Router will not forward packet without outbound ACL and 'log' keyword.

Daniel Smith
Level 1

This is an odd case that I have seen before, but not recalling the fix. We have GRE tunnel that runs across an AT&T MPLS cloud. RIP routing works across the tunnel and we can ping the far end of the tunnel. However, we cannot ping or access IPs in the subnet learned via RIP across the tunnel. Far end routing is as it should be, default route back across the tunnel. I was able to get this to work by adding an outbound ACL on the Cisco 2811 tunnel interface; shown here:

interface Tunnel9120
 description xxxxxxxxxxxxxx
 ip address 10.123.59.122 255.255.255.252
 ip access-group findout out
 qos pre-classify
 tunnel source 10.123.63.252
 tunnel destination 10.123.62.3
end

xxxxxxxxxx-wan2#sal findout
Extended IP access list findout
    1 permit icmp any host 10.123.6.182 log (6116 matches)
    10 permit ip any any log (24583 matches)

Removal of the 'findout' access-list, or the line 1 above without the log keyword, will cause these connections to fail... I appreciate your suggestions.


3 Replies

ghostinthenet
Level 7

This sort of symptom shows up when something isn't working quite right with CEF. By putting the log keyword on your ACL entry, you're forcing the traffic to be processed by the CPU and are bypassing CEF. What happens if you remove the ACL from the tunnel and add "no ip route-cache cef" to the tunnel and LAN interfaces?
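Added example, not from this thread or from Cisco: a small audit script that parses `show access-lists` and `show ip interface` output and flags the two conditions discussed above, an ACE carrying the `log` keyword (which punts matching packets to the CPU, so it both masks CEF problems and exposes the router to CPU exhaustion under load) and an interface with CEF switching disabled. The `findout` and `mgmt-in` listings and the interface blocks are constructed samples modelled on the poster's output, not captured from a real device; the function names are my own.

```python
import re

# Constructed sample of 'show access-lists' output, modelled on the 'findout'
# listing in the thread; not captured from the poster's router.
SAMPLE_ACL = """\
Extended IP access list findout
    1 permit icmp any host 10.123.6.182 log (6116 matches)
    10 permit ip any any log (24583 matches)
Extended IP access list mgmt-in
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
    20 deny ip any any log
"""

# Constructed sample of 'show ip interface' output for two interfaces.
SAMPLE_IP_INT = """\
Tunnel9120 is up, line protocol is up
  Internet address is 10.123.59.122/30
  Outgoing access list is findout
  Inbound  access list is not set
  IP CEF switching is enabled
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.0.2.1/24
  Outgoing access list is not set
  Inbound  access list is not set
  IP CEF switching is disabled
"""

ACL_HDR_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")
IF_HDR_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol")


def parse_access_lists(text):
    """Map ACL name -> list of ACEs with seq, action, rule, log flag and hit count."""
    acls, current = {}, None
    for line in text.splitlines():
        hdr = ACL_HDR_RE.match(line)
        if hdr:
            current = hdr.group(1)
            acls[current] = []
            continue
        ace = ACE_RE.match(line)
        if ace and current is not None:
            seq, action, rule, matches = ace.groups()
            tokens = rule.split()
            # 'log' / 'log-input' is always the trailing keyword on an ACE
            has_log = bool(tokens) and tokens[-1] in ("log", "log-input")
            acls[current].append({
                "seq": int(seq), "action": action, "rule": rule,
                "log": has_log, "matches": int(matches or 0),
            })
    return acls


def parse_ip_interface(text):
    """Map interface name -> CEF state and the ACLs applied in each direction."""
    interfaces, current = {}, None
    for line in text.splitlines():
        hdr = IF_HDR_RE.match(line)
        if hdr:
            current = hdr.group(1)
            interfaces[current] = {"cef": False, "in_acl": None, "out_acl": None}
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("IP CEF switching is"):
            interfaces[current]["cef"] = s.endswith("enabled")
        elif "access list is" in s:
            key = "out_acl" if s.startswith("Outgoing") else "in_acl"
            interfaces[current][key] = None if s.endswith("not set") else s.rsplit(" ", 1)[1]
    return interfaces


def audit(acls, interfaces):
    """Return (interface, kind, detail) findings: CEF disabled, or a logging ACE applied."""
    findings = []
    for ifname, info in interfaces.items():
        if not info["cef"]:
            findings.append((ifname, "cef-disabled",
                             "IP CEF switching disabled; packets take the slower switching paths"))
        for direction in ("in_acl", "out_acl"):
            acl = info[direction]
            if acl is None:
                continue
            for ace in acls.get(acl, []):
                if ace["log"]:
                    findings.append((ifname, "log-ace",
                                     f"{acl} seq {ace['seq']} has 'log' ({ace['matches']} matches); "
                                     "matching packets are punted to the CPU"))
    return findings


if __name__ == "__main__":
    print(*audit(parse_access_lists(SAMPLE_ACL), parse_ip_interface(SAMPLE_IP_INT)), sep="\n")
```

Run it against saved copies of the two show commands (replace the sample strings) before and after removing the ACL: the `log-ace` findings tell you which entries are forcing process switching, and a `cef-disabled` finding on the tunnel or WAN interface is the thing to correct rather than keeping the logging ACE as a workaround.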

I first confirmed that all involved interfaces had CEF enabled, with 'show ip interface' command, and all did. I next disabled route caching on the tunnel interface and the serial interface to the carrier, followed by removing the access-group on the tunnel interface. Unfortunately, my test pings to the far end began to fail immediately. Restoral of the access-group corrected the situation.

Try re-activating the "ip route-cache cef" on your tunnel and WAN, but removing it from your LAN interface? If that doesn't produce a working test, try deactivating CEF globally with "no ip cef" instead.

What IOS version are you running?
