
{SOLVED} VRF problem. Ping reply works but no data flow.

rmlestraden
Level 1

Hello there,

I have been breaking my head over the past few days and I can't get this to work. Perhaps I am making a mistake in the config but I can't see what is wrong with it.

The problem is that I can ping the hosts in the other network. And if I do a port scan from subnet 1 to subnet 2 I get open ports. For example, if I open the web browser and go from 10.0.2.x to 10.0.1.x then I get only port status open. But no page. If I want to telnet from router to router I get no telnet session, only status open.

I can ping from router to router but that's it. I can't get active services active :/

Current configuration : 5575 bytes

!

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname HD1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200

logging console critical

!

no aaa new-model

!

memory-size iomem 10

clock timezone GMT 1 0

clock summer-time GMT date

!

!

no ip source-route

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

ip vrf data

rd 65535:1

!

ip vrf voice

rd 65535:2

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 10.0.1.1 10.0.1.49

!

ip dhcp pool DATA

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 213.144.235.254

option 43 hex 3a02.0005.ff

!

ip dhcp pool VOICE

network 10.0.1.0 255.255.255.0

default-router 10.0.1.1

dns-server 213.144.235.1

option 66 ip 10.0.1.2

!

!

no ip bootp server

no ip domain lookup

ip domain name net.lan

ip name-server 213.144.235.1

ip name-server 213.144.235.2

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO887VA-K9 sn

!

!

archive

log config

  hidekeys

username admin privilege 15 secret 5 pass

!

!

!

!

!

controller VDSL 0

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

!

!

!

!

!

!

interface Ethernet0

no ip address

shutdown

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description Internet_DATA_PVC1

pvc 0/33

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface ATM0.2 point-to-point

description VOICE_PVC2

pvc 0/34

  vbr-rt 200 200

  encapsulation aal5mux ppp dialer

  dialer pool-member 2

!

!

interface FastEthernet0

ip vrf forwarding voice

no ip address

!

interface FastEthernet1

ip vrf forwarding voice

no ip address

!

interface FastEthernet2

description Ethernet poort 3

switchport access vlan 2

no ip address

!

interface FastEthernet3

description Ethernet poort 4

switchport access vlan 2

no ip address

!

interface Vlan2

description Internet_DATA_VLAN

ip vrf forwarding data

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Vlan1

description VOICE_VLAN

ip vrf forwarding voice

ip address 10.0.1.1 255.255.255.0

ip tcp adjust-mss 1452

!

interface Dialer1

ip vrf forwarding data

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

interface Dialer2

ip vrf forwarding voice

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 2

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns view vrf data default

no ip nat service sip udp port 5060

ip nat inside source list 101 interface Dialer1 vrf data overload

ip route vrf data 0.0.0.0 0.0.0.0 Dialer1

ip route vrf voice 0.0.0.0 0.0.0.0 Dialer2

!

logging trap debugging

access-list 23 permit 10.0.1.0 0.0.0.255

access-list 23 permit 10.0.2.0 0.0.0.255

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 23 permit 83.232.161.0 0.0.0.255

access-list 23 permit 82.94.79.0 0.0.0.255

access-list 23 permit 84.246.25.0 0.0.0.255

access-list 23 permit 172.31.255.0 0.0.0.255

access-list 23 permit 213.144.0.0 0.0.255.255

access-list 23 permit 92.65.31.32 0.0.0.7

access-list 23 permit 192.168.2.0 0.0.0.255

access-list 100 permit ip any any

access-list 100 permit tcp any any

access-list 100 permit udp any any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 103 permit ip 10.0.1.0 0.0.0.255 any

access-list 103 permit ip 10.0.2.0 0.0.0.255 any

access-list 103 permit tcp 10.0.2.0 0.0.0.255 any

access-list 103 permit tcp 10.0.1.0 0.0.0.255 any

access-list 103 permit udp 10.0.2.0 0.0.0.255 any

access-list 103 permit udp 10.0.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

no cdp run

!

!

control-plane

^C

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15

logging synchronous

login local

transport input telnet

!

!

end

Config 2

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Current configuration : 5772 bytes

!

!

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname STR

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200

logging console critical

!

no aaa new-model

!

memory-size iomem 10

clock timezone GMT 1 0

clock summer-time GMT date Mar 30 2002 1:00 Oct 26 2035 1:59

!

!

no ip source-route

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

ip vrf data

rd 65535:1

route-target export 65535:1

route-target import 65535:1

!

ip vrf voice

rd 65535:2

route-target export 65535:2

route-target import 65535:2

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.49

ip dhcp excluded-address 10.0.2.1 10.0.2.49

!

ip dhcp pool DATA

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 213.144.235.254

option 43 hex 3a02.0005.ff

!

ip dhcp pool VOICE

network 10.0.2.0 255.255.255.0

default-router 10.0.2.1

dns-server 213.144.235.1

option 66 ip 10.0.1.2

!

!

no ip bootp server

no ip domain lookup

ip domain name net.lan

ip name-server 213.144.235.1

ip name-server 213.144.235.2

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO887VA-K9 sn

!

!

archive

log config

  hidekeys

username user privilege 15 secret 5 pass

!

!

!

!

!

controller VDSL 0

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

!

!

!

!

!

!

interface Ethernet0

no ip address

shutdown

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description internet_DATA_PVC1

pvc 0/33

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface ATM0.2 point-to-point

description VOICE_PVC2

pvc 0/34

  vbr-rt 200 200

  encapsulation aal5mux ppp dialer

  dialer pool-member 2

!

!

interface FastEthernet0

description Ethernet poort 3

ip vrf forwarding voice

no ip address

!

interface FastEthernet1

ip vrf forwarding voice

no ip address

!

interface FastEthernet2

description Ethernet poort 3

switchport access vlan 2

no ip address

!

interface FastEthernet3

description Ethernet poort 4

switchport access vlan 2

no ip address

!

interface Vlan2

description internet_DATA_VLAN

ip vrf forwarding data

ip address 192.168.2.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Vlan1

description VOICE_VLAN

ip vrf forwarding voice

ip address 10.0.2.1 255.255.255.0

ip tcp adjust-mss 1452

!

interface Dialer1

ip vrf forwarding data

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

interface Dialer2

ip vrf forwarding voice

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip virtual-reassembly in

encapsulation ppp

dialer pool 2

dialer-group 2

ppp authentication pap callin

ppp pap sent-username user password 7 pass

no cdp enable

!

ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns view vrf data default

no ip nat service sip udp port 5060

ip nat inside source list 101 interface Dialer1 vrf data overload

ip route vrf data 0.0.0.0 0.0.0.0 Dialer1

ip route vrf voice 0.0.0.0 0.0.0.0 Dialer2

!

logging trap debugging

access-list 23 permit 10.0.2.0 0.0.0.255

access-list 23 permit 10.0.1.0 0.0.0.255

access-list 23 permit 192.168.2.0 0.0.0.255

access-list 23 permit 83.232.161.0 0.0.0.255

access-list 23 permit 82.94.79.0 0.0.0.255

access-list 23 permit 84.246.25.0 0.0.0.255

access-list 23 permit 172.31.255.0 0.0.0.255

access-list 23 permit 213.144.0.0 0.0.255.255

access-list 23 permit 92.65.31.32 0.0.0.7

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip any any

access-list 100 permit tcp any any

access-list 100 permit udp any any

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 103 permit ip 10.0.2.0 0.0.0.255 any

access-list 103 permit ip 10.0.1.0 0.0.0.255 any

access-list 103 permit tcp 10.0.2.0 0.0.0.255 any

access-list 103 permit tcp 10.0.1.0 0.0.0.255 any

access-list 103 permit udp 10.0.2.0 0.0.0.255 any

access-list 103 permit udp 10.0.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

no cdp run

!

!

control-plane

!

!

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15

logging synchronous

login local

transport input telnet

!

!

end

4 Replies

Marcin Latosiewicz
Cisco Employee

Ronald,

What you're describing is most likely a problem with MTU (if ping works and TCP connect port scan returns open ports) or some very odd problem with forwarding.

BTW - this section of forums is for crypto VPNs not MPLS and such ;-)

M.

Thanks for your quick reply Marcin.

Oops, wrong section of the forum. Sorry for that. Perhaps one of the mods can move this post then.

Hmmmm... MTU size could indeed be an issue. But then again, the voice VRF is running over an IPVPN that is provided by the provider. I have been in contact with the provider a few times now and all they say is that their IPVPN is correct. They also took time to look at the configs for both routers and they also say that it's correct. OK. But where could this issue be hidden?

I will get back on this asap.

Thanks again.
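
The MTU hypothesis from the reply above can be checked against the posted configuration. This Python is an added example, not part of the thread or of any Cisco tool: it reads the interface stanzas for one VRF, derives the largest TCP packet the `ip tcp adjust-mss` clamp allows, and lists interfaces where `no ip unreachables` stops the router from sending ICMP "fragmentation needed". The sample text is a constructed excerpt of the HD1 config, and the path MTU passed in is an assumed value that has to be measured on the real path.

```python
import re

# Constructed sample: voice-VRF stanzas as posted for router HD1 in this thread.
SAMPLE = """interface Vlan1
ip vrf forwarding voice
ip address 10.0.1.1 255.255.255.0
ip tcp adjust-mss 1452
!
interface Dialer2
ip vrf forwarding voice
ip unnumbered Vlan1
no ip unreachables
encapsulation ppp
!
ip forward-protocol nd
"""

HEADERS = 40  # IPv4 header (20) + TCP header (20), no options


def parse_interfaces(config):
    """Map interface name -> {'vrf', 'mss', 'unreachables'} from IOS config text."""
    result, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = result.setdefault(line.split()[1],
                                    {"vrf": None, "mss": None, "unreachables": True})
        elif line == "!":
            cur = None                       # '!' closes the interface stanza
        elif cur is not None:
            if m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
                cur["vrf"] = m.group(1)
            elif m := re.fullmatch(r"ip tcp adjust-mss (\d+)", line):
                cur["mss"] = int(m.group(1))
            elif line == "no ip unreachables":
                cur["unreachables"] = False  # no ICMP 'fragmentation needed' sent
    return result


def mtu_findings(config, vrf, path_mtu):
    """Compare the largest clamped TCP packet in a VRF with an assumed path MTU."""
    ifs = {n: i for n, i in parse_interfaces(config).items() if i["vrf"] == vrf}
    clamps = [i["mss"] for i in ifs.values() if i["mss"]]
    largest = (min(clamps) + HEADERS) if clamps else None
    return {
        "largest_tcp_packet": largest,
        # No clamp at all is reported as a risk: hosts may send full-size packets.
        "exceeds_path_mtu": largest is None or largest > path_mtu,
        "pmtud_silenced_on": sorted(n for n, i in ifs.items() if not i["unreachables"]),
    }
```

Small pings and TCP handshakes fit under almost any path MTU, so a result with `exceeds_path_mtu` set and a non-empty `pmtud_silenced_on` list matches the "ports open, no data" symptom; blank lines between config lines, as in the paste above, are ignored by the parser.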

rmlestraden
Level 1

This post may be locked since it is in the wrong section of the forum.

I have started a new one @

https://supportforums.cisco.com/thread/2167844

The problem has been resolved. It was the line provider that made a mistake by giving the wrong line speed at the second pvc.

After they made the correct changes the connection was made between the 2 routers over the IPVPN.

Router config Check

Router firmware Check

First pvc Check

Second pvc but now check

Ipvpn and data flow check

Connection has been made check