I have a problem with my mobile IP configuration. The router has only one interface and therefore I have to use a virtual network.
The MN binds to the HA correctly, no errors. But if I want to ping a machine on the internet, the packets arrive at the HA and then nothing happens.
Debugging the tunnel gives me:
02:55:45: Tunnel0: MIP UDP/IP to classify 22.214.171.124->126.96.36.199(len=116 ttl=53 tos=0x0)
On the other hand the mobile IP client seems to ping the HA and then this appears:
02:55:50: Tunnel0: MIP UDP/IP to classify 188.8.131.52->184.108.40.206 (len=60 ttl=53 tos=0x0)
02:55:50: UDP: rcvd src=220.127.116.11(10), dst=18.104.22.168(434), length=40
02:55:50: Tunnel0: to decaps MIPUDP/IP packet 22.214.171.124:10->126.96.36.199:434 (len=60, ttl=53)
02:55:50: Tunnel0: decapsulated MIPUDP/IP packet 10.10.10.5->188.8.131.52 (len=28 ttl=63)
02:55:50: IP: s=10.10.10.5 (Tunnel0), d=184.108.40.206, len 28, rcvd 4
02:55:50: ICMP: echo reply sent, src 220.127.116.11, dst 10.10.10.5
02:55:50: IP: tableid=0, s=18.104.22.168 (local), d=10.10.10.5(Tunnel0), routed via FIB
02:55:50: IP: s=22.214.171.124 (local), d=10.10.10.5 (Tunnel0), len 28, sending
02:55:50: MIPUDP encapsulating IP packet 126.96.36.199->10.10.10.5 (len=28, ttl=255)
02:55:50: UDP: sent src=188.8.131.52(434), dst=184.108.40.206(10)
02:55:50: Tunnel0: MIPUDP/IP encapsulated 220.127.116.11->18.104.22.168 (linktype=7, len=60)
So it seems that the tunneled ping requests are not decapsulated, but I don't know why.
If anybody could help me it would be very nice.
Of course and excuse me for not doing it in my first post.
The config is:
Current configuration : 1212 bytes
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
enable secret 5 xxx
enable password xxx
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip domain name mobisense
ip name-server 194.x.x.129
username xxx password 0 xxx
ip ssh rsa keypair-name xxx
ip ssh logging events
ip address 219.201.x.x.255.255.0
no ip unreachables
ip nat enable
ip route 0.0.0.0 0.0.0.0 22.214.171.124
ip http server
no ip http secure-server
ip mobile home-agent
ip mobile virtual-network 10.10.10.0 255.255.255.0
ip mobile host nai mobitest address 10.10.10.5 virtual-network 10.10.10.0 255.255.255.0
ip mobile secure host nai mobitest spi decimal xxx key ascii xxx algorithm md5 mode prefix-suffix
access-list 1 permit any
timer receive-rtp 1200
line con 0
line aux 0
line vty 0 4
I hope anybody can find the error.
As you say, it looks like the mobile client can ping the HA - is this correct?
What address are you trying to ping on the internet, and do you have debugging for that packet connection?
The mobile node can ping the HA, but there's a route set to it over a physical interface and therefore the ping is not using the tunnel, so that's nothing to wonder about. The mobile client seems to ping the HA irregularly and this ping travels along the tunnel and is then answered by the HA correctly.
The problem appears if I try to ping any site and surfing does not work, too.
Every packet I try to send from the mobile node appears at the tunnel on the HA, but then it does not appear as a UDP packet.
On the mobile node everything looks correct. The packet is encapsulated and then sent via the physical interface.
What exactly do you mean by debugging for the connection?
Must admit it's been a while since I did mobile IP, so I have just done a quick refresher course!
Could you just confirm this is what you expect to happen.
1) From the MN you ping a destination on the internet.
2) The ping gets encapsulated and sent down the tunnel
3) The HA decapsulates the packet and
4) Forwards the packet on to the internet ??
If this is what you are expecting have you ensured that your NAT is working at the HA. Have you done some debugging on the internet connected interface to see if packets are actually going out towards the destination host ?
Sorry for all the questions :-)
1 to 4 are correct. I tried several NAT configurations. But I'm a little bit confused, because I have only this one physical interface. Is it inside or outside? I would say outside, but how can I assign an inside NAT to the virtual network?
But what I'm mostly wondering about is why not every MIP packet received is decapsulated and appearing as UDP packet in the debugging. And why are some packets (the packets sent by the mobile IP client automatically) correctly treated...
Just for clarity
HA = Home Agent
MN = Mobile Node, i.e. your mobile IP client
CN = Correspondent Node, i.e. a remote host on the internet
I need to read some more, but from the Cisco docs and memory, when an MN on the internet sends a packet to a CN on the internet it does not send it via the HA but sends it direct to the CN. It sends it with its virtual address, so the CN sends traffic back via the HA, which then tunnels it back to the MN.
Obviously for this to work the virtual network address has to be publicly routable and yours aren't.
My question at present is: when you ping from your MN to a CN on the internet, do you see ANY traffic arriving at your HA from the (edit **) MN? Because I'm not sure you will, as it may well be sent direct to the CN.
The only traffic you seem to be seeing is traffic from the MN directed to the HA and this is what you would expect.
There is a feature called reverse tunneling which may fix this. I will have a read myself when I get a chance.
I made a little difference between mobile node and mobile client, because the client generates the ping which is correctly decapsulated.
I'm using the reverse tunneling feature and therefore packets from the MN arrive at the HA.
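Added example, not part of any post in this thread: a small Python correlator for debug output in the format quoted in the first post. It pairs each "to classify" line with a later "to decaps" line and lists the tunnel packets that were classified but never decapsulated. The sample log is constructed with documentation addresses, and matching the two lines on tunnel, outer addresses and outer length is an assumption taken from the quoted output.

```python
import re

# Constructed sample in the debug format quoted in the thread
# (RFC 5737 documentation addresses, not the poster's).
SAMPLE = """\
02:55:45: Tunnel0: MIP UDP/IP to classify 198.51.100.7->192.0.2.1 (len=116 ttl=53 tos=0x0)
02:55:50: Tunnel0: MIP UDP/IP to classify 198.51.100.7->192.0.2.1 (len=60 ttl=53 tos=0x0)
02:55:50: UDP: rcvd src=198.51.100.7(10), dst=192.0.2.1(434), length=40
02:55:50: Tunnel0: to decaps MIPUDP/IP packet 198.51.100.7:10->192.0.2.1:434 (len=60, ttl=53)
02:55:50: Tunnel0: decapsulated MIPUDP/IP packet 10.10.10.5->192.0.2.1 (len=28 ttl=63)
"""

TS = r"^(\d\d:\d\d:\d\d): (Tunnel\d+): "
CLASSIFY = re.compile(TS + r"MIP UDP/IP to classify ([\d.]+)->([\d.]+)\s*\(len=(\d+)")
DECAPS = re.compile(
    TS + r"to decaps MIPUDP/IP packet ([\d.]+):\d+->([\d.]+):\d+\s*\(len=(\d+)")
INNER = re.compile(TS + r"decapsulated MIPUDP/IP packet ([\d.]+)->([\d.]+)")


def correlate(log_text):
    """Return (handled, dropped): classified packets with and without a decaps."""
    pending, handled = [], []
    for line in log_text.splitlines():
        if m := CLASSIFY.match(line):
            ts, tun, src, dst, length = m.groups()
            pending.append({"time": ts, "key": (tun, src, dst, int(length))})
        elif m := DECAPS.match(line):
            _, tun, src, dst, length = m.groups()
            key = (tun, src, dst, int(length))
            # Assumption: a decaps line belongs to the oldest pending
            # classify line with the same tunnel, outer addresses and length.
            for ev in pending:
                if ev["key"] == key:
                    pending.remove(ev)
                    handled.append(ev)
                    break
        elif (m := INNER.match(line)) and handled:
            # Record the inner source/destination of the last decapsulated packet.
            handled[-1]["inner"] = (m.group(3), m.group(4))
    return handled, pending


if __name__ == "__main__":
    ok, dropped = correlate(SAMPLE)
    for ev in ok:
        print("decapsulated:", ev["time"], ev["key"], "inner", ev.get("inner"))
    for ev in dropped:
        print("classified, never decapsulated:", ev["time"], ev["key"])
```

Run over a longer capture, the "never decapsulated" list shows whether the unhandled packets share an outer length or address pair that the handled ones do not.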