[nsp] RPF problem with ICMP unreachables
Hank Nussbacher
hank@att.net.il
Mon, 25 Nov 2002 09:39:48 +0200
At 07:01 PM 24-11-02 +0100, Ilker TEMIR wrote:
>Hank,
>
>This did not make sense to me. Is it possible to see the interface
>configuration of the customer router?
!
interface ATM5/1/0.200 point-to-point
 description Internet2
 ip address 128.139.190.17 255.255.255.252
 ip access-group 122 out
 no ip redirects
 ip accounting output-packets
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 pvc Internet2 0/200
  ubr 10000
  encapsulation aal5snap
!
access-list 122 permit tcp host 128.139.190.17 host 128.139.190.18 eq bgp
access-list 122 permit ip 192.117.80.224 0.0.0.31 any
access-list 122 deny ip any any log
>What is the version on the box, or what versions have you tried?
Currently at 12.2(12a)
>Can you collect 'deb ip icmp' while doing this on the customer's router?
3d07h: IP: s=212.25.114.142 (local), d=193.205.194.22 (ATM5/1/0.200), len 56, sending
3d07h: ICMP type=3, code=1
3d07h: IP: s=212.25.114.142 (local), d=193.205.194.22 (ATM5/1/0.200), len 56, sending
3d07h: ICMP type=3, code=1
3d07h: IP: s=212.25.114.142 (local), d=66.197.0.86 (Null0), len 56, sending
3d07h: ICMP type=3, code=1
3d07h: IP: s=212.25.114.142 (local), d=66.197.0.81 (Null0), len 56, sending
3d07h: ICMP type=3, code=1
3d07h: IP: s=212.25.114.142 (local), d=66.197.0.82 (Null0), len 56, sending
3d07h: ICMP type=3, code=1
3d07h: IP: s=212.25.114.142 (local), d=192.117.232.176 (Null0), len 56, sending
3d07h: ICMP type=3, code=1
>Thanks
>
>Ilker
-Hank
>----- Original Message -----
>From: "Hank Nussbacher" <hank@att.net.il>
>To: <cisco-nsp@puck.nether.net>
>Sent: Sunday, November 24, 2002 2:55 PM
>Subject: [nsp] RPF problem with ICMP unreachables
>
>
> > I have a problem with a customer when running simple RPF checking ("ip
> > verify unicast reverse-path") to the customer. The problem is not on the
> > side of my router running RPF checking but rather on his side - and we
> > have tried numerous different versions of IOS on his side. He announces a
> > /27 to me via BGP. Suppose we call it 10.117.80.224/27. A user on my side
> > now tries to ping 10.117.80.226/32. The IP is routed to his router but his
> > router has no route to this specific IP. What should happen is the
> > interface facing me should return the ICMP error message. But that doesn't
> > happen. His router returns the ICMP error message with the IP address of
> > the interface which has the *highest* IP address (which happens to start
> > with 212.x.x.x) on that router. My RPF check drops the packet (correctly).
> >
> > How does one force a router to not use *highest* IP address to return ICMP
> > unreachables and instead use the interface from where the ICMP came?
> >
> > -Hank
> >
> >
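
As an added illustration (not part of the original thread and not code from either poster), the following Python sketch replays the `debug ip icmp` lines quoted above against a simplified strict uRPF check, showing why the unreachables sourced from 212.25.114.142 are dropped on the provider side. It assumes the provider routes only the link /30 and the /27 from access-list 122 toward the customer; the function names are hypothetical.

```python
import ipaddress
import re

# Debug lines copied from the post (wrapped lines rejoined).
DEBUG_OUTPUT = """\
3d07h: IP: s=212.25.114.142 (local), d=193.205.194.22 (ATM5/1/0.200), len 56, sending
3d07h: ICMP type=3, code=1
3d07h: IP: s=212.25.114.142 (local), d=66.197.0.86 (Null0), len 56, sending
3d07h: ICMP type=3, code=1
"""

# Assumption: prefixes the provider routes toward the customer link, i.e. the
# /30 configured on ATM5/1/0.200 and the /27 permitted by access-list 122.
PREFIXES_VIA_CUSTOMER = [
    ipaddress.ip_network("128.139.190.16/30"),
    ipaddress.ip_network("192.117.80.224/27"),
]

LINE_RE = re.compile(
    r"IP: s=(?P<src>\S+) \(local\), d=(?P<dst>\S+) \((?P<oif>[^)]+)\), len \d+, sending"
)

def strict_urpf_pass(src, prefixes):
    """Simplified strict uRPF: the source must fall inside a prefix that is
    routed back out of the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def audit(debug_text, link_interface, prefixes):
    """Return (src, dst, verdict) for each locally generated packet logged."""
    results = []
    for m in LINE_RE.finditer(debug_text):
        if m["oif"] != link_interface:
            verdict = "not sent on link"  # e.g. routed to Null0
        elif strict_urpf_pass(m["src"], prefixes):
            verdict = "pass"
        else:
            verdict = "dropped by uRPF"
        results.append((m["src"], m["dst"], verdict))
    return results

if __name__ == "__main__":
    for src, dst, verdict in audit(DEBUG_OUTPUT, "ATM5/1/0.200", PREFIXES_VIA_CUSTOMER):
        print(f"{src} -> {dst}: {verdict}")
```

An unreachable sourced from the link address 128.139.190.17 or from inside the /27 would pass the same check, which is the behaviour the original question asks for.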