Router will not forward packet without outbound ACL and 'log' keyword.
This is an odd case that I have seen before, but not recalling the fix. We have a GRE tunnel that runs across an AT&T MPLS cloud. RIP routing works across the tunnel and we can ping the far end of the tunnel. However, we cannot ping or access IPs in the subnet learned via RIP across the tunnel. Far end routing is as it should be, default route back across the tunnel. I was able to get this to work by adding an outbound ACL on the Cisco 2811 tunnel interface; shown here:
interface Tunnel9120
 description xxxxxxxxxxxxxx
 ip address 10.123.59.122 255.255.255.252
 ip access-group findout out
 qos pre-classify
 tunnel source 10.123.63.252
 tunnel destination 10.123.62.3
end

xxxxxxxxxx-wan2#sal findout
Extended IP access list findout
    1 permit icmp any host 10.123.6.182 log (6116 matches)
    10 permit ip any any log (24583 matches)
Removal of the 'findout' access-list, or the line 1 above without the log keyword, will cause these connections to fail. Appreciate your suggestions.
This sort of symptom shows up when something isn't working quite right with CEF. By putting the log keyword on your ACL entry, you're forcing the traffic to be processed by the CPU and are bypassing CEF. What happens if you remove the ACL from the tunnel and add "no ip route-cache cef" to the tunnel and LAN interfaces?
I first confirmed that all involved interfaces had CEF enabled, with 'show ip interface' command, and all did. I next disabled route caching on the tunnel interface and the serial interface to the carrier, followed by removing the access-group on the tunnel interface. Unfortunately, my test pings to the far end began to fail immediately. Restoral of the access-group corrected the situation.
Try re-activating the "ip route-cache cef" on your tunnel and WAN, but removing it from your LAN interface? If that doesn't produce a working test, try deactivating CEF globally with "no ip cef" instead.