VTI endpoints can't be pinged by LAN clients

Damir Reic
Level 1

Hello,

I set up a simple lab environment in GNS3 and found an interesting problem. I used the setup from https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1080079 (Configuration Examples for IPsec Virtual Tunnel Interface). So in this simple setup the tunnel interface is UP; from the router I can ping everything, but from the server on the left and the right side I can't ping the tunnel endpoint or the LAN IP of the other router. I have no idea why, it's totally not logical, the servers are using the LAN IP as their default gateway.

So workstation PC1 can ping the tunnel IP on R1 but can't ping the tunnel IP on R2. Both ends have proper routes, otherwise I wouldn't be able to ping the "lan" interface from the router on the other side of the tunnel.

12 Replies

Hello Damir,

Does R2 have a route to the network PC1 is on in its routing table?

Yes it does. I can ping the LAN interface (default gateway of PC1) of R1 from R2.

Can you provide the configuration please?

Are you using a dynamic routing protocol?

R1:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
!

interface Tunnel0
 ip address 10.0.51.203 255.255.255.0
 ip ospf mtu-ignore
 load-interval 30
 tunnel source 10.0.149.203
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P1
!
interface FastEthernet0/0
 ip address 10.0.35.203 255.255.255.0
 duplex full
!
interface Ethernet2/0
 ip address 10.0.149.203 255.255.255.0
 duplex full
!
ip route 10.0.36.0 255.255.255.0 Tunnel0

R2:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.51.217 255.255.255.0
 ip ospf mtu-ignore
 tunnel source 10.0.149.217
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.203
 tunnel protection ipsec profile P1
!
interface FastEthernet0/0
 ip address 10.0.36.217 255.255.255.0
 duplex full

interface Ethernet2/0
 ip address 10.0.149.217 255.255.255.0
 duplex full
!
ip route 10.0.35.0 255.255.255.0 Tunnel0

PC1 config:

NAME   IP/MASK              GATEWAY           MAC                LPORT  RHOST:PORT
PC1    10.0.35.21/24        10.0.35.203       00:50:79:66:68:00  10018  127.0.0.1:10019
       fe80::250:79ff:fe66:6800/64

PC1> ping  10.0.51.217
10.0.51.217 icmp_seq=1 timeout
10.0.51.217 icmp_seq=2 timeout
10.0.51.217 icmp_seq=3 timeout
10.0.51.217 icmp_seq=4 timeout
10.0.51.217 icmp_seq=5 timeout

PC1> trace  10.0.51.217
trace to 10.0.51.217, 8 hops max, press Ctrl+C to stop
 1   10.0.35.203   4.500 ms  9.395 ms  9.508 ms
 2     *  *  *
 3     *  *  *
 4     *  *  *
 5     *  *  *
 6     *  *  *
 7     *  *  *
 8     *  *  *

R1 debug ICMP and debug IP output:

*Jan 27 20:21:10.245: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.245: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.249: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.249: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.253: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jan 27 20:21:10.253: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.253: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.253: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.257: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet  consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jan 27 20:21:10.265: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.265: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.265: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.265: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.265: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.265: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
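As an added example (not from the thread, Cisco, or GNS3), a small Python audit of the two configs posted above: it parses the IOS text, checks that R1's tunnel source and destination mirror R2's and that both sides protect an `ipsec ipv4` VTI, and flags the wildcard pre-shared key (`address 0.0.0.0`) and the 3DES/SHA-1/DH group 2 choices a security review would want replaced. The config strings are trimmed copies of the posted ones; `parse`, `tunnel`, `peers_consistent`, `audit` and `WEAK` are this example's own names.

```python
# Constructed, trimmed copy of the R1 config posted in the thread; the posted
# R2 config differs only in the .203/.217 addresses, so it is derived below.
R1_CFG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
interface Tunnel0
 tunnel source 10.0.149.203
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P1
"""
# Swap the two endpoint octets to obtain the mirrored R2 config.
R2_CFG = R1_CFG.replace("203", "\0").replace("217", "203").replace("\0", "217")

def parse(cfg):
    """Split an IOS config into (command, [indented sub-commands]) pairs."""
    blocks = []
    for line in cfg.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def tunnel(cfg):
    """Return the 'tunnel ...' settings of the first Tunnel interface as a dict."""
    for cmd, sub in parse(cfg):
        if cmd.startswith("interface Tunnel"):
            words = [s.split() for s in sub if s.startswith("tunnel ")]
            return {w[1]: " ".join(w[2:]) for w in words}
    return {}

def peers_consistent(a, b):
    """True when each side's source is the other's destination and both run a protected ipsec ipv4 VTI."""
    ta, tb = tunnel(a), tunnel(b)
    return (ta.get("source") == tb.get("destination") and ta.get("destination") == tb.get("source")
            and ta.get("mode") == tb.get("mode") == "ipsec ipv4" and "protection" in ta and "protection" in tb)

# Algorithms and DH groups a current review would flag (3DES/DES, MD5, SHA-1 HMAC, 1024-bit DH).
WEAK = {"encr 3des", "encr des", "hash md5", "group 1", "group 2",
        "esp-3des", "esp-des", "esp-md5-hmac", "esp-sha-hmac"}
def audit(cfg):
    """Flag the wildcard pre-shared key and weak/legacy crypto; returns a list of findings."""
    findings = []
    for cmd, sub in parse(cfg):
        if cmd.startswith("crypto isakmp key") and cmd.endswith(" address 0.0.0.0"):
            findings.append("wildcard PSK (address 0.0.0.0): the same key is accepted from any peer")
        findings += [f"weak/legacy algorithm: {x}" for x in sub + cmd.split()[3:]
                     if cmd.startswith("crypto") and x in WEAK]
    return findings
```

On the posted R1 config, `audit` reports five findings and `peers_consistent(R1_CFG, R2_CFG)` is true, which matches the thread's observation that the crypto and tunnel pairing themselves are fine.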

So, PC1 on 10.0.35.21/24 with a default gateway of R1 on 10.0.35.203 is pinging 10.0.51.217.

R1 only has a static route of "ip route 10.0.36.0 255.255.255.0 Tunnel0"; you'd need to route 10.0.51.0/24 through Tunnel0. As this is a GNS3 lab, you'd be better off running a routing protocol and advertising all networks.

10.0.51.0/24 is the tunnel network, directly connected to both R1 and R2, so they should both know where it is. When a packet from VPC1 comes to R1, R1 knows where it is and should just route the packet to int Tunnel0. R2 has a return route, so I don't really know what the problem is.

Yes, you are right, I overlooked the fact that 10.0.51.0/24 is the tunnel subnet.

I tweaked my lab running CSR1000v routers to match your setup, and repeating the same test the PC can ping the other router's IP addresses. So your configuration looks ok.

Is the PC you are using a Windows VM? It doesn't look like it from the output you previously provided.

It's what's available in GNS3 😊. It was either that or my host; I can try replacing the PC with another router and see what happens. But now you see why I am confused and frustrated :D

Hello All,

Was there any outcome/resolution for this query? I'm stuck in the same situation.
Please let me know if there was a resolution.
Thanks.

I had the same issue with EVE-NG and GNS3 labs: PCs on both ends could not ping each other, nor the neighbor router's gateway interface. The solution for me was disabling the route cache (no ip route-cache) on the local router's interface. In your case you should disable it on FastEthernet0/0. It seems that the packet should be routed by the CPU (process switching), not by CEF. I believe it must help you.

I have not had a chance to test VTIs on real equipment yet. I hope one day I will post the results of the lab on real hardware.

 

Ayaz, your solution was helpful. Thanks a lot.

Big thanks bro for your sharing, I was stuck for almost 1 day on this, LOL...

I checked the configuration between the routers many times but found no problem; after adding the config no ip route-cache, the networks end to end can reach each other.
