[nsp] RPF problem with ICMP unreachables

Ilker TEMIR itemir@cisco.com
Sun, 24 Nov 2002 19:01:12 +0100


Hank,

This did not make sense to me. Is it possible to see the interface
configuration of the customer router?

What is the version on the box, or what versions have you tried?

Can you collect 'deb ip icmp' while doing this on the customer's router?

Thanks

Ilker

----- Original Message -----
From: "Hank Nussbacher" <hank@att.net.il>
To: <cisco-nsp@puck.nether.net>
Sent: Sunday, November 24, 2002 2:55 PM
Subject: [nsp] RPF problem with ICMP unreachables


> I have a problem with a customer when running simple RPF checking ("ip
> verify unicast reverse-path") to the customer.  The problem is not on the
> side of my router running RPF checking but rather on his side - and we
> have tried numerous different versions of IOS on his side.  He announces a
> /27 to me via BGP.  Suppose we call it 10.117.80.224/27.  A user on my side
> now tries to ping 10.117.80.226/32.  The IP is routed to his router but his
> router has no route to this specific IP.  What should happen is the
> interface facing me should return the ICMP error message.  But that doesn't
> happen.  His router returns the ICMP error message with the IP address of
> the interface which has the *highest* IP address (which happens to start
> with 212.x.x.x) on that router.  My RPF check drops the packet (correctly).
>
> How does one force a router to not use *highest* IP address to return ICMP
> unreachables and instead use the interface from where the ICMP came?
>
> -Hank
>