[nsp] RPF problem with ICMP unreachables

sthaug@nethelp.no sthaug@nethelp.no
Sun, 24 Nov 2002 15:13:50 +0100


> I have a problem with a customer when running simple RPF checking ("ip 
> verify unicast reverse-path") to the customer.  The problem is not on the 
> side of my router running RPF checking but rather on his side - and we 
> have tried numerous different versions of IOS on his side.  He announces a 
> /27 to me via BGP.  Suppose we call it 10.117.80.224/27.  A user on my side 
> now tries to ping 10.117.80.226/32.  The IP is routed to his router but his 
> router has no route to this specific IP.  What should happen is the 
> interface facing me should return the ICMP error message.  But that doesn't 
> happen.  His router returns the ICMP error message with the IP address of 
> the interface which has the *highest* IP address (which happens to start 
> with 212.x.x.x) on that router.  My RPF check drops the packet (correctly).

Does the customer router run any kind of MPLS VPNs? There is a known
issue (Cisco will not accept that the behavior is incorrect) where
outgoing telnet from a router, from an interface in a VRF, will choose
the IP address of the first interface in that VRF, not the outgoing
interface. It certainly breaks POLA big time. I was wondering if your
ICMP problem could be related.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
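The drop described in the quoted question can be reproduced with a small model of unicast RPF. This is an added example, not code from either poster or from Cisco: it builds a constructed FIB for the provider's router (the customer's 10.117.80.224/27 behind one interface, plus a 203.0.113.0/24 stand-in for the customer's 212.x.x.x address space reachable via a different interface, both constructed) and runs the source address of the ICMP unreachable through strict and loose RPF. Strict mode requires the source's best route to point back out the ingress interface, which is why the 212.x.x.x-sourced reply is dropped; loose mode ("ip verify unicast source reachable-via any" on IOS) only requires that some route to the source exist, and passes the reply if the provider has one. Interface names and the routes themselves are assumptions for the example.

```python
import ipaddress

# Constructed FIB for the provider's RPF-checking router: prefix -> egress interface.
# None of these prefixes or interface names come from the original post except the /27.
FIB = {
    ipaddress.ip_network("10.117.80.224/27"): "Serial0/0",    # customer's /27, learned via BGP
    ipaddress.ip_network("203.0.113.0/24"):   "Ethernet1/0",  # stand-in for the customer's 212.x.x.x side, via another path
    ipaddress.ip_network("10.0.0.0/8"):       "Ethernet1/1",  # other internal space
}


def lookup(addr):
    """Longest-prefix match against the FIB; returns the egress interface or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src, ingress):
    """Strict uRPF: the best route to the source must point out the ingress interface."""
    return lookup(src) == ingress


def urpf_loose(src):
    """Loose uRPF: accept if any route to the source exists at all."""
    return lookup(src) is not None


def check_icmp_reply(src, ingress, mode="strict"):
    """Verdict for an ICMP error arriving on `ingress` with source `src`."""
    if mode == "strict":
        ok = urpf_strict(src, ingress)
    elif mode == "loose":
        ok = urpf_loose(src)
    else:
        raise ValueError("mode must be 'strict' or 'loose'")
    return "pass" if ok else "drop"


if __name__ == "__main__":
    # Case 1: the customer router sources the unreachable from the interface facing us.
    print("strict, sourced from the /27:", check_icmp_reply("10.117.80.225", "Serial0/0"))
    # Case 2: the reply is sourced from the highest-numbered interface (212.x.x.x stand-in).
    print("strict, sourced from 203.0.113.1:", check_icmp_reply("203.0.113.1", "Serial0/0"))
    print("loose,  sourced from 203.0.113.1:", check_icmp_reply("203.0.113.1", "Serial0/0", "loose"))
    # Case 3: a source with no route at all fails even loose mode.
    print("loose,  unrouted source:", check_icmp_reply("192.0.2.1", "Serial0/0", "loose"))
```

Running the block prints "pass" for the reply sourced from inside the /27, "drop" for the 203.0.113.1-sourced reply under strict mode and "pass" for it under loose mode, and "drop" for an unrouted source under either mode. The model deliberately checks only the source address against the FIB; a real uRPF implementation also honours ACL exemptions and equal-cost multipath, which are left out here.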