I am using one VRF for two tunnels which are configured on the same router.
Both tunnels are using the same interface as source address. When I do a VRF ping for the WAN IP, I get !.!.!.! type of results. Can anyone confirm that, as I am using the same source and same VRF, if I try to ping the other end WAN, my packet is going on both tunnels and getting a reply only from one? This is what I guess. In general, if we configure two static routes with equal cost, we usually get this type of result. As I am running BGP between CE & PE, I can't isolate this issue. Please give your suggestions. Thanks, Manick
Hi, regular interval drops in ping attempts are often due to anti-DOS configurations on devices. I see this quite often; it varies in the drops, sometimes the pattern will be !....!....!....!, other times it will be as you are seeing. Do you manage the CE and PE routers or are they being managed by your service provider? Also, is the device that you are trying to ping a router or is it a server?
I would investigate what security configurations are on the device you are trying to ping.
Hi Rob, Thanks for your reply
We are managing both the PE & CE. We are trying to ping the CE end WAN IP from the PE end. We have configured only an access list under the tunnel interfaces. So no need to check the security part. We are using tunnels for WAN.
Ok, Manick, sorry for useless question.
In my opinion, this is a routing issue, and not a security issue (even if Rob's post could be helpful).
You have 2 GRE tunnels with the same source IP (but different exit, is it?), same metric, same MTU ... and 2 static routes with equal cost, or 2 eBGP sessions?
Could you send us more info, and a config, please?
I agree with Andrea that the symptoms described so far sound more like a routing issue than a security anti-DOS issue. Seeing details from the router config would be very helpful.
I have seen a number of times where a router had two routes for the same destination over two tunnels, but only one tunnel was actually working and transporting responses. So it might be worthwhile verifying whether both tunnels are actually carrying data successfully.
There is load balancing going on - there must be for a 50% swing each time, absolutely defintootly load balancing. If it's not then Rob can eat his hat ;-)
Thanks for your feedback
In my case the GRE destinations are different, not the same destination. The connectivity is 7507-6500-4700. I have configured GRE between the 7507 and a 4700, and one more between the same 7500 and a different 4700. I am running ISL on the 6506. Will this ISL add more header when the traffic flows between the GREs, as the source and destination are FastEthernet/Ethernet which are connected to the 6500 switch? The protocol used between the 7507 (PE) and 4700 (boundary router) is BGP.
I have frequently configured two (and sometimes more) GRE tunnels using the same source address for the tunnel with different destination addresses (though I do not have much experience with VRF) and they work just fine.
I still believe that the symptoms suggest that it is an issue with routing logic - probably with two paths appearing for the destination but only one of them really works. It would be helpful if you would post some additional information. Would you post the output of show ip route
I thought "!.!.!.!" was telling you that the echoes were being blocked by an access list at the far end?
i.e. ICMP unreachables