security issue (even if Rob's post could be helpful).
Summarizing:
you have 2 GRE tunnels with the same source IP (but different exit, is it?), same metric, same MTU ... and 2 static routes with equal cost, or 2 eBGP sessions?
Could you send us more info, and a conf if you please?
Thanks
Andrea
07-05-2006 05:04 AM
I agree with Andrea that the symptoms described so far sound more like a routing issue than a security anti-DOS issue. Seeing details from the router config would be very helpful.
I have seen a number of times where a router had two routes for the same destination over two tunnels, but only one tunnel was actually working and transporting responses. So it might be worthwhile verifying whether both tunnels are actually carrying data successfully.
HTH
Rick
07-05-2006 05:29 AM
There is load balancing going on - there must be for a 50% swing each time, absolutely defintootly load balancing. If it's not then Rob can eat his hat ;-)
07-05-2006 07:03 PM
Hello all,
Thanks for your feedback
In my case the GRE destinations are different, not the same destination. The connectivity is 7507-6500-4700. I have configured GRE between 7507-4700, and one more between the same 7500 and a different 4700. I am running ISL in the 6506. Will this ISL add more header when the traffic flows between the GREs, as the source and destination are fastethernet/ethernet which are connected to the 6500 switch? The protocol used between the 7507 (PE) and 4700 (boundary router) is BGP.
Regards,
Manick
07-06-2006 02:56 AM
Manick
I have frequently configured two (and sometimes more) GRE tunnels using the same source address for the tunnel with different destination addresses (though I do not have so much experience with vrf) and they work just fine.
I still believe that the symptoms suggest that it is an issue with routing logic - probably with two paths appearing for the destination but only one of them really works. It would be helpful if you would post some additional information. Would you post the output of show ip route
HTH
Rick
07-06-2006 08:46 AM
Hi,
I thought "!.!.!.!" was telling you that the echos were being blocked by an access list at the far end?
i.e. ICMP unreachables
Cheers
Shaun