Cisco: Tunnel Interface flapping
Carmen Sandiego on Monday, 18 September 2006 22:28:52
Hello,
I've been running a SixXS tunnel for a long period of time. Now I've noticed that my tunnel interface is flapping:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
This can happen multiple times per minute and sometimes the tunnel stays down for almost a minute.
I'm using a Cisco 836 with IOS 12.4.8a. When I set up the tunnel I didn't encounter this behaviour. Numerous configuration changes (aka VPN and such) as well as IOS upgrades make it impossible to determine a point in time when the tunnel started flapping. Just don't ask. ;-)
To see if the flapping is something on the broker end, I set up a second tunnel with a Cisco 2514, IOS 12.3.20, to SixXS as well as a direct IPv6 tunnel between the two Cisco routers.
The 2514 tunnels both stay up. The tunnels on the 836 flap simultaneously. So I suspect a local configuration problem on the 836.
Debugging tunnels isn't very helpful:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
2d06h: CEF-Tunnel Tunnel1 physical idb changed to Dialer1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
2d06h: CEF-Tunnel Tunnel0 physical idb changed to Dialer1
2d06h: Tunnel1: IPv6/IP encapsulated 217.28.104.64->217.28.96.12 (linktype=79, len=84)
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
2d06h: Tunnel1: IPv6/IP encapsulated 217.28.104.64->217.28.96.12 (linktype=79, len=84)
2d06h: Tunnel0: IPv6/IP encapsulated 217.28.104.64->212.224.0.188 (linktype=79, len=84)
217.28.104.64: Endpoint Cisco 836
217.28.96.12: Endpoint Cisco 2514
212.224.0.188: SixXS tunnel broker
Config Excerpts:
interface Tunnel0
description IPv6
bandwidth 448
no ip address
ipv6 address 2001:6F8:900:5B0::2/64
ipv6 enable
ipv6 traffic-filter input in
ipv6 traffic-filter output out
ipv6 mtu 1280
tunnel source Dialer1
tunnel destination 212.224.0.188
tunnel mode ipv6ip
Note: the ipv6 traffic-filter is not configured on Tunnel1 and it's flapping, too. Bandwidth also doesn't change anything.
interface Dialer1
description Internet
mtu 1456
bandwidth 448
ip address negotiated
ip access-group 115 in
ip access-group 116 out
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1416
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username foo password 0 bar
ppp timeout authentication 60
crypto map vpnmap
service-policy output voice-policy
Note: Removing the access-lists didn't change anything. The Internet connection is stable, no packet loss.
I'm stuck since I don't know how to further diagnose this problem. Any Cisco tunnel guru here for aid?
Thanks for reading so far.
:wq! PoC
Cisco: Tunnel Interface flapping
Carmen Sandiego on Tuesday, 19 September 2006 12:28:49
Addition: Disabling keepalives on the tunnel interfaces of the Cisco 836 lowers the rate of tunnel flaps considerably, to about once every 5 minutes.
:wq! PoC
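The syslog lines quoted in the first post only show Tunnel0 and Tunnel1 going down and coming back; to put numbers on the flap rate and the longest outage (and to compare before and after the keepalive change in the follow-up), here is an added Python script that is not part of the thread. It parses %LINEPROTO-5-UPDOWN messages as written to `show logging` with `service timestamps log datetime` (an assumption; the timestamped sample log is constructed).

```python
import re
from datetime import datetime

# Constructed sample syslog in the form IOS writes with "service timestamps
# log datetime"; the message text is the one quoted in the thread.
SAMPLE_LOG = """\
Sep 18 22:10:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Sep 18 22:10:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Sep 18 22:10:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
Sep 18 22:10:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
Sep 18 22:10:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Sep 18 22:11:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Sep 18 22:12:00: %SYS-5-CONFIG_I: Configured from console by vty0
"""

UPDOWN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): %LINEPROTO-5-UPDOWN: "
    r"Line protocol on Interface (?P<ifname>\S+), changed state to (?P<state>up|down)$"
)

def parse_updown(log_text, year=2006):
    """Yield (timestamp, interface, state) for every LINEPROTO-5-UPDOWN line."""
    for line in log_text.splitlines():
        m = UPDOWN_RE.match(line)
        if m:  # any other syslog message is skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ifname"], m["state"]

def flap_stats(log_text):
    """Per interface: completed down->up cycles, longest outage in seconds and
    flaps per minute over the window spanned by all UPDOWN events in the log."""
    events = list(parse_updown(log_text))
    if not events:
        return {}
    window_min = max((events[-1][0] - events[0][0]).total_seconds() / 60, 1 / 60)
    stats = {}
    for ts, ifname, state in events:
        s = stats.setdefault(ifname, {"flaps": 0, "longest_down_s": 0.0, "_down": None})
        if state == "down":
            s["_down"] = ts  # outage starts (or restarts)
        elif s["_down"] is not None:
            s["flaps"] += 1  # a down->up cycle completed
            s["longest_down_s"] = max(s["longest_down_s"], (ts - s["_down"]).total_seconds())
            s["_down"] = None
    for s in stats.values():
        s.pop("_down")
        s["flaps_per_min"] = round(s["flaps"] / window_min, 2)
    return stats
```

Run `flap_stats()` over the saved `show logging` output before and after a config change; an interface whose `longest_down_s` stays near the keepalive interval while `flaps_per_min` changes with the keepalive setting is losing keepalives rather than its route or source interface.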
Cisco: Tunnel Interface flapping
Shadow Hawkins on Monday, 09 October 2006 17:04:50
Hi,
I'm not a guru but I can say that this config with IOS 12.4.10 on a c3640 is working very well. I haven't tried ipv6 inspect yet since this config has been working for a couple of years now.
Also... please don't forget that when IPv6 is enabled on the router, access to it (e.g. telnet, ssh) is also enabled.
Hope this helps a bit.
!
version 12.4
!
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
!
!
interface Tunnel60
description "Tunnel interface to nlede01.sixxs.net for IPv6"
no ip address
load-interval 30
ipv6 address 2001:x:y:z::b/64
ipv6 enable
ipv6 traffic-filter TU60-INBOUND in
ipv6 traffic-filter TU60-OUTBOUND out
no ipv6 redirects
tunnel source FastEthernet2/0.666
tunnel destination 193.109.122.244
tunnel mode ipv6ip
tunnel path-mtu-discovery
!
!
interface FastEthernet2/0.666
description "Interface to the bad internet world, vlan 666"
bandwidth 10240
encapsulation dot1Q 666
ip address dhcp client-id FastEthernet2/0 hostname router
ip access-group FA2/0.666-INBOUND in
!
!
ip access-list extended FA2/0.666-INBOUND
remark "List for inbound traffic on FA2/0.666 (Internet)"
remark "Permit only the real important ICMP messages"
permit icmp any host 84.245.x.y echo-reply log
permit icmp any host 84.245.x.y unreachable log
permit icmp any host 84.245.x.y packet-too-big log
permit icmp any host 84.245.x.y time-exceeded log
permit icmp any host 84.245.x.y traceroute log
permit icmp any host 84.245.x.y administratively-prohibited log
remark "IPv6 tunnels"
remark "Permit IPv6 tunnel traffic from *.sixxs.net"
permit 41 host 213.197.27.252 host 84.245.x.y
permit 41 host 212.19.192.219 host 84.245.x.y
permit 41 host 193.109.122.244 host 84.245.x.y
permit 41 host 195.143.155.2 host 84.245.x.y
remark "Permit ICMP echo for *.sixxs.net (POP's)"
permit icmp host 213.197.27.252 host 84.245.x.y echo log
permit icmp host 212.19.192.219 host 84.245.x.y echo log
permit icmp host 193.109.122.244 host 84.245.x.y echo log
permit icmp host 195.143.155.2 host 84.245.x.y echo log
remark "Deny and log the rest of the bogus on the interface"
deny ip any any log
!
!
ipv6 route 2000::/3 Tunnel60 2001:x:y:z::a
!
!
ipv6 access-list TU60-INBOUND
remark "List for inbound traffic on Tu60 (Internet IPv6)"
permit icmp any host 2001:x:y:z::b echo-request log-input
remark "Unsecure subnet"
permit ipv6 any 2001:x:y:k::/64
remark "Services in the DMZ"
permit icmp any host 2001:x:y:l::226 echo-request log-input
permit tcp any gt 1023 host 2001:x:y:l::c eq 22
permit tcp any gt 1023 host 2001:x:y:l::c eq smtp
permit udp any eq domain host 2001:x:y:l::c eq domain
permit udp any gt 1023 host 2001:x:y:l::c eq domain
evaluate TU60-REFLEXIVE
deny ipv6 any any log-input
!
ipv6 access-list TU60-OUTBOUND
remark "List for outbound traffic on Tu60 (Internet IPv6)"
permit icmp host 2001:x:y:z::b any echo-reply log-input
permit ipv6 any any log-input reflect TU60-REFLEXIVE
deny ipv6 any any log-input
!
ipv6 access-list VTY0-15-PERMIT-IPv6-LOGIN
deny ipv6 any any log
!
!
line vty 0 15
access-class VTY0-15-PERMIT-LOGIN in
ipv6 access-class VTY0-15-PERMIT-IPv6-LOGIN in
!