
New Member

CEF breaks IPSec/GRE tunnel

I have a pair of subnets connected via an IPSec/GRE transport mode tunnel. Yesterday I turned on CEF using the "ip cef" command. The moment I did this the hosts on the two subnets stopped talking to each other. The routers themselves looked fine. They could ping each other's private LAN and tunnel addresses with no problem. I removed the "ip cef" command and rebooted and still nothing. Then I compared the current config with a saved copy. I noticed that before I issued the "ip cef" command all interfaces had "no ip route-cache" configured. I re-added this command to all interfaces and everything was back to normal. Three questions:

1) Why did "ip cef" remove this command?

2) Why is "no ip route-cache" needed for my setup to work?

3) Is there a way to use "ip cef" without breaking my network?

Thanks,

Diego

7 REPLIES
Cisco Employee

Re: CEF breaks IPSec/GRE tunnel

1. "no ip route-cache" on the interface says you want to process switch all the traffic. Turning on "ip cef" says you want to CEF switch everything, so that interface command is removed. This is IOS version dependent, it doesn't happen in every version AFAIK.

2. Again, IOS version dependent. There are tons of bugs with CEF/fast switching and IPSec or GRE/IPSec. 12.0 was especially susceptible, but generally later 12.1 and 12.2 work fine, although again there are specific versions which do have the problem.

3. Upgrade to a code version that does not have a switching/GRE/IPSec bug. What code version are you running currently? I'd upgrade to the latest mainline version that fits in your flash/memory and you should be fine to then run CEF with GRE/IPSec.

New Member

Re: CEF breaks IPSec/GRE tunnel

12.3 still has the odd bug, this one caught us out for a little while.

bug id CSCec26653

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec26653&cco_product=IOS&fset=&swver=&keyw=ip%20route-cache&target=&train=

Despite saying it's 2600s, we found this on the 1700, 800 and 3600 range of routers and up to version 12.3.3 of IOS.

Rhodri

New Member

Re: CEF breaks IPSec/GRE tunnel

That bug will definitely affect one of the two routers that I am dealing with now so I guess an IOS upgrade won't fix all my problems. The main reason I need CEF is to do QoS classifying of traffic. The NAT and crypto stuff is on the serial interface. Assuming I can turn on CEF but somehow disable it on the serial interface will I be able to classify traffic coming in on the ethernet interface?

Thanks,

Diego

New Member

Re: CEF breaks IPSec/GRE tunnel

I just helped a customer with this recently. He is running 12.2(8)T on a 3640 with IPSec/GRE/cef/QoS pre-classify.

It seems to be working for him.

Re: CEF breaks IPSec/GRE tunnel

Does the 1700 support QoS pre-classify? Some Cisco docs refer to this feature as only available on the 2600, 3600 and 7200. The software advisor doesn't list 1700 routers with this feature.

New Member

Re: CEF breaks IPSec/GRE tunnel

Hello Diego. Did you have outbound access-groups applied? I'm working on a similar problem that was fixed when I added an element for 'gre' in the ACL applied to the interface. I'm now trying to determine if this behavior is by design or a bug.

Thanks.

Mike B.
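The approach Diego asks about (CEF on globally for classification, but switched off only on the serial interface that carries the crypto map), together with the "qos pre-classify" setup mentioned in the 12.2(8)T reply and the GRE entry in the outbound ACL that Mike B. describes, as an added configuration example that is not from any post in this thread. Interface names, addresses, ACL numbers and the transform set are assumed; whether per-interface "no ip route-cache cef" avoids the switching bugs discussed above is IOS version dependent, as the replies note.

```cisco
! Added example (constructed, not from this thread). Assumes LAN on Ethernet0/0,
! WAN with NAT and crypto map on Serial0/0, GRE tunnel Tunnel0, transport mode IPSec.
ip cef
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
 ! carry the classification of the cleartext packet through encryption
 qos pre-classify
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ! CEF stays enabled here, so QoS classification of LAN traffic works
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 ! classify on the inner packet before GRE encapsulation
 qos pre-classify
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ! process switch only this interface instead of removing "ip cef" globally
 no ip route-cache cef
 ip nat outside
 ip access-group 101 out
 crypto map VPNMAP
!
! outbound ACL must permit the GRE tunnel itself plus the IPSec/ISAKMP traffic
access-list 101 permit gre host 203.0.113.1 host 203.0.113.2
access-list 101 permit esp host 203.0.113.1 host 203.0.113.2
access-list 101 permit udp host 203.0.113.1 host 203.0.113.2 eq isakmp
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! crypto ACL: protect the GRE traffic between the tunnel endpoints
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
```

After applying this, "show ip interface Serial0/0" should report CEF switching disabled on that interface only, while "show ip cef" still shows the FIB populated for the LAN side.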

New Member

Re: CEF breaks IPSec/GRE tunnel

It's been a while but what I think fixed it was an IOS upgrade to 12.3. I don't remember having to modify any ACLs. I would say "bug".

Diego
