What does your GRE tunnel configuration look like, and what IP addresses are you using for source and destination?
Very interesting ... I cannot wait to watch this email string - seems like an interesting one.

JS

On Sat, Oct 27, 2012 at 3:05 AM, Keller Giacomarro <[email protected]> wrote:

> I ran into something in a practice lab that has me scratching my head. The
> situation was like this...
>
> CE1 ----- PE1 ---- <ipv4 cloud> ---- PE2 ----- CE2
>
> PE1 and PE2 are running MPLS via a GRE tunnel across the IPv4 cloud. They
> are exchanging customer routes between CE1 and CE2 via MP-BGP.
>
> The task was to create a ZBF on PE1 that blocked some things and allowed
> others. Seemed simple enough. I did my class-maps, policy-maps, zones,
> and zone-pairs as normal. The trouble came when I applied my ZBF to the
> interfaces.
>
> PE1:
> interface tunnel 0
>  ! mpls GRE tunnel to PE2
>  keepalive 10 3
>  zone-member sec vpn
> !
> interface s0/0
>  ! serial link to CE1
>  zone-member sec outside
>
> PE2:
> interface tunnel 0
>  keepalive 10 3
>
> Everything worked fine...for 30 seconds or so. PE2 drops its tunnel. A
> 'debug tunnel keepalive' shows that PE2 is not getting responses to its
> keepalives. PE1's keepalives are normal, and the tunnel stays up even
> though the other side is down.
> From PE2, I can ping the physical interface on PE1 fine. It's just the
> keepalives that are dropping.
>
> The fix is to do one of three things...
>
> PE1:
> interface tun 0
>  no keepalive
> ! tunnel stays up and traffic passes correctly both over the tunnel and to
> ! the underlying physical interface
>
> OR
>
> PE1:
> interface f0/0
>  ! ipv4 cloud interface
>  zone-member sec vpn
> ! adds the underlying tunnel physical interface to the same zone, possibly
> ! having other side-effects
>
> OR
>
> PE1:
> zone sec physical
> !
> zone-pair sec vpn-to-physical source vpn destination physical
>  service-policy type inspect pm-permit-any
> zone-pair sec physical-to-vpn source physical destination vpn
>  service-policy type inspect pm-permit-any
> !
> interface f0/0
>  zone-member sec physical
> !
> ! create a new zone for the physical interface and allow traffic to pass
> ! between it and the vpn zone on the tunnel
>
> My question is...WHY? Why does the physical interface for the tunnel need
> to be in the same ZBF zone or one that is allowed to communicate with the
> tunnel's zone? And why does it only affect keepalives? I can ping the
> interfaces fine, it's only keepalives that drop.
>
> Without the pinging caveat, I would think we need to think of the
> interfaces like this...
>
> Router (Self Zone) ----- Tunnel (VPN Zone) ---- Interface (Physical Zone) ---- <outside>
>
> Requiring us to allow the traffic to pass through each of these zones as it
> enters/exits the router. But the ping thing messes me up! Any insight as
> to how this really works would be appreciated!
>
> Keller Giacomarro
> [email protected]
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

_______________________________________________
http://onlinestudylist.com/mailman/listinfo/ccie_rs
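An added example, not from the thread or from Cisco: a small Python model of the ZBF zone rules (intra-zone traffic passes, a zone member talking to a non-member is dropped, the self zone is permitted by default, anything else needs a zone-pair policy) applied to the PE1 flows described above, before and after the two zone-based fixes. It assumes, based on Cisco's documented GRE keepalive mechanism, that PE2's keepalive carries a pre-built reply addressed back to PE2, which PE1 decapsulates on tunnel0 and forwards out f0/0 rather than terminating in its self zone; the interface and zone names are the ones from the post.

```python
SELF = "self"  # the router's own control plane (Cisco's "self" zone)


def zbf_verdict(src_zone, dst_zone, zone_pairs):
    """Return 'pass' or 'drop' for a flow between two zones.

    None means the interface is not in any zone. zone_pairs holds the
    (source, destination) pairs that carry a permit-any inspect policy.
    Assumes no zone-pair involving the self zone is configured.
    """
    if SELF in (src_zone, dst_zone):
        return "pass"  # self zone is permitted by default
    if src_zone is None and dst_zone is None:
        return "pass"  # neither interface is zoned: ZBF does not apply
    if src_zone is None or dst_zone is None:
        return "drop"  # zone member <-> non-member is always dropped
    if src_zone == dst_zone:
        return "pass"  # intra-zone traffic is permitted
    return "pass" if (src_zone, dst_zone) in zone_pairs else "drop"


def pe1_flows(zone_of, zone_pairs):
    """Evaluate the flows from the post on PE1; zone_of maps interface -> zone."""
    flows = {
        # PE2 pings PE1's physical address: arrives on f0/0, ends in self
        "ping_to_physical": (zone_of["f0/0"], SELF),
        # PE1's own keepalive is generated by the router and enters tunnel0
        "pe1_keepalive": (SELF, zone_of["tunnel0"]),
        # PE2's keepalive carries a pre-built reply addressed back to PE2;
        # PE1 decapsulates it on tunnel0 and forwards it out f0/0, so the
        # reply never enters the self zone (assumed Cisco keepalive behaviour)
        "pe2_keepalive_reply": (zone_of["tunnel0"], zone_of["f0/0"]),
    }
    return {name: zbf_verdict(s, d, zone_pairs) for name, (s, d) in flows.items()}


# PE1 zone membership from the post, before and after the two zone-based fixes
ORIGINAL = {"tunnel0": "vpn", "f0/0": None, "s0/0": "outside"}
FIX_SAME_ZONE = {"tunnel0": "vpn", "f0/0": "vpn", "s0/0": "outside"}
FIX_PHYSICAL_ZONE = {"tunnel0": "vpn", "f0/0": "physical", "s0/0": "outside"}
PHYSICAL_PAIRS = {("vpn", "physical"), ("physical", "vpn")}

if __name__ == "__main__":
    for label, zones, pairs in [("original", ORIGINAL, set()),
                                ("f0/0 in vpn", FIX_SAME_ZONE, set()),
                                ("physical zone", FIX_PHYSICAL_ZONE, PHYSICAL_PAIRS)]:
        print(label, pe1_flows(zones, pairs))
```

With the original membership the ping and PE1's own keepalive pass through the self zone while PE2's keepalive reply is dropped as member-to-non-member traffic; either zone fix turns that flow into intra-zone or zone-pair traffic.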
