Troubleshoot Mobile IP Tunnel Establishment
Available Languages
Introduction
This document describes how to troubleshoot Mobile Technologies on Cisco IOS® XE platforms.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Mobile IP
- Cisco IOS XE Software
- IP Mobility: Mobile IP Configuration Guide, Cisco IOS Release 15M&T
- Cisco High-Speed WAN Interface Cards
Components Used
The information in this document is based on Routers with Cisco IOS XE software.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
When you troubleshoot Mobile IP Technologies, the primary concern is to have a good signal between the Cellular interface and the Radio Network Controller (RNC). Your Internet Service Provider (ISP) provides the IP address that you use to establish the Tunnel between the Mobile Node and the Foreign Agent/Home Agent (FA/HA).
Mobile Node not Established on the DMNR Tunnel0
This section provides a solution to the common problem of Tunnel0 down on the Mobile Network (MN). This network diagram is used as an example:
Mobile node is unable to establish the Tunnel0 towards the Foreign Agent.
MN#show ip int br | exclude unassigned Interface IP-Address OK? Method Status Protocol GigabitEthernet1/0 192.0.2.254 YES NVRAM up up Cellular0/0/0 203.0.113.1 YES NVRAM up up Loopback1234 x.x.x.x YES NVRAM up up
Diagnose the Problem
1. Review the configuration on the MN to confirm that the parameters provided by the ISP are correct.
| Configuration Example |
ip mobile secure home-agent <IP HA> spi 101 key hex <32 Hex digits> algorithm md5 mode prefix-suffix |
2. Use the command show ip mobile router to confirm the parameters sent to the ISP.
MN#show ip mobile router
Mobile Router
Enabled 05/29/23 21:57:14
Last redundancy state transition NEVER
Configuration:
Home Address x.x.x.x Mask 255.255.255.0
Home Agent 203.0.113.10 Priority 100 (best)
Registration lifetime 65534 sec
Retransmit Init 1000, Max 5000 msec, Limit 3
Extend Expire 120, Retry 3, Interval 10
Reverse tunnel required
Request GRE tunnel
Multi-path enabled, Requested metric: bandwidth
Mobile Networks: GigabitEthernet1/0 (192.0.2.0/255.255.255.0)
Monitor:
Status -Pending-
No active agent
No Tunnel
3. Activate debug ip mobile router detail and examine the MobRtrX messages in the syslog.
MN#debug ip mobile router detail
Mobile router details debugging is on
MN#
*May 29 22:35:19.319: MobRtrX: Register timer to 203.0.113.2 (CoA 203.0.113.2) expired
*May 29 22:35:19.319: MobRtrX: Extsize 18 netcnt 1
*May 29 22:35:19.319: MobRtrX: 1) Mobile network 192.0.2.0/24
*May 29 22:35:19.319: MobRtrX: Roaming Interface Attributes: ID 6 BW 1000000
*May 29 22:35:19.319: MobRtrX: Status Pending -> Pending
<snip>
*May 29 22:35:28.319: MobRtrX: Register timer to 203.0.113.2 (CoA 203.0.113.2) expired
*May 29 22:35:28.319: MobRtrX: Status Isolated -> Isolated ...
Logs to consider:
- The Cellular interface sends a registration to the FA/HA with the Care of Address (CoA) that is part of the IP address on the ISP side.
MobRtrX: Register timer to 203.0.113.2 (CoA 203.0.113.2) expired
- Sends the advertisement of the networks that are allowed to cross over the tunnel.
MobRtrX: 1) Mobile network 192.0.2.0/24 - The MN waits for the reply of the HA to create the tunnel.
MobRtrX: Status Pending -> Pending - Exceeded the timer. This is declared isolated. Next action is to perform a new request.
MobRtrX: Register timer to 203.0.113.2 (CoA 203.0.113.2) expired
MobRtrX: Status Isolated -> Isolated
4. Validate if the registration is performed on the router. In this scenario, the counter restarts to counter 00:00.
MN#show ip mobile router registration
Mobile Router Registrations: Foreign agent 203.0.113.2: Registration count 4, Interval 5 sec, On Cellular0/0/0 Care-of addr 203.0.113.2, HA addr 203.0.113.10, Home addr x.x.x.x Lifetime requested 01:00:00 (3600) Flags sbdmG-T-, Identification E81FACF1.53E5A9D0 Register next time 00:00:02 Extensions: Mobile Network 192.0.2.0/24 MN-HA Authentication SPI 101
MN#show ip mobile router registration Mobile Router Registrations:
Foreign agent 203.0.113.2: Registration count 4, Interval 5 sec, On Cellular0/0/0 Care-of addr 203.0.113.2, HA addr 203.0.113.10, Home addr x.x.x.x Lifetime requested 01:00:00 (3600) Flags sbdmG-T-, Identification E81FACF1.53E5A9D0 Register next time 00:00:01 Extensions: Mobile Network 192.0.2.0/24 MN-HA Authentication SPI 101
Tip: Next time, the Register increases are registered with the HA.
5. Validate the traffic status with the command show ip mobile router traffic.
MN#show ip mobile router traffic
Mobile Router Counters:
Agent Discovery:
Solicitations sent 11, advertisements received 494
Agent reboots detected 0
Registration:
Register 988, Deregister 0 requests sent
Register 987, Deregister 0 replies received
Requests accepted 0, denied 0 by HA 0 / FA 0
Denied due to mismatched ID 0
Authentication failed for HA 0 / FA 0
Invalid extensions 0, ignored 0
Invalid home address 0, ID 987
Unknown HA 0 / FA 0
Gratuitous ARPs sent 0
Movement:
Came up on HA 0, on FA 0
Moved HA to FA 0, FA to FA 0, FA to HA 0
Better interface detected 0
New HA Registrations 0
Tunnel Traffic:
Packets received 0, sent 0
Mobile Router Counters:
Bytes received 0, sent 0
Services:
Redundancy state active 0, passive Important logs:
- Mobile node sends a packet to validate if this is connected to the FA or if the device has moved from its location; this message is an ICMP with TTL 1, after the FA receives the packet, it replies with the point of attachment to the internet (advertisement).
Solicitations sent 11, advertisements received 494 - FA/HA accepts the mobile node to be registered.
Requests accepted 0, denied 0 by HA 0 / FA 0 < Fail output >
Requests accepted 2, denied 1 by HA 0 / FA 1 < works output >
6. Proceed with an Embedded Packet Capture (EPC) in control-plane to validate the Register packet to the FA, the response packet's code from the FA to the mobile node. This shows the reason for failure.
In the capture, the MN sends a request to solicit the tunnel, the FA replies with a error code 78. This code means there is a problem to establish the tunnel between the MN and the HA since the packet is not being delivered properly; due to this condition the FA sends a time out.
Tip: Refer to the value codes at the end of this document
Mobile Tunnel is not Established (Intermittent Connectivity)
In this scenario, the problem is with the ISP provider that does not create the connection with the Mobile node to the FA as a first step in order to create the Tunnel between the HA and Mobile Node.
Mobile node is unable to establish the Tunnel0 and maintain a stable Tunnel.
MN#show log | sec Tunnel *May 30 17:11:08.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up *May 30 17:17:01.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up *May 30 17:23:27.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up *May 30 17:29:16.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up *May 30 17:30:45.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up *May 30 17:34:07.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up *May 30 17:35:16.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
1. Check the cellular signal towards the Anthenna (RNC)
Note: Cellular troubleshooting is out of the scope for this document.
2. Validate the mobile router status.
MN#show ip mobile router
Mobile Router
Enabled 05/30/23 17:11:00
Last redundancy state transition NEVER
Configuration:
Home Address x.x.x.x Mask 255.255.255.0
Home Agent 203.0.113.10 Priority 100 (best) (current)
Registration lifetime 65534 sec
Retransmit Init 1000, Max 5000 msec, Limit 3
Extend Expire 120, Retry 3, Interval 10
Reverse tunnel required
Request GRE tunnel
Multi-path enabled, Requested metric: bandwidth
Mobile Networks: GigabitEthernet1/0 (192.0.2.0/255.255.255.0)
Monitor:
Status -Pending-
No active agent
No Tunnel4. Enable debug ip mobile router and validate the logs.
