Jul
09

"Why doesn't this PING work!?!"

Here is a simple 3 router configuration, well at least it is simple on 2 of the 3 routers. R1 and R3 are configured quite traditionally, but R2 is a bit more involved.
Here is the diagram.

ZBF Transparent VRF R2

Here are the details.

R2 is using a VRF which includes both LAN interfaces. R2 is also acting as a Zone Based Firewall in transparent mode, allowing all ICMP traffic in both directions, as well as SSH from the inside to the outside networks. R2 has a bridged virtual interface in the 10.123.0.0/24 network. All are running OSPF, but pings issued from R2 to the loopbacks of R1 and R3 are failing.

Can you identify why?
Here is the relevant output:

R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/DR 00:00:39 10.123.0.3 FastEthernet0/0
10.123.0.2 1 FULL/BDR 00:00:32 10.123.0.2 FastEthernet0/0
R1#show ip route ospf
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/2] via 10.123.0.3, 00:01:33, FastEthernet0/0

R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/88/172 ms
R1#ssh -l admin 3.3.3.3
Password: <password>

R3#show ssh
Connection Version Mode Encryption Hmac State Username
0 1.99 IN aes128-cbc hmac-sha1 Session started admin
0 1.99 OUT aes128-cbc hmac-sha1 Session started admin
%No SSHv1 server connections running.
R3#exit

[Connection to 3.3.3.3 closed by foreign host]
R1#

Now for R2:

R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/DROTHER 00:00:37 10.123.0.1 BVI1
3.3.3.3 1 FULL/DR 00:00:35 10.123.0.3 BVI1

R2#show ip route ospf

R2#show policy-map type inspect zone-pair
Zone-pair: zp-in-to-out

Service-policy inspect : p-in-to-out

Class-map: c-in-to-out (match-any)
Match: protocol icmp
4 packets, 320 bytes
30 second rate 0 bps
Match: protocol ssh
3 packets, 72 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [4:390]
icmp packets: [0:50]

Session creations since subsystem startup or last reset 8
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:1]
Last session created 00:02:23
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 3
Last half-open session total 0

Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Zone-pair: zp-out-to-in

Service-policy inspect : p-out-to-in

Class-map: c-out-to-in (match-all)
Match: protocol icmp
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:20]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:25:24
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 1
Last half-open session total 0

Class-map: class-default (match-any)
Match: any
Drop (default action)
4 packets, 96 bytes

R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2# show run
version 12.4
hostname R2
!
ip vrf myvrf
!
class-map type inspect match-any c-in-to-out
match protocol icmp
match protocol ssh
class-map type inspect match-all c-out-to-in
match protocol icmp
!
policy-map type inspect p-in-to-out
class type inspect c-in-to-out
inspect
class class-default
policy-map type inspect p-out-to-in
class type inspect c-out-to-in
inspect
class class-default
!
zone security inside
zone security outside
zone-pair security zp-in-to-out source inside destination outside
service-policy type inspect p-in-to-out
zone-pair security zp-out-to-in source outside destination inside
service-policy type inspect p-out-to-in
bridge irb
!
interface FastEthernet0/0
ip vrf forwarding myvrf
no ip address
zone-member security inside
bridge-group 1
!
interface FastEthernet0/1
ip vrf forwarding myvrf
no ip address
zone-member security outside
bridge-group 1
!
interface BVI1
ip vrf forwarding myvrf
ip address 10.123.0.2 255.255.255.0
!
router ospf 1 vrf myvrf
router-id 10.123.0.2
network 0.0.0.0 255.255.255.255 area 0
!
bridge 1 protocol ieee
bridge 1 route ip
end

Here is R3:

R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/DROTHER 00:00:32 10.123.0.1 FastEthernet0/1
10.123.0.2 1 FULL/BDR 00:00:31 10.123.0.2 FastEthernet0/1

R3#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 10.123.0.1, 00:29:36, FastEthernet0/1

R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/117/176 ms
R3#

Similar configuration scenarios are included in both our RS and SC workbooks at INE.

Take a moment, and post your ideas on why the PING from R2 is failing, and thanks for taking the time to assist!

Best wishes.

INE Instructor
About INE Instructor

Subscribe to INE Blog Updates