09-26-2003 05:08 AM - edited 02-21-2020 12:47 PM
I have a pair of subnets connected via an IPSec/GRE transport mode tunnel. Yesterday I turned on CEF using the "ip cef" command. The moment I did this the hosts on the two subnets stopped talking to each other. The routers themselves looked fine. They could ping each other's private LAN and tunnel addresses with no problem. I removed the "ip cef" command and rebooted and still nothing. Then I compared the current config with a saved copy. I noticed that before I issued the "ip cef" command all interfaces had "no ip route-cache" configured. I re-added this command to all interfaces and everything was back to normal. Three questions:
1) Why did "ip cef" remove this command?
2) Why is "no ip route-cache" needed for my setup to work?
3) Is there a way to use "ip cef" without breaking my network?
Thanks,
Diego
09-28-2003 08:15 PM
1. "no ip route-cache" on the interface says you want to process switch all the traffic. Turning on "ip cef" says you want to CEF switch everything, so that interface command is removed. This is IOS version dependent, it doesn't happen in every version AFAIK.
2. Again, IOS version dependent. There are tons of bugs with CEF/fast switching and IPSec or GRE/IPSec. 12.0 was especially susceptible, but generally later 12.1 and 12.2 work fine, although again there are specific versions which do have the problem.
3. Upgrade to a code version that does not have a switching/GRE/IPSec bug. What code version are you running currently? I'd upgrade to the latest mainline version that fits in your flash/memory and you should be fine to then run CEF with GRE/IPSec.
09-29-2003 02:05 AM
12.3 still has the odd bug; this one caught us out for a little while.
Bug ID CSCec26653
Despite saying it's 2600s, we found this on the 1700, 800 and 3600 ranges of routers and up to version 12.3.3 of IOS.
Rhodri
09-29-2003 04:27 AM
That bug will definitely affect one of the two routers that I am dealing with now, so I guess an IOS upgrade won't fix all my problems. The main reason I need CEF is to do QoS classifying of traffic. The NAT and crypto stuff is on the serial interface. Assuming I can turn on CEF but somehow disable it on the serial interface, will I be able to classify traffic coming in on the ethernet interface?
Thanks,
Diego
10-08-2003 06:39 AM
I just helped a customer with this recently. He is running 12.2(8)T on a 3640 with IPSec/GRE/CEF/QoS pre-classify.
It seems to be working for him.
05-25-2004 01:03 PM
Does the 1700 support QoS pre-classify? Some Cisco docs refer to this feature as only available on the 2600, 3600 and 7200. The Software Advisor doesn't list 1700 routers with this feature.
06-01-2004 06:31 PM
Hello Diego. Did you have outbound access-groups applied? I'm working on a similar problem that was fixed when I added an element for 'gre' in the ACL applied to the interface. I'm now trying to determine if this behavior is by design or a bug...
Thanks.
Mike B.
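As an added illustration that is not part of this thread, here is a minimal IOS configuration for one side of a GRE-over-IPsec transport-mode tunnel that keeps CEF enabled, applies QoS pre-classify as the 10-08-2003 post describes, and carries the 'gre' entry in the outbound access-group that Mike B. mentions. Nobody in the thread posted this config; all names (VPN, GRE-TS, GRE-TRAFFIC, SERIAL-OUT), the addresses (203.0.113.x and 192.168.x.x documentation ranges), the cipher choices and the pre-shared-key placeholder are assumptions. Replace them with your own values.

```cisco
! Added example config (not from the thread). Assumed topology:
!   local serial 203.0.113.1, peer serial 203.0.113.2 (hypothetical)
!   local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24 (hypothetical)
!
! Global CEF on; per-interface switching paths are set below.
ip cef
!
! IKE phase 1. Cipher choices are assumptions; use what the platform supports.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.2
!
! Transport mode, as in Diego's setup: only the GRE header is inside ESP.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! Only GRE between the two tunnel endpoints is encrypted.
ip access-list extended GRE-TRAFFIC
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TRAFFIC
 ! Copy the inner packet's classification to the encrypted packet so
 ! QoS on the serial interface can still match the original flows.
 qos pre-classify
!
! Outbound ACL on the serial interface. Tunnel traffic appears here as
! ISAKMP (UDP 500), ESP and GRE between the peers; admitting all three
! avoids the symptom Mike B. describes where only the 'gre' line was missing.
ip access-list extended SERIAL-OUT
 permit udp host 203.0.113.1 host 203.0.113.2 eq isakmp
 permit esp host 203.0.113.1 host 203.0.113.2
 permit gre host 203.0.113.1 host 203.0.113.2
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 ! qos pre-classify is also accepted on the tunnel interface itself.
 qos pre-classify
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group SERIAL-OUT out
 crypto map VPN
 ! Only if this IOS is hit by the CEF/IPsec bug discussed above:
 ! turn CEF off on just this interface instead of "no ip route-cache"
 ! everywhere, so the rest of the box keeps CEF for classification.
 ! no ip route-cache cef
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Verification after applying:
!   show ip cef summary
!   show ip interface Serial0/0 | include switching
!   show crypto isakmp sa
!   show crypto ipsec sa | include pkts
```

The `show ip interface ... | include switching` lines report whether fast and CEF switching are enabled per interface, which is the quickest way to see what `ip cef` actually changed compared with the saved config; `show crypto ipsec sa` packet counters show whether traffic is being encrypted and decrypted once the hosts stop talking.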
06-02-2004 04:19 AM
It's been a while, but what I think fixed it was an IOS upgrade to 12.3. I don't remember having to modify any ACLs. I would say "bug".
Diego