urpf eigrp multicast issue

hi,

 

I've noticed an interesting issue. I have two routers (test env, GNS2 7200 routers) connected with a VTI tunnel configured between them (the tunnels use an unnumbered IP from the underlying interfaces). I configured uRPF on both sides of the tunnel and the EIGRP routing protocol. The tunnel is up and routing is up. During some testing and debugs (debug ip cef drop rpf), I noticed that some traffic sourced from the peer IP and seen on the tunnel is dropped. Using some debugs I saw that traffic from the peer to 224.0.0.10 (EIGRP multicast) is dropped by the CEF uRPF functionality. The problem I was trying to investigate was EIGRP flapping on my production setup after introducing uRPF on unnumbered VTIs. I am just trying to reproduce it. So, to summarise the dilemmas:

 

1. I guess that it is possible that uRPF dropping EIGRP multicast on unnumbered VTIs can cause EIGRP flaps?

2. How come that I cannot reproduce it in GNS lab :-))

3. Why is it specific for unnumbered config on tunnel and how to avoid it?

 

br


tunnel flapping ? can you share the config for both end.

EIGRP is flapping, the tunnel is OK. I've managed to reproduce it in GNS, configs attached. If you put some IPs on the tunnels, EIGRP is not flapping. Will try to fix it with a uRPF ACL. From the EIGRP debug I can see that hellos are OK but updates are not, and after 16 retries EIGRP goes down.

If I apply an ACL to the uRPF config, EIGRP is stable.

 

Extended IP access list 150
10 permit eigrp any host 224.0.0.10 log
20 permit eigrp any any log (21 matches)
30 deny ip any any log

 

ip verify unicast source reachable-via rx allow-default allow-self-ping 150

 

but I still see some drops in debug ip cef drop rpf

 

*Apr 5 14:19:46.651: CEF-Drop: Packet from 1.1.1.1 via Tunnel2 -- via-rx
*Apr 5 14:19:51.403: CEF-Drop: Packet from 1.1.1.1 via Tunnel2 -- via-rx
*Apr 5 14:19:56.223: CEF-Drop: Packet from 1.1.1.1 via Tunnel2 -- via-rx
*Apr 5 14:20:00.815: CEF-Drop: Packet from 1.1.1.1 via Tunnel2 -- via-rx
*Apr 5 14:20:05.395: CEF-Drop: Packet from 1.1.1.1 via Tunnel2 -- via-rx
*Apr 5 14:20:09.715: CEF-Drop: Packet from 1.1.1.1 via Tunnel2 -- via-rx

 

PEER#sh ip int tu2 | inc drop
27 verification drops
21 suppressed verification drops
0 verification drop-rate
PEER#
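To make the behaviour in the post above concrete, here is an added example (not from the original thread or from Cisco) that simulates the uRPF decision IOS makes on PEER's Tunnel2. The routing table, the packets and the ACL are constructed from the thread's configs: the peer 1.1.1.1 is reachable through the connected network 1.1.1.0/24 on GigabitEthernet1/0, the interface Tunnel2 borrows its address from, so a strict (rx) check on Tunnel2 fails for every packet the peer sends over the tunnel. Packets that fail the check but match the exemption ACL are labelled "suppressed", following the "suppressed verification drops" counter in the show output above; the allow-default handling is a simplified model and an assumption of this example.

```python
import ipaddress

# Constructed routing table for PEER (prefix -> egress interface), from the thread's configs.
# Tunnel2 is "ip unnumbered GigabitEthernet1/0", so the route back to 1.1.1.1 points out Gi1/0.
PEER_RIB = {
    "1.1.1.0/24": "GigabitEthernet1/0",
    "2.2.2.2/32": "Loopback10",
}

# Constructed exemption ACL modelled on access-list 150 in the post: (action, protocol, destination).
ACL_150 = [
    ("permit", "eigrp", "224.0.0.10"),
    ("permit", "eigrp", "any"),
    ("deny", "ip", "any"),
]

# Constructed sample packets, as seen arriving on PEER.
EIGRP_HELLO = {"src": "1.1.1.1", "in": "Tunnel2", "proto": "eigrp", "dst": "224.0.0.10"}
EIGRP_UPDATE = {"src": "1.1.1.1", "in": "Tunnel2", "proto": "eigrp", "dst": "1.1.1.2"}
PHYSICAL_PKT = {"src": "1.1.1.1", "in": "GigabitEthernet1/0", "proto": "tcp", "dst": "1.1.1.2"}
SPOOFED_PKT = {"src": "12.12.12.5", "in": "Tunnel2", "proto": "tcp", "dst": "1.1.1.2"}


def lookup(rib, addr):
    """Longest-prefix match; returns (network, egress interface) or None when there is no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def acl_permits(acl, proto, dst):
    """First-match ACL evaluation; 'ip' matches any protocol, 'any' matches any destination."""
    for action, p, d in acl:
        if (p == "ip" or p == proto) and (d == "any" or d == dst):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def urpf_verdict(rib, pkt, mode="rx", allow_default=False, acl=None):
    """Return 'pass', 'drop', or 'suppressed' (failed the check but exempted by the ACL)."""
    match = lookup(rib, pkt["src"])
    # Simplified assumption: a default route only counts when allow-default is configured.
    if match is not None and match[0].prefixlen == 0 and not allow_default:
        match = None
    if match is None:
        ok = False                       # no route back to the source at all
    elif mode == "rx":
        ok = match[1] == pkt["in"]       # strict: best route must point out the ingress interface
    else:
        ok = True                        # loose ("any"): any route to the source suffices
    if ok:
        return "pass"
    if acl is not None and acl_permits(acl, pkt["proto"], pkt["dst"]):
        return "suppressed"
    return "drop"


def demo():
    """Verdicts for the sample packets under the configurations discussed in the thread."""
    return {
        "hello strict no acl": urpf_verdict(PEER_RIB, EIGRP_HELLO, "rx"),
        "hello strict acl150": urpf_verdict(PEER_RIB, EIGRP_HELLO, "rx", acl=ACL_150),
        "update strict acl150": urpf_verdict(PEER_RIB, EIGRP_UPDATE, "rx", acl=ACL_150),
        "hello loose": urpf_verdict(PEER_RIB, EIGRP_HELLO, "any"),
        "same pkt on Gi1/0": urpf_verdict(PEER_RIB, PHYSICAL_PKT, "rx"),
        "spoofed strict acl150": urpf_verdict(PEER_RIB, SPOOFED_PKT, "rx", acl=ACL_150),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The last two cases are the point of the ACL workaround: the exemption only rescues EIGRP, while a packet with an unroutable source is still dropped, so strict uRPF keeps its anti-spoofing value on the tunnel.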

 

interesting

I could not open ZIP, can you share the config of one Peer?

------------------------------------------------------------ CORE

 

!

!
! Last configuration change at 11:44:49 UTC Tue Apr 5 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname CORE
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
ip domain name test.test
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
!
crypto isakmp policy 2
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key test address 1.1.1.2
crypto isakmp identity dn
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set TEST_VTI esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile TEST_PROFILE_V1
set transform-set TEST
!
!
!
!
!
!
!
!
!
interface Loopback10
ip address 2.2.2.1 255.255.255.255
!
interface Tunnel21
ip unnumbered GigabitEthernet1/0
ip verify unicast source reachable-via rx allow-default allow-self-ping 150
tunnel source GigabitEthernet1/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.2
tunnel path-mtu-discovery
tunnel path-mtu-discovery min-mtu 500
tunnel protection ipsec profile TEST_PROFILE_V1
!
interface FastEthernet0/0
ip address 11.11.11.1 255.255.255.0
duplex full
!
interface GigabitEthernet1/0
ip address 1.1.1.1 255.255.255.0
negotiation auto
!
!
router eigrp 1
network 1.0.0.0
network 11.0.0.0
redistribute connected
redistribute static
passive-interface GigabitEthernet1/0
passive-interface FastEthernet0/0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Loopback10
ip route 12.12.12.0 255.255.255.0 11.11.11.2
!
ip access-list standard listaSamoDef
permit 0.0.0.0
!
access-list 150 permit ip any any log
access-list 150 permit pcp any any log
access-list 150 permit nos any any log
access-list 150 permit pim any any log
access-list 150 permit ip host 1.1.1.2 any log
access-list 150 permit ahp any any log
access-list 150 permit esp any any log
access-list 150 permit gre any any log
access-list 150 permit igmp any any log
access-list 150 permit eigrp any any log
access-list 150 deny ip any any log
access-list 150 deny esp any any
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

 

 

----------------------------------------------------------------- PEER ----------------

 

!

!
! Last configuration change at 11:43:56 UTC Tue Apr 5 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname PEER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 40000000
logging console critical
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
ip domain name test.test
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
!
crypto isakmp policy 10
encr aes 256
group 5
crypto isakmp key test address 1.1.1.1
crypto isakmp identity dn
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set TEST_VTI esp-aes esp-sha-hmac
mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile TEST_PROFILE_V1
set transform-set TEST
!
!
!
!
!
!
!
!
interface Loopback10
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel1
ip unnumbered GigabitEthernet1/0
tunnel source GigabitEthernet1/0
tunnel destination 1.1.1.9
!
interface Tunnel2
ip unnumbered GigabitEthernet1/0
ip verify unicast source reachable-via rx allow-default allow-self-ping
tunnel source GigabitEthernet1/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel path-mtu-discovery
tunnel path-mtu-discovery min-mtu 500
tunnel protection ipsec profile TEST_PROFILE_V1
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface GigabitEthernet1/0
mtu 4000
ip address 1.1.1.2 255.255.255.0
ip mtu 3800
negotiation auto
!
!
router eigrp 1
network 1.0.0.0
redistribute connected
passive-interface GigabitEthernet1/0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
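The two configs above contain the combination the replies in this thread point at: a tunnel that is unnumbered from the very interface it uses as its tunnel source, strict uRPF on that tunnel, and the tunnel source's network under the EIGRP process. The following is an added example (not from the thread or from Cisco) that parses an IOS running-config and reports tunnels with that combination, so the condition can be found in a config dump before it is deployed. The embedded config is a constructed, trimmed excerpt of PEER's config; the classful expansion of EIGRP `network` statements without a wildcard is an assumption of the script.

```python
import ipaddress
import re

# Constructed excerpt of the PEER running-config from the thread, trimmed to the lines this audit reads.
PEER_CONFIG = """\
interface Loopback10
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel1
 ip unnumbered GigabitEthernet1/0
 tunnel source GigabitEthernet1/0
 tunnel destination 1.1.1.9
!
interface Tunnel2
 ip unnumbered GigabitEthernet1/0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
 tunnel source GigabitEthernet1/0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
!
interface GigabitEthernet1/0
 ip address 1.1.1.2 255.255.255.0
!
router eigrp 1
 network 1.0.0.0
 passive-interface GigabitEthernet1/0
!
"""


def parse_interfaces(cfg):
    """Map interface name -> the sub-commands the audit needs (address, unnumbered, source, uRPF)."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {}
        elif line.startswith("!"):
            cur = None  # IOS prints "!" between configuration sections
        elif cur and line.startswith(" "):
            words = line.split()
            if words[:2] == ["ip", "address"] and len(words) >= 4:
                ifaces[cur]["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            elif words[:2] == ["ip", "unnumbered"]:
                ifaces[cur]["unnumbered"] = words[2]
            elif words[:2] == ["tunnel", "source"]:
                ifaces[cur]["tunnel_source"] = words[2]
            elif words[:2] == ["ip", "verify"]:
                m = re.search(r"reachable-via (rx|any)(.*)$", line)
                ifaces[cur]["urpf"] = m.group(1)
                tail = m.group(2).split()  # a trailing number is the exemption ACL
                ifaces[cur]["urpf_acl"] = tail[-1] if tail and tail[-1].isdigit() else None
    return ifaces


def parse_eigrp_networks(cfg):
    """EIGRP network statements as ip_network objects; no wildcard means classful (assumed)."""
    nets, in_eigrp = [], False
    for line in cfg.splitlines():
        if line.startswith("router eigrp"):
            in_eigrp = True
        elif line.startswith("!"):
            in_eigrp = False
        elif in_eigrp and line.split()[:1] == ["network"]:
            words = line.split()
            if len(words) >= 3:  # "network A.B.C.D wildcard"
                ones = bin(int(ipaddress.ip_address(words[2]))).count("1")
                nets.append(ipaddress.ip_network(f"{words[1]}/{32 - ones}", strict=False))
            else:                # classful: /8 for class A, /16 for class B, /24 for class C
                first = int(words[1].split(".")[0])
                plen = 8 if first < 128 else 16 if first < 192 else 24
                nets.append(ipaddress.ip_network(f"{words[1]}/{plen}", strict=False))
    return nets


def audit(cfg):
    """Report tunnels unnumbered from their own tunnel source that also run strict uRPF."""
    ifaces, nets, findings = parse_interfaces(cfg), parse_eigrp_networks(cfg), []
    for name, attrs in ifaces.items():
        src = attrs.get("tunnel_source")
        if not name.startswith("Tunnel") or src is None or attrs.get("unnumbered") != src:
            continue
        if attrs.get("urpf") != "rx":
            continue
        src_ip = ifaces.get(src, {}).get("ip")
        in_eigrp = src_ip is not None and any(src_ip.ip in n for n in nets)
        acl = attrs.get("urpf_acl")
        findings.append(
            f"{name}: unnumbered from its own tunnel source {src}, strict uRPF "
            + (f"with exemption ACL {acl}" if acl else "without exemption ACL")
            + (", and the source network is advertised in EIGRP" if in_eigrp else "")
        )
    return findings


if __name__ == "__main__":
    for finding in audit(PEER_CONFIG):
        print(finding)
```

Run against the CORE config above, the same audit reports Tunnel21 with exemption ACL 150, which is the workaround the original poster settled on; Tunnel1 in PEER's config is not reported because it has no uRPF configured.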


The config made me think, BUT finally I found something interesting.
As @Georg Pauwen said, a recursive routing issue appears when you configure a routing protocol and include the network of both the tunnel and the tunnel source.

Even though your config is different, it leads to the same issue:
you configure unnumbered and use the unnumbered IP of the tunnel source; here is the issue.

Then you configure EIGRP and include 1.0.0.0, which is the tunnel source and the same tunnel IP...

So recursive routing happened here.
The solution we usually use is to unnumber from the IP of a loopback interface, not the tunnel source.

So uRPF detects this case and drops the unicast, and EIGRP flaps.

So the solution here is to configure a loopback, use it as the unnumbered IP address, and include its subnet in EIGRP.

I think this solves your issue.

Well, a loopback as the source could be a solution, and so could implementing a specific tunnel subnet. Neither of those is acceptable as a "plan A" solution. I think I'll go with an ACL on the uRPF configuration that explicitly permits EIGRP. Anyhow, thanks for presenting the idea.

 

br

I did a lab with rx and any and EIGRP is stable, no issue; I want to see the config.
Also, what is the interface you unnumbered from, is it serial or ethernet?

Do not use any... use strict mode. The interface below the tunnel is ethernet.

can I see config of tunnel and interface ?

Hello,

 

make sure you are not running into the classic recursive routing issue with EIGRP. Tunnel source and destination should not be learned through EIGRP.

 

Can you post the configs of both routers ?

Hello
What's the eigrp neighbor reset log reporting?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul