CEF breaks IPSec/GRE tunnel

tato386
Level 6

I have a pair of subnets connected via an IPSec/GRE transport mode tunnel. Yesterday I turned on CEF using the "ip cef" command. The moment I did this, the hosts on the two subnets stopped talking to each other. The routers themselves looked fine. They could ping each other's private LAN and tunnel addresses with no problem. I removed the "ip cef" command and rebooted, and still nothing. Then I compared the current config with a saved copy. I noticed that before I issued the "ip cef" command, all interfaces had "no ip route-cache" configured. I re-added this command to all interfaces and everything was back to normal. Three questions:

1) Why did "ip cef" remove this command?

2) Why is "no ip route-cache" needed for my setup to work?

3) Is there a way to use "ip cef" without breaking my network?

Thanks,

Diego

7 Replies

gfullage
Cisco Employee

1. "no ip route-cache" on the interface says you want to process switch all the traffic. Turning on "ip cef" says you want to CEF switch everything, so that interface command is removed. This is IOS version dependent, it doesn't happen in every version AFAIK.

2. Again, IOS version dependent. There are tons of bugs with CEF/fast switching and IPSec or GRE/IPSec. 12.0 was especially susceptible, but generally later 12.1 and 12.2 work fine, although again there are specific versions which do have the problem.

3. Upgrade to a code version that does not have a switching/GRE/IPSec bug. What code version are you running currently? I'd upgrade to the latest mainline version that fits in your flash/memory and you should be fine to then run CEF with GRE/IPSec.

12.3 still has the odd bug; this one caught us out for a little while.

bug id CSCec26653

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec26653&cco_product=IOS&fset=&swver=&keyw=ip%20route-cache&target=&train=

Despite saying it's 2600s, we found this on the 1700, 800 and 3600 range of routers and up to version 12.3.3 of IOS.

Rhodri

That bug will definitely affect one of the two routers that I am dealing with now, so I guess an IOS upgrade won't fix all my problems. The main reason I need CEF is to do QoS classifying of traffic. The NAT and crypto stuff is on the serial interface. Assuming I can turn on CEF but somehow disable it on the serial interface, will I be able to classify traffic coming in on the ethernet interface?

Thanks,

Diego

I just helped a customer with this recently. He is running 12.2(8)T on a 3640 with IPSec/GRE/cef/QoS pre-classify.

It seems to be working for him.

Does the 1700 support QoS pre-classify? Some Cisco docs refer to this feature as only available on the 2600, 3600 and the 7200. The software advisor doesn't list 1700 routers with this feature.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
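As an added illustration of the combination Sankar describes (CEF on, GRE over IPsec in transport mode, "qos pre-classify" so the output policy still matches on the inner IP header), here is an IOS configuration sketch. It is not from any poster in this thread; the hostnames, addresses, ACL and class-map names, the pre-shared key and the DSCP-based class are all assumed placeholders.

```cisco
! Added example (not from this thread): CEF with GRE over IPsec in transport
! mode, plus "qos pre-classify" so the output policy still sees the inner IP
! header after encapsulation. Names, addresses and the key are placeholders.
ip cef
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! Only the GRE traffic between the two tunnel endpoints is encrypted
ip access-list extended GRE-TRAFFIC
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TRAFFIC
 qos pre-classify
!
class-map match-any VOICE
 match ip dscp ef
!
policy-map WAN-OUT
 class VOICE
  priority 128
 class class-default
  fair-queue
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 qos pre-classify
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
!
interface Serial0/0
 bandwidth 1544
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-MAP
 service-policy output WAN-OUT
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

No interface here carries "no ip route-cache", so everything is CEF-switched; whether this works on a given box still depends on the IOS train, as the replies above note.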

mballard
Level 1

Hello Diego. Did you have outbound access-groups applied? I'm working on a similar problem that was fixed when I added an element for 'gre' in the ACL applied to the interface. I'm now trying to determine if this behavior is by design or a bug...

Thanks.

Mike B.

It's been a while, but what I think fixed it was an IOS upgrade to 12.3. I don't remember having to modify any ACLs. I would say "bug".

Diego
