[c-nsp] How to debug this?
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Wed Feb 14 14:46:24 EST 2007
>
> On Wed, 14 Feb 2007, Tuc at T-B-O-H.NET wrote:
>
> > Hi,
> >
> > It looks like the only unix machine at my remote site
> > has decided to take a VERY long nap, and my "remote hands"
> > person is unavailable due to weather.
> >
> > I have 2 3640's with an IPSEC/GRE tunnel between
> > them. When I try to ping from one end to something on
> > the E0/0 interface, I don't get a reply. I would think
> > even though the 3640 at the end point ISN'T the default
> > route, it would come back via its standard default route.
> >
> > What debug can I do just on the remote end
> > using the 3640 to see what's happening with the packets
> > that come in over the tunnel, and I'm not sure they
> > are making it out the E0/0.
>
> Drop in a permissive ACL with a logging statement on the interfaces you
> expect the traffic to go through. Exercise caution if this is a heavily
> traffic'd interface.
>
> Also, check your arp cache.
>
OK, done... But all I see is:
.Feb 14 14:40:09 EST: %SEC-6-IPACCESSLOGDP: list 123 permitted icmp 204.107.90.128 (Tunnel0 ) -> 192.168.3.247 (0/0), 41 packets
Yes, I tried to ping from 204.107.90.128, yes, it was supposed
to go through the tunnel, yes, it was icmp, no, there weren't 41 of them
that I know of, only 20, and yes, the destination was 192.168.3.247,
and yes, it should be able to be seen off the 0/0 interface. But I
have the access list of:
    access-list 123 permit ip any any log-input
on both tunnel0 and eth0/0, shouldn't I have seen it
go out the eth0/0 also?
Hrm, now without any more pinging I see:
.Feb 14 14:42:09 EST: %SEC-6-IPACCESSLOGP: list 123 permitted udp 204.107.90.128(0) (Tunnel0 ) -> 192.168.3.247(0), 8 packets
.Feb 14 14:43:09 EST: %SEC-6-IPACCESSLOGDP: list 123 permitted icmp 192.168.3.247 (Ethernet0/0 0040.8c44.3bf9) -> 192.168.3.111 (0/0), 4 packets
What's happening?
Thanks, Tuc
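
Added example, not part of the original post: a Python sketch that parses the %SEC-6-IPACCESSLOG lines quoted above and tallies packets by the input interface that `log-input` records, separately for each direction of a flow. The function names are hypothetical, and the regex covers only the line shapes shown in this message.

```python
import re
from collections import Counter

# Sample input: the three log lines quoted in the message above.
SAMPLE = """\
.Feb 14 14:40:09 EST: %SEC-6-IPACCESSLOGDP: list 123 permitted icmp 204.107.90.128 (Tunnel0 ) -> 192.168.3.247 (0/0), 41 packets
.Feb 14 14:42:09 EST: %SEC-6-IPACCESSLOGP: list 123 permitted udp 204.107.90.128(0) (Tunnel0 ) -> 192.168.3.247(0), 8 packets
.Feb 14 14:43:09 EST: %SEC-6-IPACCESSLOGDP: list 123 permitted icmp 192.168.3.247 (Ethernet0/0 0040.8c44.3bf9) -> 192.168.3.111 (0/0), 4 packets
"""

# With log-input, the parenthesis after the source holds the input interface
# and, on Ethernet, the source MAC address of the frame.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?:DP|P): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? "
    r"\((?P<in_if>[^\s)]+)\s*(?P<mac>[0-9a-f.]+)?\s*\) -> "
    r"(?P<dst>[\d.]+)\s?\([\d/]+\), (?P<count>\d+) packets?"
)

def parse(text):
    """Return one dict per ACL log line that matches; skip everything else."""
    return [m.groupdict() for m in map(ACL_LOG.search, text.splitlines()) if m]

def packets_by_input(entries, src, dst, proto):
    """Sum logged packet counts for one direction of a flow, keyed by input interface."""
    seen = Counter()
    for e in entries:
        if (e["src"], e["dst"], e["proto"]) == (src, dst, proto):
            seen[e["in_if"]] += int(e["count"])
    return dict(seen)

def flow_report(entries, a, b, proto="icmp"):
    """Show where a->b entered the router and where b->a entered it."""
    return {"forward": packets_by_input(entries, a, b, proto),
            "reverse": packets_by_input(entries, b, a, proto)}

if __name__ == "__main__":
    print(flow_report(parse(SAMPLE), "204.107.90.128", "192.168.3.247"))
```

An empty "reverse" entry means no logged line shows a reply from the target entering the router on any interface.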