tunnels and policy routing problem

sergey.klusov
Level 1

Are tunnel-encapsulated packets subject to local policy routing or not?

I have a router with two different ISPs' channels and have set up two tunnel interfaces with different source IPs accordingly. I set up a local policy to route each source IP to the corresponding ISP gateway, but only one tunnel actually works, perhaps by means of CEF destination load sharing; disabling CEF turns on per-packet load sharing, and then only half of the packets get passed through the tunnel, and the local policy doesn't work.

Any workarounds?

5 Replies

sergey.klusov
Level 1

Also, it looks like load-balancing ruins static NAT as well.

Here is the full config:

version 12.4
!
ip cef
!
ip sla monitor 10
 type echo protocol ipIcmpEcho CENT.RAL.SITE.IP source-interface FastEthernet0/0
 request-data-size 512
 verify-data
 frequency 10
ip sla monitor schedule 10 life forever start-time now
ip sla monitor 20
 type echo protocol ipIcmpEcho CENT.RAL.SITE.IP source-interface FastEthernet0/1
 request-data-size 512
 verify-data
 frequency 10
ip sla monitor schedule 20 life forever start-time now
!
voice-card 0
!
ip ssh version 2
!
track 10 rtr 10
 delay down 20 up 30
!
track 20 rtr 20
 delay down 20 up 30
!
interface Tunnel0
 ip address 10.35.4.110 255.255.255.252
 tunnel source MY.ISP.1.IP
 tunnel destination CENT.RAL.SITE.IP
!
interface Tunnel1
 ip address 10.35.4.114 255.255.255.252
 tunnel source MY.ISP.2.IP
 tunnel destination CENT.RAL.SITE.IP
!
interface FastEthernet0/0
 ip address MY.ISP.1.IP 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address MY.ISP.2.IP 255.255.255.252
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
 ip address 10.23.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router ospf 1
 router-id 10.23.5.1
 network 10.0.0.0 0.255.255.255 area 0.0.0.0
!
ip local policy route-map rm_local
ip route 0.0.0.0 0.0.0.0 MY.ISP.1.GW track 10
ip route 0.0.0.0 0.0.0.0 MY.ISP.2.GW track 20
ip route 0.0.0.0 0.0.0.0 MY.ISP.1.GW 200
ip route 0.0.0.0 0.0.0.0 MY.ISP.2.GW 200
!
ip nat pool pool_isp1 MY.ISP.1.IP MY.ISP.1.IP prefix-length 28
ip nat pool pool_isp2 MY.ISP.2.IP MY.ISP.2.IP prefix-length 30
!
ip nat inside source route-map rm_nat_isp1 pool pool_isp1 overload
ip nat inside source route-map rm_nat_isp2 pool pool_isp2 overload
!
ip nat inside source static tcp 10.23.7.2 3389 MY.ISP.2.IP 3389 extendable
ip nat inside source static tcp 10.23.6.123 3389 MY.ISP.2.IP 3390 extendable
ip nat inside source static tcp 10.23.7.2 3389 MY.ISP.1.IP 3389 extendable
ip nat inside source static tcp 10.23.6.123 3389 MY.ISP.1.IP 3390 extendable
!
ip access-list extended local_isp12any
 deny ip host MY.ISP.1.IP 10.0.0.0 0.255.255.255
 permit ip host MY.ISP.1.IP any
ip access-list extended local_isp22any
 deny ip host MY.ISP.2.IP 10.0.0.0 0.255.255.255
 permit ip host MY.ISP.2.IP any
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
!
route-map rm_nat_isp2 permit 10
 match ip address 1
 match interface FastEthernet0/1
!
route-map rm_nat_isp1 permit 10
 match ip address 1
 match interface FastEthernet0/0
!
route-map rm_local permit 10
 match ip address local_isp12any
 match interface FastEthernet0/0
 set ip next-hop MY.ISP.1.GW
!
route-map rm_local permit 20
 match ip address local_isp22any
 match interface FastEthernet0/1
 set ip next-hop MY.ISP.2.GW
!

What do you see when you do a debug ip policy?

It should show you that the policy is being matched.

Narayan

Nothing.

I've got messages about packets sent back into the tunnel,

but no messages about encapsulated packets generated by that tunnel itself.

Like:

Dec 26 2007 13:36:31 MSK: IP: s=10.35.4.114 (local), d=10.35.4.113, len 84, policy rejected -- normal forwarding

And I see with tcpdump on a monitoring Unix box that packets leave out of the wrong interface, destined to the wrong gateway with the correct source address, and of course get filtered by the ISP.

Have you allowed the source interface from where you are trying in the access-list referenced by the local policy?

You need to do an extended trace with the above source interface to verify.

Narayan

Of course I did.

Here is what I googled:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCds24740

CSCds24740 Bug Details

GRE packets are not subject to local policy routing

Symptom and conditions:

GRE packets are not subject to local policy routing though they are originated by the router itself. I.e. it is expected that in this configuration:

!
interface Tunnel0
 ip address 192.168.2.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 192.168.1.2
!
ip local policy route-map dev
!
route-map dev permit 10
 set ip precedence critical
 set ip next-hop 192.168.4.2
!

GRE packets will receive higher priority and deviate from the normal routing path. But currently GRE-encapsulated packets ignore this policy routing map.

I can't access that link myself. Is there any kind of bugfix in the near future or in more recent IOSes?

PS: the proposed workaround would not work for me, because I try to make two tunnels to the same destination address.
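A small Python model of the behaviour this thread describes, added here and not part of the original posts: it shows why router-originated GRE packets that skip 'ip local policy' (CSCds24740) leave the wrong ISP link with the other link's source address and are then dropped by the ISP's source-address (anti-spoofing) filter, under both CEF per-destination and per-packet load sharing. The addresses are constructed RFC 5737 stand-ins for the thread's MY.ISP.x.IP and CENT.RAL.SITE.IP placeholders, and the src/dst hash is a deliberate simplification of CEF's.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation ranges) for the thread's
# MY.ISP.1.IP, MY.ISP.2.IP and CENT.RAL.SITE.IP placeholders.
IFACES = {
    "FastEthernet0/0": ipaddress.ip_interface("192.0.2.10/28"),
    "FastEthernet0/1": ipaddress.ip_interface("198.51.100.2/30"),
}
TUNNEL_SOURCES = {"Tunnel0": "192.0.2.10", "Tunnel1": "198.51.100.2"}
CENTRAL_SITE = "203.0.113.1"
DEFAULT_ROUTES = ["FastEthernet0/0", "FastEthernet0/1"]  # two equal-cost 0.0.0.0/0 routes

def local_policy(src):
    """rm_local: a packet sourced from an ISP-facing address leaves via that ISP's link."""
    for name, ifc in IFACES.items():
        if ipaddress.ip_address(src) == ifc.ip:
            return name
    return None  # "policy rejected -- normal forwarding"

def load_share(src, dst, mode, seq):
    """Equal-cost choice without policy: CEF per-destination (src/dst hash, simplified
    here to XOR parity) or per-packet alternation when CEF is disabled."""
    if mode == "per-packet":
        key = seq
    else:
        key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    return DEFAULT_ROUTES[key % len(DEFAULT_ROUTES)]

def egress(src, dst, mode, seq, gre_honours_policy):
    """Router-originated GRE skips 'ip local policy' (CSCds24740) unless the fix is present."""
    chosen = local_policy(src) if gre_honours_policy else None
    return chosen or load_share(src, dst, mode, seq)

def isp_accepts(iface, src):
    """ISP-side ingress filter: only the link's own prefix is a valid source address."""
    return ipaddress.ip_address(src) in IFACES[iface].network

def tunnel_pass_rate(mode, gre_honours_policy, packets=100):
    """Fraction of each tunnel's GRE packets that survive the ISP's source filter."""
    rates = {}
    for tunnel, src in TUNNEL_SOURCES.items():
        ok = sum(isp_accepts(egress(src, CENTRAL_SITE, mode, i, gre_honours_policy), src)
                 for i in range(packets))
        rates[tunnel] = ok / packets
    return rates

if __name__ == "__main__":
    for mode in ("per-destination", "per-packet"):
        print(mode, "buggy:", tunnel_pass_rate(mode, False), "fixed:", tunnel_pass_rate(mode, True))
```

With the bug present, per-destination sharing sends both tunnels' traffic out the same link (one tunnel works, the other never does) and per-packet sharing loses half of each tunnel's packets, matching the symptoms reported above; with local policy honoured, both tunnels pass fully.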
