maxnpj
Beginner

OMP route Resolved but not Installed

How does an OMP route get Resolved but not Chosen or Installed? In the below output you can see that this OMP route is:

"C,I,R" from peer 1.1.1.2 - 10.254.1.1 - public-internet,

but there is another route from the same peer that is only Resolved:
1.1.1.2 - 10.254.1.1 - private1

 

VEDGE01# sh omp routes 10.11.12.0/22
Code:

PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 10.11.12.0/22 1.1.1.2 543386 1003 R installed 10.254.1.2 public-internet ipsec -
                          1.1.1.2 543387 1003 Inv,U installed 10.254.1.2 lte ipsec -
                          1.1.1.2 543388 1003 R installed 10.254.1.2 private1 ipsec -
                          1.1.1.2 553272 1003 C,I,R installed 10.254.1.1 public-internet ipsec -
                          1.1.1.2 553273 1003 Inv,U installed 10.254.1.1 lte ipsec -
                          1.1.1.2 553274 1003 R installed 10.254.1.1 private1 ipsec -
                          1.1.1.3 503624 1003 R installed 10.254.1.2 public-internet ipsec -
                          1.1.1.3 503625 1003 Inv,U installed 10.254.1.2 lte ipsec -
                          1.1.1.3 503626 1003 R installed 10.254.1.2 private1 ipsec -
                          1.1.1.3 522889 1003 C,RR installed 10.254.1.1 public-internet ipsec -
                          1.1.1.3 522890 1003 Inv,U installed 10.254.1.1 lte ipsec -
                          1.1.1.3 522891 1003 R installed 10.254.1.1 private1 ipsec -

 

There are BFD sessions over both of those transports between these two devices. I feel like I should know why this is happening. What would prevent this route from being Installed and then Chosen?

5 REPLIES
Kanan Huseynli
Participant

Hi,

please give

sh ip route vpn 1

show omp routes 10.11.12.0/22 detail

show run omp

outputs.

 

If the ECMP limit is 1 in the last output, that is the reason. But if not, then show omp routes detail should show the reason.

 

HTH,

sh ip route vpn 1: (I filtered on the one prefix to shorten the output)

VEDGE01# sh ip route vpn 1 10.11.12.0/22

                                 PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN       PREFIX          PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
1        10.11.12.0/22      omp            - - - - 10.254.1.1                           public-internet ipsec F,S

 

 

****************************************************

****************************************************

show run omp

VEDGE01# sh run omp
omp
no shutdown
send-path-limit 8
ecmp-limit 8
graceful-restart
timers
holdtime 5
exit
advertise bgp
advertise connected
advertise static


****************************************************

****************************************************

 

show omp routes 10.11.12.0/22 detail (There's a ton of output here...Although I did remove the "Inv,U" status sections). A few things I see here:

1. I can see the "C,I,R" route is path-id "553272"

2. The route I'm interested in is path-id "553274"

3. I can see that path-id "553274" loses to "522889" because of "tloc-preference" 

4. I included (below this output) "sh omp tlocs detail". 

 

VEDGE01# show omp routes 10.11.12.0/22 detail

---------------------------------------------------
omp route entries for vpn 1 route 10.11.12.0/22
---------------------------------------------------
RECEIVED FROM:
peer 1.1.1.2
path-id 543386
label 1003
status R
loss-reason tloc-preference
lost-to-peer 1.1.1.3
lost-to-path-id 522891
Attributes:
originator 10.254.1.2
type installed
tloc 10.254.1.2, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.2
path-id 543388
label 1003
status R
loss-reason tloc-id
lost-to-peer 1.1.1.2
lost-to-path-id 543386
Attributes:
originator 10.254.1.2
type installed
tloc 10.254.1.2, private1, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.2
path-id 553272
label 1003
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.254.1.1
type installed
tloc 10.254.1.1, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.2
path-id 553274
label 1003
status R
loss-reason tloc-preference
lost-to-peer 1.1.1.3
lost-to-path-id 522889
Attributes:
originator 10.254.1.1
type installed
tloc 10.254.1.1, private1, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
path-id 503624
label 1003
status R
loss-reason peer-id
lost-to-peer 1.1.1.2
lost-to-path-id 543388
Attributes:
originator 10.254.1.2
type installed
tloc 10.254.1.2, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
path-id 503626
label 1003
status R
loss-reason tloc-id
lost-to-peer 1.1.1.3
lost-to-path-id 503624
Attributes:
originator 10.254.1.2
type installed
tloc 10.254.1.2, private1, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
path-id 522889
label 1003
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
originator 10.254.1.1
type installed
tloc 10.254.1.1, public-internet, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
path-id 522891
label 1003
status R
loss-reason peer-id
lost-to-peer 1.1.1.2
lost-to-path-id 553274
Attributes:
originator 10.254.1.1
type installed
tloc 10.254.1.1, private1, ipsec
ultimate-tloc not set
domain-id not set
overlay-id 1
site-id 1010002
preference not set
tag 10011
origin-proto iBGP
origin-metric 0
as-path not set
unknown-attr-len not set


*************************************

*************************************

VEDGE01# show omp tlocs detail
---------------------------------------------------
tloc entries for 10.254.1.1
public-internet
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 1.1.1.2
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 548
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 120.31.162.82
public-port 12366
private-ip 10.254.35.8
private-port 12366
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 200
tag not set
stale not set
weight 1
version 3
gen-id 0x80000007
carrier default
restrict 1
groups [ 0 ]
border not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 548
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 120.31.162.82
public-port 12366
private-ip 10.254.35.8
private-port 12366
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 200
tag not set
stale not set
weight 1
version 3
gen-id 0x80000007
carrier default
restrict 1
groups [ 0 ]
border not set
unknown-attr-len not set

---------------------------------------------------
tloc entries for 10.254.1.1
private1
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 1.1.1.2
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 532
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 10.99.14.106
public-port 12366
private-ip 10.99.14.106
private-port 12366
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 100
tag not set
stale not set
weight 1
version 3
gen-id 0x80000007
carrier default
restrict 1
groups [ 500 ]
border not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 532
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 10.99.14.106
public-port 12366
private-ip 10.99.14.106
private-port 12366
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 100
tag not set
stale not set
weight 1
version 3
gen-id 0x80000007
carrier default
restrict 1
groups [ 500 ]
border not set
unknown-attr-len not set

---------------------------------------------------
tloc entries for 10.254.1.2
public-internet
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 1.1.1.2
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 264
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 120.31.162.81
public-port 12346
private-ip 10.254.35.11
private-port 12346
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 50
tag not set
stale not set
weight 1
version 3
gen-id 0x80000005
carrier default
restrict 1
groups [ 0 ]
border not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 264
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 120.31.162.81
public-port 12346
private-ip 10.254.35.11
private-port 12346
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 50
tag not set
stale not set
weight 1
version 3
gen-id 0x80000005
carrier default
restrict 1
groups [ 0 ]
border not set
unknown-attr-len not set

---------------------------------------------------
tloc entries for 10.254.1.2
private1
ipsec
---------------------------------------------------
RECEIVED FROM:
peer 1.1.1.2
status C,I,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 263
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 10.99.14.107
public-port 12346
private-ip 10.99.14.107
private-port 12346
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 50
tag not set
stale not set
weight 1
version 3
gen-id 0x80000005
carrier default
restrict 1
groups [ 500 ]
border not set
unknown-attr-len not set


RECEIVED FROM:
peer 1.1.1.3
status C,R
loss-reason not set
lost-to-peer not set
lost-to-path-id not set
Attributes:
attribute-type installed
encap-key not set
encap-proto 0
encap-spi 263
encap-auth sha1-hmac,ah-sha1-hmac
encap-encrypt aes256
public-ip 10.99.14.107
public-port 12346
private-ip 10.99.14.107
private-port 12346
public-ip ::
public-port 0
private-ip ::
private-port 0
bfd-status up
domain-id not set
site-id 1010002
overlay-id not set
preference 50
tag not set
stale not set
weight 1
version 3
gen-id 0x80000005
carrier default
restrict 1
groups [ 500 ]
border not set
unknown-attr-len not set

 

Hi,

 

The router with system IP 10.254.1.1 has 2 TLOCS:

 

tloc entries for 10.254.1.1
public-internet
ipsec

preference 200

 

tloc entries for 10.254.1.1
private1
ipsec

preference 100

 

Both TLOCs are advertised to both vSmarts.

Each OMP route that your router advertises can be reached over each TLOC.

But, because 1 TLOC has a higher preference (configured at the tunnel-interface level), it will always be preferred in both directions:

- router 10.254.1.1 sends traffic from higher pref TLOC (public-internet) to any spoke (landing on any TLOC that spoke may have - if restrict is not used)

- any spoke (from any source TLOC - if restrict is not used) sends traffic to router 10.254.1.1 on the higher pref TLOC (public-internet)

 

Best regards,

Octavian

Kanan Huseynli
Participant

Hi,

 

OK, now it is clear.

 

What Octavian wrote is correct and let me explain with additional explanations.

 

Let's return to the first output.

 

VEDGE01# sh omp routes 10.11.12.0/22
Code:

PATH ATTRIBUTE
VPN PREFIX FROM PEER ID LABEL STATUS TYPE TLOC IP COLOR ENCAP PREFERENCE
--------------------------------------------------------------------------------------------------------------------------------------
1 10.11.12.0/22 1.1.1.2 543386 1003 R installed 10.254.1.2 public-internet ipsec -
                          1.1.1.2 543387 1003 Inv,U installed 10.254.1.2 lte ipsec -
                          1.1.1.2 543388 1003 R installed 10.254.1.2 private1 ipsec -
                          1.1.1.2 553272 1003 C,I,R installed 10.254.1.1 public-internet ipsec -
                          1.1.1.2 553273 1003 Inv,U installed 10.254.1.1 lte ipsec -
                          1.1.1.2 553274 1003 R installed 10.254.1.1 private1 ipsec -
                          1.1.1.3 503624 1003 R installed 10.254.1.2 public-internet ipsec -
                          1.1.1.3 503625 1003 Inv,U installed 10.254.1.2 lte ipsec -
                          1.1.1.3 503626 1003 R installed 10.254.1.2 private1 ipsec -
                          1.1.1.3 522889 1003 C,R installed 10.254.1.1 public-internet ipsec -
                          1.1.1.3 522890 1003 Inv,U installed 10.254.1.1 lte ipsec -
                          1.1.1.3 522891 1003 R installed 10.254.1.1 private1 ipsec -

 

The router receives route info from 2 vSmarts (1.1.1.2 and 1.3). The vSmarts advertise that you can reach the 10.11.12.0/22 subnet via 2 routers (10.251.1.1 and 1.2) through 3 TLOCs (private1, public-internet, lte).

First, note that the router always installs information from the vSmart with the lower system IP (the other vSmart's info, which is a copy, is simply not installed). So none of the routes received from the 2nd vSmart will be installed (they will not have the "I" flag).

 

Let's remove the 2nd vsmart info for simplicity and we have:

 

1 10.11.12.0/22 1.1.1.2 543386 1003 R installed 10.254.1.2 public-internet ipsec -
                          1.1.1.2 543387 1003 Inv,U installed 10.254.1.2 lte ipsec -
                          1.1.1.2 543388 1003 R installed 10.254.1.2 private1 ipsec -
                          1.1.1.2 553272 1003 C,I,R installed 10.254.1.1 public-internet ipsec -
                          1.1.1.2 553273 1003 Inv,U installed 10.254.1.1 lte ipsec -
                          1.1.1.2 553274 1003 R installed 10.254.1.1 private1 ipsec -

 

Most probably you don't have a tunnel (and BFD over it) via lte. So both routes via the remote "lte" TLOC are invalid. Let's remove them too.

 

1 10.11.12.0/22 1.1.1.2 543386 1003 R installed 10.254.1.2 public-internet ipsec -
                          1.1.1.2 543388 1003 R installed 10.254.1.2 private1 ipsec -
                          1.1.1.2 553272 1003 C,I,R installed 10.254.1.1 public-internet ipsec -
                          1.1.1.2 553274 1003 R installed 10.254.1.1 private1 ipsec -

 

Now, based on "show omp tlocs" we see that:

 

1.1.1.1 public-internet has preference 200

1.1.1.1 private1 has preference 100

1.1.1.2 public-internet has preference 50

1.1.1.2 private1 has preference 50

 

Hence, only 553272 is R-resolved (TLOC is UP), C-chosen (by OMP bestpath) and I-installed (written in RIB/FIB).

 

Regards,

 

Kanan;
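
The elimination walked through above can also be read straight from the `show omp routes ... detail` output by following each path's `lost-to-path-id` link until it reaches a path with no loss reason. The following is an added example, not part of the original thread: the sample text is constructed by trimming three blocks of the output posted earlier, and the names `parse_paths` and `trace_loss` are hypothetical.

```python
# Constructed sample: three blocks trimmed from the thread's
# "show omp routes 10.11.12.0/22 detail" output (only the fields parsed here).
SAMPLE = """
RECEIVED FROM:
peer 1.1.1.2
path-id 553272
status C,I,R
loss-reason not set
lost-to-path-id not set
tloc 10.254.1.1, public-internet, ipsec
RECEIVED FROM:
peer 1.1.1.2
path-id 553274
status R
loss-reason tloc-preference
lost-to-path-id 522889
tloc 10.254.1.1, private1, ipsec
RECEIVED FROM:
peer 1.1.1.3
path-id 522889
status C,R
loss-reason not set
lost-to-path-id not set
tloc 10.254.1.1, public-internet, ipsec
"""

FIELDS = ("peer", "path-id", "status", "loss-reason", "lost-to-path-id", "tloc")

def parse_paths(text):
    """Return {path-id: {field: value}} for every RECEIVED FROM block."""
    paths = {}
    for block in text.split("RECEIVED FROM:")[1:]:
        rec = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(" ")
            if key in FIELDS:  # ignore attributes the trace does not need
                rec[key] = value.strip()
        if "path-id" in rec:
            paths[rec["path-id"]] = rec
    return paths

def trace_loss(paths, path_id):
    """Follow lost-to-path-id links; return [(path-id, status, loss-reason)]."""
    chain, seen = [], set()
    while path_id in paths and path_id not in seen:  # 'seen' guards loops
        seen.add(path_id)
        rec = paths[path_id]
        chain.append((path_id, rec.get("status"), rec.get("loss-reason")))
        path_id = rec.get("lost-to-path-id")
    return chain
```

Calling `trace_loss(parse_paths(SAMPLE), "553274")` returns the private1 path followed by the path it lost to, with the recorded loss reason at each step.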

 

THANK YOU for that detailed explanation.....that was very helpful the way you broke it down and removed the non-essential entries. 

 

Again, thank you,....that really helps.