- A Site Core router (CCR-1036) acts as a PE for the EIT VRF with 1 peer (CCR-1016). A second BGP instance is configured to facilitate the route advertisement from the CE; that instance is a member of the EIT VRF and is sending default information (if it exists).
- The site router is configured to redistribute all connected routes.
- A Cisco 7600 PE is sending a default route for the EIT VRF.
- The site router and the Cisco 7600 are using a MikroTik CCR-1016 as a route reflector, and the route reflector is configured for VPNv4 address families.
- Route advertisement is functioning as expected, and connectivity for end user subnets at the CE is functioning (with odd impacts).
- Affected: TCP flows to port 80 or 443 (other ports are untested).
Remote management to some destination IP addresses does not function, even though pings work. The following is the troubleshooting I have conducted; I have come up with more questions than answers. The only thing I have identified as a common thread is that all reported impacted destinations have IP addresses of the form X.X.255.X and are using the (formerly) BOGON 22.214.171.124/8. Please note that all of these addresses are internal use only.

This feels like an ACL drop; however, I do not see any ACLs that could or would impact the flow. It appears to be a silent drop within the MikroTik. I have set up numerous ACLs to track the connection, and I see counts increase on the input, prerouting, forward and postrouting rules and no counts on output. I have set up logging that shows that the correct interface is selected for outbound; however, a capture shows 0 packets. I even thought that perhaps this was an issue with the capture, and ran a capture on the radio directly connected to the outbound interface and validated that no packets were shown.

Just to be clear, there are no blocking rules in the firewall, but (again, for clarity) there are no packets counted on any blocking rule. ICMP packets are working as expected, and other devices within the same subnet without a third octet of 255 are functioning completely. HTTP and HTTPS are disabled on all MikroTiks.