2 identical tunnels from same IPv4 endpoint. nlams04 works, nlede01 says it doesn't
Carmen Sandiego on Sunday, 20 November 2011 15:52:48
Hi,
For quite a while I've had two tunnels on the same endpoint, a Cisco 1841 running 12.4.24: one tunnel to nlams04 (T17046) and one to nlede01 (T1391). All worked fine with the help of some source-routing.
This Friday my ISP changed its modem for a new router (including a new IP), which is now placed in front of the router. Everything is now forwarded from that router to this Cisco. On the Cisco nothing has changed; it already got its IP address via DHCP in the previous setup, only now it's an rfc1918 instead of a public one. After the IP change of these tunnels' endpoints, the tunnel with nlams04 is working.
ciscort001#ping 2001:960:2:88::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:960:2:88::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/16 ms
Nov 20 15:35:12: %IPV6_ACL-6-ACCESSLOGDP: list Tunnel0-in/50 permitted icmpv6 2001:960:2:88::1 -> 2001:960:2:88::2 (1/0), 1 packet
And the tunnel with nlede01 seems to work also:
ciscort001#ping 2001:7B8:2FF:22A::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:7B8:2FF:22A::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/32 ms
Nov 20 15:37:45: %IPV6_ACL-6-ACCESSLOGDP: list Tunnel3-in/20 permitted icmpv6 2001:7B8:2FF:22A::1 -> 2001:7B8:2FF:22A::2 (129/0), 5 packets
But still I'm getting emails that this tunnel isn't responding and the graphs also show this.
It seems protocol 41 is working. Before the previous ping:
ciscort001#sh access-list inet-incoming | incl 193.109.122.244
70 permit 41 host 193.109.122.244 any (6245 matches)
After the ping:
ciscort001#sh access-list inet-incoming | incl 193.109.122.244
70 permit 41 host 193.109.122.244 any (6250 matches)
Again, nothing has changed in the configuration of the Cisco. Here are, I guess, the most important parts of its configuration:
interface Tunnel0
 description SixXS IPv6 tunnel Scarlet - T17046
 no ip address
 ipv6 address 2001:960:2:88::2/64
 ipv6 enable
 ipv6 traffic-filter Tunnel0-in in
 ipv6 traffic-filter Tunnel0-out out
 ipv6 mtu 1280
 ipv6 inspect IPFirewall-IPv6 out
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 213.204.193.2
 tunnel mode ipv6ip
!
interface Tunnel3
 description SixXS IPv6 tunnel BIT - T1391
 no ip address
 ipv6 address 2001:7B8:2FF:22A::2/64
 ipv6 enable
 ipv6 traffic-filter Tunnel3-in in
 ipv6 traffic-filter Tunnel3-out out
 ipv6 mtu 1280
 ipv6 inspect IPFirewall-IPv6 out
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 193.109.122.244
 tunnel mode ipv6ip
end
!
ciscort001#sh ipv6 access-list Tunnel0-in
IPv6 access list Tunnel0-in
    permit icmp any host 2001:960:2:88::2 log (7572 matches) sequence 20
    permit icmp any 2001:960:644::/48 log (5 matches) sequence 25
    deny ipv6 any any log (540 matches) sequence 30
ciscort001#sh ipv6 access-list Tunnel3-in
IPv6 access list Tunnel3-in
    permit icmp any host 2001:7B8:2FF:22A::2 log (6157 matches) sequence 20
    permit icmp any 2001:7B8:3FA::/48 log sequence 25
    deny ipv6 any any log (108 matches) sequence 30
!
ciscort001#sh access-list inet-incoming | incl 213.204.193.2
50 permit 41 host 213.204.193.2 any (75220 matches)
ciscort001#sh access-list inet-incoming | incl 193.109.122.244
70 permit 41 host 193.109.122.244 any (6245 matches)
What am I doing wrong?
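The before/after counter check from the post above, as an added example that is not part of the original thread: a Python helper that parses IOS `show access-list` and `show ipv6 access-list` output and reports per-entry hit-count deltas. The function names are hypothetical, and it assumes only the two entry layouts shown in the post.

```python
import re

# The two IOS entry layouts that appear in the post:
#   IPv4: "70 permit 41 host 193.109.122.244 any (6245 matches)"
#   IPv6: "permit icmp any host 2001:7B8:2FF:22A::2 log (6157 matches) sequence 20"
# An entry that has never matched prints no "(N matches)" part at all.
_COUNT = r"(?:\s+\((?P<n>\d+) match(?:es)?\))?"
_IPV4 = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<rule>(?:permit|deny)\s.+?)" + _COUNT + r"\s*$")
_IPV6 = re.compile(r"^\s*(?P<rule>(?:permit|deny)\s.+?)" + _COUNT + r"\s+sequence\s+(?P<seq>\d+)\s*$")


def parse_counters(text):
    """Return {"<seq> <rule>": hit_count} for every ACL entry found in text."""
    counters = {}
    for line in text.splitlines():
        m = _IPV4.match(line) or _IPV6.match(line)
        if m:  # prompts, headers and "!" lines are skipped
            counters[f"{m['seq']} {m['rule']}"] = int(m["n"] or 0)
    return counters


def counter_deltas(before, after):
    """Per-entry growth between two snapshots; unchanged entries are left out."""
    old, new = parse_counters(before), parse_counters(after)
    return {k: new[k] - old.get(k, 0) for k in new if new[k] != old.get(k, 0)}


# Snapshots copied from the post (outer IPv4 ACL, before and after the 5-echo ping).
BEFORE = """ciscort001#sh access-list inet-incoming | incl 193.109.122.244
70 permit 41 host 193.109.122.244 any (6245 matches)"""
AFTER = """ciscort001#sh access-list inet-incoming | incl 193.109.122.244
70 permit 41 host 193.109.122.244 any (6250 matches)"""
# Inner IPv6 ACL listing copied from the post; sequence 25 has no counter yet.
TUNNEL3_IN = """IPv6 access list Tunnel3-in
permit icmp any host 2001:7B8:2FF:22A::2 log (6157 matches) sequence 20
permit icmp any 2001:7B8:3FA::/48 log sequence 25
deny ipv6 any any log (108 matches) sequence 30"""

if __name__ == "__main__":
    print(counter_deltas(BEFORE, AFTER))
    print(parse_counters(TUNNEL3_IN))
```

A delta equal to the number of echoes sent shows that replies to router-initiated traffic pass the outer ACL; it says nothing about packets the far end initiates.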
Shadow Hawkins on Monday, 21 November 2011 10:49:26
Could you also show the output of
sh access-list Tunnel3-out
Jeroen Massar on Monday, 21 November 2011 12:47:09
"only now it's an rfc1918 instead of a public one"
Thus you are definitely behind a NAT and likely your NAT box can't handle protocol-41 from two endpoints.
Carmen Sandiego on Monday, 21 November 2011 19:16:12
Yes, I'm definitely behind a NAT, but it does like dual nat. See this output from a friend's machine which also has an IPv6 tunnel to nlede01:
[dennis@averell ~]$ ifconfig sixxs
sixxs Link encap:IPv6-in-IPv4
inet6 addr: fe80::d594:e58f/128 Scope:Link
inet6 addr: 2001:7b8:2ff:61::2/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:381976 errors:0 dropped:0 overruns:0 frame:0
TX packets:232912 errors:45 dropped:0 overruns:0 carrier:45
collisions:0 txqueuelen:0
RX bytes:540883839 (515.8 MiB) TX bytes:17805037 (16.9 MiB)
[dennis@averell ~]$ ping6 2001:7B8:2FF:22A::2
PING 2001:7B8:2FF:22A::2(2001:7b8:2ff:22a::2) 56 data bytes
64 bytes from 2001:7b8:2ff:22a::2: icmp_seq=1 ttl=63 time=23.5 ms
64 bytes from 2001:7b8:2ff:22a::2: icmp_seq=2 ttl=63 time=29.6 ms
64 bytes from 2001:7b8:2ff:22a::2: icmp_seq=3 ttl=63 time=23.7 ms
64 bytes from 2001:7b8:2ff:22a::2: icmp_seq=4 ttl=63 time=27.0 ms
^C
--- 2001:7B8:2FF:22A::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 23.585/26.017/29.664/2.520 ms
[dennis@averell ~]$
[dennis@averell ~]$ ping6 2001:960:2:88::2
PING 2001:960:2:88::2(2001:960:2:88::2) 56 data bytes
64 bytes from 2001:960:2:88::2: icmp_seq=1 ttl=59 time=27.7 ms
64 bytes from 2001:960:2:88::2: icmp_seq=2 ttl=59 time=25.7 ms
64 bytes from 2001:960:2:88::2: icmp_seq=3 ttl=59 time=24.9 ms
64 bytes from 2001:960:2:88::2: icmp_seq=4 ttl=59 time=30.7 ms
64 bytes from 2001:960:2:88::2: icmp_seq=5 ttl=59 time=25.2 ms
^C
--- 2001:960:2:88::2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 24.980/26.887/30.758/2.173 ms
[dennis@averell ~]$
So both tunnels are responding. Anything on the nlede01 perhaps?
Carmen Sandiego on Monday, 21 November 2011 20:01:26