Multi VRF Issue

I have a 1941 router release ver 15.0(1r)M9, License ipbasek9.  I am connecting across a tunnel to another location.  Our location(s) uses VRF for several networks.  The 1941 should have two VRF's on it, but every time I try to add more than one network the routing does not work, there is no connectivity between the 1941 site and the main site VRF's.  The tunnels are up and can ping across no problem.  I need to have both VRF's running between the sites, but it seems I cannot have VRF's on the router at all.  If I take off VRF and just have one network configured it works fine for either network.  But if I use vrf-lite with both networks, then neither one works, and the only way I can connect to the 1941 router is through the tunnel source IP.

Does anyone know if there is a problem with this release?  I have 2911's and they are fine, the only thing I haven't done is to config a 1941 with multi vrf's but no tunnel, and test it locally.  Am not sure what the issue is.  Thanks in advance.
hayesie Asked:
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
Can you post the proposed config?
hayesie (Author) Commented:
I will do it tomorrow, I have left work now.  Thanks.
hayesie (Author) Commented:
Okay, here are the three router configs and a visio drawing.  Thanks.
VRF-HOME1.TXT
VRF-HOME2.TXT
VRF-REMOTE.txt
EXPERTS-VISIO.vsd
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
On one router, you have "XNET" as the vrf for everything except it is not defined (it is EXNET).  On the other it is the reverse.

This works in a lab environment.  Could you do some additional commands for me?

ping vrf EXNET 192.168.10.9 source 192.168.100.10
Do the reverse
Do for both VRF's


show ip ospf neigh vrf EXNET
show ip ospf neigh vrf ANET

Thanks
hayesie (Author) Commented:
Okay have done and attached. There may be some inconsistencies with the name, was trying to edit for public.  And with the tunnel id's as VRF-HOME1 has more than one...but did not want to edit in case I took out something that was relevant.  Rest assured as far as VRF names, and tunnel #'s go, they are correct.  Thanks, Rhonda
commands.txt
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
Does ANET work fine when both tunnels exist?  It seems to be a problem with XNET (in a mock I did I encountered the same thing.  Give me some time to play and I will get back to you.)
hayesie (Author) Commented:
I had this problem a couple of months ago, but did not need both VRF's right then, so I just took off the ANET VRF and its config, then all was well with XNET.  I don't need them both on again for the up and coming test...but eventually I will.  Thought I would take a stab at it again.

I changed all my ANET IP's to the 194.168.X.X subnets, except the VLAN 6 on RTR HOME2 and it has made no difference.

I also brought up another 1941 router and put two vrf's on it.  But no tunnels.  Still having some issues with pinging across to the REMOTE router...but nowhere else.  So am beginning to think it is the tunnels.  Or it doesn't like 2 tunnels, one worked fine earlier this spring when I had to take off a VRF.  I have no control over the tunnel IP's or the tunnel config on the transport router.  Thanks for your help with this.
hayesie (Author) Commented:
I had to push two VRF's before on an IPSEC Tunnel - and we used a FVRF, it worked fine.  I have not had problems with two or more configured VRF's across the network (not using a tunnel though) on 2911 Cisco routers.
Daniel Sheppard, Senior Network Analyst - Core & Perimeter, Commented:
Okay,

I believe your problem is specifically related to using only GRE tunnels.   Since they are only GRE tunnels, there is nothing to differentiate the one tunnel from the other as far as where the incoming packet is destined (no "state" information that is different).

You will have to create two loopbacks and initiate the Tunnels from those loopback interfaces.  If you have NAT after the fact, you have no way of doing this.

hayesie (Author) Commented:
I have the loopbacks already for vrf XNET and ANET, so use those loopbacks for the tunnel IP's instead of the ones I created separately.  So like this?

REMOTE VRF
!
interface Tunnel0
 description Link to EXTERNAL RTR G0/1/4
 ip vrf forwarding XNET
 ip address 192.168.100.5 255.255.255.252
 ip mtu 1446
 ip tcp adjust-mss 1406
 tunnel source 10.254.X.X
 tunnel destination 10.254.X.X
!
interface Tunnel1
 ip vrf forwarding ANET
 ip address 194.168.100.1 255.255.255.252
 ip mtu 1446
 ip tcp adjust-mss 1406
 tunnel source 10.254.X.X
 tunnel destination 10.254.X.X
!

and the same on the HOME1 router

!
interface Tunnel0
 description Link to REMOTE VRF G0/1/4
 ip vrf forwarding XNET
 ip address 192.168.100.1 255.255.255.252
 ip mtu 1446
 ip tcp adjust-mss 1406
 tunnel source 10.254.X.X
 tunnel destination 10.254.X.X
!
!
interface Tunnel1
 ip vrf forwarding ANET
 ip address 194.168.100.3 255.255.255.252 <-------changed loopback1 on my HOME1
 ip mtu 1446
 ip tcp adjust-mss 1406
 tunnel source 10.254.X.X
 tunnel destination 10.254.X.X
!

Or I guess make the tunnels IPsec and use FVRF.

Thanks, Rhonda
hayesie (Author) Commented:
No, guess that is not what you meant. When I tried to use the loopbacks already in place it gave me an error regarding overlap.

Rhonda
hayesie (Author) Commented:
I think I have found the problem, thanks to your help.  I found this random page talking about 2 tunnels with the same source and destination IP's and in that mess Cisco support stated that they do not support that config - yet.  Then later down the page they said -

"in 15.4(1)T, we have added support for 2 tunnels between the same IP endpoints. - See more at: https://supportforums.cisco.com/discussion/11818321/flexvpn-f-vrf-and-multiple-tunnels#sthash.ZjhtLZvI.dpuf"

My firmware is Version 15.1(3)T

Problem solved.  At least we know why now.  I will have to get my hands on the new firmware in order for this to work - ever.  Thanks again for your help, will be awarding you the points.  Got me going on the right track.
hayesie (Author) Commented:
Although not the complete solution, got me looking at the tunnels instead of the VRF's.  Thanks Daniel!
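
Added example, not part of the original thread or anyone's posted code: a small offline audit that checks an IOS configuration for the two conditions raised above, an interface bound to a VRF name that is never defined (the XNET/EXNET mismatch) and two tunnels that share the same source and destination, which per the Cisco forum quote is only supported from 15.4(1)T. The sample config is constructed, the 10.254.0.x addresses are placeholders for the redacted ones, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's REMOTE router (placeholder addresses).
SAMPLE_CONFIG = """\
ip vrf EXNET
ip vrf ANET
!
interface Tunnel0
 ip vrf forwarding XNET
 tunnel source 10.254.0.1
 tunnel destination 10.254.0.2
!
interface Tunnel1
 ip vrf forwarding ANET
 tunnel source 10.254.0.1
 tunnel destination 10.254.0.2
"""

def parse(config):
    """Return (defined VRF names, {interface: {vrf, source, destination}})."""
    vrfs, ifaces, current = set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # a top-level line ends any interface block
            if m := re.match(r"(?:ip vrf|vrf definition) (\S+)", line):
                vrfs.add(m.group(1))
            elif m := re.match(r"interface (\S+)", line):
                current = ifaces.setdefault(m.group(1), {})
        elif current is not None:
            if m := re.match(r" (?:ip )?vrf forwarding (\S+)", line):
                current["vrf"] = m.group(1)
            elif m := re.match(r" tunnel (source|destination) (\S+)", line):
                current[m.group(1)] = m.group(2)
    return vrfs, ifaces

def audit(config):
    """Flag undefined VRF references and tunnels sharing one endpoint pair."""
    vrfs, ifaces = parse(config)
    findings, pairs = [], defaultdict(list)
    for name, cfg in ifaces.items():
        if "vrf" in cfg and cfg["vrf"] not in vrfs:
            findings.append(("undefined-vrf", name, cfg["vrf"]))
        if "source" in cfg and "destination" in cfg:
            pairs[(cfg["source"], cfg["destination"])].append(name)
    for pair, names in pairs.items():
        if len(names) > 1:
            findings.append(("shared-endpoints", tuple(names), pair))
    return findings
```

Endpoints are compared as literal strings, so a tunnel sourced from an interface name and another sourced from that interface's IP address are not matched against each other.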