[nsp] policy-routing GRE tunnel packets

John Jackson jjackson at onenet.net
Tue Aug 19 12:29:28 EDT 2003


We had a very, very similar problem a few weeks ago.  We had trouble with
the mix of policy routes and GREs.  The same config had worked for years
before an IOS upgrade to 12.0(25)S1 (which we had to do to get around the IOS
vulnerability). Then it just broke. After a week of pulling my hair out I
found that with a combination of removing "ip accounting" and cef (only on the
source interface and tunnel interface) things started to work.  I had a TAC
guy looking for a bug, but he hasn't gotten back to me yet.

I'm sorry for your trouble, but I'm so glad to hear that I'm not alone in
having difficulty in getting these to work together.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexander Bochmann
> Sent: Tuesday, August 19, 2003 10:47 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] policy-routing GRE tunnel packets
> 
> Hi,
> 
> thanks for all the answers so far...
> 
> ...on Tue, Aug 19, 2003 at 10:14:27AM -0400, Streiner, Justin wrote:
> 
>  > > I had assumed that the Tunnel packets would be
>  > > subject to local policy routing, but that doesn't
>  > > seem to work - according to packet debugging, the
>  > You may be able to use VRF instances to make this work.  It should also
>  > work fine with 12.3(1a) since that's an outgrowth of 12.2T.  That train
> 
> Hum. Perhaps I should try to outline what I'm trying to
> do - possibly there's just some stupid mistake...
> 
> Following is a rough makeup of the original config:
> 
> !
> interface FastEthernet0/0
>  ip address 192.168.0.1 255.255.255.0
> !
> interface FastEthernet0/1
>  ip address 192.168.10.1 255.255.255.0
> !
> interface Tunnel0
>  ip address 10.0.0.1 255.255.255.252
>  tunnel source FastEthernet0/0
>  tunnel destination 172.16.0.1
> !
> interface Tunnel1
>  ip address 10.0.10.1 255.255.255.252
>  tunnel source FastEthernet0/1
>  tunnel destination 172.16.10.1
> !
> ip local policy route-map local-policy
> ip route 0.0.0.0 0.0.0.0 192.168.0.254
> !
> access-list 110 permit ip 192.168.10.1 0.0.0.0 any
> !
> route-map local-policy permit 10
>  match ip address 110
>  set ip next-hop 192.168.10.254
> !
> 
> Theoretically, Tunnel1 packets should be subject to
> the local policy route-map and be sent out via fa0/1 -
> but, in policy routing debugging, nothing is showing
> up right now, and packet debugging says that the packets
> are being sent out via fa0/0, following the default
> route.
> 
> Does local policy-routing depend on some other global
> configuration command that is not implicitly enabled
> by IOS?
> 
>  > Make sure you use the "ip tcp adjust-mss" global command and the
>  > "tunnel keepalive <X> <Y>" interface command.
> 
> Oh, I didn't know about the tunnel keepalives and was
> planning to use some routing protocol...
> 
> Alex.
> 