ping problem - 877VA with 15.3(1)T
Shadow Hawkins on Monday, 17 December 2012 11:01:49
Hello all,
I've changed my Cisco router and now I have an 877VA with IOS version 15.3(1)T.
My problem now is: I can't ping the other side of my tunnel, but the tunnel is UP and I can access the internet:
From an inside server to google:
[root@xavier.ofi ~]# ping6 -c 4 2a00:1450:4016:801::1013
PING 2a00:1450:4016:801::1013(2a00:1450:4016:801::1013) 56 data bytes
64 bytes from 2a00:1450:4016:801::1013: icmp_seq=1 ttl=54 time=123 ms
64 bytes from 2a00:1450:4016:801::1013: icmp_seq=2 ttl=54 time=125 ms
64 bytes from 2a00:1450:4016:801::1013: icmp_seq=3 ttl=54 time=128 ms
64 bytes from 2a00:1450:4016:801::1013: icmp_seq=4 ttl=54 time=129 ms
--- 2a00:1450:4016:801::1013 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3133ms
rtt min/avg/max/mdev = 123.941/126.857/129.312/2.259 ms
[root@xavier.ofi ~]#
From the same server to my tunnel end:
[root@xavier.ofi ~]# ping6 -c 4 2001:B18:2000:xxx::2
PING 2001:B18:2000:138::2(2001:b18:2000:xxx::2) 56 data bytes
64 bytes from 2001:b18:2000:xxx::2: icmp_seq=1 ttl=64 time=0.883 ms
64 bytes from 2001:b18:2000:xxx::2: icmp_seq=2 ttl=64 time=1.12 ms
64 bytes from 2001:b18:2000:xxx::2: icmp_seq=3 ttl=64 time=0.790 ms
64 bytes from 2001:b18:2000:xxx::2: icmp_seq=4 ttl=64 time=0.786 ms
--- 2001:B18:2000:xxx::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.786/0.895/1.121/0.136 ms
[root@xavier.ofi ~]#
From the server to the other side of the tunnel:
[root@xavier.ofi ~]# ping6 -c 4 2001:B18:2000:xxx::1
PING 2001:B18:2000:138::1(2001:b18:2000:xxx::1) 56 data bytes
64 bytes from 2001:b18:2000:xxx::1: icmp_seq=1 ttl=63 time=71.7 ms
64 bytes from 2001:b18:2000:xxx::1: icmp_seq=2 ttl=63 time=99.8 ms
64 bytes from 2001:b18:2000:xxx::1: icmp_seq=3 ttl=63 time=72.9 ms
64 bytes from 2001:b18:2000:xxx::1: icmp_seq=4 ttl=63 time=82.1 ms
--- 2001:B18:2000:xxx::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3086ms
rtt min/avg/max/mdev = 71.794/81.672/99.803/11.214 ms
[root@xavier.ofi ~]#
But from the router to the tunnel destination:
adsl-qa#ping 2001:B18:2000:XXX::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:B18:2000:XXX::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
adsl-qa#
Doing some debugging I can see my pings:
Dec 17 11:47:14 adsl-qa 1797: ICMPv6: Sent echo request, Src=2001:B18:2000:xxx::2, Dst=2001:B18:2000:xxx::1
Dec 17 11:47:16 adsl-qa 1798: ICMPv6: Sent echo request, Src=2001:B18:2000:xxx::2, Dst=2001:B18:2000:xxx::1
Dec 17 11:47:18 adsl-qa 1799: ICMPv6: Sent echo request, Src=2001:B18:2000:xxx::2, Dst=2001:B18:2000:xxx::1
Dec 17 11:47:20 adsl-qa 1800: ICMPv6: Sent echo request, Src=2001:B18:2000:xxx::2, Dst=2001:B18:2000:xxx::1
Dec 17 11:47:22 adsl-qa 1801: ICMPv6: Sent echo request, Src=2001:B18:2000:xxx::2, Dst=2001:B18:2000:xxx::1
And I can see how I reply to the requests:
Dec 17 11:35:53 adsl-qa 1736: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-internet-in/15 permitted icmpv6 2001:B18:2000:xxx::1 (Tunnel0) -> 2001:B18:2000:xxx::2 (128/0), 6 packets
Dec 17 11:36:07 adsl-qa 1737: ICMPv6: Received echo request, Src=2001:B18:2000:xxx::1, Dst=2001:B18:2000:xxx::2
Dec 17 11:36:07 adsl-qa 1738: ICMPv6: Sent echo reply, Src=2001:B18:2000:xxx::2, Dst=2001:B18:2000:xxx::1
I've configured the router following this http://www.sixxs.net/wiki/Cisco
Any idea?
Thanks a lot
Xavier
ping problem - 877VA with 15.3(1)T
Jeroen Massar on Monday, 17 December 2012 11:03:12
I can't ping my other side of the tunnel
Check your routing tables. Maybe you are routing the tunnel /64 to a wrong location?
As you are masking out IP addresses, there is not much to tell whether you are using something wrong or not.
ping problem - 877VA with 15.3(1)T
Shadow Hawkins on Monday, 17 December 2012 12:05:47
Thanks for your response
Check your routing tables. Maybe you are routing the tunnel /64 to a wrong location?
ipv6 route ::/0 Tunnel0
As you are masking out IP addresses, there is not much to tell whether you are using something wrong or not.
Sorry. That's my tunnel endpoint IP 2001:B18:2000:138::2
ping problem - 877VA with 15.3(1)T
Jeroen Massar on Monday, 17 December 2012 13:02:13
ipv6 route ::/0 Tunnel0
That is one route; you will at least have a route for the tunnel and also one for the subnet, and next to that the link-locals.
ping problem - 877VA with 15.3(1)T
Shadow Hawkins on Monday, 17 December 2012 15:37:24
adsl-qa#sh ipv6 route
IPv6 Routing Table - default - 9 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
R - RIP, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect
S ::/0 [1/0]
via Tunnel0, directly connected
C 2001:B18:2000:138::/64 [0/0]
via Tunnel0, directly connected
L 2001:B18:2000:138::2/128 [0/0]
via Tunnel0, receive
S 2001:B18:4076:4::/64 [1/0]
via 2001:B18:4076:9::254
C 2001:B18:4076:9::/64 [0/0]
via Vlan1, directly connected
L 2001:B18:4076:9::246/128 [0/0]
via Vlan1, receive
S 2001:B18:4076:60::/64 [1/0]
via 2001:B18:4076:9::254
S 2607:F2F8:ADB8::/64 [1/0]
via 2001:B18:2000:138::1
L FF00::/8 [0/0]
via Null0, receive
adsl-qa#
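As an added example, not part of the thread, the following Python models the longest-prefix-match lookup that a router performs over the table posted above, including the recursive resolution of a static route whose next hop is an address rather than an interface. ROUTES is a transcription of the "sh ipv6 route" output; the lookup and resolve functions are my own illustration, not IOS code.

```python
import ipaddress

# Transcribed from the "sh ipv6 route" output posted above:
# (code, prefix, next hop or egress interface).
ROUTES = [
    ("S", "::/0", "Tunnel0"),
    ("C", "2001:B18:2000:138::/64", "Tunnel0"),
    ("L", "2001:B18:2000:138::2/128", "receive"),
    ("S", "2001:B18:4076:4::/64", "2001:B18:4076:9::254"),
    ("C", "2001:B18:4076:9::/64", "Vlan1"),
    ("L", "2001:B18:4076:9::246/128", "receive"),
    ("S", "2001:B18:4076:60::/64", "2001:B18:4076:9::254"),
    ("S", "2607:F2F8:ADB8::/64", "2001:B18:2000:138::1"),
    ("L", "FF00::/8", "Null0"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (code, prefix, next_hop) of the most
    specific route covering dst, or None if nothing covers it."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for code, prefix, nh in routes:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net, nh)
    if best is None:
        return None
    return best[0], str(best[1]), best[2]


def resolve(dst, routes=ROUTES, max_depth=4):
    """Follow recursive next hops until an interface (or 'receive') is reached.
    Returns the chain of (prefix, next_hop) pairs that were consulted."""
    path = []
    target = dst
    for _ in range(max_depth):
        hit = lookup(target, routes)
        if hit is None:
            return path          # unroutable
        _, prefix, nh = hit
        path.append((prefix, nh))
        try:
            ipaddress.IPv6Address(nh)
        except ValueError:
            return path          # nh is an interface name or 'receive'
        target = nh              # nh is an address: look it up again
    return path


if __name__ == "__main__":
    # Destinations taken from the ping tests in the thread plus one behind
    # the 2607: static route (the host part is constructed).
    for dst in ("2001:b18:2000:138::1", "2001:b18:2000:138::2",
                "2a00:1450:4016:801::1013", "2607:f2f8:adb8::1"):
        print(dst, "->", resolve(dst))
```

Running it shows that the far tunnel end 2001:B18:2000:138::1 is covered by the connected /64 on Tunnel0 rather than by the ::/0 default, that Google's address falls through to the default, and that the 2607: route resolves in two steps via the tunnel's connected prefix.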
ping problem - 877VA with 15.3(1)T
Shadow Hawkins on Monday, 17 December 2012 17:40:41
Do you have any ipv6 access lists, ip inspect or zone-based firewall configured?
Can you post the relevant parts of your startup-config?
I use a similar setup using an 867VAE and IOS 15.1 with a static tunnel. I have ipv6 inspect configured to permit IPv6 ICMP and allow replies back through the firewall.
ping problem - 877VA with 15.3(1)T
Shadow Hawkins on Tuesday, 18 December 2012 15:52:31
!
!Chassis type: 887VA - a 887VA router
!CPU: MPC8300
!
!Memory: main 196608K/65536K
!Memory: nvram 256K
!
!Image: Software: C880DATA-UNIVERSALK9-M, 15.3(1)T, RELEASE SOFTWARE (fc1)
!Image: Compiled: Mon 26-Nov-12 21:23 by prod_rel_team
!Image: flash:c880data-universalk9-mz.153-1.T.bin
!
!ROM Bootstrap: Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
!
!
!
config-register 0x2102
!
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-qa
!
boot-start-marker
boot system flash c880data-universalk9-mz.153-1.T.bin
boot-end-marker
!
!enable secret 5 <removed>
!enable password <removed>
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
memory-size iomem 25
clock timezone GMT 1 0
clock summer-time GMT recurring
!
no ip source-route
!
ip dhcp pool crwstest
origin ipcp
!
no ip domain lookup
ip domain name soft.com
ip cef
ipv6 source-route
ipv6 nd ns-interval 1000
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 multicast rpf use-bgp
!
license udi pid CISCO887VA-K9 sn <removed>
!
username sistemas secret 5 <removed>
!
controller VDSL 0
!
ip ssh time-out 60
ip ssh authentication-retries 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
no crypto isakmp enable
!
interface Tunnel0
description IPv6 uplink to SixXS
no ip address
ip tcp adjust-mss 1420
ipv6 address 2001:B18:2000:138::2/64
ipv6 enable
ipv6 mtu 1480
ipv6 inspect cbac-ipv6 out
ipv6 traffic-filter ipv6-internet-in in
tunnel source ATM0.1
tunnel mode ipv6ip
tunnel destination 82.102.0.131
!
interface ATM0
no ip address
no ip unreachables
no ip route-cache
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
hold-queue 208 in
!
interface ATM0.1 point-to-point
ip address <removed>
ip mtu 1452
ip nat outside
ip virtual-reassembly in
no ip route-cache
pvc 8/32
encapsulation aal5snap
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 172.20.9.246 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2001:B18:xxxx:9::246/64
ipv6 nd ns-interval 1000
hold-queue 100 out
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat translation tcp-timeout 600
ip nat inside source list control_nat interface ATM0.1 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 172.20.0.0 255.255.0.0 172.20.9.254
!
ip access-list extended control_nat
permit ip any any
!
logging trap debugging
logging host 172.20.4.20
no cdp run
ipv6 route 2001:B18:xxxx:60::/64 2001:B18:xxxx:9::254
ipv6 route ::/0 Tunnel0
!
snmp-server community <removed> RO
snmp-server host 172.20.4.20 soft_secure
!
ipv6 access-list ipv6-internet-in
remark allow ping by SixXS PoP to determine tunnel status
sequence 20 permit icmp host 2001:B18:2000:138::1 host 2001:B18:2000:138::2 echo-request
remark prevent ingress of all addresses except global unicast and multicast
deny ipv6 ::/3 any log
deny ipv6 8000::/2 any log
deny ipv6 C000::/3 any log
deny ipv6 E000::/4 any log
deny ipv6 F000::/5 any log
deny ipv6 F800::/6 any log
deny ipv6 FC00::/7 any log
deny ipv6 FE00::/8 any log
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-request
permit icmp any any echo-reply
deny ipv6 any any log
!
line con 0
exec-timeout 0 0
! password <removed>
no modem enable
transport preferred ssh
transport output all
stopbits 1
line aux 0
transport output all
stopbits 1
line vty 0 4
exec-timeout 120 0
! password <removed>
transport input ssh
transport output all
!
scheduler max-task-time 5000
ntp server 172.20.4.219
ntp server 172.20.4.220
!
end
ping problem - 877VA with 15.3(1)T
Shadow Hawkins on Tuesday, 18 December 2012 21:57:44
I would take a close look at your ipv6 access list rather than trying to copy and modify the one in the wiki. Decide exactly what traffic you want to allow into and out of your network then write it down and convert it into a list.
Be aware that ACLs start from the top down and match the first rule. At the end of the list is an implied DENY ANY ANY.
I would start with something simple that denies everything except ICMP and build it up from there:
ipv6 access-list ipv6-internet-in
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-request
permit icmp any any echo-reply
deny ipv6 any any log
I've also been wondering if ipv6 has changed in this version of IOS. In ipv4 inspect there is an option to append router-traffic to tcp, udp and icmp, which is required to permit pings, DNS queries, etc. from the router.
Can you check to see if it accepts the command
ipv6 inspect name cbac-ipv6 icmp router-traffic
HTH,
Nick.
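As an added example, not part of Nick's post, here is a small Python evaluator for the top-down, first-match behaviour he describes, run over both the ipv6-internet-in list from Xavier's config and Nick's minimal starting list. The parser covers only the ACL syntax that appears on this page (sequence numbers, remark, any/host/prefix, the four ICMPv6 type names, log); the sample packets are constructed, and the implicit final deny is modelled while the implicit nd-ns/nd-na permits that IOS also appends are left out.

```python
import ipaddress

# ICMPv6 type names used in IOS ACLs and their numeric types (RFC 4443).
ICMPV6_TYPES = {"packet-too-big": 2, "time-exceeded": 3,
                "echo-request": 128, "echo-reply": 129}

# Copy of the ipv6-internet-in list as posted in the config above.
POSTED_ACL = """
remark allow ping by SixXS PoP to determine tunnel status
sequence 20 permit icmp host 2001:B18:2000:138::1 host 2001:B18:2000:138::2 echo-request
remark prevent ingress of all addresses except global unicast and multicast
deny ipv6 ::/3 any log
deny ipv6 8000::/2 any log
deny ipv6 C000::/3 any log
deny ipv6 E000::/4 any log
deny ipv6 F000::/5 any log
deny ipv6 F800::/6 any log
deny ipv6 FC00::/7 any log
deny ipv6 FE00::/8 any log
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-request
permit icmp any any echo-reply
deny ipv6 any any log
"""

# Nick's minimal starting list, as posted.
SIMPLE_ACL = """
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-request
permit icmp any any echo-reply
deny ipv6 any any log
"""


def _take_addr(tok):
    """Consume one address spec (any | host X | PREFIX/LEN) from a token list."""
    if tok[0] == "any":
        return ipaddress.IPv6Network("::/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv6Network(tok[1] + "/128"), tok[2:]
    return ipaddress.IPv6Network(tok[0]), tok[1:]


def parse_acl(text):
    """Parse the subset of IOS ipv6 access-list syntax used on this page.
    Each rule becomes (action, proto, src_net, dst_net, icmp_type, log)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue                      # remarks never match traffic
        if tok[0] == "sequence":
            tok = tok[2:]                 # order in the list is what matters
        action, proto = tok[0], tok[1]
        src, tok = _take_addr(tok[2:])
        dst, tok = _take_addr(tok)
        itype, log = None, False
        for t in tok:
            if t == "log":
                log = True
            elif t in ICMPV6_TYPES:
                itype = ICMPV6_TYPES[t]
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
        rules.append((action, proto, src, dst, itype, log))
    return rules


def evaluate(rules, proto, src, dst, icmp_type=None):
    """Top-down, first-match evaluation of one packet.
    Returns (action, index of the matching rule or None, logged).
    A miss falls through to the implicit 'deny ipv6 any any' (index None);
    the implicit nd-ns/nd-na permits IOS adds before it are not modelled."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for i, (action, rproto, rsrc, rdst, rtype, log) in enumerate(rules):
        if rproto != "ipv6" and rproto != proto:
            continue                      # 'ipv6' rules match every protocol
        if s not in rsrc or d not in rdst:
            continue
        if rtype is not None and rtype != icmp_type:
            continue
        return action, i, log
    return "deny", None, False


if __name__ == "__main__":
    rules = parse_acl(POSTED_ACL)
    # Constructed sample packets: the PoP status ping, the reply to the
    # router's own ping, a link-local source, and a TCP packet from outside.
    samples = [
        ("icmp", "2001:b18:2000:138::1", "2001:b18:2000:138::2", 128),
        ("icmp", "2001:b18:2000:138::1", "2001:b18:2000:138::2", 129),
        ("icmp", "fe80::1", "2001:b18:2000:138::2", 128),
        ("tcp", "2a00:1450:4016:801::1013", "2001:b18:2000:138::2", None),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(rules, *pkt))
```

The returned rule index makes it easy to see which line each packet stops at: the PoP's echo-request is accepted by the sequence 20 line, an echo-reply to the router falls all the way to the generic echo-reply permit, a link-local source is caught and logged by the FE00::/8 deny, and anything that is not ICMP hits the final logged deny. Dropping the explicit last line shows the implicit deny taking over with no log entry, which is the point Nick makes about the implied DENY ANY ANY.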
ping problem - 877VA with 15.3(1)T
Shadow Hawkins on Wednesday, 19 December 2012 14:33:04
No way with router-traffic
adsl-qa(config)#ipv6 inspect name cbac-ipv6 icmp router-traffic
^
% Invalid input detected at '^' marker.
adsl-qa(config)#ipv6 inspect name cbac-ipv6 icmp ?
alert Turn on/off alert
audit-trail Turn on/off audit trail
timeout Specify the inactivity timeout time
<cr>
adsl-qa(config)#
I will start working on the access-list.
Thanks a lot for your time.
Xavier