01-29-2018 12:23 AM - edited 03-12-2019 04:57 AM
Hello,
I set up a simple lab environment in GNS3 and found an interesting problem. I used the setup from https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1080079 (Configuration Examples for IPsec Virtual Tunnel Interface). So in this simple setup the tunnel interface is UP, and from the router I can ping everything, but from the servers on the left and right sides I can't ping the tunnel endpoint or the LAN IP of the other router. I have no idea why; it's totally illogical, as the servers are using the LAN IP as their default gateway.
So workstation PC1 can ping the tunnel IP on R1 but can't ping the tunnel IP on R2. Both ends have proper routes; otherwise I wouldn't be able to ping the "lan" interface from the router on the other side of the tunnel.
01-29-2018 02:02 AM
Hello Damir,
Does R2 have a route to the network PC1 is on in its routing table?
01-29-2018 03:01 AM
Can you provide the configuration please?
Are you using a dynamic routing protocol?
01-29-2018 03:32 AM
R1:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.51.203 255.255.255.0
 ip ospf mtu-ignore
 load-interval 30
 tunnel source 10.0.149.203
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P1
!
interface FastEthernet0/0
 ip address 10.0.35.203 255.255.255.0
 duplex full
!
interface Ethernet2/0
 ip address 10.0.149.203 255.255.255.0
 duplex full
!
ip route 10.0.36.0 255.255.255.0 Tunnel0
R2:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.51.217 255.255.255.0
 ip ospf mtu-ignore
 tunnel source 10.0.149.217
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.203
 tunnel protection ipsec profile P1
!
interface FastEthernet0/0
 ip address 10.0.36.217 255.255.255.0
 duplex full
!
interface Ethernet2/0
 ip address 10.0.149.217 255.255.255.0
 duplex full
!
ip route 10.0.35.0 255.255.255.0 Tunnel0
PC1 config:
NAME   IP/MASK          GATEWAY      MAC                LPORT  RHOST:PORT
PC1    10.0.35.21/24    10.0.35.203  00:50:79:66:68:00  10018  127.0.0.1:10019
       fe80::250:79ff:fe66:6800/64

PC1> ping 10.0.51.217
10.0.51.217 icmp_seq=1 timeout
10.0.51.217 icmp_seq=2 timeout
10.0.51.217 icmp_seq=3 timeout
10.0.51.217 icmp_seq=4 timeout
10.0.51.217 icmp_seq=5 timeout

PC1> trace 10.0.51.217
trace to 10.0.51.217, 8 hops max, press Ctrl+C to stop
 1   10.0.35.203   4.500 ms  9.395 ms  9.508 ms
 2   * * *
 3   * * *
 4   * * *
 5   * * *
 6   * * *
 7   * * *
 8   * * *
R1 debug ICMP and debug IP output:
*Jan 27 20:21:10.245: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.245: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.249: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.249: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.253: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jan 27 20:21:10.253: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.253: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.253: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.257: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jan 27 20:21:10.265: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.265: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.265: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.265: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.265: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.265: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
01-29-2018 03:42 AM
So, PC1 on 10.0.35.21/24 with a DG of R1 on 10.0.35.203 is pinging 10.0.51.217.
R1 only has a static route of "ip route 10.0.36.0 255.255.255.0 Tunnel0"; you'd need to route 10.0.51.0/24 through Tunnel0. As this is a GNS3 lab, you'd be better off running a routing protocol and advertising all networks.
01-29-2018 07:22 AM
10.0.51.0/24 is the tunnel network, directly connected to both R1 and R2, so they should both know where it is. When a packet from VPC1 comes to R1, R1 knows where it is and should just route the packet to int Tunnel0. R2 has a return route, so I don't really know what the problem is.
01-29-2018 09:30 AM
Yes, you are right, I overlooked the fact 10.0.51.0/24 is the tunnel subnet.
I tweaked my lab, running CSR1000v routers, to match your setup; repeating the same test, the PC can ping the other router's IP addresses. So your configuration looks ok.
Is the PC you are using a Windows VM? It doesn't look like it from the output you previously provided.
06-05-2020 11:09 PM
I had the same issue with EVE-NG and GNS3 labs: PCs on both ends could not ping each other, nor the neighbor router's gw interface. The solution for me was disabling route caching (no ip route-cache) on the local router's interface. In your case you should disable it on FastEthernet0/0. It seems that the packet should be routed by the CPU (process switching), not by CEF. I believe it must help you.
I have not had a chance to test VTIs on real equipment yet. I hope one day I will post the results of the lab on real hardware.
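As an added example (not configuration posted by anyone in this thread), here is R1's side with the workaround from the post above applied to the LAN-facing interface, plus the checks a practitioner would run to confirm the tunnel is actually carrying traffic. Addresses, interface names and the pre-shared key are taken from the thread; the AES-256 / SHA-256 / DH group 14 cipher choices and the peer-scoped key are additions of this example, and they assume an IOS image recent enough to support them (15.x or later), which the thread does not state. The original lab config uses "address 0.0.0.0" on the ISAKMP key, which accepts the same PSK from any source address; scoping it to the peer is the cheap fix. Keep in mind that no ip route-cache disables fast and CEF switching for packets received on that interface, so it is a lab workaround for the emulator, not a setting to carry into a production design.

```cisco
! Added example, not the original poster's configuration.
! R1 side only; R2 mirrors it with the addresses swapped.
! Assumes an IOS image that supports AES-256 / SHA-256 / DH group 14.
!
! ISAKMP policy: AES-256 / SHA-256 / group 14 instead of the
! thread's 3DES / SHA-1 / group 2.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Pre-shared key scoped to the real peer rather than "address 0.0.0.0",
! which would accept the same key from any source address.
crypto isakmp key Cisco12345 address 10.0.149.217
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.51.203 255.255.255.0
 tunnel source 10.0.149.203
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P1
!
! LAN-facing interface with the workaround from the post above:
! "no ip route-cache" forces packets received here onto the
! process (CPU) switching path instead of fast/CEF switching.
! Lab workaround only; not needed on real hardware.
interface FastEthernet0/0
 ip address 10.0.35.203 255.255.255.0
 no ip route-cache
!
interface Ethernet2/0
 ip address 10.0.149.203 255.255.255.0
!
ip route 10.0.36.0 255.255.255.0 Tunnel0
!
! Verification on R1, after a ping from PC1 (10.0.35.21) to the far LAN:
!   show ip route 10.0.51.217
!       must resolve to the directly connected Tunnel0 subnet
!   show crypto isakmp sa
!       expect state QM_IDLE for peer 10.0.149.217
!   show crypto ipsec sa | include pkts
!       "#pkts encaps" and "#pkts decaps" should both increase per ping
!   show ip interface FastEthernet0/0 | include switching
!       confirms fast/CEF switching is disabled on the LAN interface
```

If the encaps counter climbs but decaps stays at zero, the packet is leaving R1 encrypted and the problem is on R2 or the return path; if neither moves, R1 is not steering the packet into the VTI at all, which is the symptom in the debug output earlier in this thread.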
07-25-2023 11:03 PM
Ayaz, your solution was helpful. Thanks a lot.
07-27-2023 08:12 AM - edited 07-27-2023 08:17 AM
Big thanks, bro, for sharing. I was stuck on this for almost a day, LOL...
I checked the configuration between the routers many times and found no problem; after adding no ip route-cache, the network is reachable end to end.