[nsp] RPF problem with ICMP unreachables

Hank Nussbacher hank@att.net.il
Mon, 25 Nov 2002 09:39:48 +0200


At 07:01 PM 24-11-02 +0100, Ilker TEMIR wrote:
>Hank,
>
>This did not make sense to me, is it possible to see the interface
>configuration of the customer router?


!
interface ATM5/1/0.200 point-to-point
  description Internet2
  ip address 128.139.190.17 255.255.255.252
  ip access-group 122 out
  no ip redirects
  ip accounting output-packets
  ip nat outside
  no ip route-cache
  no ip mroute-cache
  pvc Internet2 0/200
   ubr 10000
   encapsulation aal5snap
!
access-list 122 permit tcp host 128.139.190.17 host 128.139.190.18 eq bgp
access-list 122 permit ip 192.117.80.224 0.0.0.31 any
access-list 122 deny   ip any any log



>What is the version on the box, or what versions have you tried?

Currently at 12.2(12a)


>Can you collect 'deb ip icmp' while doing this on customer's router?

3d07h: IP: s=212.25.114.142 (local), d=193.205.194.22 (ATM5/1/0.200), len 56, sending

3d07h:     ICMP type=3, code=1

3d07h: IP: s=212.25.114.142 (local), d=193.205.194.22 (ATM5/1/0.200), len 56, sending

3d07h:     ICMP type=3, code=1

3d07h: IP: s=212.25.114.142 (local), d=66.197.0.86 (Null0), len 56, sending

3d07h:     ICMP type=3, code=1

3d07h: IP: s=212.25.114.142 (local), d=66.197.0.81 (Null0), len 56, sending

3d07h:     ICMP type=3, code=1

3d07h: IP: s=212.25.114.142 (local), d=66.197.0.82 (Null0), len 56, sending

3d07h:     ICMP type=3, code=1

3d07h: IP: s=212.25.114.142 (local), d=192.117.232.176 (Null0), len 56, sending

3d07h:     ICMP type=3, code=1


>Thanks
>
>Ilker

-Hank


>----- Original Message -----
>From: "Hank Nussbacher" <hank@att.net.il>
>To: <cisco-nsp@puck.nether.net>
>Sent: Sunday, November 24, 2002 2:55 PM
>Subject: [nsp] RPF problem with ICMP unreachables
>
>
> > I have a problem with a customer when running simple RPF checking ("ip
> > verify unicast reverse-path") to the customer.  The problem is not on the
> > side of my router running RPF checking but rather on his side - and we
> > have tried numerous different versions of IOS on his side.  He announces a
> > /27 to me via BGP.  Suppose we call it 10.117.80.224/27.  A user on my side
> > now tries to ping 10.117.80.226/32.  The IP is routed to his router but his
> > router has no route to this specific IP.  What should happen is the
> > interface facing me should return the ICMP error message.  But that doesn't
> > happen.  His router returns the ICMP error message with the IP address of
> > the interface which has the *highest* IP address (which happens to start
> > with 212.x.x.x) on that router.  My RPF check drops the packet (correctly).
> >
> > How does one force a router to not use *highest* IP address to return ICMP
> > unreachables and instead use the interface from where the ICMP came?
> >
> > -Hank
> >
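
The uRPF failure described in this thread, as an added example that is not part of the original messages: it parses the 'debug ip icmp' lines posted above and classifies each unreachable the way a strict reverse-path check on the upstream side would. Assumptions: the upstream's only routes toward the customer link are the /27 from access-list 122 and the connected /30; the names RPF_VALID, UPLINK, parse_debug and rpf_verdict are hypothetical.

```python
import ipaddress
import re

# Constructed sample: lines copied from the 'debug ip icmp' output above,
# including one wrapped after 'len' the way the mail wrapped it.
DEBUG_LOG = """\
3d07h: IP: s=212.25.114.142 (local), d=193.205.194.22 (ATM5/1/0.200), len
56, sending
3d07h:     ICMP type=3, code=1
3d07h: IP: s=212.25.114.142 (local), d=66.197.0.86 (Null0), len 56, sending
3d07h:     ICMP type=3, code=1
"""

# Assumption: on the upstream router, the only routes pointing at the customer
# link are the announced /27 and the connected /30 (both from the config above).
RPF_VALID = [ipaddress.ip_network("192.117.80.224/27"),
             ipaddress.ip_network("128.139.190.16/30")]
UPLINK = "ATM5/1/0.200"

IP_RE = re.compile(r"IP: s=(\S+) \(local\), d=(\S+) \((\S+)\), len\s+(\d+)")
ICMP_RE = re.compile(r"ICMP type=(\d+), code=(\d+)")

def parse_debug(text):
    """Return one dict per locally generated packet with its ICMP type/code."""
    text = re.sub(r"len\s*\n\s*(\d+)", r"len \1", text)  # re-join wrapped lines
    packets = []
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            packets.append({"src": ipaddress.ip_address(m.group(1)),
                            "dst": ipaddress.ip_address(m.group(2)),
                            "out_if": m.group(3), "len": int(m.group(4)),
                            "icmp": None})
            continue
        m = ICMP_RE.search(line)
        if m and packets and packets[-1]["icmp"] is None:
            packets[-1]["icmp"] = (int(m.group(1)), int(m.group(2)))
    return packets

def rpf_verdict(pkt):
    """Classify a packet as the upstream strict-uRPF check would see it."""
    if pkt["out_if"] != UPLINK:
        return "not-sent-upstream"   # debug shows Null0 as the output interface
    if any(pkt["src"] in net for net in RPF_VALID):
        return "pass"
    return "drop"                    # source has no route back via this link

if __name__ == "__main__":
    for p in parse_debug(DEBUG_LOG):
        print(p["src"], "->", p["dst"], p["icmp"], rpf_verdict(p))
```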