01-24-2014 02:20 AM
I cannot configure a tunnel interface on a Nexus 7k
feature tunnel was enabled
config:
clu# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
clu(config)# feature tunnel
clu(config)# interface tunnel 0
clu(config-if)# tunnel source loopback1
clusaug(config-if)# tunnel destination 171.48.25.21
clusaug(config-if)# ip address 171.57.252.53/31
clusaug(config-if)# no shutdown
clu#
clu# sh interface tunnel 0
Tunnel0 is down (Hardware prog failed)
Admin State: up
Internet address is 171.57.252.53/31
MTU 1476 bytes, BW 9 Kbit
Tunnel protocol/transport GRE/IP
Tunnel source 171.57.252.51 (loopback1), destination 171.48.25.21
Transport protocol is in VRF "default"
Rx
0 packets input, 1 minute input rate 0 packets/sec
Tx
0 packets output, 1 minute output rate 0 packets/sec
Last clearing of "show interface" counters never
clu# sh logging last 2
2014 Jan 22 14:00:03 clu %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by su on 109.1.19.125@pts/2
2014 Jan 22 14:01:10 clu last message repeated 1 time
Cannot find any hints to "Hardware prog failed"
01-24-2014 06:10 AM
Holger,
What does the config look like on your boxes? Are you using a lot of ACLs?
Could you paste the output of "Show system internal access-list resource utilization" ?
Do you have some tunnel debugs as well?
Cheers,
-amit singh
01-27-2014 12:16 AM
Hi,
There are only a few (8) ACLs configured.
Output from Show system internal access-list resource utilization:
slot 2
=======
INSTANCE 0x0
-------------
ACL Hardware Resource Utilization (Mod 2)
--------------------------------------------
Used Free Percent
Utilization
-----------------------------------------------------
Tcam 0, Bank 0 1 16383 0.01
Tcam 0, Bank 1 2 16382 0.01
Tcam 1, Bank 0 154 16230 0.94
Tcam 1, Bank 1 201 16183 1.23
LOU 2 102 1.92
Both LOU Operands 0
Single LOU Operands 2
LOU L4 src port: 1
LOU L4 dst port: 1
LOU L3 packet len: 0
LOU IP tos: 0
LOU IP dscp: 0
LOU ip precedence: 0
LOU ip TTL: 0
TCP Flags 1 15 6.25
Protocol CAM 4 3 57.14
Mac Etype/Proto CAM 0 14 0.00
Non L4op labels, Tcam 0 0 6143 0.00
Non L4op labels, Tcam 1 4 6139 0.06
L4 op labels, Tcam 0 0 2047 0.00
L4 op labels, Tcam 1 2 2045 0.09
Ingress Dest info table 1 511 0.19
Egress Dest info table 0 512 0.00
slot 4
=======
INSTANCE 0x0
-------------
ACL Hardware Resource Utilization (Mod 4)
--------------------------------------------
Used Free Percent
Utilization
-----------------------------------------------------
Tcam 0, Bank 0 1 16383 0.01
Tcam 0, Bank 1 2 16382 0.01
Tcam 1, Bank 0 321 16063 1.96
Tcam 1, Bank 1 201 16183 1.23
LOU 3 101 2.88
Both LOU Operands 1
Single LOU Operands 2
LOU L4 src port: 1
LOU L4 dst port: 1
LOU L3 packet len: 0
LOU IP tos: 0
LOU IP dscp: 0
LOU ip precedence: 0
LOU ip TTL: 0
TCP Flags 1 15 6.25
Protocol CAM 7 0 100.00
Mac Etype/Proto CAM 0 14 0.00
Non L4op labels, Tcam 0 0 6143 0.00
Non L4op labels, Tcam 1 2 6141 0.03
L4 op labels, Tcam 0 0 2047 0.00
L4 op labels, Tcam 1 3 2044 0.14
Ingress Dest info table 1 511 0.19
Egress Dest info table 0 512 0.00
slot 5
=======
NOT Supported in SUP ACLQOS
slot 6
=======
NOT Supported in SUP ACLQOS
slot 7
=======
INSTANCE 0x0
-------------
ACL Hardware Resource Utilization (Mod 7)
--------------------------------------------
Used Free Percent
Utilization
-----------------------------------------------------
Tcam 0, Bank 0 1 16383 0.01
Tcam 0, Bank 1 2 16382 0.01
Tcam 1, Bank 0 321 16063 1.96
Tcam 1, Bank 1 201 16183 1.23
LOU 3 101 2.88
Both LOU Operands 1
Single LOU Operands 2
LOU L4 src port: 1
LOU L4 dst port: 1
LOU L3 packet len: 0
LOU IP tos: 0
LOU IP dscp: 0
LOU ip precedence: 0
LOU ip TTL: 0
TCP Flags 1 15 6.25
Protocol CAM 7 0 100.00
Mac Etype/Proto CAM 0 14 0.00
Non L4op labels, Tcam 0 0 6143 0.00
Non L4op labels, Tcam 1 2 6141 0.03
L4 op labels, Tcam 0 0 2047 0.00
L4 op labels, Tcam 1 3 2044 0.14
Ingress Dest info table 1 511 0.19
Egress Dest info table 0 512 0.00
slot 9
=======
INSTANCE 0x0
-------------
ACL Hardware Resource Utilization (Mod 9)
--------------------------------------------
Used Free Percent
Utilization
-----------------------------------------------------
Tcam 0, Bank 0 1 16383 0.01
Tcam 0, Bank 1 2 16382 0.01
Tcam 1, Bank 0 150 16234 0.92
Tcam 1, Bank 1 201 16183 1.23
LOU 2 102 1.92
Both LOU Operands 0
Single LOU Operands 2
LOU L4 src port: 1
LOU L4 dst port: 1
LOU L3 packet len: 0
LOU IP tos: 0
LOU IP dscp: 0
LOU ip precedence: 0
LOU ip TTL: 0
TCP Flags 1 15 6.25
Protocol CAM 4 3 57.14
Mac Etype/Proto CAM 0 14 0.00
Non L4op labels, Tcam 0 0 6143 0.00
Non L4op labels, Tcam 1 2 6141 0.03
L4 op labels, Tcam 0 0 2047 0.00
L4 op labels, Tcam 1 2 2045 0.09
Ingress Dest info table 1 511 0.19
Egress Dest info table 0 512 0.00
Cheers,
Holger
01-28-2014 12:34 PM
Hi Holger,
Check this: we have different internal protocols, and it looks like the Protocol CAM has been utilized 100%.
Protocol CAM 7 0 100.00
Please can you run "show system internal access-list input entries"? Capture the above output in one file, and in another file capture "show system internal access-list input entries detail".
An L4 protocol entry refers to an ACE that matches a specific L4 protocol number like TCP, UDP, ICMP, OSPF, etc. The N7k (at least for M1 modules) can match against a fixed number of user-defined L4 protocols. Software maintains a list of entries on a per-module basis. These entries are shared by all ACLs on the module between each VDC for input and output ACLs. In other words, each module has a fixed number of indexes that is shared between all VDCs in the system. Different modules can maintain different indexes depending on what features are applied. Currently there is a maximum of 7 L4 protocols that can be dynamically allocated. We have the following protocols:
112 - VRRP
53 - SWIPE
55 - MOBILE
77 - SUN-ND
51 - AH
88 - EIGRP
89 - OSPFIGP
All of these have been utilized by the access lists and QoS policies applied.
What we should do now is review the ACLs applied and remove a few entries that match the above protocol numbers.
Or use any other way to match the same traffic.
For example:
ip access-list VRRP
  permit 112 any 224.0.0.0/24
ip access-list PIM
  permit ahp any 224.0.0.13/32
to:
ip access-list VRRP
  permit ip any 224.0.0.18/32
ip access-list PIM
  permit ip any 224.0.0.13/32
Hope this helps.
Cheers,
-amit singh
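An added example, not part of the original thread and not Cisco tooling: a Python parser for the text of "show system internal access-list resource utilization" as pasted above, listing per module any resource with no free entries, which is how the Protocol CAM exhaustion on modules 4 and 7 shows up. The sample is constructed by trimming the output in this thread; the function names and the 90% threshold are assumptions.

```python
import re

MOD_RE = re.compile(r"ACL Hardware Resource Utilization \(Mod (\d+)\)")
# Resource name, then Used, Free and Percent columns; the name may contain digits.
ROW_RE = re.compile(r"^(?P<name>.+?)\s+(?P<used>\d+)\s+(?P<free>\d+)\s+(?P<pct>\d+\.\d+)$")

# Constructed sample: trimmed from the output format shown in this thread.
SAMPLE = """\
slot 2
=======
ACL Hardware Resource Utilization (Mod 2)
Tcam 1, Bank 0 154 16230 0.94
LOU 2 102 1.92
Both LOU Operands 0
Protocol CAM 4 3 57.14
slot 4
=======
ACL Hardware Resource Utilization (Mod 4)
Tcam 1, Bank 0 321 16063 1.96
Protocol CAM 7 0 100.00
L4 op labels, Tcam 1 3 2044 0.14
slot 5
=======
NOT Supported in SUP ACLQOS
"""

def parse_utilization(text):
    """Return {module: {resource: (used, free, percent)}}."""
    modules, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("slot "):
            current = None            # rows belong to the next "(Mod N)" header
            continue
        header = MOD_RE.search(line)
        if header:
            current = modules.setdefault(int(header.group(1)), {})
            continue
        row = ROW_RE.match(line)      # single-count rows ("Both LOU Operands 0") do not match
        if row and current is not None:
            current[row["name"]] = (int(row["used"]), int(row["free"]), float(row["pct"]))
    return modules

def near_exhaustion(text, threshold=90.0):
    """List (module, resource, used, free) rows with no free entries or at/over threshold."""
    return [(mod, name, used, free)
            for mod, rows in sorted(parse_utilization(text).items())
            for name, (used, free, pct) in rows.items()
            if free == 0 or pct >= threshold]

if __name__ == "__main__":
    for mod, name, used, free in near_exhaustion(SAMPLE):
        print(f"module {mod}: {name} used={used} free={free}")
```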
01-29-2014 12:26 AM
01-29-2014 02:37 AM
Hi Holger,
Please attach using the insert image option on the reply window. It should be on the top next to bullet and numbering option. If you want, send me an email at amisin@gmail.com.
Cheers,
-amit singh
02-04-2014 01:39 AM
02-05-2014 01:08 AM
after sub switchover (and back) problem is solved