IP CEF

dunhamdd

I've got a strange one or I'm getting a good case of the stupids.  I have an ASA5505 Security Plus back in the US on my home network & a 881W with 15.1 Adv IP Services in Afghanistan.  I set up a site-to-site VPN between the two.  I could ping my 2511 for my home lab from the 881W when sourced from the crypto map's "interesting traffic" VLAN, but not from my laptop which is on that same VLAN.  Set up an ACL to debug the IP packets between the two hosts.  Turned off ip cef so I could get the debug info & did a ping - the traffic went through.  Turned ip cef back on & the traffic was blocked again.  What is with ip cef?  Are there any negative interactions with IPSec VPNs?  Pertinent excerpt from "show ip cef" be;ow.

Prefix               Next Hop             Interface
10.10.30.18/32       attached             Vlan30
10.101.2.0/24        173.11.153.25        FastEthernet4
10.139.22.176/28     attached             FastEthernet4
10.139.22.176/32     receive              FastEthernet4
10.139.22.177/32     attached             FastEthernet4
10.139.22.178/32     receive              FastEthernet4

10.10.30.18 on VLAN30 is my laptop.  173.11.153.25 is my outside interface on the ASA (other end of IPSec tunnel).  10.101.2.0 is the interesting traffic on the home network.  10.139.22.177 is the satellite modem GW & .178 is my 881W outdside interface.  It is NAT'd by the satellite provider to a public IP.

Thanks, David D.

Brian McGahan

If changing the switching path fixes the problem, it's very likely it's a bug.  Try changing code versions and see what the result is.  Otherwise you could just disable CEF if you're not switching that much traffic.

 

 

Brian McGahan, CCIE #8593 (R&S/SP/Security)

[email protected]

 

Internetwork Expert, Inc.

http://www.INE.com

Online Community: http://www.IEOC.com

CCIE Blog: http://blog.INE.com

 

---

From: [email protected] [[email protected]] On Behalf Of dunhamdd [[email protected]]

Sent: Sunday, May 22, 2011 8:47 AM

To: Brian McGahan

Subject: [CCIE R&S] IP CEF

I've got a strange one or I'm getting a good case of the stupids.  I have an ASA5505 Security Plus back in the US on my home network & a 881W with 15.1 Adv IP Services in Afghanistan.  I set up a site-to-site VPN between the two.  I could ping my 2511 for
my home lab from the 881W when sourced from the crypto map's "interesting traffic" VLAN, but not from my laptop which is on that same VLAN.  Set up an ACL to debug the IP packets between the two hosts.  Turned off ip cef so I could get the debug info & did
a ping - the traffic went through.  Turned ip cef back on & the traffic was blocked again.  What is with ip cef?  Are there any negative interactions with IPSec VPNs?  Pertinent excerpt from "show ip cef" be;ow.

Prefix               Next Hop             Interface

10.10.30.18/32       attached             Vlan30

10.101.2.0/24        173.11.153.25        FastEthernet4

10.139.22.176/28     attached             FastEthernet4

10.139.22.176/32     receive              FastEthernet4

10.139.22.177/32     attached             FastEthernet4

10.139.22.178/32     receive              FastEthernet4

10.10.30.18 on VLAN30 is my laptop.  173.11.153.25 is my outside interface on the ASA (other end of IPSec tunnel).  10.101.2.0 is the interesting traffic on the home network.  10.139.22.177 is the satellite modem GW & .178 is my 881W outdside interface. 
It is NAT'd by the satellite provider to a public IP.

Thanks, David D.

INE - The Industry Leader in CCIE Preparation

http://www.INE.com



Subscription information may be found at:

http://www.ieoc.com/forums/ForumSubscriptions.aspx

dunhamdd

Thanks - you make me feel better.  I thought I was misunderstanding CEF.  Not much traffic, so I will leave it.  Will worry about a TAC ticket next month when my contract is complete and I'm back home again for a while.

dunhamdd

Latest IOS loaded & no longer a problem.  Couldn't find anything in the bug fix tool though.  Thanks, Brian.  Appreciated teh feedback.

David