Community Member

Route-map doesn't get any hits

Hello community,

My network has two connections to a third party via links on two separate ASAs, one in location A and one in location B. The link in location A is the primary connection and the other in location B should be used by only two terminals (term1, term2) in location B.

The ASAs are running OSPF and are redistributing static routes as metric-type 1 in OSPF. In order to achieve the aforementioned goal, I have configured a route-map on the ASA in location B that sets the metric for the route towards the third party to a high value (100). This way, all routers, even those in site B, prefer the exit through location A (metric about 24).

I have checked that my routers correctly have the route to the 3rd party through location A, and the OSPF database has records for the network from both locations.

In location B, I have configured the following route-map (on 6509)

route-map PREFER-LOCAL-ROUTER permit 10
 match ip address XXX
 set ip next-hop locationB-ASA

int vlanYYYY
 ip policy route-map PREFER-LOCAL-ROUTER

ip access-list extended XXX
 permit ip host term1 route_to_3rd_party 0.0.255.255
 permit ip host term2 route_to_3rd_party 0.0.255.255

From the terminals (term1 and term2) I have tried a traceroute towards the 3rd party's subnet, but I don't get any match on either the access-list or the route-map. Unfortunately I have no other way to test that my configuration is correct, since the application on the terminals that should access the 3rd party network is not currently running.

I also added the statements below to the access-list, because of the test with tracert:

 permit icmp host term1 route_to_3rd_party 0.0.255.255
 permit icmp host term2 route_to_3rd_party 0.0.255.255

Nothing changed...

Is there something wrong with the above config? Is there a chance that there is a problem with the IOS, that simply doesn't show any hits?

I would really appreciate any possible assistance,

Kind Regards,

Katerina
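For reference, here is the same policy-based routing setup written out as one consolidated IOS configuration, together with the verification commands that come up later in this thread. This is an added example, not the poster's own configuration: term1, term2, locationB-ASA, route_to_3rd_party and VlanYYYY are the placeholders the thread itself uses (real deployments need IP addresses here; IOS ACLs do not accept hostnames), and the ACL and route-map names are chosen for this example. Note that a `permit ip` entry already matches ICMP, so the separate `permit icmp` lines added for the tracert test are not needed.

```cisco
! Added example (not the original poster's config): consolidated PBR for the
! scenario in this thread. Placeholders: term1, term2, locationB-ASA,
! route_to_3rd_party, VlanYYYY. Replace them with real addresses/interfaces.
ip access-list extended PBR-TO-3RD-PARTY
 remark only the two location-B terminals use the local ASA
 remark "permit ip" already covers ICMP, so no separate icmp entries are needed
 permit ip host term1 route_to_3rd_party 0.0.255.255
 permit ip host term2 route_to_3rd_party 0.0.255.255
!
route-map PREFER-LOCAL-ROUTER permit 10
 match ip address PBR-TO-3RD-PARTY
 set ip next-hop locationB-ASA
!
interface VlanYYYY
 ip policy route-map PREFER-LOCAL-ROUTER
!
! Verification. On the Catalyst 6500 the PBR is switched in hardware, so the
! software counters shown by "show route-map" and "debug ip policy" stay at
! zero. Use the TCAM counters instead, and confirm the first hop with a
! traceroute from term1 towards the 3rd-party subnet.
! show route-map PREFER-LOCAL-ROUTER
! show tcam interface VlanYYYY acl in ip
! show tcam interface VlanYYYY acl in ip detail
```

The interface argument to `show tcam interface` is the SVI carrying the `ip policy` statement; the `detail` form lists the individual TCAM entries, which is harder to read but shows per-entry hits.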


9 REPLIES
Community Member

I would like to add that the IOS running on the 65xx is

s72033-ipservicesk9-mz.122-18.SXF3.bin

Thank you in advance,

Katerina

Cisco Employee

Hi Katerina,

what you see is expected on this platform. PBR is performed in hardware, while this type of statistics comes from the software, which does not see the traffic passing.

There is a bug documenting the behavior

CSCtg33972    PBR route-map counters not updated for packets matching the PBR

This bug has been junked as this is the expected behavior on the 6500.

Please rate the question if useful.

Riccardo

Community Member

Hello Riccardo and thank you for your reply!

I suppose that you are right about the IOS. The weird thing is that when I turn on "debug ip policy" I see things that are rejected by the policy, but nothing sourced from the two terminals shows up.

I have tried to ping (from the terminals) something that is not matched by my route map. The debug doesn't show anything.

Even if I ping something matched by the route-map nothing happens.

Today we are going to upgrade (hopefully) to s72033-advipservicesk9_wan-mz.122-18.SXF17a.bin, due to some other problems we are facing, so I hope that the route-map issue is also resolved.

I can't otherwise see something wrong with the route-map itself.

Thanks.

Cisco Employee

Hi Katerina,

debug ip policy will not work either, as again it will only show process-switched traffic and not the traffic handled in hardware.

The only way to know if your PBR works is to do a traceroute from the allowed sources and see if the next hop is the one you configured in your route-map (locationB-ASA).

Riccardo

Community Member

Riccardo,

unfortunately I have come to a dead end.

Without the route-map the trace seems to go to location A. With the route-map the trace changes. It seems to stay locally at location B, but since the next-hop is the ASA itself, I don't get a reply from it. What baffles me is that on the ASA I also don't see any connections when, from term1, I open a cmd and telnet to a TCP port (on the 3rd party server) that should be permitted.

I am waiting for the IOS update to see if it fixes anything, but I understand that this is the expected behaviour of 65xx (route-map counters).

I am really puzzled about the connections on the ASA. If the route-map were working at least I should see a connection trying to form...

Cisco Employee

Hi Katerina,

the fact that the next hop changes when you add/remove the PBR suggests that it is working.

Anyway, if your supervisor has a PFC newer than PFC3A, you can check the hardware counters from the TCAM directly, even for the PBR. You will then see how many packets hit the PBR ACEs in hardware.

It is not as straightforward as ACL/route-map counters, but it will get you to the goal.

The command is:

 sh tcam interface acl in ip

With the keyword 'detail' at the end you get more info... but it is more difficult to interpret.

IMHO you can spare your time and avoid IOS upgrade as nothing will change.

Riccardo

PS: please set question as answered if you are happy with it.

Community Member

Riccardo,

the upgrade will take place for other reasons.

Thank you for all the relevant commands.

Community Member

I would like some more information on the following:

We are running WS-SUP720 with WS-F6K-PFC3A. Should "sh tcam interface acl in ip" show any matches? Because unfortunately I don't see anything.

Even though the traceroute does change when I apply the route-map, I still don't get any connections on the ASA (I would suppose that I should see an attempt to open a connection). So I can't be sure that the route-map is fully working.

I am really stuck.

Community Member

Dear all,

The route-map is working!!!! I finally managed to see the connections on the ASA. The terminal I was doing my tests from was assigned a name on the ASA, so in order to see the connections I should have used the name format!

The IOS upgrade was also needed. With the previous IOS my colleague couldn't see any denies on the ASA when filtering by the destination IP; now he does!!!

Thank you for your support!
