Cedge TLOC-ext problem

We have two sites, the Hub site and the Spoke site, both of which use TLOC-EXT. We found that the Spoke site Internet interface addresses (59.39.38.106 and 120.86.8.30) cannot be pinged from the Hub site, but the BFD sessions are normal.

The Internet interface address of the Spoke site cannot be pinged from the hub site, but the gateway to the Internet interface address is accessible.

Hub-01#ping 59.39.38.106
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 59.39.38.106, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Hub-01#ping 59.39.38.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 59.39.38.105, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 35/35/36 ms
Hub-01#ping 120.86.8.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.86.8.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Hub-01#ping 120.86.8.29
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.86.8.29, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 41/41/42 ms

#

Spoke site TLOC-EXT configuration

ip route 0.0.0.0 0.0.0.0 2.2.18.2
ip route 0.0.0.0 0.0.0.0 59.39.38.105

#

interface GigabitEthernet0/0/0
no shutdown
arp timeout 1200
ip address 59.39.38.106 255.255.255.252
no ip redirects
ip mtu 1500
ip nat outside
load-interval 30
mtu 1500
negotiation auto

#

interface GigabitEthernet0/0/2
no shutdown
arp timeout 1200
no ip address
no ip redirects
ip mtu 1504
load-interval 30
mtu 1504
exit
interface GigabitEthernet0/0/2.1
description Transport_VPN0_TLOC_Tunnel_Interface
no shutdown
encapsulation dot1Q 1
ip address 2.2.18.1 255.255.255.252
no ip redirects
ip mtu 1500
exit
interface GigabitEthernet0/0/2.2
no shutdown
encapsulation dot1Q 2
ip address 2.2.18.5 255.255.255.252
no ip redirects
ip mtu 1500
exit

#

sdwan
interface GigabitEthernet0/0/0
tunnel-interface
encapsulation ipsec weight 1
no border
color gold
no last-resort-circuit
no low-bandwidth-link
no vbond-as-stun-server
vmanage-connection-preference 5
port-hop
carrier default
nat-refresh-interval 5
hello-interval 1000
hello-tolerance 12
no allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
no allow-service snmp
no allow-service bfd
exit
exit

#

interface GigabitEthernet0/0/2.1
tunnel-interface
encapsulation ipsec weight 1
no border
color biz-internet
no last-resort-circuit
no low-bandwidth-link
no vbond-as-stun-server
vmanage-connection-preference 5
port-hop
carrier default
nat-refresh-interval 5
hello-interval 1000
hello-tolerance 12
no allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
no allow-service snmp
no allow-service bfd
exit
exit
interface GigabitEthernet0/0/2.2
tloc-extension GigabitEthernet0/0/0
exit

#

[Attachments: 1.png, Spoke-01.png, Spoke-02.png]

11 Replies

Hi,

try to do with egress&next-hop:

ping [spoke] egress [interface] next-hop [NH_IP]

Also, can you share show run | sec nat and show run | inc ip route from hub (nat from spoke too)?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

When we ping the Spoke-02 Internet interface address from the Hub site, show ip nat translations | in 58.217.186.252 on Spoke-02 has no output, but show ip nat translations | in 58.217.186.252 on Spoke-01 shows the following:

Spoke-01#show ip nat translations | in 58.217.186.252
icmp 59.39.38.106:22834 120.86.8.30:22834 58.217.186.252:22834 58.217.186.252:22834

We view the Spoke-02 routing table as follows

Spoke-02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected

Gateway of last resort is 120.86.8.29 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 120.86.8.29
                    [1/0] via 2.2.18.5


It can be seen from the NAT entry that the packet goes out from Spoke-01 instead of directly from the Internet interface of Spoke-02. Why is this? The Spoke-02 routing table also has two default routes for load sharing.

ECMP is happening. You should indicate the egress interface, not only the source interface (the source option just changes the source IP in the IP packet; it has no impact on routing. Routing is decided per routing table using ECMP in most SD-WAN cases).

HTH,
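The mechanism the reply above describes, with the two equal-cost default routes in the Spoke-02 routing table quoted earlier and the NAT entry found on Spoke-01, can be modelled in a few lines. This is an added illustration, not code from the thread or from Cisco: Spoke-02 hashes each ICMP reply onto one of its two default next hops, and a reply that lands on the TLOC-extension next hop 2.2.18.5 passes through Spoke-01, whose Internet interface has "ip nat outside", so its source is rewritten to 59.39.38.106 and no longer matches the request the hub sent. The flow hash (CRC32 of the flow key) and the ICMP identifiers are assumptions; a real platform hashes differently, but the per-flow behaviour is the point. The addresses are the ones shown in the thread's routing table and NAT entry.

```python
"""Model of ECMP return-path asymmetry on Spoke-02 plus PAT on Spoke-01.

Added illustration, not code from the thread. Hash function and ICMP
identifiers are assumptions; addresses come from the thread.
"""
from dataclasses import dataclass, replace
import zlib


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ident: int  # ICMP identifier, carried unchanged in the echo reply


SPOKE2_DEFAULTS = ["120.86.8.29", "2.2.18.5"]  # S* 0.0.0.0/0 [1/0] via both
TLOC_EXT_NEXT_HOP = "2.2.18.5"                 # Spoke-01's Gi0/0/2.2
SPOKE1_NAT_OUTSIDE = "59.39.38.106"            # Spoke-01 Gi0/0/0, ip nat outside
SPOKE2_INTERNET = "120.86.8.30"                # Spoke-02 Internet interface
HUB_PUBLIC = "58.217.186.252"                  # outside address in the NAT entry


def ecmp_next_hop(pkt, next_hops):
    """Pick a next hop per flow (assumed CRC32 of the flow key).

    Real platforms use their own hash, but the property that matters is the
    same: the choice depends on the flow, not just on the destination prefix.
    """
    key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.ident}".encode()
    return next_hops[zlib.crc32(key) % len(next_hops)]


def spoke2_reply_path(request, next_hop=None):
    """Build Spoke-02's echo reply and route it; returns (next_hop, reply, nat).

    next_hop may be forced for testing; otherwise ECMP picks it.
    """
    reply = Packet(src=request.dst, dst=request.src, proto="icmp", ident=request.ident)
    nh = next_hop or ecmp_next_hop(reply, SPOKE2_DEFAULTS)
    nat_entry = None
    if nh == TLOC_EXT_NEXT_HOP:
        # Reply crosses the TLOC-extension link into Spoke-01 and leaves via
        # its "ip nat outside" interface: PAT rewrites the source address.
        # Same layout as "show ip nat translations":
        # inside global, inside local, outside local, outside global
        nat_entry = (
            "icmp",
            f"{SPOKE1_NAT_OUTSIDE}:{reply.ident}",
            f"{reply.src}:{reply.ident}",
            f"{reply.dst}:{reply.ident}",
            f"{reply.dst}:{reply.ident}",
        )
        reply = replace(reply, src=SPOKE1_NAT_OUTSIDE)
    return nh, reply, nat_entry


def hub_accepts(request, reply):
    """The hub's ping process (and any stateful firewall in front of it)
    matches a reply to its request by reversed addresses and identifier."""
    return (
        reply.src == request.dst
        and reply.dst == request.src
        and reply.ident == request.ident
    )


def simulate(idents):
    """Send one echo request per identifier and record what happens to each reply."""
    results = []
    for i in idents:
        req = Packet(HUB_PUBLIC, SPOKE2_INTERNET, "icmp", i)
        nh, rep, nat = spoke2_reply_path(req)
        results.append({
            "ident": i,
            "next_hop": nh,
            "reply_src": rep.src,
            "nat_on_spoke1": nat,
            "hub_accepts": hub_accepts(req, rep),
        })
    return results


if __name__ == "__main__":
    for r in simulate(range(1, 11)):
        print(r)
```

Replies that Spoke-02 hashes onto 120.86.8.29 come back from 120.86.8.30 and are accepted; those hashed onto 2.2.18.5 come back from 59.39.38.106 and leave exactly the kind of translation quoted from Spoke-01, which is why the hub sees no answer even though the path is up in both directions.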

Do you mean that I should specify the outbound interface when pinging the Spoke site from the Hub site? I tried, but it still can't ping.

Hub-01#ping 59.39.38.106 source gigabitEthernet 0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 59.39.38.106, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.22
.....
Success rate is 0 percent (0/5)

Firstly, I don't see the highlighted IP in the diagram.

Secondly, use below command: ping [spoke_IP] egress [interface] next-hop [NH_IP]


HTH,

Hub-01#ping 59.39.38.106 egress gigabitEthernet 0/0/0 next-hop 192.168.201.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 59.39.38.106, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.22
.....
Success rate is 0 percent (0/5)
Hub-01#ping 120.86.8.30 egress gigabitEthernet 0/0/0 next-hop 192.168.201.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 120.86.8.30, timeout is 2 seconds:
Packet sent with a source address of 192.168.201.22
.....
Success rate is 0 percent (0/5)

The output shows that ping fails.

I still don't get where "192.168.201.22" comes from. Is it the IP of G0/0/0 on the hub?

HTH,

The address of the Hub site is as follows

Hub-01#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 192.168.201.22 YES other up up
GigabitEthernet0/0/1 unassigned YES other up up
GigabitEthernet0/0/1.1 2.2.20.1 YES other up up
GigabitEthernet0/0/1.2 2.2.20.5 YES other up up
GigabitEthernet0/0/2 10.1.31.41 YES other up up
GigabitEthernet0/0/3 unassigned YES other up up
GigabitEthernet0/0/3.2 172.25.129.62 YES other up up
Gi0/0/3.42 192.168.4.198 YES other up up
GigabitEthernet0/1/0 unassigned YES other down down
GigabitEthernet0/1/1 unassigned YES other down down
GigabitEthernet0 unassigned YES other administratively down down
Sdwan-system-intf 10.1.222.10 YES unset up up
Loopback65528 192.168.1.1 YES other up up
NVI0 unassigned YES unset up up
Tunnel0 192.168.201.22 YES TFTP up up
Tunnel1001 2.2.20.1 YES TFTP up up


There is an Internet firewall in front of the Hub site: 192.168.201.22 --> NAT --> 123.127.25.234

Are you sure that firewall allows ICMP traffic?

HTH,

Sure. Because we can ping other Spoke nodes from the Hub node.

Both the Hub and Spoke sites use the TLOC-Ext design, and NAT is enabled on the Internet interface G0/0/0 (ip nat outside).
