Re: [nsp] 7500 tag switching bugs

From: Zaheer Aziz (zaziz@cisco.com)
Date: Wed Aug 08 2001 - 15:46:06 EDT


At 09:59 PM 8/7/2001 -0400, jlewis@lewis.org wrote:
>On Tue, 7 Aug 2001, Zaheer Aziz wrote:

Comments and questions in-line.

> > At 05:44 PM 8/7/2001 -0400, jlewis@lewis.org wrote:
> > >I've run into a problem with a 7500 (RSP4 with VIP2-50s) apparently eating
> > >icmp ttl exceeded packets if tag-switching is turned on (to support MPLS
> > >VPN traffic transiting the router).
> >
> > This is probably during the traceroute reply. Does that happen at the LSR (P)
> > or at the ELSR (PE)?
> > A small diagram with the exact problem description would help more.
>
>It seems to happen at the 7500, which I guess is a P. The setup is:
>             P -- PE
>            /
>internet === 7500 -- P -- PE
>             |
>             PE
>
>i.e. there are MPLS VPN PE routers directly and indirectly connected to
>the 7500. When we deployed our first MPLS VPN, we enabled tag-switching
>and set the tag-switching mtu to 1520 (the T3's with tag-switching enabled
>have the interface MTU set to 1500) on all router interfaces that would
>transmit MPLS VPN packets. That includes PA-2T3's and MC-T3 T1 interfaces
>on the 7500, PA-2T3's on several 7206's (some are P, some PE), HSSI and
>T1 on 3640's (PE's).
>
>We just noticed that if we traceroute from the internet to certain (not
>all) non-VPN DSL customers terminated on a 3640 that happens to be one of
>the PE's on the right, the last hop the traceroute sees is the 7500.
>Packet debugging shows the P and PE routers are seeing and at least
>claiming to respond with ttl exceeded, but the packets don't make it back
>through the 7500.

Was the debugging through a sniffer or debug outputs?

If you have the luxury to enable tag-switching back, I would like to get the
following output from

7500, P, 3600

sh ip cef non-vpn customer route
sh ip cef internet source

If the 7500 is running distributed CEF, then the above sh ip cef output from
the line card facing the P router and from the one facing the internet
(if-con to the interface).

In addition, if you could provide the debugging information from P and PE
that you mention, that would be nice.

If P and PE are sending the TTL expired message, then the no ip propagate-ttl
command should have no effect, as this command is used to hide P routers from
the external world during the traceroute.

Zaheer

> The really odd thing is traceroutes to some other DSL
>customers on the same PE work fine. When I disable tag-switching only on
>the 7500, the traceroutes go back to normal and ttl exceeded messages get
>back out to the internet.
>
>--
>----------------------------------------------------------------------
> Jon Lewis *jlewis@lewis.org*| I route
> System Administrator | therefore you are
> Atlantic Net |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
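Zaheer's remark that no ip propagate-ttl only hides the P routers from a traceroute, and so cannot explain TTL-exceeded replies that the P and PE say they are sending, rests on how the IP TTL is (or is not) copied into the MPLS label TTL at the ingress LSR. The simulation below is an added example written for this archive page; it is not code from the thread or from Cisco. It walks a traceroute probe across a constructed path (an internet-side IP hop, a label-imposing router, one P router, the PE, and the customer) and reports which router answers each probe under the two TTL models: propagate-ttl on (RFC 3443 "uniform" model: label TTL copied from the IP TTL at ingress and written back at egress) and propagate-ttl off (the "pipe" model: label TTL set to 255 at ingress and discarded at egress). Router names, the five-hop topology and the 255 default are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Hop:
    name: str
    role: str   # "ip" (plain IP router), "ingress" (label imposition), "core" (P), "egress" (PE)

# Constructed topology modelled loosely on the thread's diagram: the names are
# placeholders, not the poster's routers.
PATH: List[Hop] = [
    Hop("internet-edge", "ip"),
    Hop("lsr-ingress", "ingress"),
    Hop("lsr-core", "core"),
    Hop("pe-egress", "egress"),
    Hop("customer", "ip"),
]

def forward_probe(path: List[Hop], ip_ttl: int, propagate_ttl: bool) -> Optional[str]:
    """Forward one probe carrying the given IP TTL along `path`.

    Returns the name of the router that would answer with ICMP time-exceeded,
    or None if the probe reaches the last hop (the destination).
    """
    label_ttl: Optional[int] = None
    for i, hop in enumerate(path):
        if i == len(path) - 1:
            return None                      # destination reached, no TTL expiry
        if hop.role == "core":
            # P router: only the label TTL is decremented; the IP header is untouched.
            label_ttl -= 1
            if label_ttl == 0:
                return hop.name
            continue
        if hop.role == "egress":
            label_ttl -= 1
            if label_ttl == 0:
                return hop.name
            if propagate_ttl:
                ip_ttl = label_ttl           # uniform model: write the label TTL back to IP
            else:
                ip_ttl -= 1                  # pipe model: label TTL discarded, PE counts as one IP hop
            if ip_ttl == 0:
                return hop.name
            label_ttl = None
            continue
        # Plain IP hop and the ingress LSR both do an ordinary IP TTL decrement.
        ip_ttl -= 1
        if ip_ttl == 0:
            return hop.name
        if hop.role == "ingress":
            # Label imposition: copy the IP TTL when propagating, else start at 255
            # (assumed default) so the core hops can never expire the label TTL.
            label_ttl = ip_ttl if propagate_ttl else 255
    return None

def traceroute(path: List[Hop], propagate_ttl: bool, max_ttl: int = 30) -> List[str]:
    """Send probes with TTL 1..max_ttl and return the responders seen, ending
    with the destination name once a probe gets through."""
    seen: List[str] = []
    for ttl in range(1, max_ttl + 1):
        responder = forward_probe(path, ttl, propagate_ttl)
        if responder is None:
            seen.append(path[-1].name)
            break
        seen.append(responder)
    return seen

def hidden_hops(path: List[Hop]) -> List[str]:
    """Routers that appear with TTL propagation on but vanish with it off."""
    visible_on = traceroute(path, propagate_ttl=True)
    visible_off = set(traceroute(path, propagate_ttl=False))
    return [name for name in visible_on if name not in visible_off]

if __name__ == "__main__":
    print("propagate-ttl on :", " -> ".join(traceroute(PATH, True)))
    print("propagate-ttl off:", " -> ".join(traceroute(PATH, False)))
    print("hidden by no ip propagate-ttl:", hidden_hops(PATH))
```

With propagation on, every router on the path answers a probe; with it off, only the P router drops out of the trace, while the ingress and egress routers remain visible because each still decrements the IP TTL once. That is exactly the effect Zaheer describes, and it is why a P or PE that is already generating TTL-exceeded replies would not be affected by the command: the replies in the thread are being generated and then lost on the way back, which this model does not produce under either setting.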



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:48 EDT