How Can This Be - HSRP & PING

All,

I have 2 x separate questions as follows:

1) Ping

Router (877) -----DMVPN----- Router (2801) ----- PIX (515E-R) ----- Internet

From my remote 877 DMVPN router I can ping the inside & outside of my 2801 DMVPN router without loss of a packet. Whenever I ping the inside of the PIX or beyond (the Internet) I get sporadic responses with pings (some hits, some misses). There is a route on the PIX pointing at my 877's network via the 2801 (hence some ICMP packet hits), so I am sure the routing is OK. One caveat: if I set the size of the ping to e.g. 64 bytes, 1000 bytes, 1400 bytes etc. the response is 100% successful; if I set the size of the ping packet to the Cisco default of 100 bytes it gives me the hit / miss response.

On my DMVPN interfaces I have tcp mss-adjust 1360 and an MTU size of 1400 configured.

2) HSRP

A colleague has configured 2 x 3825 routers with an IP address on their Gig 0/0 ports with a 10.x.x.x /24 address. Under the same interface he has a standby IP address 62.x.x.x. His Gig ports connect to a switch and ultimately a Telco router that he runs eBGP with. He said that this allows him to provide resiliency to the Telco router.

I thought that the standby address had to be on the same subnet as the IP address coded under the port. He said the above works because the config provides resilience at layer 2 and not to get this confused with layer 3.

Anyone seen this before, or have I got the wrong end of the stick?

Reply to
Darren Green
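As an added example (not from the thread, Cisco, or any of the posters), the arithmetic behind the tunnel's "ip mtu 1400" and "ip tcp adjust-mss 1360", in Python. It models the overhead of the encapsulation the 877 config in this thread shows (mGRE with a tunnel key, ESP in transport mode with esp-3des/esp-md5-hmac) and checks each ping size against the physical MTU of the Dialer path, which is assumed here to be 1500 bytes. The header sizes are the standard ones for GRE, ESP, 3DES-CBC and HMAC-MD5-96; the ping sizes are the ones Darren tested.

```python
"""Estimate the on-the-wire size of a ping carried over an mGRE tunnel
protected by ESP in transport mode (esp-3des, esp-md5-hmac), as in the
877 config posted in this thread.  Added example, not code from the
thread.  The 1500-byte physical MTU is an assumption.

Cisco 'ping' size is the size of the IP datagram, IP header included.
"""

OUTER_IP_HDR = 20      # delivery IP header, kept in place by ESP transport mode
GRE_HDR = 4 + 4        # base GRE header + 4-byte key ("tunnel key ..." in the config)
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_IV_3DES = 8        # 3DES-CBC initialisation vector
ESP_TRAILER = 2        # pad length + next header
ESP_ICV_MD5 = 12       # HMAC-MD5-96 integrity check value
CIPHER_BLOCK = 8       # 3DES block size; padding aligns the trailer to it


def esp_padding(plaintext_len: int) -> int:
    """ESP padding bytes so that (payload + trailer) is a multiple of the
    cipher block size."""
    return (-(plaintext_len + ESP_TRAILER)) % CIPHER_BLOCK


def encapsulated_size(inner_ip_len: int) -> int:
    """Size of the outer IP packet that carries one inner IP datagram of
    inner_ip_len bytes through the mGRE + ESP-transport tunnel."""
    gre_payload = GRE_HDR + inner_ip_len
    encrypted = ESP_IV_3DES + gre_payload + esp_padding(gre_payload) + ESP_TRAILER
    return OUTER_IP_HDR + ESP_HDR + encrypted + ESP_ICV_MD5


def fits_physical_mtu(inner_ip_len: int, tunnel_ip_mtu: int = 1400,
                      physical_mtu: int = 1500) -> tuple:
    """Return (True, wire_size) when the inner packet passes the tunnel
    'ip mtu' and the encapsulated packet still fits the physical MTU
    without fragmentation; (False, wire_size) otherwise."""
    size = encapsulated_size(inner_ip_len)
    if inner_ip_len > tunnel_ip_mtu:
        # The tunnel interface fragments (or rejects with DF set) before
        # encapsulation, so the packet does not go through whole.
        return False, size
    return size <= physical_mtu, size


def tcp_mss_for(tunnel_ip_mtu: int = 1400) -> int:
    """MSS that keeps a full TCP segment inside the tunnel IP MTU
    (20-byte IP header + 20-byte TCP header): the config's adjust-mss 1360."""
    return tunnel_ip_mtu - 20 - 20


def report(sizes=(64, 100, 1000, 1400, 1500)) -> dict:
    """Map each ping size to (fits_without_fragmentation, wire_size)."""
    return {n: fits_physical_mtu(n) for n in sizes}


if __name__ == "__main__":
    for n, (ok, wire) in report().items():
        state = "no fragmentation" if ok else "fragmented / exceeds MTU"
        print(f"ping size {n:5d} -> {wire:5d} bytes on the wire, {state}")
    print(f"TCP MSS for ip mtu 1400: {tcp_mss_for(1400)}")
```

Running it shows a 1400-byte ping leaving the tunnel at 1464 bytes, which is why an "ip mtu 1400" keeps the encapsulated packet under 1500, while a 100-byte ping is only 160 bytes on the wire. Size-dependent loss at 100 bytes is therefore not an MTU or fragmentation effect, which fits the thread's eventual finding that the drops were on the 2801 rather than in the tunnel path.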

if I set the size of the ping e.g 64 bytes, 1000 bytes 1400 bytes

Try to capture the ping packets on the PIX inside interface using the capture command to see if the PIX receives the ICMP packets and replies.

the setup described is quite valid. There was a recent posting on this subject in the group

see

formatting link

Reply to
Merv

Merv,

Thanks for your help. I have entered answers below.

A- It does, I see the pings come into the PIX and the replies going back towards the 877. Interestingly, I did a debug ip icmp on the 2801 DMVPN router and it didn't produce any results - but some pings must be getting through as I get !..!. on the 877. This differs each time I send the ping.

If I ping from the PIX to the 877 I get 100% response. I am suspecting that I have either a fragmentation problem or the encryption / decryption process isn't doing what it should.

The PIX and 2800 are connected via a L2 switch (2950) I'll see what this throws up.

Can't believe I missed that one. Thanks for the link.

Regards

Darren

Reply to
Darren Green

So I assume that you can ping from 2800 to the PIX without any issues

Does using extended ping on the 877 with the LAN IP address as the source IP address make any difference?

Reply to
Merv

Post show version and running config for 877

Reply to
Merv

Merv,

Info below. I had to strip out parts of the access-list that referenced public IPs.

"Merv" wrote in message news: snipped-for-privacy@35g2000cwc.googlegroups.com...

R02#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
Technical Support: formatting link
(c) 1986-2006 by Cisco Systems, Inc.
Compiled Thu 23-Feb-06 04:00 by ccai

ROM: System Bootstrap, Version 12.3(8r)YI2, RELEASE SOFTWARE

R02 uptime is 2 days, 4 hours, 9 minutes
System returned to ROM by reload
System restarted at 17:24:35 UTC Fri Jul 14 2006
System image file is "flash:c870-advipservicesk9-mz.124-6.T.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
formatting link
If you require further assistance please contact us by sending email to snipped-for-privacy@cisco.com.

Cisco 877 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FHK100121SL
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10

4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R02
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret XXXXXXXXXXXXX
!
aaa new-model
!
aaa session-id common
!
resource policy
!
ip cef
!
no ip domain lookup
ip domain name XYZ.co.uk
!
username XXXXXXXXXXXXXX password XXXXXXXXXXXXXXXXXXXXX
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 65 15
!
crypto ipsec transform-set mGRE esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile mGRE
 set transform-set mGRE
!
interface Tunnel1
 description Secondary link
 bandwidth 256
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXXXXX
 ip nhrp map multicast 10.X.X.X
 ip nhrp map 172.16.0.1 10.X.X.X
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key XXXXXXXX
 tunnel protection ipsec profile mGRE
!
interface Loopback0
 ip address 172.31.236.2 255.255.255.255
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet1
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet2
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet3
 duplex full
 speed 100
 no cdp enable
!
interface Vlan1
 ip address 10.10.2.202 255.255.0.0
 ip access-group deny_rip in
 no ip redirects
 standby 100 ip 10.10.2.200
 standby 100 preempt
!
interface Dialer0
 ip address negotiated
 ip access-group outside in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname XXXXXXXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXXXX
!
router eigrp 10
 network 10.10.0.0 0.0.255.255
 network 172.16.0.0 0.0.0.255
 distribute-list 2 out Vlan1
 no auto-summary
!
router rip
 version 2
 no validate-update-source
 passive-interface Vlan1
 network 10.0.0.0
 network 172.31.0.0
 distribute-list 1 out
 no auto-summary
!
ip route 192.168.120.0 255.255.255.0 10.10.2.254
ip route 192.168.128.0 255.255.255.0 10.10.2.254
ip route 192.168.129.0 255.255.255.0 10.10.2.254
!
no ip http server
no ip http secure-server
!
ip access-list extended deny_rip
 deny udp host 10.10.2.254 any eq rip
 permit eigrp any any
 permit ip any any
ip access-list extended outside
 permit udp 10.250.0.0 0.0.255.255 any eq isakmp
 permit esp 10.250.0.0 0.0.255.255 any
 permit gre 10.250.0.0 0.0.255.255 any
 permit udp 10.250.0.0 0.0.255.255 any eq rip
 permit ip 10.250.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.250.0.0 0.0.255.255 host 10.250.X.X (WAN IP)
 permit ip 10.150.1.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny ip any any log
!
access-list 1 permit 172.31.236.2
access-list 1 permit 10.250.0.0 0.0.255.255
access-list 2 deny 172.16.0.0 0.0.0.255
access-list 2 permit any
no cdp run
!
control-plane
!
banner motd ^CCCCCCC Unauthorised Access Is Strictly Prohibited

This system is to be used for authorised business purposes only.

All activity on this system is monitored for security violations.

Unauthorised access or activity is a violation of law.

^C
!
line con 0
 exec-timeout 120 0
 logging synchronous
 no modem enable
 transport preferred ssh
 stopbits 1
line aux 0
 transport preferred ssh
line vty 0 4
 access-class 10 in (NB removed from above config)
 exec-timeout 60 0
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Regards

Darren

Reply to
Darren Green

You will not get any output from debug ip icmp on the 2800 when the traffic is not destined to the 2800 (i.e. no for-us packets).

You can try using the router alert IP option in the extended ping options, which forces each router to examine the packet. In this case the debug may display the ICMP packets.

Reply to
Merv

Does the issue show up if the source of the ping packets is a PC on the LAN connected to the 877 (i.e. a non-router-sourced packet)?

Reply to
Merv

Merv,

I will ask the end user to try this for me. I only had access to the router.

It will be about 8hrs before I can respond with the info. I will ask for various size packet responses to see what happens.

Thanks again for all the help.

Regards

Darren

Reply to
Darren Green

Merv,

We managed to resolve it. It was CEF on the DMVPN router (2801). I followed the pings to the PIX and back. I put an access-list on the outside of the 2801 (between the 2801 & PIX) trapping ICMP to / from a host address behind the remote 877.

I noticed that the access-list count on the 2800 was increasing even though lots of the pings were timing out on the remote 877. This seemed to suggest that the problem was on the 2801. I took CEF off and the pings started flying through.

Answers to your question as follows:

Yes it did. I asked the end user to send various size ping packets and he saw lots of drops with various size packets.

Thanks for your help again with this and taking the time out to respond.

Regards

Darren

Reply to
Darren Green
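The counter check Darren describes (an ACL on the 2801's outside interface matching ICMP to and from a host behind the 877, whose hit counts kept rising while the 877 saw timeouts) can be worked up from two snapshots of show access-lists. Below is an added example in Python, not code from the thread or from Cisco; the ACL name trace_icmp, the host 10.10.2.50 and the counter values in the sample output are constructed, and the ping result (100 sent, 62 received) is a constructed figure standing in for the !..!. pattern Darren saw.

```python
"""Localise ICMP loss from two 'show access-lists' snapshots taken on a
transit router while a ping test runs.  Added example, not from the
thread.  Sample output below is constructed with hypothetical values.
"""
import re

# One ACE line with a hit counter, e.g.
#   "    10 permit icmp host 10.10.2.50 any echo (100 matches)"
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(.+?)\s+\((\d+) match(?:es)?\)\s*$")

# Constructed snapshots: the first taken before the ping test, the second
# after it.  Both echo and echo-reply counters rose by 100.
BEFORE = """Extended IP access list trace_icmp
    10 permit icmp host 10.10.2.50 any echo (100 matches)
    20 permit icmp any host 10.10.2.50 echo-reply (100 matches)
    30 permit ip any any (52310 matches)
"""
AFTER = """Extended IP access list trace_icmp
    10 permit icmp host 10.10.2.50 any echo (200 matches)
    20 permit icmp any host 10.10.2.50 echo-reply (200 matches)
    30 permit ip any any (52480 matches)
"""


def parse_counters(show_output: str) -> dict:
    """Map each ACE (action + match text) to its hit counter.  IOS omits
    the '(n matches)' suffix for ACEs with zero hits, so those are absent."""
    counters = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[f"{m.group(1)} {m.group(2)}"] = int(m.group(3))
    return counters


def delta(before: dict, after: dict) -> dict:
    """Hits per ACE between the two snapshots (missing ACE counts as 0)."""
    return {ace: after.get(ace, 0) - before.get(ace, 0)
            for ace in set(before) | set(after)}


def loss_report(before: str, after: str, sent: int, received: int) -> dict:
    """Compare what the ping client saw (sent/received) with how many echo
    requests and replies crossed the monitored interface in between."""
    d = delta(parse_counters(before), parse_counters(after))
    requests = sum(v for k, v in d.items() if k.endswith(" echo"))
    replies = sum(v for k, v in d.items() if k.endswith(" echo-reply"))
    return {
        "requests_seen": requests,
        "replies_seen": replies,
        "sent": sent,
        "received": received,
        # Replies crossed the ACL but never reached the client: the loss is
        # between this interface and the ping source (the thread's case,
        # where the 2801's forwarding toward the tunnel was dropping them).
        "lost_after_monitor_point": replies - received,
        # Requests that never produced a reply here: loss beyond this point
        # (towards the PIX / Internet).
        "lost_beyond_monitor_point": requests - replies,
    }


if __name__ == "__main__":
    for key, value in loss_report(BEFORE, AFTER, sent=100, received=62).items():
        print(f"{key:26s} {value}")
```

With the constructed snapshots every one of the 100 requests was answered at the monitored interface, yet the client received only 62 replies, so the 38 missing packets were lost on the inside leg, which is the same reasoning that pointed Darren at the 2801 rather than the PIX. Deltas rather than raw counters matter here: the ACL will usually also be matching background traffic, and only the change during the test window is attributable to it.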

Suggest you report this problem to Cisco as it really sounds like a bug.

Reply to
Merv

BTW, what IOS version is in use on the 2800?

Reply to
Merv

It was 12.4.6T Advanced IP services off the top of my head. I will double check in the morning and if I am incorrect I will post an update.

Regards

Darren

Reply to
Darren Green
