IP CEF

I've got a strange one or I'm getting a good case of the stupids.  I have an ASA5505 Security Plus back in the US on my home network & a 881W with 15.1 Adv IP Services in Afghanistan.  I set up a site-to-site VPN between the two.  I could ping my 2511 for my home lab from the 881W when sourced from the crypto map's "interesting traffic" VLAN, but not from my laptop which is on that same VLAN.  Set up an ACL to debug the IP packets between the two hosts.  Turned off ip cef so I could get the debug info & did a ping - the traffic went through.  Turned ip cef back on & the traffic was blocked again.  What is with ip cef?  Are there any negative interactions with IPSec VPNs?  Pertinent excerpt from "show ip cef" below.

Prefix               Next Hop             Interface
10.10.30.18/32       attached             Vlan30
10.101.2.0/24        173.11.153.25        FastEthernet4
10.139.22.176/28     attached             FastEthernet4
10.139.22.176/32     receive              FastEthernet4
10.139.22.177/32     attached             FastEthernet4
10.139.22.178/32     receive              FastEthernet4

10.10.30.18 on VLAN30 is my laptop.  173.11.153.25 is my outside interface on the ASA (other end of IPSec tunnel).  10.101.2.0 is the interesting traffic on the home network.  10.139.22.177 is the satellite modem GW & .178 is my 881W outside interface.  It is NAT'd by the satellite provider to a public IP.

Thanks, David D.

Comments

  • If changing the switching path fixes the problem, it's very likely it's a bug.  Try changing code versions and see what the result is.  Otherwise you could just disable CEF if you're not switching that much traffic.

    Brian McGahan, CCIE #8593 (R&S/SP/Security)
    Internetwork Expert, Inc.
    http://www.INE.com
    Online Community: http://www.IEOC.com
    CCIE Blog: http://blog.INE.com

    From: dunhamdd
    Sent: Sunday, May 22, 2011 8:47 AM
    To: Brian McGahan
    Subject: [CCIE R&S] IP CEF

  • Thanks - you make me feel better.  I thought I was misunderstanding CEF.  Not much traffic, so I will leave it.  Will worry about a TAC ticket next month when my contract is complete and I'm back home again for a while.

  • Latest IOS loaded & no longer a problem.  Couldn't find anything in the bug fix tool though.  Thanks, Brian.  Appreciated the feedback.

    David
