From: xiongxiaogang (xiongxg@msn.com)
Date: Thu Jan 10 2008 - 23:22:21 ARST
Hi Julius and luan,
Please refer to the config below and my test results.
*******SPOKE CONFIG***************
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile dmvpnprof
 set transform-set myset
interface Loopback10
 ip address 192.168.5.5 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map 172.16.1.4 201.1.0.4
 ip nhrp map multicast 201.1.0.4
 ip nhrp network-id 1000
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.1.4
 no ip route-cache
 ip tcp adjust-mss 1360
 no ip mroute-cache
 delay 1000
 keepalive 100 3
 tunnel source Serial1/1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile dmvpnprof
router eigrp 200
 network 172.16.1.0 0.0.0.255
 network 192.168.5.0
 no auto-summary
********HUB CONFIG*****************
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile dmvpnprof
 set transform-set myset
interface Loopback10
 ip address 192.168.4.4 255.255.255.0
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.4 255.255.255.0
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 1000
 ip nhrp holdtime 300
 no ip route-cache
 no ip split-horizon eigrp 200
 ip tcp adjust-mss 1360
 no ip mroute-cache
 delay 1000
 tunnel source Serial1/1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile dmvpnprof
router eigrp 200
 network 172.16.1.0 0.0.0.255
 network 192.168.4.0
 no auto-summary
***********RESULT CAPTURED FROM HUB***********
After the tunnel is up, I ping from spoke1 to the hub and get the following result:
r4#sh ip nhrp
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:04:02
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 201.1.20.2
172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:16, expire 00:03:44
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 201.1.0.5
192.168.4.0/24 via 192.168.4.4, Tunnel0 created 00:04:50, expire 00:00:09
  Type: dynamic, Flags: router authoritative unique local
  NBMA address: 201.1.0.4
192.168.5.0/24 via 192.168.5.5, Tunnel0 created 00:04:50, expire 00:00:09
  Type: dynamic, Flags: router unique
  NBMA address: 201.1.0.5
After 5 minutes (equal to the nhrp holdtime setting), the tunnel is down and
I get the following output; the EIGRP neighbor disappears.
r4#sh ip nhrp
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:52
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 201.1.20.2
172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:26, expire 00:03:34
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 201.1.0.5
r4#
r4#
*Mar 2 16:23:33.261: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /201.1.0.4, src_addr= 201.1.0.5, prot= 47
r4#sh ip nhrp
172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:45
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 201.1.20.2
172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:33, expire 00:03:27
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 201.1.0.5
r4#
*Mar 2 16:23:43.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.16.1.5 (Tunnel0) is down: holding time expired
*Mar 2 16:23:43.721: destroy peer: 172.16.1.5
r4#sh ip ei
r4#sh ip eigrp nei
r4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 200
----------------------------------------
> From: jagrinya@fzxmedia.com
> To: xiongxg@msn.com
> Subject: Re:
> Date: Thu, 10 Jan 2008 20:52:54 +0100
>
> Hello Xiongxiaogang,
>
> Can you paste your configs for the hub and spokes here for us to view?
> We could get some clue from the configs.
> Do you have "no ip split-horizon eigrp ...." on your hub?
>
> Agrinya Julius Agrinya Jr.
> Senior Manager Networks
> Microaccess Limited
> Abuja-Nigeria.
> Phone +234-9-4612607-8 ext 113
> Mobile +2348023854717
> ----- Original Message -----
> From: "xiongxiaogang"
> To: ;
> Sent: Thursday, January 10, 2008 7:31 PM
>
>
>> Hi,
>> I configured DMVPN between one hub and two spokes. The spoke-to-spoke and
>> spoke-to-hub tunnels both work, but I found a weird problem: if I only
>> ping from one spoke to the other spoke, it works normally, but if I
>> meanwhile also ping from a spoke to the hub, the tunnel comes up normally
>> but does not stay up. It goes down when ip nhrp expires, and what is worse,
>> the EIGRP neighbor between hub and spoke is affected by the disconnected
>> tunnel: when ip nhrp expires, the EIGRP neighbor between hub and spoke goes
>> down with the error message "*Jan 5 17:32:02.743:
>> %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip)
>> vrf/dest_addr= /105.1.2.5, src_addr= 105.1.50.2, prot= 47...".
>> When the EIGRP neighbor is down, even pinging from spoke to hub cannot
>> bring the tunnel up, so I have to go to the spoke and shut/no shut the
>> tunnel interface to resolve it. But I do not think it is a good solution:
>> in the real world, you cannot always have the router administrator log in
>> to the spoke router and shut/no shut the tunnel interface to let the
>> traffic between spokes and hub go through. And in the lab exam, the
>> proctor may see the error message if he has ever pinged from spoke to hub;
>> provided you set the ip nhrp holdtime to 300 seconds, it is expected that
>> the proctor will see the error message after 5 minutes and will know the
>> EIGRP neighbor is down.
>>
>> so I doubt the solution could be improved in some place, but I read a lot
>> of dmvpn documents, including the long thread discuss about the dmvpn in
>> the forum, but have no idea now, I am wondering who can throw me a light
>> for it, I am very appreciate of it.
>>
>> Regards
>> Steven
>>
>
>
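Added example (not part of the original posts): a Python sketch that pairs the hub's %CRYPTO-4-RECVD_PKT_NOT_IPSEC drops for protocol 47 (GRE arriving outside IPsec) with the EIGRP neighbor loss that follows, using the two syslog messages from the hub capture above. NHRP_MAP, the function names and the 60-second window are assumptions; the tunnel-to-NBMA pairs are copied from the "sh ip nhrp" output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two hub syslog messages from the capture above,
# each wrapped message joined onto one line.
SAMPLE_LOG = """\
*Mar 2 16:23:33.261: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /201.1.0.4, src_addr= 201.1.0.5, prot= 47
*Mar 2 16:23:43.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.16.1.5 (Tunnel0) is down: holding time expired
"""

# Assumption: tunnel address -> NBMA address, copied from "sh ip nhrp" on the hub.
NHRP_MAP = {"172.16.1.5": "201.1.0.5", "172.16.1.2": "201.1.20.2"}

TS = r"\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
CLEAR_RE = re.compile(TS + r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: .*?dest_addr= \S*/([\d.]+),"
                      r" src_addr= ([\d.]+), prot= (\d+)")
NBR_RE = re.compile(TS + r"%DUAL-5-NBRCHANGE: .*?Neighbor ([\d.]+) \((\S+)\) is down: (.+)")

def parse_ts(stamp):
    # IOS timestamps carry no year; a fixed leap year keeps deltas comparable.
    return datetime.strptime("2000 " + " ".join(stamp.split()), "%Y %b %d %H:%M:%S.%f")

def correlate(log, nhrp_map, window=timedelta(seconds=60)):
    """Pair cleartext GRE drops with an EIGRP neighbor loss that follows them."""
    drops, findings = [], []
    for line in log.splitlines():
        m = CLEAR_RE.search(line)
        if m:
            if m.group(4) == "47":  # IP protocol 47 = GRE, i.e. unencrypted tunnel traffic
                drops.append((parse_ts(m.group(1)), m.group(3), m.group(2)))
            continue
        m = NBR_RE.search(line)
        if not m:
            continue
        when, nbma = parse_ts(m.group(1)), nhrp_map.get(m.group(2))
        for seen, src, dst in drops:
            gap = when - seen
            if src == nbma and timedelta(0) <= gap <= window:
                findings.append({"peer_nbma": src, "hub_nbma": dst,
                                 "neighbor": m.group(2), "interface": m.group(3),
                                 "reason": m.group(4), "gap_s": gap.total_seconds()})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG, NHRP_MAP):
        print(f)
```

A finding here means the hub dropped GRE from that spoke's NBMA address because it arrived unencrypted, and the routing adjacency over the same tunnel timed out shortly afterwards.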
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:58 ARST