What does your GRE tunnel configuration look like, and what IP addresses are
you using for source and destination?
Very interesting ... I cannot wait to watch this email string - seems like
an interesting one.
JS
On Sat, Oct 27, 2012 at 3:05 AM, Keller Giacomarro <keller.g_at_gmail.com> wrote:
> I ran into something in a practice lab that has me scratching my head. The
> situation was like this...
>
> CE1 ----- PE1 ---- <ipv4 cloud> ---- PE2 ----- CE2
>
> PE1 and PE2 are running MPLS via a GRE tunnel across the IPv4 cloud. They
> are exchanging customer routes between CE1 and CE2 via MP-BGP.
>
> The task was to create a ZBF on PE1 that blocked some things and allowed
> others. Seemed simple enough. I did my class-maps, policy-maps, zones,
> and zone-pairs as normal. The trouble came when I applied my ZBF to the
> interfaces.
>
> PE1:
> interface tunnel 0
> ! mpls GRE tunnel to PE2
> keepalive 10 3
> zone-member sec vpn
> !
> interface s0/0
> ! serial link to CE1
> zone-member sec outside
>
> PE2:
> interface tunnel 0
> keepalive 10 3
>
> Everything worked fine...for 30 seconds or so. PE2 drops its tunnel. A
> 'debug tunnel keepalive' shows that PE2 is not getting responses to its
> keepalives. PE1's keepalives are normal, and the tunnel stays up even
> though the other side is down.
> From PE2, I can ping the physical interface on PE1 fine. It's just the
> keepalives that are dropping.
>
> The fix is to do one of three things...
> PE1:
> interface tun 0
> no keepalive
> ! tunnel stays up and traffic passes correctly both over the tunnel and to
> the underlying physical interface
>
> OR
>
> PE1:
> interface f0/0
> ! ipv4 cloud interface
> zone-member sec vpn
> ! adds the underlying tunnel physical interface to the same zone, possibly
> having other side-effects
>
> OR
>
> PE1:
> zone sec physical
> !
> zone-pair sec vpn-to-physical source vpn destination physical
> service-policy type inspect pm-permit-any
> zone-pair sec physical-to-vpn source physical destination vpn
> service-policy type inspect pm-permit-any
> !
> interface f0/0
> zone-member sec physical
> ! create a new zone for the physical interface and allow traffic to pass
> between it and the vpn zone on the tunnel
>
> My question is...WHY? Why does the physical interface for the tunnel need
> to be in the same ZBF zone or one that is allowed to communicate with the
> tunnel's zone? And why does it only affect keepalives? I can ping the
> interfaces fine, it's only keepalives that drop.
>
> Without the pinging caveat, I would think we need to think of the
> interfaces like this...
>
> Router (Self Zone) ----- Tunnel (VPN Zone) ---- Interface (Physical Zone)
> ---- <outside>
>
> Requiring us to allow the traffic to pass through each of these zones as it
> enters/exits the router. But the ping thing messes me up! Any insight as
> to how this really works would be appreciated!
>
> Keller Giacomarro
> keller.g_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Oct 30 2012 - 08:54:22 ART
This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:34 ART
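The scenario in Keller's post, as an added example that is not part of the thread and is not Cisco code: a small Python model of how a GRE keepalive moves through a router running a zone-based firewall. It rests on two documented Cisco behaviours, which the model takes as assumptions: a GRE keepalive is an outer GRE packet whose payload is a second GRE packet (protocol type 0) addressed back to the sender, so the receiver only decapsulates it on the tunnel interface and routes the inner packet out again; and ZBF drops any traffic between an interface in a zone and an interface in no zone, while traffic to or from the router itself (the self zone) is permitted by default. The addresses, interface names and the `ZbfRouter`/`build_keepalive` helpers are all constructed for the example; the first fix from the post (`no keepalive` on PE1) is not modelled.

```python
"""Model of a GRE keepalive crossing a Cisco ZBF zone boundary (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the model (the thread gives none).
PE1, PE2 = "10.0.0.1", "10.0.0.2"
GRE_PROTO_IP = 0x0800      # GRE protocol type carrying an IP payload
GRE_PROTO_KEEPALIVE = 0    # GRE protocol type 0 marks a keepalive


@dataclass
class IPPacket:
    src: str
    dst: str
    proto: str                            # "icmp" or "gre"
    gre_proto: int = GRE_PROTO_IP
    payload: Optional["IPPacket"] = None  # inner packet when proto == "gre"


def build_keepalive(sender: str, peer: str) -> IPPacket:
    """A GRE keepalive as Cisco documents it: an outer GRE packet to the peer
    whose payload is a second GRE packet (protocol type 0) addressed from the
    peer back to the sender. The peer just decapsulates and routes the inner
    packet; it needs no keepalive support of its own."""
    inner = IPPacket(src=peer, dst=sender, proto="gre", gre_proto=GRE_PROTO_KEEPALIVE)
    return IPPacket(src=sender, dst=peer, proto="gre", payload=inner)


class ZbfRouter:
    """PE1 from the thread: physical interface f0/0, tunnel0 towards PE2, s0/0 to CE1."""

    def __init__(self, addr: str, zones: dict, permitted_pairs=frozenset()):
        self.addr = addr
        self.zones = zones                  # interface -> zone name, or None
        self.pairs = set(permitted_pairs)   # (src_zone, dst_zone) with a permit policy

    def zone(self, intf: str) -> Optional[str]:
        return "self" if intf == "self" else self.zones.get(intf)

    def zbf_allows(self, in_intf: str, out_intf: str) -> bool:
        src, dst = self.zone(in_intf), self.zone(out_intf)
        if "self" in (src, dst):
            return True                     # self zone passes by default (no self zone-pair here)
        if src == dst:
            return True                     # same zone, or both interfaces zone-less
        if src is None or dst is None:
            return False                    # zoned <-> zone-less is always dropped
        return (src, dst) in self.pairs     # otherwise a zone-pair with a permit policy is needed

    def egress_for(self, dst: str) -> str:
        # Traffic to PE1's own address terminates in self; the peer is reached via the physical link.
        return "self" if dst == self.addr else "f0/0"

    def receive(self, pkt: IPPacket, in_intf: str = "f0/0"):
        """Return (verdict, path) for a packet arriving from the IPv4 cloud."""
        path = [in_intf]
        if pkt.dst == self.addr and pkt.proto == "gre" and pkt.gre_proto == GRE_PROTO_IP:
            # Tunnel traffic: decapsulated on tunnel0, and the forwarding decision for the
            # inner packet now has tunnel0 (zone vpn) as its ingress interface.
            path.append("tunnel0")
            in_intf, pkt = "tunnel0", pkt.payload
        out_intf = self.egress_for(pkt.dst)
        path.append(out_intf)
        return ("permit" if self.zbf_allows(in_intf, out_intf) else "drop"), path


def scenarios() -> dict:
    """The PE1 configurations from the thread, fed PE2's keepalive, a ping, and the
    reply to PE1's own keepalive as it comes back from PE2 (PE2 runs no ZBF)."""
    zones = {"tunnel0": "vpn", "s0/0": "outside"}
    broken = ZbfRouter(PE1, {**zones, "f0/0": None})
    same_zone = ZbfRouter(PE1, {**zones, "f0/0": "vpn"})
    zone_pair = ZbfRouter(PE1, {**zones, "f0/0": "physical"},
                          {("vpn", "physical"), ("physical", "vpn")})
    pe2_keepalive = build_keepalive(PE2, PE1)
    pe1_keepalive_reply = build_keepalive(PE1, PE2).payload   # what PE2 routes back to PE1
    ping = IPPacket(src=PE2, dst=PE1, proto="icmp")
    return {
        "broken_pe2_keepalive": broken.receive(pe2_keepalive),
        "broken_ping": broken.receive(ping),
        "broken_pe1_keepalive_reply": broken.receive(pe1_keepalive_reply),
        "same_zone_pe2_keepalive": same_zone.receive(pe2_keepalive),
        "zone_pair_pe2_keepalive": zone_pair.receive(pe2_keepalive),
    }


if __name__ == "__main__":
    for name, (verdict, path) in scenarios().items():
        print(f"{name:28s} {verdict:6s} {' -> '.join(path)}")
```

Run it and the asymmetry in the post falls out of the model: PE2's keepalive is decapsulated on tunnel0 and then has to leave through f0/0, so it is the only flow that crosses from zone vpn to a zone-less interface and is dropped, whereas the ping and the reply to PE1's own keepalive both terminate in the self zone and are permitted; putting f0/0 into zone vpn or into a zone paired with vpn lets the decapsulated keepalive through.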