[nsp] RPF problem with ICMP unreachables
Hank Nussbacher
hank@att.net.il
Sun, 24 Nov 2002 16:17:00 +0200
At 03:13 PM 24-11-02 +0100, sthaug@nethelp.no wrote:
> > I have a problem with a customer when running simple RPF checking ("ip
> > verify unicast reverse-path") to the customer. The problem is not on the
> > side of my router running RPF checking but rather on his side - and we
> > have tried numerous different versions of IOS on his side. He announces a
> > /27 to me via BGP. Suppose we call it 10.117.80.224/27. A user on my side
> > now tries to ping 10.117.80.226/32. The IP is routed to his router but his
> > router has no route to this specific IP. What should happen is the
> > interface facing me should return the ICMP error message. But that doesn't
> > happen. His router returns the ICMP error message with the IP address of
> > the interface which has the *highest* IP address (which happens to start
> > with 212.x.x.x) on that router. My RPF check drops the packet (correctly).
>
>Does the customer router run any kind of MPLS VPNs? There is a known
>issue (Cisco will not accept that the behavior is incorrect) where
>outgoing telnet from a router, from an interface in a VRF, will choose
>the IP address of the first interface in that VRF, not the outgoing
>interface. It certainly breaks POLA big time. I was wondering if your
>ICMP problem could be related.
No MPLS. No VRF.
-Hank
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
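
A small model of the strict RPF decision discussed in this thread, added here as an illustration; it is not from either poster and is not Cisco's implementation. The interface names, the 192.0.2.0/30 link subnet and 198.51.100.1 (a stand-in for the unspecified 212.x.x.x address) are constructed assumptions.

```python
import ipaddress

# Constructed FIB of the provider router running strict RPF: (prefix, interface).
# Only 10.117.80.224/27 comes from the post; everything else is an assumption.
FIB = [
    ("10.117.80.224/27", "to-customer"),  # /27 announced by the customer via BGP
    ("192.0.2.0/30", "to-customer"),      # assumed link subnet towards the customer
    ("198.51.100.0/24", "to-upstream"),   # assumed route covering the stand-in address
]

def best_route(fib, addr):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = []
    for prefix, ifc in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            matches.append((net, ifc))
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def strict_urpf(fib, src, in_ifc):
    """Strict mode: accept a packet only when the best route back to its
    source address points out of the interface the packet arrived on."""
    route = best_route(fib, src)
    if route is None:
        return False, "no route to source"
    net, ifc = route
    if ifc != in_ifc:
        return False, f"best route {net} is via {ifc}, not {in_ifc}"
    return True, f"best route {net} is via {in_ifc}"

if __name__ == "__main__":
    # Constructed ICMP unreachables arriving on the customer-facing interface.
    samples = [
        ("192.0.2.2", "sourced from the interface facing the provider"),
        ("198.51.100.1", "sourced from another interface on the customer router"),
    ]
    for src, note in samples:
        ok, why = strict_urpf(FIB, src, "to-customer")
        print(f"{src:15} {'PASS' if ok else 'DROP'}  {why}  ({note})")
```
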