05-05-2014 12:11 PM - edited 03-04-2019 10:55 PM
I have 2 Catalyst 6509 Switches that I'm trying to bring up an MPLS VPN connection between. The loopbacks can ping each other, as well as the directly connected interfaces (the interfaces travel through 2 switches, but no routing etc in between). An OSPF neighbor relationship DOES come up, and the routing tables appear normal. However, the MPLS VPN does NOT come up.
After further review, I found that the routing tables are correct on either side for the loopbacks (public addresses X’d out on first 3 octets):
SWITCH A:
Bryan-26th-CAT-2#sh ip route 10.255.2.2
Routing entry for 10.255.2.2/32
Known via "ospf 23532", distance 110, metric 2, type intra area
Last update from X.X.X.70 on Vlan65, 00:10:25 ago
Routing Descriptor Blocks:
* X.X.X.70, from 10.255.2.2, 00:10:25 ago, via Vlan65
Route metric is 2, traffic share count is 1
SWITCH B:
DAL-COLO-6509-1#sh ip route 10.255.2.3
Routing entry for 10.255.2.3/32
Known via "ospf 23532", distance 110, metric 2, type intra area
Last update from X.X.X.69 on Vlan65, 02:26:50 ago
Routing Descriptor Blocks:
* X.X.X.69, from 10.255.2.3, 02:26:50 ago, via Vlan65
Route metric is 2, traffic share count is 1
This is exactly the same for the directly connected interfaces on VLAN65. (X.X.X.69 and X.X.X.70). The ARP cache also shows to be correct:
SWITCH A:
Bryan-26th-CAT-2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet X.X.X.70 147 0009.b6a4.b800 ARPA Vlan65
Internet X.X.X.69 - 001c.b144.5800 ARPA Vlan65
SWITCH B:
DAL-COLO-6509-1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet X.X.X.70 - 0009.b6a4.b800 ARPA Vlan65
Internet X.X.X.69 141 001c.b144.5800 ARPA Vlan65
And once again, the OSPF Neighbor relationship does come up:
SWITCH A:
Bryan-26th-CAT-2# sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
10.255.2.2 1 FULL/BDR 00:00:30 X.X.X.70 Vlan65
SWITCH B:
DAL-COLO-6509-1#sh ip ospf neig
Neighbor ID Pri State Dead Time Address Interface
10.255.2.3 1 FULL/DR 00:00:33 X.X.X.69 Vlan65
In the Troubleshooting MPLS VPN manuals, it shows to test trace routes. On all of our other connections like this, the trace routes work fine. In this case though, I cannot trace route not only between the loopback interfaces, but between the DIRECTLY CONNECTED interfaces. I don’t know what this is. It should simply be a one hop trace route. I believe this is what is keeping the MPLS VPN from coming up. Any ideas? Here are the relevant OSPF configs and interface configs as well:
SWITCH A:
interface Vlan65
 description Connection to DAL-COLO-6509-2
 mtu 1580
 ip address X.X.X.69 255.255.255.252
 no ip redirects
 no ip unreachables
 ip pim sparse-dense-mode
 ip ospf mtu-ignore
 mpls label protocol ldp
 mpls ip
router ospf 23532
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface Vlan65
 network 10.255.2.3 0.0.0.0 area 0
 network X.X.X.69 0.0.0.0 area 0
SWITCH B:
interface Vlan65
 description Connection to Bryan-26th-CAT-2
 mtu 1580
 ip address X.X.X.70 255.255.255.252
 no ip redirects
 no ip unreachables
 ip pim sparse-dense-mode
 ip ospf mtu-ignore
 mpls label protocol ldp
 mpls ip
router ospf 23532
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface Vlan65
 network 10.255.2.2 0.0.0.0 area 0
 network X.X.X.70 0.0.0.0 area 0
Any ideas would be appreciated.
Thanks
Greg
05-05-2014 07:01 PM
Greg,
Can you explain more about your issue? When you say MPLS VPN is not coming up, do you mean the ping (or traffic) from CE connected to one 6509 is not traversing the MPLS cloud to the other CE connected to the remote 6509?
Do you have VRF enabled with respective RT import/export? Do you have MP-BGP with VPNv4 AF enabled?
To confirm if basic MPLS is working fine, can you check if you have LDP neighborship up and running? Use "show mpls ldp neighbor" to see the session.
Also do a "ping mpls ipv4 <remote-loopback> <mask>" and see if it works.
-Nagendra
05-06-2014 10:16 AM
I have removed all BGP from the 6509 at this point until this issue is fixed. There is an OSPF neighbor relationship between the 2; we aren't talking about VRFs etc. This is simply now a directly connected interface over a VLAN that cannot trace route to the other side. It can ping. The only devices with this VLAN are the 2 6509s. I can ping from one to the other. It's just not letting me trace route.
05-07-2014 01:51 AM
Hello Greg,
In order to be able to traceroute, you need to enable the sending of ICMP unreachables back to the traceroute sender.
Use:
int vlan 65
 ip unreachables
Hope to help
Giuseppe
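Why the fix above works, as an added example that is not part of the thread: Cisco's traceroute sends UDP probes and recognises the destination by the ICMP port-unreachable it sends back, so an interface configured with `no ip unreachables` still answers ping but shows `* * *` as the final hop. The sketch below audits IOS-style config text for such interfaces; the sample config is constructed from the Vlan65 stanza in the post plus a hypothetical Loopback0, and the function names are illustrative.

```python
import re

# Constructed sample: the Vlan65 stanza from the post (indented as IOS prints it)
# plus a hypothetical Loopback0 for contrast.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.255.2.3 255.255.255.255
!
interface Vlan65
 mtu 1580
 ip address X.X.X.69 255.255.255.252
 no ip redirects
 no ip unreachables
 mpls ip
!
router ospf 23532
 passive-interface default
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or another top-level command closes the stanza
    return interfaces

def last_hop_result(subcommands):
    """What a UDP traceroute aimed at this interface shows for the final hop."""
    if "no ip unreachables" in subcommands:
        return "* * *"  # port-unreachable suppressed; ping (echo reply) still works
    return "reply"      # ICMP port-unreachable returned, trace completes

def audit(config):
    """Map every interface to its expected final-hop traceroute result."""
    return {name: last_hop_result(cmds)
            for name, cmds in parse_interfaces(config).items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {result}")
```

`no ip unreachables` is a common hardening line, so an audit like this shows where that choice, rather than a forwarding fault, is what hides the final hop.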