Fault Symptom
Router C is dual-homed to two routers in load balancing mode. The cost of the link between Router A and Router B is 500; the cost of the link between Router C and Router A is 800; the cost of the link between Router C and Router B is 800. Strict URPF is configured on Router A and Router B to protect them from DDoS attacks from Router C. After the configuration is complete, Router B can ping GE 1/0/1 on Router C successfully but cannot ping GE 1/0/0 on Router C.
Fault Analysis
1. Run the display ip routing-table command on Router B to check routing entries. The command output shows that routing information is correct.
2. The ping failure occurs after URPF is enabled. Therefore, it is suspected that URPF discards ping packets. You can disable URPF and then check whether the ping operation succeeds.
Run the undo ip urpf command in the interface view on Router A and Router B to disable URPF.
3. Analyze the path along which a ping request packet travels.
When Router B pings GE 1/0/1, two paths are available: B-C with the cost being 800 and B-A-C with the cost being 2100. The first path is preferentially used. For the ping response packet, two paths are available: C-B with the cost being 800 and C-A-B with the cost being 1300. The first path is preferentially used.
When Router B pings GE 1/0/0, two paths are available: B-C with the cost being 1600 and B-A-C with the cost being 1300. The second path is preferentially used. For the ping response packet, two paths are available: C-B with the cost being 800 and C-A-B with the cost being 1300. The first path is preferentially used.
The URPF check is available in two forms: URPF loose check and URPF strict check.
· In the URPF loose check, a packet can pass the URPF check as long as the forwarding table has a routing entry whose destination address is the source address of the packet. The URPF loose check does not require that the inbound interface of the packet be the same as the outbound interface in the routing entry.
· In the URPF strict check, a packet can pass the URPF check only if the forwarding table has a routing entry whose destination address is the source address of the packet and whose outbound interface is the same as the inbound interface of the packet.
It can therefore be concluded that this problem is caused by the URPF strict check. In this troubleshooting case, when Router B pings GE 1/0/0, the paths of ping request packets and ping response packets are different. As a result, ping response packets cannot pass the URPF strict check, and the ping fails.
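The strict and loose checks described above, modeled on Router B's forwarding table as an added Python example (not Huawei's implementation and not part of the original case). The IP addresses and the interface roles are constructed assumptions: GE1/0/1 is taken to be Router B's URPF-enabled interface toward Router C, and GE1/0/0 its interface toward Router A.

```python
import ipaddress

# Constructed forwarding table for Router B: (prefix, outbound interface).
# Prefixes and interface roles are assumptions made for this illustration.
FIB_B = [
    ("10.0.23.0/24", "GE1/0/1"),  # B-C link: holds Router C's GE 1/0/1
    ("10.0.13.0/24", "GE1/0/0"),  # A-C link: holds Router C's GE 1/0/0, best path via A
    ("10.0.12.0/24", "GE1/0/0"),  # A-B link
]

def lookup(fib, address):
    """Longest-prefix match; return the outbound interface or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, out_if in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best[1] if best else None

def urpf_check(fib, src, in_if, mode):
    """Return True if a packet with source `src` arriving on `in_if` passes URPF.

    loose : a route back to the source exists, on any interface.
    strict: that route's outbound interface must equal the inbound interface.
    """
    out_if = lookup(fib, src)
    if out_if is None:
        return False              # no route to the source: dropped in both modes
    if mode == "loose":
        return True
    if mode == "strict":
        return out_if == in_if
    raise ValueError(f"unknown URPF mode: {mode}")

def reply_passes(src, mode):
    """Ping replies from Router C take the direct C-B path, so they arrive on GE1/0/1."""
    return urpf_check(FIB_B, src, "GE1/0/1", mode)

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for name, src in (("GE 1/0/1", "10.0.23.3"), ("GE 1/0/0", "10.0.13.3")):
            verdict = "pass" if reply_passes(src, mode) else "drop"
            print(f"{mode:6} reply from C {name} ({src}): {verdict}")
```

The only dropped packet is the reply sourced from Router C's GE 1/0/0 under the strict check, because Router B's route to that address points toward Router A while the reply arrives on the interface toward Router C.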
Procedure
1. Run the system-view command on Router A and Router B to enter the system view.
2. Run the interface interface-type interface-number command on Router A and Router B to enter the view of GE 1/0/0 on Router A and the view of GE 1/0/1 on Router B.
3. Run the ip urpf loose command on Router A and Router B to enable the URPF loose check function.
After the preceding operations, Router B can ping both GE 1/0/0 and GE 1/0/1 on Router C. The fault is thus rectified.
Summary
On a network where a device has two uplink paths, do not configure the URPF strict check function on the device.
