[nsp] RPF problem with ICMP unreachables
sthaug@nethelp.no
Sun, 24 Nov 2002 15:13:50 +0100
> I have a problem with a customer when running simple RPF checking ("ip
> verify unicast reverse-path") to the customer. The problem is not on the
> side of my router running RPF checking but rather on his side - and we
> have tried numerous different versions of IOS on his side. He announces a
> /27 to me via BGP. Suppose we call it 10.117.80.224/27. A user on my side
> now tries to ping 10.117.80.226/32. The IP is routed to his router but his
> router has no route to this specific IP. What should happen is the
> interface facing me should return the ICMP error message. But that doesn't
> happen. His router returns the ICMP error message with the IP address of
> the interface which has the *highest* IP address (which happens to start
> with 212.x.x.x) on that router. My RPF check drops the packet (correctly).
Does the customer router run any kind of MPLS VPNs? There is a known
issue (Cisco will not accept that the behavior is incorrect) where
outgoing telnet from a router, from an interface in a VRF, will choose
the IP address of the first interface in that VRF, not the outgoing
interface. It certainly breaks POLA big time. I was wondering if your
ICMP problem could be related.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
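The drop described in this thread can be reproduced with a small model of a strict reverse-path check. This is an added example, not part of the original messages: 10.117.80.224/27 is the prefix from the post, while the link subnet, the default route, the interface names and 203.0.113.1 (standing in for the elided 212.x.x.x address) are constructed assumptions.

```python
import ipaddress

# Constructed FIB of the provider router: (prefix, outgoing interface).
# Only 10.117.80.224/27 comes from the post; the rest is assumed.
FIB = [
    ("10.117.80.224/27", "Serial0/0"),  # customer prefix learned via BGP
    ("192.0.2.0/30", "Serial0/0"),      # provider-customer link (assumed)
    ("0.0.0.0/0", "Uplink0"),           # everything else (assumed)
]


def lookup(addr, fib=FIB):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def strict_urpf_accepts(src, ingress_if, fib=FIB):
    """Strict mode: the best route back to the source address must
    point out of the interface the packet arrived on."""
    return lookup(src, fib) == ingress_if


def classify(packets, ingress_if="Serial0/0"):
    """Return (source, description, verdict) for each received packet."""
    return [
        (src, desc, "pass" if strict_urpf_accepts(src, ingress_if) else "drop")
        for src, desc in packets
    ]


# Constructed packets arriving on the customer-facing interface.
SAMPLE = [
    ("192.0.2.2", "ICMP unreachable sourced from the link interface"),
    ("203.0.113.1", "ICMP unreachable sourced from another interface"),
    ("10.117.80.225", "ordinary traffic from inside the /27"),
]

if __name__ == "__main__":
    for src, desc, verdict in classify(SAMPLE):
        print(f"{verdict:4}  {src:15}  {desc}")
```

The ICMP error is dropped only when its source address is one the provider does not route back over the customer link, which is why the source address the customer router picks decides whether the error reaches the user.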