[c-nsp] juniper/cisco inter-as vpn strangeness
Rutger Bevaart
rutger at netnova.nl
Sun Feb 20 06:44:17 EST 2011
Hello list,
I'm puzzled by the following, maybe you've seen something like this as well.
We've set up an MPLS inter-AS VPN with us being a Cisco 7200 running 12.2(33)SRE2 and the other side a Juniper with unknown JUNOS release. BGP is used to exchange the VPN routes and MPLS labels, this appears to work fine...
Partial config from the 7200,
interface GigabitEthernet0/2
 description xconnect
 ip address X.114 255.255.255.252
 media-type rj45
 speed 100
 duplex full
 no negotiation auto
 mpls bgp forwarding
!
router bgp AS1
 bgp router-id
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor X.113 remote-as AS2
 neighbor X.113 description nni
 neighbor X.113 password xyz
 !
 address-family ipv4
  no synchronization
  no neighbor X.113 activate
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor X.113 activate
  neighbor X.113 send-community extended
  neighbor X.113 route-map nba-glbx-customers in
  neighbor X.113 route-map nba-glbx-customers out
  neighbor X.113 maximum-prefix 10000
 exit-address-family
 !
 !
 address-family ipv4 vrf vpn-of-customer
  no synchronization
  redistribute connected metric 100
 exit-address-family
!
Now this all seems to work fine, I'm learning the routes through BGP and (confirmed) the other end is learning my interfaces connected in this VPN as well with correct RTs.
7200a#show ip bgp vpnv4 all
BGP table version is 460, local router ID is 87.238.170.180
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: AAA:2 (default for vrf vpn-of-customer)
*> 192.168.253.0    0.0.0.0                100         32768 ?
*> 192.168.254.254/32
                    0.0.0.0                100         32768 ?
*> Y.204/30         X.113                                  0 2 3 4 i
*> Y.206/32         X.113                                  0 2 3 4 i
7200a#show ip bgp vpnv4 all Y.206
BGP routing table entry for AS1:2:Y.206/32, version 417
Paths: (1 available, best #1, table vpn-mechtronics)
  Not advertised to any peer
  2 3 4, imported path from x.y.z.36:11684:Y.206/32
    X.113 from X.113 (x.y.z.w)
      Origin IGP, localpref 100, valid, external, best
      Extended Community: RT:AS1:2
      mpls labels in/out nolabel/706208
Thus, the route is learned properly, traffic to it across the inter-AS link will use MPLS label 706208.
Now, Y.206 is the WAN IP of a branch office router within the VPN of the customer. I can ping it through the inter-AS link,
7200a#ping vrf vpn-of-customer Y.206
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to Y.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 288/289/292 ms
But I cannot telnet to it?? The inter-AS peer can telnet to it from the PE router, the Y.206 router has a vanilla config. But through the NNI this is not working.
I did a debug ip packet on the internal link used as a source (192.168.253.x) for the telnet, and it seems that the three-way handshake is not completed.
7200a#telnet Y.206 /vrf vpn-of-customer
Trying Y.206 ...
% Connection timed out; remote host not responding
Interface output drops are not increasing, no issues on the Ethernet port, no logging that points to an issue.
Anybody have a clue on what could be causing this?
Partial config of the Juniper available as well off list.
Regards
Rutger