SixXS::Sunset 2017-06-06

Cisco: Tunnel Interface flapping
[de] Carmen Sandiego on Monday, 18 September 2006 22:28:52
Hello, I have been running a SixXS tunnel for a long time. Now I have noticed that my tunnel interface is flapping:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
This can happen multiple times per minute and sometimes the tunnel stays down for almost a minute. I'm using a Cisco 836 with IOS 12.4.8a. When I set up the tunnel I didn't encounter this behaviour. Numerous configuration changes (aka VPN and such) as well as IOS upgrades make it impossible to determine the point in time when the tunnel started flapping. Just don't ask. ;-)

To see if the flapping is something on the broker end, I set up a second tunnel with a Cisco 2514, IOS 12.3.20 to SixXS as well as a direct IPv6 tunnel between the two Cisco routers. The 2514 tunnels both stay up. The tunnels on the 836 flap simultaneously. So I suspect a local configuration problem on the 836. Debugging tunnels isn't very helpful:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
2d06h: CEF-Tunnel Tunnel1 physical idb changed to Dialer1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
2d06h: CEF-Tunnel Tunnel0 physical idb changed to Dialer1
2d06h: Tunnel1: IPv6/IP encapsulated 217.28.104.64->217.28.96.12 (linktype=79, len=84)
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
2d06h: Tunnel1: IPv6/IP encapsulated 217.28.104.64->217.28.96.12 (linktype=79, len=84)
2d06h: Tunnel0: IPv6/IP encapsulated 217.28.104.64->212.224.0.188 (linktype=79, len=84)
217.28.104.64: Endpoint Cisco 836
217.28.96.12: Endpoint Cisco 2514
212.224.0.188: Sixxs Tunnelbroker

Config Excerpts:
interface Tunnel0
 description IPv6
 bandwidth 448
 no ip address
 ipv6 address 2001:6F8:900:5B0::2/64
 ipv6 enable
 ipv6 traffic-filter input in
 ipv6 traffic-filter output out
 ipv6 mtu 1280
 tunnel source Dialer1
 tunnel destination 212.224.0.188
 tunnel mode ipv6ip
Note: ipv6 traffic filter is not configured on tunnel1 and it's flapping, too. Bandwidth also doesn't change anything.
interface Dialer1
 description Internet
 mtu 1456
 bandwidth 448
 ip address negotiated
 ip access-group 115 in
 ip access-group 116 out
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1416
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username foo password 0 bar
 ppp timeout authentication 60
 crypto map vpnmap
 service-policy output voice-policy
Note: Removing access-lists didn't change anything. Internet connection is stable, no packet loss.

I'm stuck since I don't know how to further diagnose this problem. Any Cisco Tunnel guru here for aid? Thanks for reading so far.

:wq! PoC
Cisco: Tunnel Interface flapping
[de] Carmen Sandiego on Tuesday, 19 September 2006 12:28:49
Addition: Disabling keepalives of the tunnel interfaces on the Cisco 836 lowers the rate of tunnel flaps considerably to about once each 5 minutes. :wq! PoC
Cisco: Tunnel Interface flapping
[nl] Shadow Hawkins on Monday, 09 October 2006 17:04:50
Hi, I'm not a guru but I can say that this config with IOS 12.4.10 on a c3640 is working very well. I haven't tried ipv6 inspect yet since this config has been working for a couple of years now. Also, please don't forget that when IPv6 is enabled on the router, access to it (e.g. telnet, ssh) is also enabled. Hope this helps a bit!

version 12.4
!
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
!
!
interface Tunnel60
 description "Tunnel interface to nlede01.sixxs.net for IPv6"
 no ip address
 load-interval 30
 ipv6 address 2001:x:y:z::b/64
 ipv6 enable
 ipv6 traffic-filter TU60-INBOUND in
 ipv6 traffic-filter TU60-OUTBOUND out
 no ipv6 redirects
 tunnel source FastEthernet2/0.666
 tunnel destination 193.109.122.244
 tunnel mode ipv6ip
 tunnel path-mtu-discovery
!
!
interface FastEthernet2/0.666
 description "Interface to the bad internet world, vlan 666"
 bandwidth 10240
 encapsulation dot1Q 666
 ip address dhcp client-id FastEthernet2/0 hostname router
 ip access-group FA2/0.666-INBOUND in
!
!
ip access-list extended FA2/0.666-INBOUND
 remark "List for inbound traffic on FA2/0.666 (Internet)"
 remark "Permit only the real important ICMP messages"
 permit icmp any host 84.245.x.y echo-reply log
 permit icmp any host 84.245.x.y unreachable log
 permit icmp any host 84.245.x.y packet-too-big log
 permit icmp any host 84.245.x.y time-exceeded log
 permit icmp any host 84.245.x.y traceroute log
 permit icmp any host 84.245.x.y administratively-prohibited log
 remark "IPv6 tunnels"
 remark "Permit IPv6 tunnel traffic from *.sixxs.net"
 permit 41 host 213.197.27.252 host 84.245.x.y
 permit 41 host 212.19.192.219 host 84.245.x.y
 permit 41 host 193.109.122.244 host 84.245.x.y
 permit 41 host 195.143.155.2 host 84.245.x.y
 remark "Permit ICMP echo for *.sixxs.net (POP's)"
 permit icmp host 213.197.27.252 host 84.245.x.y echo log
 permit icmp host 212.19.192.219 host 84.245.x.y echo log
 permit icmp host 193.109.122.244 host 84.245.x.y echo log
 permit icmp host 195.143.155.2 host 84.245.x.y echo log
 remark "Deny and log the rest of the bogus on the interface"
 deny ip any any log
!
!
ipv6 route 2000::/3 Tunnel60 2001:x:y:z::a
!
!
ipv6 access-list TU60-INBOUND
 remark "List for inbound traffic on Tu60 (Internet IPv6)"
 permit icmp any host 2001:x:y:z::b echo-request log-input
 remark "Unsecure subnet"
 permit ipv6 any 2001:x:y:k::/64
 remark "Services in the DMZ"
 permit icmp any host 2001:x:y:l::226 echo-request log-input
 permit tcp any gt 1023 host 2001:x:y:l::c eq 22
 permit tcp any gt 1023 host 2001:x:y:l::c eq smtp
 permit udp any eq domain host 2001:x:y:l::c eq domain
 permit udp any gt 1023 host 2001:x:y:l::c eq domain
 evaluate TU60-REFLEXIVE
 deny ipv6 any any log-input
!
ipv6 access-list TU60-OUTBOUND
 remark "List for outbound traffic on Tu60 (Internet IPv6)"
 permit icmp host 2001:x:y:z::b any echo-reply log-input
 permit ipv6 any any log-input reflect TU60-REFLEXIVE
 deny ipv6 any any log-input
!
ipv6 access-list VTY0-15-PERMIT-IPv6-LOGIN
 deny ipv6 any any log
!
!
line vty 0 15
 access-class VTY0-15-PERMIT-LOGIN in
 ipv6 access-class VTY0-15-PERMIT-IPv6-LOGIN in
!
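
Added example, not part of the original post or of SixXS: a small Python audit for the point made above that enabling IPv6 also opens telnet/ssh access over IPv6. It reports vty lines that have no inbound `ipv6 access-class`, or that reference an IPv6 ACL missing from the config; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample, modelled on the vty section of the config posted above.
SAMPLE = """\
ipv6 unicast-routing
!
ipv6 access-list VTY0-15-PERMIT-IPv6-LOGIN
 deny ipv6 any any log
!
line vty 0 4
 access-class VTY0-15-PERMIT-LOGIN in
 ipv6 access-class VTY0-15-PERMIT-IPv6-LOGIN in
line vty 5 15
 access-class VTY0-15-PERMIT-LOGIN in
"""

def parse_blocks(config):
    """Group an IOS config into (top-level line, [indented sub-commands])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_vty(config):
    """Return (vty line, finding) pairs for vty lines with no usable IPv6 filter."""
    blocks = parse_blocks(config)
    ipv6_on = any(head.startswith("ipv6 unicast-routing") or
                  any(c.startswith(("ipv6 address", "ipv6 enable")) for c in body)
                  for head, body in blocks)
    if not ipv6_on:
        return []  # router does not speak IPv6, nothing to check
    v6_acls = {h.split()[2] for h, _ in blocks if h.startswith("ipv6 access-list ")}
    findings = []
    for head, body in blocks:
        if not head.startswith("line vty"):
            continue
        refs = [m.group(1) for c in body
                if (m := re.match(r"ipv6 access-class (\S+) in$", c))]
        if not refs:
            findings.append((head, "no inbound ipv6 access-class"))
        findings += [(head, f"ipv6 access-class {n} is not defined")
                     for n in refs if n not in v6_acls]
    return findings

if __name__ == "__main__":
    for vty, finding in audit_vty(SAMPLE):
        print(f"{vty}: {finding}")
```

Feed it the text of `show running-config`; it expects sub-commands to be indented as IOS prints them.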


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker