Cisco IOS Software Releases 12.3 T

Table Of Contents

Mobile IP—Support for RFC 3519 NAT Traversal

Contents

Restrictions for Mobile IP—Support for RFC 3519 NAT Traversal

Information About Mobile IP—Support for RFC 3519 NAT Traversal

Design of the Mobile IP—Support for RFC 3519 NAT Traversal Feature

Network Address Translation Devices

UDP Tunneling

Keepalive Management

New Message Extensions

UDP Tunnel Flag

How to Configure Mobile IP—Support for RFC 3519 NAT Traversal

Configuring the Home Agent for NAT Traversal Support

Configuring the Foreign Agent for NAT Traversal Support

Verifying NAT Traversal Support

Configuration Examples for Mobile IP—Support for RFC 3519 NAT Traversal

Home Agent Configuration: Examples

Foreign Agent Configuration: Example

Firewall Configuration: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

debug ip mobile

ip mobile foreign-agent nat traversal

ip mobile home-agent nat traversal

show ip mobile binding

show ip mobile globals

show ip mobile tunnel

show ip mobile visitor

Glossary

Mobile IP—Support for RFC 3519 NAT Traversal

---

The Mobile IP—Support for RFC 3519 NAT Traversal feature introduces an alternative method for tunneling Mobile IP data traffic. New extensions in the Mobile IP registration request and reply messages have been added for establishing User Datagram Protocol (UDP) tunneling.

The benefit of this feature is that mobile devices in collocated mode that use a private IP address (RFC 1918) or foreign agents (FAs) that use a private IP address for the care-of address (CoA) are now able to establish a tunnel and traverse a NAT-enabled router with mobile node (MN) data traffic from the home agent (HA).

Feature History for Mobile IP—Support for RFC 3519 NAT Traversal

Release	Modification
12.3(8)T	This feature was introduced.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Restrictions for Mobile IP—Support for RFC 3519 NAT Traversal

•Information About Mobile IP—Support for RFC 3519 NAT Traversal

•How to Configure Mobile IP—Support for RFC 3519 NAT Traversal

•Configuration Examples for Mobile IP—Support for RFC 3519 NAT Traversal

•Additional References

•Command Reference

•Glossary

Restrictions for Mobile IP—Support for RFC 3519 NAT Traversal

•If the network does not allow communication between a UDP port chosen by an MN and the HA UDP port 434, the Mobile IP registration and the data tunneling will not work.

•Only the IP-to-UDP encapsulation method is supported.

Information About Mobile IP—Support for RFC 3519 NAT Traversal

To configure the Mobile IP—Support for RFC 3519 NAT Traversal feature, you should understand the following concepts:

•Design of the Mobile IP—Support for RFC 3519 NAT Traversal Feature

•Network Address Translation Devices

•UDP Tunneling

Design of the Mobile IP—Support for RFC 3519 NAT Traversal Feature

Because of the depletion of globally routable addresses, service providers and enterprises are using addresses from private- and public-address realms and are using NAT-based solutions for achieving transparent routing between these address realms. Private IP addresses (RFC 1918) allow each enterprise to use the same addresses except that the addresses cannot be seen in the Internet outside of the enterprise or service provider network.

Network Address Translation (NAT) allows for the translation of a private IP address to a public IP address. NAT uses the port number in the second header to organize the translations and determine which translation (if any) to use when it sees a returning packet.

The Mobile IP—Support for RFC 3519 NAT Traversal feature uses new message extensions in registration packets to establish UDP tunneling. When the MN registration packet traverses a NAT-enabled router, the HA detects the traversal by comparing the source IP address with the CoA and establishes UDP tunneling if the MN indicates that it is capable of UDP tunneling. The MN indicates the UDP tunneling capability by including the UDP tunneling extension in the registration request.

The NAT-enabled router allows the UDP registration packet to proceed through. UDP tunneling allows data packets from the HA to use the NAT translation set up by the registration packet. This occurs because the UDP tunnel header uses the same UDP source and destination port as the original registration packet, thus allowing it to use the NAT translation created for and by the registration packet traversing the NAT-enabled router. This allows the MN to receive data packets from the HA when it normally would not with the default IPinIP tunneling.

Figure 1 shows Mobile IP components and their relationships.

Figure 1 Mobile IP Components and Relationships

---

Note UDP tunneling is the only method that supports NAT traversal in Mobile IP.

---

Network Address Translation Devices

Network Address Translation (NAT) devices rely on IP addresses and port numbers from IP, TCP, and UDP layers for demultiplexing data to peers behind a NAT network. When a message is initiated from a private-address host to a public-address host, NAT modifies the source IP address in the packet to a globally routable source address and the source port number to a unique source port number that it can use for identifying the peer that initiates the message. NAT then preserves the private address, port-to-public address, and port mapping in its translation table and uses the NAT-translation entry to route the return traffic.

The Mobile IP—Support for RFC 3519 NAT Traversal feature provides UDP tunneling for data packets so that NAT devices can translate the IP addresses and forward the data packets from the HA to the MN.

UDP Tunneling

There are two directions for UDP tunneling: forward and reverse. Forward tunneling is done by an HA that forwards packets towards the MN, and reverse tunneling starts at the MN care-of address and terminates at the HA.

UDP tunneled packets that have been sent by an MN use the same ports as the registration request message. In particular, the source port may vary between new registration requests, but remains the same for all tunneled data and reregistrations. The destination port is always 434. UDP tunneled packets that are sent by an HA use the same ports, but in reverse.

---

Note UDP tunneling is for Mobile IP data traffic only. Registration requests and replies do not use UDP tunneling.

---

By setting the force bit in the UDP tunneling request, the MN can request Mobile IP UDP tunneling be established regardless of the NAT detection outcome by the HA. The final outcome of whether or not the MN will receive UDP tunneling is determined by whether or not the HA is configured to accept such requests.

Keepalive Management

The purpose of the keepalive messages is to refresh the active timer on the NAT translation in the NAT-enabled router. This maintains the NAT translation for use by the HA even when the MN is silent. This allows data packets from the HA to use the NAT translation created by the registration packet to traverse the NAT-enabled router and reach the MN even when the MN may not be sending any packets to the HA to keep the NAT translation active.

The keepalive timer interval is configurable on both the HA and the FA but is controlled by the HA keepalive interval value sent in the registration reply. When the HA sends a keepalive value in the registration reply, the MN or FA must use that value as its keepalive timer interval.

The keepalive interval configured on the FA is only used if the HA returns a keepalive interval of zero in the registration reply.

---

Note You cannot configure the HA to send a keepalive interval value of zero the FA or MN.

---

New Message Extensions

An extension is added to the end of a registration packet and indicates that it is a type, length, value (TLV) message. RFC 3519 discusses the UDP tunnel request and reply extension and a Mobile IP tunnel data message that serves to differentiate traffic tunneled to port 434.

The Mobile IP—Support for RFC 3519 NAT Traversal feature adds the following new UDP tunnel message extensions:

•Request—This message extension indicates that the sender is capable of handling UDP tunneling. Some encapsulation formats are optional.

•Reply—This message extension indicates whether or not the HA will use UDP tunneling. The HA also sends the keepalive interval in the reply message.

•Mobile IP tunnel data—This message extension is used to differentiate UDP data traffic tunneled to port 434 from other Mobile IP messages that use a UDP header such as registration requests.

UDP Tunnel Flag

The Mobile IP—Support for RFC 3519 NAT Traversal feature adds a new UDP tunnel flag in the agent advertisement that indicates the capability of the FA to support NAT traversal. The flag is a bit set in the advertisement.

How to Configure Mobile IP—Support for RFC 3519 NAT Traversal

This section contains the following tasks:

•Configuring the Home Agent for NAT Traversal Support (required)

•Configuring the Foreign Agent for NAT Traversal Support (required)

•Verifying NAT Traversal Support (optional)

Configuring the Home Agent for NAT Traversal Support

This task shows you how to configure the HA for NAT traversal support.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip mobile home-agent nat traversal [keepalive keepalive-time] [forced {accept | reject}]

4. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip mobile home-agent nat traversal [keepalive keepalive-time] [forced {accept | reject}] Example: Router(config)# ip mobile home-agent nat traversal keepalive 45 forced accept	Enables UDP tunneling for an HA. The keywords and argument are as follows: •keepalive keepalive-time—(Optional) Time, in seconds, between keepalive messages that are sent between UDP endpoints to refresh NAT translation timers. The range is 0 to 65535. The default is 110. Note You cannot configure the HA to send a zero as the keepalive timer to the FA or MN. •forced—(Optional) Enables the HA to accept or reject forced UDP tunneling from the MN regardless of the NAT-detection outcome. –accept—Accepts UDP tunneling. –reject—Rejects UDP tunneling. This is the default. Note If the forced keyword is not specified, the command defaults to reject UDP tunneling.
Step 4	exit Example: Router(config)# exit	Exits global configuration mode.

Configuring the Foreign Agent for NAT Traversal Support

This task shows you how to configure the FA for NAT traversal support.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force]

4. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force] Example: Router(config)# ip mobile foreign-agent nat traversal keepalive 45 force	Enables UDP tunneling for the FA. The keywords and argument are as follows: •keepalive keepalive-time—(Optional) Allows the FA to use a configured time (in seconds) for keepalive messages when the HA keepalive time is not configured. The range is 0 to 65535. The default is 110. Note The Cisco HA will never send a time of zero. If you have Cisco hardware only, you do not need to configure the keepalive keyword. •force—(Optional) Sets the "force" bit in the message extension. The default is not to force UDP tunneling.
Step 4	exit Example: Router(config)# exit	Exits global configuration mode.

Verifying NAT Traversal Support

To verify that Support for RFC 3519 NAT Traversal is enabled and functioning properly, perform the following steps.

SUMMARY STEPS

1. show ip mobile globals

2. show ip mobile binding

3. show ip mobile visitor

4. show ip mobile tunnel

5. debug ip mobile

DETAILED STEPS

---

Step 1 show ip mobile globals

Use this command to verify the FA and HA configurations, for example:

Router# show ip mobile globals

IP Mobility global information:

Home agent

 Registration lifetime: 10:00:00 (36000 secs)

 Broadcast disabled

 Replay protection time: 7 secs

 Reverse tunnel enabled

 ICMP Unreachable enabled

 Strip realm disabled

 NAT Traversal disabled

 HA Accounting disabled

 NAT UDP Tunneling support enabled

 UDP Tunnel Keepalive 60

 Forced UDP Tunneling enabled

 Virtual networks

 10.99.101.0/24

Foreign agent is not enabled, no care-of address

0 interfaces providing service

Encapsulations supported: IPIP and GRE

Tunnel fast switching enabled, cef switching enabled

Tunnel path MTU discovery aged out after 10 min

In the example above, NAT UDP tunneling support is enabled on the HA with a keepalive timer set at 60 seconds and forced UDP tunneling enabled.

Step 2 show ip mobile binding

Use this command to verify that the HA is configured to detect NAT, for example:

Router# show ip mobile binding nai mn@cisco.com

Mobility Binding List:

 mn@cisco.com (Bindings 1):

 Home Addr 10.99.101.1

 Care-of Addr 192.168.1.202, Src Addr 209.165.157

 Lifetime granted 00:03:00 (180), remaining 00:02:20

 Flags sbDmg-T-, Identification BCF5F7FF.92C1006F

 Tunnel0 src 209.165.202.1 dest 209.165.157 reverse-allowed

 Routing Options - (D)Direct-to-MN (T)Reverse-tunnel

 Service Options:

 NAT detect

Step 3 show ip mobile visitor

Use this command to verify that the MN is registering with the HA (at the FA), for example:

Router# show ip mobile visitor

Mobile Visitor List:

Total 1

10.99.100.2:

 Interface FastEthernet3/0, MAC addr 00ff.ff80.002b

 IP src 10.99.100.2, dest 30.5.3.5, UDP src port 434

 HA addr 200.1.1.1, Identification BCE7E391.A09E8720

 Lifetime 01:00:00 (3600) Remaining 00:30:09

 Tunnel1 src 200.1.1.5, dest 200.1.1.1, reverse-allowed

 Routing Options - (T)Reverse Tunneling

Step 4 show ip mobile tunnel

Use this command to verify that UDP tunneling is established, for example:

Router# show ip mobile tunnel

Mobile Tunnels:

Total mobile ip tunnels 1

Tunnel0:

    src 10.30.30.1, dest 10.10.10.100

    src port 434, dest port 434

    encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1

    IP MTU 1480 bytes

    Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

    outbound interface Ethernet2/3

    FA created, fast switching disabled, ICMP unreachable enabled

    5 packets input, 600 bytes, 0 drops

    7 packets output, 780 bytes

The following output shows that the mobile node-home agent tunnel is still IP-in-IP, but the foreign agent-home agent tunnel is UDP, for example:

Router# show ip mobile tunnel

Mobile Tunnels:

Total mobile ip tunnels 2

Tunnel0:

 src 200.1.1.1, dest 10.99.100.2

 encap IP/IP, mode reverse-allowed, tunnel-users 1

 IP MTU 1460 bytes

 Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

 outbound interface Tunnel1

 HA created, fast switching enabled, ICMP unreachable enabled

 11 packets input, 1002 bytes, 0 drops

 5 packets output, 600 bytes

Tunnel1:

 src 200.1.1.1, dest 200.1.1.5

 src port 434, dest port 434

 encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1

 IP MTU 1480 bytes

 Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

 outbound interface GigabitEthernet0/2

 HA created, fast switching disabled, ICMP unreachable enabled

 11 packets input, 1222 bytes, 0 drops

 7 packets output, 916 bytes

In the following example, the MN has UDP tunneling established with the HA, for example:

Router# show ip mobile tunnel

Total mobile ip tunnels 1

Tunnel0:

    src 10.10.10.100, dest 10.10.10.50

    src port 434, dest port 434

    encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1

    IP MTU 1480 bytes

    Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

    outbound interface Ethernet2/1

    HA created, fast switching disabled, ICMP unreachable enabled

    5 packets input, 600 bytes, 0 drops

    5 packets output, 600 bytes

Step 5 debug ip mobile

Use this command to verify the registration, authentication, and establishment of UDP tunneling of the MN with the FA (important lines in bold), for example:

Dec 31 12:34:25.707: UDP: rcvd src=10.10.10.10(434),dst=10.30.30.1(434), length=54

Dec 31 12:34:25.707: MobileIP: ParseRegExt type MHAE(32) addr 2000FEEC end 2000FF02

Dec 31 12:34:25.707: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:25.707: MobileIP: FA rcv registration for MN 10.10.10.10 on Ethernet2/2 using 
 COA 10.30.30.1 HA 10.10.10.100 lifetime 65535 options sbdmg-T-identification 
 C1BC0D4FB01AC0D8

Dec 31 12:34:25.707: MobileIP: Ethernet2/2 glean 10.10.10.10 accepted

Dec 31 12:34:25.707: MobileIP: Registration request byte count = 74

Dec 31 12:34:25.707: MobileIP: FA queued MN 10.10.10.10 in register table

Dec 31 12:34:25.707: MobileIP: Visitor registration timer started for MN 10.10.10.10, 
 lifetime 120

Dec 31 12:34:25.707: MobileIP: Adding UDP Tunnel req extension

Dec 31 12:34:25.707: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:25.707: MobileIP: MN 10.10.10.10 FHAE added to HA 10.10.10.100 using SPI 1000

Dec 31 12:34:25.707: MobileIP: FA forwarded registration for MN 10.10.10.10 to HA 
 10.10.10.100

Dec 31 12:34:25.715: UDP: rcvd src=10.10.10.100(434), dst=10.30.30.1(434), length=94

Dec 31 12:34:25.715: MobileIP: ParseRegExt type NVSE(134) addr 20010B28 end 20010B6A

Dec 31 12:34:25.715: MobileIP: ParseRegExt type MN-config NVSE(14) subtype 1 (MN prefix 
 length) prefix length (24)

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 12 to next

Dec 31 12:34:25.715: MobileIP: ParseRegExt type MHAE(32) addr 20010B36 end 20010B6A

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:25.715: MobileIP: ParseRegExt type UDPTUNREPE(44) addr 20010B4C end 20010B6A

Dec 31 12:34:25.715: Parsing UDP Tunnel Reply Extension - length 6

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 6 to next

Dec 31 12:34:25.715: MobileIP: ParseRegExt type FHAE(34) addr 20010B54 end 20010B6A

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:25.715: MobileIP: FA rcv accept (0) reply for MN 10.10.10.10 on Ethernet2/3 
 using HA 10.10.10.100 lifetime 65535

Dec 31 12:34:25.719: MobileIP: Authenticating HA 10.10.10.100 using SPI 1000

Dec 31 12:34:25.719: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:25.719: MobileIP: Authenticated HA 10.10.10.100 using SPI 1000 and 16 byte 
 key

Dec 31 12:34:25.719: MobileIP: HA accepts UDP Tunneling

Dec 31 12:34:25.719: MobileIP: Update visitor table for MN 10.10.10.10

Dec 31 12:34:25.719: MobileIP: Enabling UDP Tunneling

Dec 31 12:34:25.719: MobileIP: Tunnel0 (MIPUDP/IP) created with src 10.30.30.1 dst 
 10.10.10.100

Dec 31 12:34:25.719: MobileIP: Setting up UDP Keep-Alive Timer for tunnel 10.30.30.1:0 - 
 10.10.10.100:0 with keep-alive 30

Dec 31 12:34:25.719: MobileIP: Starting the tunnel keep-alive timer

Dec 31 12:34:25.719: MobileIP: ARP entry for MN 10.10.10.10 using 10.10.10.10 inserted on 
 Ethernet2/2

Dec 31 12:34:25.719: MobileIP: FA route add 10.10.10.10 successful. Code = 0

Dec 31 12:34:25.719: MobileIP: MN 10.10.10.10 added to ReverseTunnelTable of Ethernet2/2 
 (Entries 1)

Dec 31 12:34:25.719: MobileIP: FA dequeued MN 10.10.10.10 from register table

Dec 31 12:34:25.719: MobileIP: MN 10.10.10.10 using 10.10.10.10 visiting on Ethernet2/2 
Dec 31 12:34:25.719: MobileIP: Reply in for MN 10.10.10.10 using 10.10.10.10, accepted

Dec 31 12:34:25.719: MobileIP: registration reply byte count = 84

Dec 31 12:34:25.719: MobileIP: FA forwarding reply to MN 10.10.10.10 (10.10.10.10 mac 
 0060.70ca.f021)

Dec 31 12:34:26.095: MobileIP: agent advertisement byte count = 48

Dec 31 12:34:26.095: MobileIP: Agent advertisement sent out Ethernet2/2: type=16, len=10, 
 seq=55, lifetime=65535, flags=0x1580(rbhFmG-TU),

Dec 31 12:34:26.095: Care-of address: 10.30.30.1

Dec 31 12:34:26.719: MobileIP: swif coming up Tunnel0

!

Dec 31 12:34:35.719: UDP: sent src=10.30.30.1(434), dst=10.10.10.100(434)

Dec 31 12:34:35.719: UDP: rcvd src=10.10.10.100(434), dst=10.30.30.1(434), length=32d0

In the following example, the registration, authentication, and establishment of UDP tunneling of the MN with the HA is displayed:

Dec 31 12:34:26.167: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:26.167: MobileIP: ParseRegExt type UDPTUNREQE(144) addr 2001E762 end 2001E780

Dec 31 12:34:26.167: MobileIP: Parsing UDP Tunnel Request Extension - length 6

Dec 31 12:34:26.167: MobileIP: ParseRegExt skipping 6 to next

Dec 31 12:34:26.167: MobileIP: ParseRegExt type FHAE(34) addr 2001E76A end 2001E780

Dec 31 12:34:26.167: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:26.167: MobileIP: HA 167 rcv registration for MN 10.10.10.10 on Ethernet2/1 
 using HomeAddr 10.10.10.10 COA 10.30.30.1 HA 10.10.10.100 lifetime 65535 options 
 sbdmg-T-identification C1BC0D4FB01AC0D8

Dec 31 12:34:26.167: MobileIP: NAT detected SRC:10.10.10.50 COA: 10.30.30.1

Dec 31 12:34:26.167: MobileIP: UDP Tunnel Request accepted 10.10.10.50:434

Dec 31 12:34:26.167: MobileIP: Authenticating FA 10.30.30.1 using SPI 1000

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and truncated key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authenticated FA 10.30.30.1 using SPI 1000 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authenticating MN 10.10.10.10 using SPI 1000

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and truncated key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authenticated MN 10.10.10.10 using SPI 1000 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Mobility binding for MN 10.10.10.10 created

Dec 31 12:34:26.167: MobileIP: NAT detected for MN 10.10.10.10. Terminating tunnel on 
 10.10.10.50

Dec 31 12:34:26.167: MobileIP: Tunnel0 (MIPUDP/IP) created with src 10.10.10.100 dst 
 10.10.10.50

Dec 31 12:34:26.167: MobileIP: Setting up UDP Keep-Alive Timer for tunnel 10.10.10.100:0 - 
 10.10.10.50:0 with keep-alive 30

Dec 31 12:34:26.167: MobileIP: Starting the tunnel keep-alive timer 

Dec 31 12:34:26.167: MobileIP: MN 10.10.10.10 Insert route for 10.10.10.10/255.255.255.255 
 via gateway 10.10.10.50 on Tunnel0

Dec 31 12:34:26.167: MobileIP: MN 10.10.10.10 is now roaming

Dec 31 12:34:26.171: MobileIP: Gratuitous ARPs sent for MN 10.10.10.10 MAC 0002.fca5.bc39

Dec 31 12:34:26.171: MobileIP: Mask for address is 24

Dec 31 12:34:26.171: MobileIP: HA accepts registration from MN 10.10.10.10

Dec 31 12:34:26.171: MobileIP: Dynamic and Static Network Extension Length 0 - 0

Dec 31 12:34:26.171: MobileIP: Composed mobile network extension length:0

Dec 31 12:34:26.171: MobileIP: Added prefix length vse in reply

Dec 31 12:34:26.171: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 MHAE added to MN 10.10.10.10 using SPI 1000

Dec 31 12:34:26.171: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 FHAE added to FA 10.10.10.50 using SPI 1000

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 - HA sent reply to 10.10.10.50

Dec 31 12:34:26.171: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 HHAE added to HA 10.10.10.3 using SPI 1000

Dec 31 12:34:26.175: MobileIP: ParseRegExt type CVSE(38) addr 2000128C end 200012AE

Dec 31 12:34:26.175: MobileIP: ParseRegExt type HA red. version CVSE(6)

Dec 31 12:34:26.175: MobileIP: ParseRegExt skipping 8 to next

Dec 31 12:34:26.175: MobileIP: ParseRegExt type HHAE(35) addr 20001298 end 200012AE

Dec 31 12:34:26.175: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:26.175: MobileIP: Authenticating HA 10.10.10.3 using SPI 1000

Dec 31 12:34:26.175: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.175: MobileIP: Authentication algorithm MD5 and truncated key

Dec 31 12:34:26.175: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.175: MobileIP: Authenticated HA 10.10.10.3 using SPI 1000 and 16 byte key

Dec 31 12:34:27.167: MobileIP: swif coming up Tunnel0d0

In the following example, the force option is missing on the HA configuration, so the UDP tunneling request is rejected:

Router# debug ip mobile

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type NVSE(134) addr C368C6C

end C368

C9C

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type dynamic mobile-network

NVSE(9)

*Jun 6 20:49:28.147: MobileIP: ParseRegExt skipping 16 to next

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type MHAE(32) addr C368C7E

end C368C9C

*Jun 6 20:49:28.147: MobileIP: ParseRegExt skipping 20 to next

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type UDPTUNREQE(144) addr

C368C94 end C368C9C

*Jun 6 20:49:28.147: MobileIP: Parsing UDP Tunnel Request Extension -

length 6

*Jun 6 20:49:28.147: MobileIP: ParseRegExt skipping 6 to next

*Jun 6 20:49:28.147: MobileIP: HA 143 rcv registration for MN

10.99.100.2 on Gi

gabitEthernet0/2 using HomeAddr 10.99.100.2 COA 200.1.1.5 HA 200.1.1.1

lifetime

3600 options sbdmg-T- identification BCE7E253A7CAF30C

*Jun 6 20:49:28.147: MobileIP: NAT not detected SRC:200.1.1.5 COA:

200.1.1.5

*Jun 6 20:49:28.147: MobileIP: Forced UDP Tunneling requested

*Jun 6 20:49:28.147: MobileIP: UDP Tunnel Request rejected

*Jun 6 20:49:28.147: MobileIP: HA rejects registration for MN

10.99.100.2 - registration id mismatch (133)

---

Configuration Examples for Mobile IP—Support for RFC 3519 NAT Traversal

This section contains the following configuration examples:

•Home Agent Configuration: Examples

•Foreign Agent Configuration: Example

•Firewall Configuration: Example

Home Agent Configuration: Examples

The following example shows an active HA configuration.

ip mobile home-agent nat traversal keepalive 56 forced accept

ip mobile home-agent redundancy Phy1 virtual-network

ip mobile virtual-network 10.60.60.0 255.255.255.0 address 10.60.60.200

The following example shows a standby HA configuration.

ip mobile home-agent nat traversal keepalive 56 forced accept

ip mobile home-agent redundancy Phy1 virtual-network

ip mobile virtual-network 10.60.60.0 255.255.255.0 address 10.60.60.200

Foreign Agent Configuration: Example

The following example shows the FA configuration on Ethernet interface 2/2. The FA does not use the 45-second keepalive interval unless the HA sends back a zero as the interval in the registration reply.

ip mobile foreign-agent care-of Ethernet2/2

ip mobile foreign-agent nat traversal keepalive 45 force

Firewall Configuration: Example

The following example shows a configuration when a firewall is sitting between a FA and a HA. The firewall blocks IP-in-IP and GRE packets, but permits UDP packets. The HA and FA are configured to force the HA to use the UDP encapsulation.

HA Configuration

interface Loopback1

ip address 200.1.1.1 255.255.255.255

!

router mobile

!

! The following command set UDP keepalive interval to 60 second and enables the HA to 
accept forced UDP tunneling registration requests.

!

ip mobile home-agent nat traversal keepalive 60 forced accept

ip mobile home-agent

ip mobile virtual-network 10.99.100.0 255.255.255.0

ip mobile host 10.99.100.1 10.99.100.100 virtual-network 10.99.100.0 255.255.255.0

ip mobile mobile-networks 10.99.100.2

description MAR-3200

register

ip mobile secure host 10.99.100.1 10.99.100.100 spi 100 key hex

12345678123456781234567812345678 algorithm md5 mode prefix-suffix

Foreign Agent Configuration

interface Loopback1

ip address 10.1.1.5 255.255.255.255

!

interface FastEthernet3/0

ip address 10.5.3.5 255.255.255.0

ip irdp

ip irdp maxadvertinterval 9

ip irdp minadvertinterval 3

ip irdp holdtime 27

ip mobile foreign-service reverse-tunnel

!

ip mobile foreign-agent care-of Loopback1

!

! The following command forces the FA to request the HA to use UDP tunneling for MN. 
Without this command, the HA is configured to accept UDP tunneling. The HA will not use 
UDP tunneling if it is not NAT detected.

ip mobile foreign-agent nat traversal force

Mobile Router Configuration

interface Loopback1

!Description MR's home address.

ip address 10.99.100.2 255.255.255.255

!

interface FastEthernet0/0

description "802.11 Wi-Fi Link"

ip address 10.5.3.32 255.255.255.0

ip mobile router-service roam priority 120

!

ip mobile router

address 10.99.100.2 255.255.255.0

collocated single-tunnel

home-agent 10.1.1.1 priority 110

mobile-network Vlan210

reverse-tunnel

Cisco IOS Firewall

In the following example, an IP access-list is used to simulate the blocking of IP-in-IP and GRE packets.

!Input interface for the traffic coming from MR.

interface FastEthernet0/1

ip address 10.1.35.3 255.255.255.0

ip access-group Block-IPinIP-GRE-Packets in

!

ip access-list extended Block-IPinIP-GRE-Packets

deny ipinip any any

deny gre any any

permit ip any any

Additional References

The following sections provide references related to the Mobile IP—Support for RFC 3519 NAT Traversal feature.

Related Documents

Related Topic	Document Title
Generic routing encapsulation	Generic Routing Encapsulation, RFC 1701
IP encapsulation	IP Encapsulation in IP, RFC 2003
Mobile IP overview and configuration	"Configuring Mobile IP" chapter of the Cisco IOS IP Configuration Guide, Release 12.3
Mobile IP traversal of NAT devices	Mobile IP Traversal of Network Address Translation (NAT) Devices, RFC 3519
Mobile IP command description and syntax	Cisco IOS IP Command Reference, Volume 4 of 4: IP Mobility, Release 12.3 T
NAT and Network Address Port Translation (NAPT) overview and configuration	•"Configuring IP Addressing" chapter of the Cisco IOS IP Configuration Guide, Release 12.3 •Cisco IOS IP Command Reference, Volume 1 of 4: IP Addressing and Services, Release 12.3 T •IP NAT Terminology and Considerations, RFC 2663 •Network Address Translation - Protocol Translation, RFC 2766

Standards

Standards	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

MIBs

MIBs	MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFCs	Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.	—

Technical Assistance

Description	Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/public/support/tac/home.shtml

Command Reference

This section documents new and modified commands only.

New Commands

•ip mobile foreign-agent nat traversal

•ip mobile home-agent nat traversal

Modified Commands

•debug ip mobile

•show ip mobile binding

•show ip mobile globals

•show ip mobile tunnel

•show ip mobile visitor

debug ip mobile

To display IP mobility activities, use the debug ip mobile command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug ip mobile [advertise | host [access-list-number] | standby]

no debug ip mobile

Syntax Description

advertise	(Optional) Advertisement information.
host	(Optional) The mobile node host.
access-list-number	(Optional) The number of an IP access list.
standby	(Optional) Redundancy activities.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.0(1)T	This command was introduced.
12.0(2)T	The standby keyword was added.
12.2(13)T	This command was enhanced to display information about foreign agent reverse tunnels and the mobile networks attached to the mobile router.
12.3(8)T	The output was enhanced to display information about UDP tunneling.

Usage Guidelines

Use the debug ip mobile standby command to troubleshoot redundancy problems.

No per-user debugging output is shown for mobile nodes using the network access identifier (NAI) for the debug ip mobile host command. Debugging of specific mobile nodes using an IP address is possible through the access list.

Examples

The following is sample output from the debug ip mobile command when foreign agent reverse tunneling is enabled:

MobileIP:MN 14.0.0.30 deleted from ReverseTunnelTable of Ethernet2/1(Entries 0)

The following is sample output from the debug ip mobile advertise command:

Router# debug ip mobile advertise

MobileIP: Agent advertisement sent out Ethernet1/2: type=16, len=10, seq=1, 
lifetime=36000, 

flags=0x1400(rbhFmGv-rsv-), 

Care-of address: 68.0.0.31 

Prefix Length ext: len=1 (8 )

FA Challenge value:769C808D

Table 1 describes the significant fields shown in the display.

Table 1 debug ip mobile advertise Field Descriptions 

Field	Description
type	Type of advertisement.
len	Length of extension (in bytes).
seq	Sequence number of this advertisement.
lifetime	Lifetime (in seconds).
flags	Capital letters represent bits that are set; lowercase letters represent unset bits.
Care-of address	IP address.
Prefix Length ext	Number of prefix lengths advertised. This is the bits in the mask of the interface sending this advertisement. Used for roaming detection.
FA Challenge value	Foreign Agent challenge value (randomly generated by the foreign agent.)

The following is sample output from the debug ip mobile host command:

Router# debug ip mobile host

MobileIP: HA received registration for MN 20.0.0.6 on interface Ethernet1 using COA

68.0.0.31 HA 66.0.0.5 lifetime 30000 options sbdmgvT

MobileIP: Authenticated FA 68.0.0.31 using SPI 110 (MN 20.0.0.6)

MobileIP: Authenticated MN 20.0.0.6 using SPI 300

MobileIP: HA accepts registration from MN 20.0.0.6

MobileIP: Mobility binding for MN 20.0.0.6 updated

MobileIP: Roam timer started for MN 20.0.0.6, lifetime 30000

MobileIP: MH auth ext added (SPI 300) in reply to MN 20.0.0.6

MobileIP: HF auth ext added (SPI 220) in reply to MN 20.0.0.6

MobileIP: HA sent reply to MN 20.0.0.6

The following is sample output from the debug ip mobile standby command. In this example, the active home agent receives a registration request from mobile node 20.0.0.2 and sends a binding update to peer home agent 1.0.0.2:

MobileIP:MN 20.0.0.2 - sent BindUpd to HA 1.0.0.2 HAA 20.0.0.1

MobileIP:HA standby maint started - cnt 1

MobileIP:MN 20.0.0.2 - sent BindUpd id 3780410816 cnt 0 elapsed 0

adjust -0 to HA 1.0.0.2 in grp 1.0.0.10 HAA 20.0.0.1

In this example, the standby home agent receives a binding update for mobile node 20.0.0.2 sent by the active home agent:

MobileIP:MN 20.0.0.2 - HA rcv BindUpd from 1.0.0.3 HAA 20.0.0.1

UDP Tunneling for NAT Traversal

The following output displays the registration, authentication, and establishment of UDP tunneling of an MN with a FA (important lines are bold):

Dec 31 12:34:25.707: UDP: rcvd src=10.10.10.10(434),dst=30.30.30.1(434), length=54

Dec 31 12:34:25.707: MobileIP: ParseRegExt type MHAE(32) addr 2000FEEC end 2000FF02

Dec 31 12:34:25.707: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:25.707: MobileIP: FA rcv registration for MN 10.10.10.10 on Ethernet2/2 using 
 COA 30.30.30.1 HA 10.10.10.100 lifetime 65535 options sbdmg-T-identification 
 C1BC0D4FB01AC0D8

Dec 31 12:34:25.707: MobileIP: Ethernet2/2 glean 10.10.10.10 accepted

Dec 31 12:34:25.707: MobileIP: Registration request byte count = 74

Dec 31 12:34:25.707: MobileIP: FA queued MN 10.10.10.10 in register table

Dec 31 12:34:25.707: MobileIP: Visitor registration timer started for MN 10.10.10.10, 
 lifetime 120

Dec 31 12:34:25.707: MobileIP: Adding UDP Tunnel req extension

Dec 31 12:34:25.707: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:25.707: MobileIP: MN 10.10.10.10 FHAE added to HA 10.10.10.100 using SPI 1000

Dec 31 12:34:25.707: MobileIP: FA forwarded registration for MN 10.10.10.10 to HA 
 10.10.10.100

Dec 31 12:34:25.715: UDP: rcvd src=10.10.10.100(434), dst=30.30.30.1(434), length=94

Dec 31 12:34:25.715: MobileIP: ParseRegExt type NVSE(134) addr 20010B28 end 20010B6A

Dec 31 12:34:25.715: MobileIP: ParseRegExt type MN-config NVSE(14) subtype 1 (MN prefix 
 length) prefix length (24)

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 12 to next

Dec 31 12:34:25.715: MobileIP: ParseRegExt type MHAE(32) addr 20010B36 end 20010B6A

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:25.715: MobileIP: ParseRegExt type UDPTUNREPE(44) addr 20010B4C end 20010B6A

Dec 31 12:34:25.715: Parsing UDP Tunnel Reply Extension - length 6

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 6 to next

Dec 31 12:34:25.715: MobileIP: ParseRegExt type FHAE(34) addr 20010B54 end 20010B6A

Dec 31 12:34:25.715: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:25.715: MobileIP: FA rcv accept (0) reply for MN 10.10.10.10 on Ethernet2/3 
 using HA 10.10.10.100 lifetime 65535

Dec 31 12:34:25.719: MobileIP: Authenticating HA 10.10.10.100 using SPI 1000

Dec 31 12:34:25.719: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:25.719: MobileIP: Authenticated HA 10.10.10.100 using SPI 1000 and 16 byte 
 key

Dec 31 12:34:25.719: MobileIP: HA accepts UDP Tunneling

Dec 31 12:34:25.719: MobileIP: Update visitor table for MN 10.10.10.10

Dec 31 12:34:25.719: MobileIP: Enabling UDP Tunneling

Dec 31 12:34:25.719: MobileIP: Tunnel0 (MIPUDP/IP) created with src 30.30.30.1 dst 
 10.10.10.100

Dec 31 12:34:25.719: MobileIP: Setting up UDP Keep-Alive Timer for tunnel 30.30.30.1:0 - 
 10.10.10.100:0 with keep-alive 30

Dec 31 12:34:25.719: MobileIP: Starting the tunnel keep-alive timer

Dec 31 12:34:25.719: MobileIP: ARP entry for MN 10.10.10.10 using 10.10.10.10 inserted on 
 Ethernet2/2

Dec 31 12:34:25.719: MobileIP: FA route add 10.10.10.10 successful. Code = 0

Dec 31 12:34:25.719: MobileIP: MN 10.10.10.10 added to ReverseTunnelTable of Ethernet2/2 
 (Entries 1)

Dec 31 12:34:25.719: MobileIP: FA dequeued MN 10.10.10.10 from register table

Dec 31 12:34:25.719: MobileIP: MN 10.10.10.10 using 10.10.10.10 visiting on Ethernet2/2 
Dec 31 12:34:25.719: MobileIP: Reply in for MN 10.10.10.10 using 10.10.10.10, accepted

Dec 31 12:34:25.719: MobileIP: registration reply byte count = 84

Dec 31 12:34:25.719: MobileIP: FA forwarding reply to MN 10.10.10.10 (10.10.10.10 mac 
 0060.70ca.f021)

Dec 31 12:34:26.095: MobileIP: agent advertisement byte count = 48

Dec 31 12:34:26.095: MobileIP: Agent advertisement sent out Ethernet2/2: type=16, len=10, 
 seq=55, lifetime=65535, flags=0x1580(rbhFmG-TU),

Dec 31 12:34:26.095: Care-of address: 30.30.30.1

Dec 31 12:34:26.719: MobileIP: swif coming up Tunnel0

!

Dec 31 12:34:35.719: UDP: sent src=30.30.30.1(434), dst=10.10.10.100(434)

Dec 31 12:34:35.719: UDP: rcvd src=10.10.10.100(434), dst=30.30.30.1(434), length=32d0

The follow output shows the registration, authentication, and establishment of UDP tunneling of an MN with an HA (important lines are bold), for example:

Dec 31 12:34:26.167: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:26.167: MobileIP: ParseRegExt type UDPTUNREQE(144) addr 2001E762 end 2001E780

Dec 31 12:34:26.167: MobileIP: Parsing UDP Tunnel Request Extension - length 6

Dec 31 12:34:26.167: MobileIP: ParseRegExt skipping 6 to next

Dec 31 12:34:26.167: MobileIP: ParseRegExt type FHAE(34) addr 2001E76A end 2001E780

Dec 31 12:34:26.167: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:26.167: MobileIP: HA 167 rcv registration for MN 10.10.10.10 on Ethernet2/1 
 using HomeAddr 10.10.10.10 COA 30.30.30.1 HA 10.10.10.100 lifetime 65535 options 
 sbdmg-T-identification C1BC0D4FB01AC0D8

Dec 31 12:34:26.167: MobileIP: NAT detected SRC:10.10.10.50 COA: 30.30.30.1

Dec 31 12:34:26.167: MobileIP: UDP Tunnel Request accepted 10.10.10.50:434

Dec 31 12:34:26.167: MobileIP: Authenticating FA 30.30.30.1 using SPI 1000

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and truncated key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authenticated FA 30.30.30.1 using SPI 1000 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authenticating MN 10.10.10.10 using SPI 1000

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and truncated key

Dec 31 12:34:26.167: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Authenticated MN 10.10.10.10 using SPI 1000 and 16 byte key

Dec 31 12:34:26.167: MobileIP: Mobility binding for MN 10.10.10.10 created

Dec 31 12:34:26.167: MobileIP: NAT detected for MN 10.10.10.10. Terminating tunnel on 
 10.10.10.50

Dec 31 12:34:26.167: MobileIP: Tunnel0 (MIPUDP/IP) created with src 10.10.10.100 dst 
 10.10.10.50

Dec 31 12:34:26.167: MobileIP: Setting up UDP Keep-Alive Timer for tunnel 10.10.10.100:0 - 
 10.10.10.50:0 with keep-alive 30

Dec 31 12:34:26.167: MobileIP: Starting the tunnel keep-alive timer 

Dec 31 12:34:26.167: MobileIP: MN 10.10.10.10 Insert route for 10.10.10.10/255.255.255.255 
 via gateway 10.10.10.50 on Tunnel0

Dec 31 12:34:26.167: MobileIP: MN 10.10.10.10 is now roaming

Dec 31 12:34:26.171: MobileIP: Gratuitous ARPs sent for MN 10.10.10.10 MAC 0002.fca5.bc39

Dec 31 12:34:26.171: MobileIP: Mask for address is 24

Dec 31 12:34:26.171: MobileIP: HA accepts registration from MN 10.10.10.10

Dec 31 12:34:26.171: MobileIP: Dynamic and Static Network Extension Length 0 - 0

Dec 31 12:34:26.171: MobileIP: Composed mobile network extension length:0

Dec 31 12:34:26.171: MobileIP: Added prefix length vse in reply

Dec 31 12:34:26.171: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 MHAE added to MN 10.10.10.10 using SPI 1000

Dec 31 12:34:26.171: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 FHAE added to FA 10.10.10.50 using SPI 1000

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 - HA sent reply to 10.10.10.50

Dec 31 12:34:26.171: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.171: MobileIP: MN 10.10.10.10 HHAE added to HA 10.10.10.3 using SPI 1000

Dec 31 12:34:26.175: MobileIP: ParseRegExt type CVSE(38) addr 2000128C end 200012AE

Dec 31 12:34:26.175: MobileIP: ParseRegExt type HA red. version CVSE(6)

Dec 31 12:34:26.175: MobileIP: ParseRegExt skipping 8 to next

Dec 31 12:34:26.175: MobileIP: ParseRegExt type HHAE(35) addr 20001298 end 200012AE

Dec 31 12:34:26.175: MobileIP: ParseRegExt skipping 20 to next

Dec 31 12:34:26.175: MobileIP: Authenticating HA 10.10.10.3 using SPI 1000

Dec 31 12:34:26.175: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.175: MobileIP: Authentication algorithm MD5 and truncated key

Dec 31 12:34:26.175: MobileIP: Authentication algorithm MD5 and 16 byte key

Dec 31 12:34:26.175: MobileIP: Authenticated HA 10.10.10.3 using SPI 1000 and 16 byte key

Dec 31 12:34:27.167: MobileIP: swif coming up Tunnel0d0

In the following example, the force option is missing on the HA configuration, so the UDP tunneling request is rejected:

Router# debug ip mobile

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type NVSE(134) addr C368C6C

end C368

C9C

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type dynamic mobile-network

NVSE(9)

*Jun 6 20:49:28.147: MobileIP: ParseRegExt skipping 16 to next

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type MHAE(32) addr C368C7E

end C368C9C

*Jun 6 20:49:28.147: MobileIP: ParseRegExt skipping 20 to next

*Jun 6 20:49:28.147: MobileIP: ParseRegExt type UDPTUNREQE(144) addr

C368C94 end C368C9C

*Jun 6 20:49:28.147: MobileIP: Parsing UDP Tunnel Request Extension -

length 6

*Jun 6 20:49:28.147: MobileIP: ParseRegExt skipping 6 to next

*Jun 6 20:49:28.147: MobileIP: HA 143 rcv registration for MN

10.99.100.2 on Gi

gabitEthernet0/2 using HomeAddr 10.99.100.2 COA 200.1.1.5 HA 200.1.1.1

lifetime

3600 options sbdmg-T- identification BCE7E253A7CAF30C

*Jun 6 20:49:28.147: MobileIP: NAT not detected SRC:200.1.1.5 COA:

200.1.1.5

*Jun 6 20:49:28.147: MobileIP: Forced UDP Tunneling requested

*Jun 6 20:49:28.147: MobileIP: UDP Tunnel Request rejected

*Jun 6 20:49:28.147: MobileIP: HA rejects registration for MN

10.99.100.2 - registration id mismatch (133)

Related Commands

Command	Description
ip mobile foreign-agent nat traversal	Enables NAT UDP traversal support for MIP FAs.
ip mobile home-agent nat traversal	Enables NAT UDP traversal support for MIP HAs.
show ip mobile binding	Displays the mobility binding table.
show ip mobile globals	Displays global information about MIP HAs, FAs, and MNs.
show ip mobile tunnel	Displays information about UDP tunneling.
show ip mobile visitor	Displays the table that contains a visitor list of FAs.

ip mobile foreign-agent nat traversal

To enable NAT traversal support for Mobile IP (MIP) foreign agents (FAs), use the ip mobile foreign-agent nat traversal command in global configuration mode. To disable NAT traversal support, use the no form of this command.

ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force]

no ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force]

Syntax Description

keepalive keepalive-time	(Optional) Allows the FA to use a configured time for keepalive messages when the home agent (HA) keepalive time was not configured. The range is 0 to 65535 seconds. Default is 110 seconds. Note The Cisco HA will never send a time of zero. If you have Cisco hardware only, you do not need to configure the keepalive keyword.
force	(Optional) Allows the FA to force the HA to allocate a User Datagram Protocol (UDP) tunnel. The force keyword only sets the "force" bit in the message extension. The default is not to force UDP tunneling.

Defaults

Network Address Translation (NAT) traversal support for FAs is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.
12.4T	The keepalive keepalive-time range changed.

Usage Guidelines

You need to enable this command under the following circumstances:

•If you have a NAT box in your network.

•If you have a NAT box in your network, and you are using private an IP address for the care-of address (CoA) or source IP address in the registration request.

A likely scenario for using this command and when to set the force bit is when there is a firewall between an FA and HA. The firewall blocks IP-in-IP and GRE packets but permits UDP packets.

Examples

The following example shows a FA configuration with a keepalive time of 45 and forced UDP tunneling.

ip mobile foreign-agent care-of Ethernet2/2

ip mobile foreign-agent nat traversal keepalive 45 force

Related Commands

Command	Description
debug ip mobile	Displays IP mobility activities.
ip mobile home-agent nat traversal	Enables NAT UDP traversal support for MIP HAs.
show ip mobile bindings	Displays the mobility binding table.
show ip mobile globals	Displays global information about MIP HAs, FAs, and MNs.
show ip mobile visitor	Displays information about UDP tunneling.
show ip mobile tunnel	Displays the table that contains a visitor list of FAs.

ip mobile home-agent nat traversal

To enable NAT traversal support for Mobile IP home agents (HAs), use the ip mobile home-agent nat traversal command in global configuration mode. To disable Network Address Translation (NAT) traversal support for Mobile IP for the HA, use the no form of this command.

ip mobile home-agent nat traversal [keepalive keepalive-time] [forced {accept | reject}]

no ip mobile home-agent nat traversal [keepalive keepalive-time] [forced {accept | reject}]

Syntax Description

keepalive keepalive-time

(Optional) Configures the keepalive interval in seconds the HA uses in registration replies. When the HA replies with a keepalive interval other than zero, it forces the FA or MN to use this interval. If it replies with an interval of zero, the FA or MN should use its default configured interval. The range is 0 to 65535 seconds. The default is 110 seconds. Note The HA cannot be configured to return a zero keepalive interval in a registration reply.

forced

(Optional) Enables the HA to accept or reject forced UDP tunneling from the mobile node (MN) regardless of the NAT-detection outcome. •accept—Accepts UDP tunneling. •reject—Rejects UDP tunneling. Note If the forced keyword is not specified, the command defaults to rejecting registration requests where the "force" bit is set in the UDP tunnel extension. MN registration attempts will fail until the MN retires without the "forced" bit set in the UDP tunnel extension. The registration will fail until the MN retries the registration.

Defaults

NAT traversal support for Mobile IP is disabled for the HA.

Command Modes

Global configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.
12.4T	the keepalive keepalive-time range changed.

Usage Guidelines

Enable this command if your MNs will roam behind a NAT-enabled router or firewall.

Examples

The following example shows an HA configured with a keepalive timer set to 56 seconds and forced to accept UDP tunneling.

ip mobile home-agent nat traversal 56 forced accept

ip mobile home-agent replay 255

ip mobile home-agent redundancy Phy1 virtual-network

Related Commands

Command	Description
debug ip mobile	Displays IP mobility activities.
ip mobile foreign-agent nat traversal	Enables NAT UDP traversal support for MIP FAs.
show ip mobile binding	Displays the mobility binding table.
show ip mobile globals	Displays global information about MIP HAs, FAs, and MNs.
show ip mobile tunnel	Displays information about UDP tunneling.
show ip mobile visitor	Displays the table that contains a visitor list of FAs.

show ip mobile binding

To display the mobility binding table on the home agent (HA), use the show ip mobile binding command in privileged EXEC mode.

show ip mobile binding [home-agent ip-address | nai string [session-id string] | summary]

Syntax Description

home-agent	(Optional) Mobility bindings for a specific home agent (HA).
ip-address	(Optional) IP address for the HA.
nai string	(Optional) Mobile node (MN) identified by the network access identifier (NAI).
session-id string	(Optional) Session identifier. The string argument must be fewer than 25 characters in length.
summary	(Optional) Total number of bindings in the table.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.0(1)T	This command was introduced.
12.0(2)T	The home-agent keyword and ip-address argument were added.
12.1(2)T	The summary keyword was added.
12.2(2)XC	The nai keyword was added.
12.2(13)T	This command was enhanced to display the service options field and to include information about the mobile networks registered on the home agent.
12.3(4)T	The session-id keyword was added.
12.3(8)T	The output was enhanced to display UDP tunneling information.

Usage Guidelines

You can display a list of all bindings if you press enter, or you can specify an IP address. You can also specify an IP address for a specific HA using the show ip mobile binding home-agent ip-address command.

If the session-id string combination is specified, only the binding entry for that session identifier is displayed. A session identifier is used to uniquely identify a Mobile IP flow. A Mobile IP flow is the set of {NAI, IP address}. The flow allows a single NAI to be associated with one or multiple IP addresses, for example, {NAI, ipaddr1}, {NAI, ipaddr2}, and so on. A single user can have multiple sessions for example, when logging through different devices such as a PDA, cellular phone, or laptop. If the session identifier is present in the initial registration, it must be present in all subsequent registration renewals from that MN.

Examples

The following is sample output from the show ip mobile binding command:

Router# show ip mobile binding

Mobility Binding List:

Total 1

10.0.0.1: 

 Care-of Addr 10.0.0.31, Src Addr 10.0.0.31, 

 Lifetime granted 02:46:40 (10000), remaining 02:46:32

 Flags SbdmGvt, Identification B750FAC4.C28F56A8, 

 Tunnel100 src 10.0.0.5 dest 10.0.0.31 reverse-allowed

 Routing Options - (G)GRE

  Service Options:

  NAT detect

The following is sample output from the show ip mobile binding command when mobile networks are configured or registered on the home agent:

Router# show ip mobile binding

Mobility Binding List:

Total 1

10.0.4.1:

 Care-of Addr 10.0.0.5, Src Addr 10.0.0.5

 Lifetime granted 00:02:00 (120), remaining 00:01:56

 Flags sbDmgvT, Identification B7A262C5.DE43E6F4

 Tunnel0 src 10.0.0.3 dest 10.0.0.5 reverse-allowed

 MR Tunnel1 src 10.0.0.3 dest 10.0.4.1 reverse-allowed

 Routing Options - (D)Direct-to-MN (T)Reverse-tunnel

 Mobile Networks: 10.0.0.0/255.255.255.0(S)

  10.0.0.0/255.255.255.0 (D)

  10.0.0.0/255.0.0.0(D)

The following is sample output from the show ip mobile binding command with session identifier information:

Router# show ip mobile binding

Mobility Binding List:

Total 1

 10.100.100.19: 

 Care-of Addr 10.70.70.2, Src Addr 10.100.100.1, 

 Lifetime granted 00:33:20 (20000), remaining 00:30:56

 Flags SbdmGvt, Identification BC1C2A04.EA42659C, 

 Tunnel0 src 10.100.100.100 dest 10.70.70.2 reverse-allowed

 Routing Options 

 Session identifier 998811234

 SPI 333 (decimal 819) MD5, Prefix-suffix, Timestamp +/-255, root key

 Key 38a38987ad0a399cb80940835689da66

 SPI 334 (decimal 820) MD5, Prefix-suffix, Timestamp +/-255, session key

 Key 34c7635a313038611dec8c16681b55e0

The following sample output shows that the HA is configured to detect NAT:

Router# show ip mobile binding nai mn@cisco.com

Mobility Binding List:

 mn@cisco.com (Bindings 1):

 Home Addr 10.99.101.1

 Care-of Addr 192.168.1.202, Src Addr 209.165.157

 Lifetime granted 00:03:00 (180), remaining 00:02:20

 Flags sbDmg-T-, Identification BCF5F7FF.92C1006F

 Tunnel0 src 209.165.202.1 dest 209.165.157 reverse-allowed

 Routing Options - (D)Direct-to-MN (T)Reverse-tunnel

 Service Options:

 NAT detect

Table 2 describes the significant fields shown in the display.

Table 2 show ip mobile binding Field Descriptions 

Field	Description
Total	Total number of mobility bindings.
10.0.4.1	Home IP address of the mobile node. The NAI is displayed if configured.
Care-of Addr	Care-of address of the mobile node.
Src Addr	IP source address of the registration request as received by the home agent. Will be either the colocated care-of address of a mobile node or an address on the foreign agent or the active HA address. If it is the active HA address, then this is a binding update from the active HA to the standby HA and not a registration directly received from the MN or FA.
Lifetime granted	The lifetime (in hh:mm:ss) granted to the mobile node for this registration. Number of seconds appears in parentheses.
remaining	The time (in hh:mm:ss) remaining until the registration expires. It has the same initial value as lifetime granted and is counted down by the home agent.
Flags	Services requested by the mobile node. The mobile node requests these services by setting bits in the registration request. Uppercase characters denote bit set.
Identification	Identification used in that binding by the mobile node. This field has two purposes: unique identifier for each request and replay protection.
Tunnel	The tunnel used by the mobile node is characterized by the source and destination addresses, and reverse-allowed or reverse-off for reverse tunnel. The default encapsulation is IPIP. The mobile node can request GRE.
Routing Options	Routing options identify the services that the home agent is currently providing. The mobile node must request these services in its registration request by setting the services flag (see Flags field description). For example, the V bit may have been requested by the mobile node (shown in the Flags field), but the home agent will not provide such service. Possible options are B (broadcast), D (direct-to-mobile node), G (GRE), and T (reverse-tunnel).
Service Options	Service options configured.
NAT detect	NAT detect, which indicates that the mobile node is registering from behind a NAT-enabled router.
Mobile Networks	Mobile networks configured or registered on the home agent. D denotes dynamic (registered) mobile networks and S denotes static (configured) mobile networks.
Session identifier	The ID used to uniquely identify a Mobile IP flow.
SPI	The security parameter index (SPI) is the 4-byte opaque index within the mobility security association that selects the specific security parameters to be used to authenticate the peer.
MD5	Message Digest 5 authentication algorithm. HMAC-MD5 is displayed if configured.
Prefix-suffix	Authentication mode.
Timestamp	Replay protection method.
root key	Dynamic key based on the Microsoft Windows password shared between the mobile node and AAA or Windows domain controller or active directory. Once a mobile node registers, this key is established until the binding persists on the home agent. Subsequent registration requests can be authenticated using the root key.
session key	Dynamic key that is derived using the root key. This key can be refreshed, and the refreshed keys are based off the root key. Subsequent registration renewal messages can be authenticated using the session key. The period or frequency for the session key refresh is determined by the mobile node. Registration requests that also request session key refresh are authenticated using the root key.

Related Commands

Command	Description
debug ip mobile	Displays IP mobility activities.
ip mobile foreign-agent nat traversal	Enables NAT UDP traversal support for Mobile IP FAs.
ip mobile home-agent nat traversal	Enables NAT UDP traversal support for Mobile IP HAs.
show ip mobile globals	Displays global information about Mobile IP HAs, FAs, and MNs.
show ip mobile tunnel	Displays information about UDP tunneling.
show ip mobile visitor	Displays the table that contains a visitor list of FAs.

show ip mobile globals

To display global information for mobile agents, use the show ip mobile globals command in privileged EXEC mode.

show ip mobile globals

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.0(1)T	This command was introduced.
12.2(13)T	This command was enhanced to display the NAT detect field and the Strip realm domain field.
12.2(15)T	This command was enhanced to display the HA Accounting field.
12.3(7)T	This command was enhanced to display information about foreign agent route optimization.
12.3(8)T	This command was enhanced to display UDP tunneling.

Usage Guidelines

This command shows the services provided by the home agent or foreign agent. Note the deviation from RFC 2006: the foreign agent will not display busy or registration required information. Both are handled on a per-interface basis (see the show ip mobile interface command), not at the global foreign agent level.

Examples

The following is sample output from the show ip mobile globals command:

Router# show ip mobile globals

IP Mobility global information:

Home Agent

    Registration lifetime: 10:00:00 (36000 secs)

    Broadcast enabled

    Replay protection time: 7 secs

    Reverse tunnel enabled

    ICMP Unreachable enabled

    Strip realm enabled

    NAT detect disabled

    HA Accounting enabled using method list: mylist

    Address 1.1.1.1

    Virtual networks

        10.0.0.0/8

Foreign Agent

    Pending registrations expire after 120 seconds	

    Care-of address advertised

    Mobile network route injection enabled

    Mobile network route redistribution disabled

    Mobile network route injection access list mobile-net-list

    Ethernet2/2 (10.10.10.1) - up

Mobility Agent

1 interfaces providing service

Encapsulations supported: IPIP and GRE

Tunnel fast switching enabled, cef switching enabled

Discovered tunnel MTU aged out after 1:00:00

The following example shows that HA UDP tunneling is enabled with a keepalive timer set at 60 seconds and forced UDP tunneling enabled.

Router# show ip mobile globals

IP Mobility global information:

Home agent

 Registration lifetime: 10:00:00 (36000 secs)

 Broadcast disabled

 Replay protection time: 7 secs

 Reverse tunnel enabled

 ICMP Unreachable enabled

 Strip realm disabled

 NAT Traversal disabled

 HA Accounting disabled

 NAT UDP Tunneling support enabled

 UDP Tunnel Keepalive 60

 Forced UDP Tunneling enabled

 Virtual networks

 10.99.101.0/24

Foreign agent is not enabled, no care-of address

0 interfaces providing service

Encapsulations supported: IPIP and GRE

Tunnel fast switching enabled, cef switching enabled

Tunnel path MTU discovery aged out after 10 min

The following example shows that NAT UDP tunneling support is enabled on the FA with a keepalive timer set at 110 seconds and forced UDP tunneling disabled.

Router# show ip mobile globals

IP Mobility global information:

Foreign Agent

Pending registrations expire after 120 secs

Care-of addresses advertised

Mobile network route injection disabled

Ethernet2/2 (30.30.30.1) - up

1 interface providing service

Encapsulations supported: IPIP and GRE

Tunnel fast switching enabled, cef switching enabled

Tunnel path MTU discovery aged out after 10 min

NAT UDP Tunneling support enabled

UDP Tunnel Keepalive 110

Forced UDP Tunneling disabled

Table 3 describes the significant fields shown in the sample output.

Table 3 show ip mobile globals Field Descriptions 

Field	Description
Home Agent
Registration lifetime	Default lifetime (in hh:mm:ss) for all mobile nodes. Number of seconds given in parentheses.
Roaming access list	Determines which mobile nodes are allowed to roam. Displayed if defined.
Care-of access list	Determines which care-of addresses are allowed to be accepted. Displayed if defined.
Broadcast	Whether broadcast is enabled or disabled.
Replay protection time	Time, in seconds, that the time stamp on a registration request (RRQ) from a mobile node may differ from the router's internal clock.
Reverse tunnel	Whether reverse tunnel is enabled or disabled.
ICMP Unreachable	Sends ICMP unreachable messages, which are enabled or disabled for the virtual network.
Strip realm	Whether strip realm is enabled or disabled.
NAT detect	Whether NAT detect is enabled or disabled. If NAT detect is enabled, the home agent can detect a registration request that has traversed a NAT-enabled device and can apply a tunnel to reach the Mobile IP client.
HA Accounting	Whether home agent accounting is enabled or disabled.
Address	Home agent address.
Virtual networks	Lists virtual networks serviced by the home agent. Displayed if defined.
Foreign Agent
Pending registrations expire after	The amount of time, in seconds, before a pending registration will time out.
Care-of addresses advertised	Displayed if care-of addresses are defined.
Mobile network route injection	Mobile network route injection can be enabled or disabled.
Mobile network route redistribution	Mobile network route redistribution can be enabled or disabled.
Mobile network route injection access list	The name of the access list used if mobile network route injection is enabled.
up, interface-only, transmit-only	Up status is displayed if the foreign agent is configured to function in an asymmetric link environment. Interface-only status is displayed if the foreign agent is configured to advertise only its own address as the care-of address an an asymmetric link environment. Transmit-only status is displayed if the foreign agent is configured to transmit only from the interface in an asymmetric link environment.
Mobility Agent
Number of interfaces providing service	See the show ip mobile interface command for more information on the interfaces providing service. Agent advertisements are sent when ICMP Router Discovery Protocol (IRDP) is enabled.
Encapsulations supported	The encapsulation types that are supported. Possible encapsulation types are IPIP and GRE.
Tunnel fast switching	Whether tunnel fast switching is enabled or disabled.
cef switching	Whether CEF switching is enabled or disabled.
Discovered tunnel MTU	Aged out after amount of time (in hh:mm:ss).

Related Commands

Command	Description
show ip mobile interface	Displays advertisement information for interfaces that are providing foreign agent service or that are home links for mobile nodes.

show ip mobile tunnel

To display active tunnels, use the show ip mobile tunnel command in EXEC mode.

show ip mobile tunnel [interface]

Syntax Description

interface

(Optional) Displays a particular tunnel interface. The interface argument is tunnel x.

Command Modes

EXEC

Command History

Release	Modification
12.0(1)T	This command was introduced.
12.2(13)T	The output was enhanced to display route maps configured on the home agent.
12.2(15)T	The output was enhanced to display tunnel templates for multicast configured on the home agent or mobile router.
12.3(8)T	The output was enhanced to display UDP tunneling.

Usage Guidelines

This command displays active tunnels created by Mobile IP. When no more users are on the tunnel, the tunnel is released.

Examples

The following is sample output from the show ip mobile tunnel command:

Router# show ip mobile tunnel

Mobile Tunnels:

Tunnel0:

 src 68.0.0.32, dest 68.0.0.48

 encap IP/IP, mode reverse-allowed, tunnel-users 1

 IP MTU 1480 bytes

 HA created, fast switching enabled, ICMP unreachable enabled

 0 packets input, 0 bytes, 0 drops

 1591241 packets output, 1209738478 bytes

 Route Map is: MoIPMap

Running template configuration for this tunnel:

ip pim sparse-dense-mode

The following is sample output from the show ip mobile tunnel command that verifies UDP tunneling is established:

Router# show ip mobile tunnel

Mobile Tunnels:

Total mobile ip tunnels 1

Tunnel0:

    src 10.30.30.1, dest 10.10.10.100

    src port 434, dest port 434

    encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1

    IP MTU 1480 bytes

    Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

    outbound interface Ethernet2/3

    FA created, fast switching disabled, ICMP unreachable enabled

    5 packets input, 600 bytes, 0 drops

    7 packets output, 780 bytes

The following is sample output from the show ip mobile tunnel command that shows the mobile node-home agent tunnel is still IP-in-IP, but the foreign agent-home agent tunnel is UDP:

Router# show ip mobile tunnel

Mobile Tunnels:

Total mobile ip tunnels 2

Tunnel0:

 src 200.1.1.1, dest 10.99.100.2

 encap IP/IP, mode reverse-allowed, tunnel-users 1

 IP MTU 1460 bytes

 Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

 outbound interface Tunnel1

 HA created, fast switching enabled, ICMP unreachable enabled

 11 packets input, 1002 bytes, 0 drops

 5 packets output, 600 bytes

Tunnel1:

 src 200.1.1.1, dest 200.1.1.5

 src port 434, dest port 434

 encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1

 IP MTU 1480 bytes

 Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

 outbound interface GigabitEthernet0/2

 HA created, fast switching disabled, ICMP unreachable enabled

 11 packets input, 1222 bytes, 0 drops

 7 packets output, 916 bytes

The following is sample output from the show ip mobile tunnel command that shows the MN has UDP tunneling established with the HA:

Router# show ip mobile tunnel

Total mobile ip tunnels 1

Tunnel0:

    src 10.10.10.100, dest 10.10.10.50

    src port 434, dest port 434

    encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1

    IP MTU 1480 bytes

    Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never

    outbound interface Ethernet2/1

    HA created, fast switching disabled, ICMP unreachable enabled

    5 packets input, 600 bytes, 0 drops

    5 packets output, 600 bytes

Table 4 describes the significant fields shown in the display.

Table 4 show ip mobile tunnel Field Descriptions 

Field	Description
src	Tunnel source IP address.
dest	Tunnel destination IP address.
encap	Tunnel encapsulation type.
mode	Either reverse-allowed or reverse-off for reverse tunnel mode.
tunnel-users	Number of users on the tunnel.
HA created	Home agent created (or mobile router created).
fast switching	Enabled or disabled.
ICMP unreachable	Enabled or disabled.
packets input	Number of packets in.
bytes	Number of bytes in.
0 drops	Number of packets dropped. Packets are dropped when there are no visitors to send to after the foreign agent deencapsulates incoming packets. This prevents loops because the foreign agent will otherwise route the deencapsulated packets back to the home agent.
packets output	Number of packets output.
bytes	Number of bytes output.
Route Map is	Name of the route map.
Running template configuration	If tunnel templates for multicast are enabled or disabled, this information is displayed or absent, respectively.

Related Commands

Command	Description
debug ip mobile	Displays IP mobility activities.
ip mobile foreign-agent nat traversal	Enables NAT UDP traversal support for MIP FAs.
ip mobile home-agent nat traversal	Enables NAT UDP traversal support for MIP HAs.
show ip mobile binding	Displays the mobility binding table.
show ip mobile globals	Displays global information about MIP HAs, FAs, and MNs.
show ip mobile host	Displays mobile node information.
show ip mobile visitor	Displays the table that contains a visitor list of FAs.

show ip mobile visitor

To display the visitor table that contains information on mobile nodes (MNs) using this foreign agent (FA), use the show ip mobile visitor command in privileged EXEC mode.

show ip mobile visitor [[pending] [ip-address | summary] | nai string [session-id string]]

Syntax Description

pending	(Optional) Displays the pending registration table.
ip-address	(Optional) IP address of visiting MNs.
summary	(Optional) Displays all values in the table.
nai string	(Optional) Network access identifier (NAI).
session-id string	(Optional) Session identifier. The string value must be fewer than 25 characters.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.0(1)T	This command was introduced.
12.2(2)XC	The nai keyword was added.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.
12.3(4)T	The session-id keyword was added.
12.3(8)T	The output was enhanced to display UDP tunneling.

Usage Guidelines

Use this command to find out information on MNs that are registered with their (home agent) HA via this FA. The FA updates the visitor table that contain a list of the MNs using a FA.

A session identifier is used to uniquely identify a Mobile IP flow. A Mobile IP flow is the set of {NAI, IP address}. The flow allows a single NAI to be associated with one or multiple IP addresses, for example, {NAI, ipaddr1}, {NAI, ipaddr2}, and so on. A single user can have multiple sessions for example, when logging through different devices such as a PDA, cellular phone, or laptop. If the session identifier is present in the initial registration, it must be present in all subsequent registration renewals from that MN.

Examples

The following is sample output from the show ip mobile visitor command:

Router# show ip mobile visitor

Mobile Visitor List:

Total 1

10.0.0.1:

 Interface Ethernet1/2, MAC addr 0060.837b.95ec

 IP src 20.0.0.1, dest 67.0.0.31, UDP src port 434

 HA addr 66.0.0.5, Identification B7510E60.64436B38

 Lifetime 08:20:00 (30000) Remaining 08:19:16

 Tunnel100 src 68.0.0.31, dest 66.0.0.5, reverse-allowed

 Routing Options - (T)Reverse-tunnel

If the mobile node has visited and is associated with a session identifier, then the visitor entry for the mobile node shows the session identifier as shown below:

Router# show ip mobile visitor 

Mobile Visitor List:

Total 1

 user01@cisco.com

 Home addr 100.100.100.17

  Interface Ethernet3/3, MAC addr 0004.6d25.b857

  IP src 0.0.0.0, dest 100.100.100.1, UDP src port 434

  HA addr 100.100.100.100, Identification BC189864.B2FE6CC4

  Lifetime 00:33:20 (2000) Remaining 00:33:06

  Tunnel0 src 70.70.70.2, dest 100.100.100.100, reverse-allowed

  Routing Options - (B)Broadcast

  Session identifier PD

The following sample output shows that the MN is registering with the HA (at the FA):

Router# show ip mobile visitor

Mobile Visitor List:

Total 1

10.99.100.2:

 Interface FastEthernet3/0, MAC addr 00ff.ff80.002b

 IP src 10.99.100.2, dest 30.5.3.5, UDP src port 434

 HA addr 200.1.1.1, Identification BCE7E391.A09E8720

 Lifetime 01:00:00 (3600) Remaining 00:30:09

 Tunnel1 src 200.1.1.5, dest 200.1.1.1, reverse-allowed

 Routing Options - (T)Reverse Tunneling

Table 5 describes the significant fields shown in the display.

Table 5 show ip mobile visitor Field Descriptions 

Field	Description
Total	Number of mobile nodes visiting the foreign agent.
10.0.0.1	Home IP address of a visitor. The NAI is displayed if configured.
Interface	Interface the FA received the MN's registration on.
MAC addr	MAC address of the visitor.
IP src	Source IP address of the registration request of a visitor.
IP dest	Destination IP address of the registration request of a visitor. A MN solicits an advertisement from the FA, and the FA uses the output interface's address (where it received the solicitation) as the source IP address in the advertisement. The MN picks up on this address and sends in a RRQ to it. This tells you which destination address the MN used when it sent in its registration request to the FA (typically the interface address). If it had sent the registration request to a broadcast or multicast address, or advertised address (not knowing the interface address), the FA will reply using the output interface address (typically the interface where it received the RRQ).
UDP src port	UDP src port used by the visiting mobile node in its registration request.
HA addr	Home agent IP address for that visiting mobile node.
Identification	Identification used in that registration by the mobile node.
Lifetime	The lifetime (in hh:mm:ss) granted to the mobile node for this registration.
Remaining	The time (in hh:mm:ss) remaining until the registration is expired. It has the same initial value as in the Lifetime field, and is counted down by the foreign agent.
Tunnel	The tunnel used by the mobile node is characterized by the source and destination addresses, and reverse-allowed or reverse-off for reverse tunnel. The options are IPIP, GRE, and UDP. The default is IPIP encapsulation.
Routing Options	Routing options list all foreign agent-accepted services, based on registration flags sent by the mobile node. Options are: •(S) Multi-binding (not supported on home agent) •(B) Broadcast •(D) Direct-to-mobile node •(M) MinIP (not supported on home agent) •(G) GRE •(T) Reverse-tunnel
Session identifier	Session identifier can be the device name or MAC address.

Related Commands

Command	Description
debug ip mobile	Displays IP mobility activities.
ip mobile foreign-agent nat traversal	Enables NAT UDP traversal support for MIP FAs.
ip mobile home-agent nat traversal	Enables NAT UDP traversal support for MIP HAs.
show ip mobile binding	Displays the mobility binding table.
show ip mobile globals	Displays global information about MIP HAs, FAs, and MNs.
show ip mobile tunnel	Displays information about UDP tunneling.

Glossary

care-of address—There are two types of care-of addresses: FA care-of addresses and collocated care-of addresses. An FA care-of address is a temporary, loaned IP address that an MN acquires from an FA agent advertisement. It is the exit point of the tunnel from the HA to the FA. A collocated care-of address is an address temporarily assigned to an MN interface that is assigned by DHCP or by manual configuration.

FA—foreign agent. An FA is a router on a foreign network that assists the MN in informing its HA of its current care-of address. The FA detunnels and delivers packets to the MN that were tunneled by the HA. The FA also acts as the default router for packets generated by the MN while it is connected to the foreign network.

forward tunnel—A tunnel that forwards packets toward the mobile node. It starts at the home agent and ends at the MN care-of address.

HA—home agent. An HA is a router on the home network of an MN that maintains an association between the home IP address of the MN and its care-of address, which is the current location of the MN on a foreign or visited network. The HA redirects packets by tunneling them to the MN while it is away from home.

MN—mobile node. An MN is a node, for example, a PDA, a laptop computer, or a data-ready cellular phone, that can change its point of attachment from one network or subnet to another. This node can maintain ongoing communications while using only its home IP address.

NAT—Network Address Translation. NAT is a mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. Also known as Network Address Translator. Basic NAT is a block of external addresses are set aside for translating addresses of hosts in a private domain as they originate sessions to the external domain. For packets outbound from the private network, the source IP address and related fields such as IP, TCP, UDP, and ICMP header checksums are translated. For inbound packets, the destination IP address and the checksums as listed above are translated.

NAPT—Network Address Port Translation. NAPT translates transport identifier (for example, TCP and UDP port numbers, ICMP query identifiers). This allows the transport identifiers of a number of private hosts to be multiplexed into the transport identifiers of a single external address. NAPT allows a set of hosts to share a single external address. Note that NAPT can be combined with basic NAT so that a pool of external addresses are used in conjunction with port translation.

reverse tunnel—A tunnel that starts at the MN care-of address and terminates at the HA.

---

Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.

---

Copyright © 2004 Cisco Systems, Inc. All rights reserved.