MN#debug ip mobile router Mobile router debugging is on *May 30 18:29:53.103: MobRtr: Delete FA 203.0.113.2 CoA 203.0.113.2 int Cellular0/0/0 *May 30 18:29:53.103: MobRtr: Delete reg to FA 203.0.113.2 (CoA 203.0.113.2) int Cellular0/0/0 *May 30 18:29:53.103: MobRtr: Delete default route (Tunnel0) *May 30 18:29:53.107: MobRtr: Delete host route to HA 203.0.113.10 via 203.0.113.2 (Cellular0/0/0) *May 30 18:29:53.107: MobRtr: Delete GW 203.0.113.2 *May 30 18:29:53.111: MobRtr: Status Registered -> Isolated *May 30 18:29:53.111: MobRtr: Delete tunnel Tunnel0 s x.x.x.x d 203.0.113.10 *May 30 18:30:04.159: MobRtr: New agent 203.0.113.2 CoA 203.0.113.2 int Cellular0/0/0 MAC ca03.429d.0038 *May 30 18:30:04.163: MobRtr: Register reason: left home *May 30 18:30:04.167: HA entry 203.0.113.10 updated with RegID E820BF2C *May 30 18:30:04.171: MobRtr: Register to FA 203.0.113.2 CoA 203.0.113.2 home x.x.x.x HA 203.0.113.10 life 36000
int Cellular0/0/0 flag sbdmGT cnt 0 id E820BF2C.2AEC80C8 *May 30 18:30:04.171: MobRtr: Status Isolated -> Pending *May 30 18:30:04.319: MobRtr: MN rcv accept (0) reply on Cellular0/0/0 from 203.0.113.2 lifetime 36000
id E820BF2C.2AEC80C8 *May 30 18:30:04.323: MobRtr: No Active FA *May 30 18:30:04.323: MobRtr: Status Pending -> Registered *May 30 18:30:04.387: MobRtr: Add host route to HA 203.0.113.10 via 203.0.113.2 (Cellular0/0/0) 0 *May 30 18:30:04.391: MobRtr: Add default route via 203.0.113.2 (Tunnel0) 0 MN# *May 30 18:30:04.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Important Logs:
- Due to the unstable connection, the Care of Address (CoA) is disconnected and as a consequence, the default route through the Tunnel0 is deleted from the MN along with the connection between the MN and the HA. This results in Isolated status on the debug.
MobRtr: Delete FA 203.0.113.2 CoA 203.0.113.2 int Cellular0/0/0
MobRtr: Delete default route (Tunnel0)
MobRtr: Delete host route to HA 203.0.113.10 via 203.0.113.2 (Cellular0/0/0)
MobRtr: Status Registered -> Isolated
MobRtr: Delete tunnel Tunnel0 s x.x.x.x d 203.0.113.10 - Mobile Node sends the ID to the FA in order to establish the new Tunnel.
HA entry 203.0.113.10 updated with RegID E820BF2C
MobRtr: Register to FA 203.0.113.2 CoA 203.0.113.2 home x.x.x.x HA 203.0.113.10 life 36000 int Cellular0/0/0 flag sbdmGT cnt 0 id E820BF2C.2AEC80C8
MobRtr: Status Isolated -> Pending - Mobile Node receives code 0 from the HA and registers this connection, creating the host route towards the MN and HA. Once the Tunnel is created, the default route is sent to the HA.
MobRtr: MN rcv accept (0) reply on Cellular0/0/0 from 203.0.113.2 lifetime 36000 id E820BF2C.2AEC80C8
MobRtr: Status Pending -> Registered
MobRtr: Add host route to HA 203.0.113.10 via 203.0.113.2 (Cellular0/0/0) 0
MobRtr: Add default route via 203.0.113.2 (Tunnel0) 0
5- Proceed with an Embedded Packet Capture (EPC) in control-plane and validate the packets from the MN to the FA and vice versa.
In the capture, the MN sends a request. The HA does not receive the response, as a consequence, the FA replies with code 80 with the network unreachable.
Tip: Refer to the value codes at the end of this document.
In this scenario, the problem is with the ISP path being unstable. The communication between the HA and the FA is not stable, and is not creating the tunnel between them to deliver the packets.
Value Codes
| Value Codes | Description |
| 0 | Registration Accepted |
| Registration Denied | Foreign Agent |
| 64 | Reason Unspecified |
| 65 | Administratively Prohibited |
| 66 | Insufficient Resources |
| 67 | Mobile Node Failed Authentication |
| 68 | Home Agent Failed Authentication |
| 69 | Requested Lifetime too long |
| 70 | Poorly Formed Request |
| 71 | Poorly Formed Reply |
| 72 | Requested Encapsulation Unavailable |
| 73 | Reserved and Unavailable |
| 77 | Invalid care-of Address |
| 78 | Registration Timeout |
| 80 | Home Network Unreachable ( ICMP error received ) |
| 81 | Home Agent Host Unreachable ( ICMP error received ) |
| 82 | Home Agent Port Unreachable ( ICMP error received ) |
| 88 | Home Agent Unreachable ( other ICMP error received ) |
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
2.0 |
24-Jul-2023 |
Images made larger. |
1.0 |
20-Jul-2023 |
Initial Release |
Feedback