The GRE outer layer can be pinged, but the inner address (12.1.1.2) cannot be pinged; the tunnel is down.
Debug log:
GRE/7/error: Tunnel100 status check: Source address is not the address of a local interface.
IPFW/7/IPFW_INFO: MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 1(flowmgr), Bitmap is 5000000000000000, return 2(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation20.260,s= 12.1.1.2, d= 12.1.1.1, protocol= 1, pktid = 56178.
FILTER/7/PACKET: -Slot=8.1; The packet is permitted. Src-ZOne=Local, Dst-ZOne=Trust;If-In=InLoopBack0(6988), If-Out=Route-Aggregation20.260(7004); Packet Info:Src-IP=12.1.1.2, Dst-IP=12.1.1.1, VPN-Instance=5G-BanGong-WangGeTong, Src-MacAddr=0000-0000-0000,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=ICMP(22742), Url-category=invalid(65535), SecurityPolicy=ping-any-WangGeTong, Rule-ID=110.
IPFW/7/IPFW_PACKET: -Slot=8.1;
Sending, interface = Route-Aggregation20.260
version = 4, headlen = 20, tos = 0
pktlen = 84, pktid = 56178, offset = 0, ttl = 255, protocol = 1
checksum = 50737, s = 12.1.1.2, d = 12.1.1.1
channelID = 0, vpn-InstanceIn = 2, vpn-InstanceOut = 0.
prompt: Sending IP packet from local at interface Route-Aggregation20.260.
Payload: ICMP
type = 8, code = 0, checksum = 0xa052.
Request time out
IPFW/7/IPFW_INFO:
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 1(flowmgr), Bitmap is 5000000000000000, return 2(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation20.260,
s= 12.1.1.2, d= 12.1.1.1, protocol= 1, pktid = 56240.
Request time out
IPFW/7/IPFW_INFO:
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 1(flowmgr), Bitmap is 5000000000000000, return 2(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation20.260,
s= 12.1.1.2, d= 12.1.1.1, protocol= 1, pktid = 56264.
Request time out
IPFW/7/IPFW_INFO:
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 1(flowmgr), Bitmap is 5000000000000000, return 2(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation20.260,
s= 12.1.1.2, d= 12.1.1.1, protocol= 1, pktid = 56290.
Request time out
IPFW/7/IPFW_INFO:
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 1(flowmgr), Bitmap is 5000000000000000, return 2(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation20.260,
s= 12.1.1.2, d= 12.1.1.1, protocol= 1, pktid = 56317.
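A session capture shows no return packets.
Under what circumstances does this kind of problem usually occur? Is there a troubleshooting approach?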
(0)
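Best answer
When a Tunnel interface carries a vpn-instance, the following command must be configured:
The tunnel vpn-instance command specifies the VPN instance to which the tunnel destination address belongs.
The undo tunnel vpn-instance command restores the default.
[Command]
tunnel vpn-instance vpn-instance-name
undo tunnel vpn-instance
[Default]
The tunnel destination address belongs to the public network, and the device looks up the public routing table to forward tunnel-encapsulated packets.
[View]
Tunnel interface view
[Default user roles]
network-admin
mdc-admin
vsys-admin
[Parameters]
vpn-instance-name: Name of the MPLS L3VPN VPN instance, a case-sensitive string of 1 to 31 characters.
[Usage guidelines]
After this command specifies the VPN instance to which the tunnel destination address belongs, the device looks up the routing table of that VPN instance to forward tunnel-encapsulated packets.
On the tunnel's source interface, the ip binding vpn-instance command specifies the VPN instance to which the tunnel source address belongs. The tunnel source address and destination address must belong to the same VPN instance; otherwise the tunnel interface link state cannot come UP.
[Examples]
# On interface Tunnel1, specify that encapsulated tunnel packets are routed in vpn10. (Routing application)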
<Sysname> system-view
[Sysname] ip vpn-instance vpn10
[Sysname-vpn-instance-vpn10] route-distinguisher 1:1
[Sysname-vpn-instance-vpn10] vpn-target 1:1
[Sysname-vpn-instance-vpn10] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ip binding vpn-instance vpn10
[Sysname-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] interface tunnel 1 mode gre
[Sysname-Tunnel1] source gigabitethernet 1/0/1
[Sysname-Tunnel1] destination 1.1.1.2
[Sysname-Tunnel1] tunnel vpn-instance vpn10
# On interface Tunnel1, specify that encapsulated tunnel packets are routed in vpn10. (Switching application)
<Sysname> system-view
[Sysname] ip vpn-instance vpn10
[Sysname-vpn-instance-vpn10] route-distinguisher 1:1
[Sysname-vpn-instance-vpn10] vpn-target 1:1
[Sysname-vpn-instance-vpn10] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ip binding vpn-instance vpn10
[Sysname-Vlan-interface10] ip address 1.1.1.1 24
[Sysname-Vlan-interface10] quit
[Sysname] interface tunnel 1 mode gre
[Sysname-Tunnel1] source vlan-interface 10
[Sysname-Tunnel1] destination 1.1.1.2
[Sysname-Tunnel1] tunnel vpn-instance vpn10
(0)
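Based on the information you provided, the problem you are seeing may be related to the GRE tunnel configuration. The error message "GRE/7/error: Tunnel100 status check: Source address is not the address of a local interface" indicates that the tunnel source address is configured incorrectly: it is not the address of a local interface. This may be why the tunnel state is down.
The IPFW log shows that the MBUF was intercepted, which may be caused by a security policy or a misconfiguration. In this case, you need to check the tunnel configuration and make sure the source address is the address of a local interface and the tunnel destination address is the address of the peer device. In addition, you need to check the IPFW configuration and make sure the security policy permits the GRE tunnel traffic.
If you need specific commands to adjust the configuration, you can refer to the following example: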
```shell
interface Tunnel100
ip address 12.1.1.2 255.255.255.0
tunnel source [local interface address]
tunnel destination [peer device address]
```
(0)
GRE + VRF scenario configuration example:
1. Topology
FW1:
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip binding vpn-instance vpn1
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel10 mode gre
ip binding vpn-instance vpn1
ip address 1.1.1.1 255.255.255.0
source 192.168.1.1
destination 192.168.2.2
tunnel vpn-instance vpn1
#
interface LoopBack0
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.0
#
ip route-static vpn-instance vpn1 10.2.2.0 24 Tunnel10
ip route-static vpn-instance vpn1 192.168.2.0 24 192.168.1.2
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
import interface Tunnel10
#
security-policy ip
rule 1 name 111
action pass
vrf vpn1
#
R1:
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 192.168.2.1 255.255.255.0
#
FW2:
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip binding vpn-instance vpn1
ip address 192.168.2.2 255.255.255.0
#
interface Tunnel10 mode gre
ip binding vpn-instance vpn1
ip address 1.1.1.2 255.255.255.0
source 192.168.2.2
destination 192.168.1.1
tunnel vpn-instance vpn1
#
interface LoopBack0
ip binding vpn-instance vpn1
ip address 10.2.2.2 255.255.255.0
#
ip route-static vpn-instance vpn1 10.1.1.0 24 Tunnel10
ip route-static vpn-instance vpn1 192.168.1.0 24 192.168.2.1
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
import interface Tunnel10
#
security-policy ip
rule 1 name 111
action pass
vrf vpn1
#
Service test:
Note: with GRE + VRF, you must configure tunnel vpn-instance xxx under interface Tunnelxx mode gre; otherwise the GRE tunnel is down.
(0)
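The rule stated in the answers above (the tunnel source must be a local interface address, and the source interface's `ip binding vpn-instance` must match the tunnel's `tunnel vpn-instance`) can be checked against a saved configuration before a tunnel is brought up. The Python below is an added example, not code from any post in this thread or from the vendor; it assumes `#`-separated configuration text in the form shown above, and the function names and the sample are constructed for illustration.

```python
import re

# Constructed sample modeled on FW1 above; "tunnel vpn-instance vpn1" is deliberately omitted.
SAMPLE = """\
interface GigabitEthernet1/0/0
 ip binding vpn-instance vpn1
 ip address 192.168.1.1 255.255.255.0
#
interface Tunnel10 mode gre
 ip binding vpn-instance vpn1
 source 192.168.1.1
 destination 192.168.2.2
"""
KEYS = ("ip binding vpn-instance", "tunnel vpn-instance", "ip address", "source")

def parse_interfaces(config):
    """Map interface name -> {"mode": ..., <KEYS present>: first argument}."""
    ifaces, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface (\S+)(?: mode (\S+))?$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"mode": m.group(2)})
        elif line in ("", "#"):
            cur = None  # '#' ends the current section
        elif cur is not None:
            for key in KEYS:
                if line.startswith(key + " "):
                    cur.setdefault(key, line[len(key) + 1:].split()[0])
    return ifaces

def check_gre_tunnels(config):
    """Return findings for GRE tunnels that break the same-VPN-instance rule."""
    ifaces, findings = parse_interfaces(config), []
    for name, tun in ifaces.items():
        if tun["mode"] != "gre":
            continue
        src = tun.get("source")
        # The source is either an interface name or an address owned by one.
        owner = ifaces.get(src) or next((i for n, i in ifaces.items() if src
                and n != name and i.get("ip address") == src), None)
        if owner is None:
            findings.append(f"{name}: source {src} is not a local interface address")
            continue
        src_vpn = owner.get("ip binding vpn-instance", "public")
        dst_vpn = tun.get("tunnel vpn-instance", "public")
        if src_vpn != dst_vpn:
            findings.append(f"{name}: source in {src_vpn}, destination in {dst_vpn}")
    return findings

print(check_gre_tunnels(SAMPLE))
```

A finding of "source in vpn1, destination in public" corresponds to the missing `tunnel vpn-instance` case, and "is not a local interface address" corresponds to the GRE debug message in the question.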