(no subject)

From: Luan Nguyen (luan.m.nguyen@gmail.com)
Date: Fri Jan 11 2008 - 02:06:51 ARST


I would remove the keepalive 100 3 on your spoke.
DMVPN doesn't support keep alive.
Incidentally, 100 3 is also about 5 minutes :)

-lmn

On Jan 10, 2008 8:22 PM, xiongxiaogang <xiongxg@msn.com> wrote:

>
> Hi Julius and luan,
> please refer to the below config and my test result.
> *******SPOKE CONFIG***************
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> crypto isakmp keepalive 10 3
> !
> !
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> mode transport
> !
> crypto ipsec profile dmvpnprof
> set transform-set myset
>
> interface Loopback10
> ip address 192.168.5.5 255.255.255.0
> !
> interface Tunnel0
> bandwidth 1000
> ip address 172.16.1.5 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication dmvpn
> ip nhrp map 172.16.1.4 201.1.0.4
> ip nhrp map multicast 201.1.0.4
> ip nhrp network-id 1000
> ip nhrp holdtime 300
> ip nhrp nhs 172.16.1.4
> no ip route-cache
> ip tcp adjust-mss 1360
> no ip mroute-cache
> delay 1000
> keepalive 100 3
> tunnel source Serial1/1
> tunnel mode gre multipoint
> tunnel key 12345
> tunnel protection ipsec profile dmvpnprof
>
> router eigrp 200
> network 172.16.1.0 0.0.0.255
> network 192.168.5.0
> no auto-summary
>
> ********HUB CONFIG*****************
>
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> mode transport
> !
> crypto ipsec profile dmvpnprof
> set transform-set myset
>
> interface Loopback10
> ip address 192.168.4.4 255.255.255.0
> !
> interface Tunnel0
> bandwidth 1000
> ip address 172.16.1.4 255.255.255.0
> ip mtu 1400
> ip nhrp authentication dmvpn
> ip nhrp map multicast dynamic
> ip nhrp network-id 1000
> ip nhrp holdtime 300
> no ip route-cache
> no ip split-horizon eigrp 200
> ip tcp adjust-mss 1360
> no ip mroute-cache
> delay 1000
> tunnel source Serial1/1
> tunnel mode gre multipoint
> tunnel key 12345
> tunnel protection ipsec profile dmvpnprof
>
> router eigrp 200
> network 172.16.1.0 0.0.0.255
> network 192.168.4.0
> no auto-summary
>
> ***********RESULT CAPTURED FROM HUB***********
> after tunnel is up, ping from spoke1 to hub, get the following result,
> r4#sh ip nhrp
> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:04:02
> Type: dynamic, Flags: authoritative unique registered
> NBMA address: 201.1.20.2
> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:16, expire 00:03:44
> Type: dynamic, Flags: authoritative unique registered
> NBMA address: 201.1.0.5
> 192.168.4.0/24 via 192.168.4.4, Tunnel0 created 00:04:50, expire 00:00:09
> Type: dynamic, Flags: router authoritative unique local
> NBMA address: 201.1.0.4
> 192.168.5.0/24 via 192.168.5.5, Tunnel0 created 00:04:50, expire 00:00:09
> Type: dynamic, Flags: router unique
> NBMA address: 201.1.0.5
>
> after 5 minutes(equal to the nhrp holdtime settings), tunnel is down, and
> get the following output, eigrp neighbor disappear.
> r4#sh ip nhrp
> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:52
> Type: dynamic, Flags: authoritative unique registered
> NBMA address: 201.1.20.2
> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:26, expire 00:03:34
> Type: dynamic, Flags: authoritative unique registered
> NBMA address: 201.1.0.5
> r4#
> r4#
> *Mar 2 16:23:33.261: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> IPSEC packet.
> (ip) vrf/dest_addr= /201.1.0.4, src_addr= 201.1.0.5, prot= 47
> r4#sh ip nhrp
> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:45
> Type: dynamic, Flags: authoritative unique registered
> NBMA address: 201.1.20.2
> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:33, expire 00:03:27
> Type: dynamic, Flags: authoritative unique registered used
> NBMA address: 201.1.0.5
> r4#
> *Mar 2 16:23:43.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor
> 172.16.1.5 (Tunnel0) is down: holding time expired
> *Mar 2 16:23:43.721: destroy peer: 172.16.1.5
> r4#sh ip ei
> r4#sh ip eigrp nei
> r4#sh ip eigrp neighbors
> IP-EIGRP neighbors for process 200
> ----------------------------------------
> > From: jagrinya@fzxmedia.com
> > To: xiongxg@msn.com
> > Subject: Re:
> > Date: Thu, 10 Jan 2008 20:52:54 +0100
> >
> > Hello Xiongxiaogang......,
> >
> > Can you paste your configs for the hub and spokes here for us to view...?
> > Could get some clue from the configs.....
> > Do you have "no ip split-horizon eigrp ...." on your hub ...?
> >
> > Agrinya Julius Agrinya Jr.
> > Senior Manager Networks
> > Microaccess Limited
> > Abuja-Nigeria.
> > Phone +234-9-4612607-8 ext 113
> > Mobile +2348023854717
> > ----- Original Message -----
> > From: "xiongxiaogang"
> > To: ;
> > Sent: Thursday, January 10, 2008 7:31 PM
> >
> >
> >> Hi,
> >> I configure dmvpn between one hub and two spokes, the tunnels of
> >> spoke-to-spoke and spoke-to-hub both work, but I found there is a
> >> weird problem, that is if I only ping from one spoke to the other
> >> spoke, it works normally, but meanwhile if I also ping a spoke to the
> >> hub, although tunnel is up normally, but the tunnel cannot keep up
> >> always, it becoming down when ip nhrp expires, and the worse is eigrp
> >> neighbor between hub and spoke is affected by the disconnect tunnel,
> >> when ip nhrp expires, eigrp neighbor between hub and spoke is down
> >> with the error message
> >> "*Jan 5 17:32:02.743: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC
> >> packet. (ip) vrf/dest_addr= /105.1.2.5, src_addr= 105.1.50.2, prot= 47..."
> >> when the eigrp neighbor is down, even if you ping from spoke to hub,
> >> cannot enable tunnel up. So I have to go to spoke and shut/no shut
> >> tunnel interface to resolve it. But I do not think it is a good
> >> solution, considering in the real world, cannot always let the router
> >> administrator to login to the spoke router and shut/no shut tunnel
> >> interface to let the traffic between spokes and hub to go through,
> >> and in the lab exam, considering proctor maybe see the error message
> >> if he have ever ping from spoke to hub and provided you set the ip
> >> nhrp holdtime to 300 seconds, it is expected that the proctor will see
> >> the error message after 5 minutes and he know the eigrp neighbor is
> >> down.
> >>
> >> So I doubt the solution could be improved in some place, but I read a
> >> lot of dmvpn documents, including the long thread discuss about the
> >> dmvpn in the forum, but have no idea now, I am wondering who can throw
> >> me a light for it, I am very appreciate of it.
> >>
> >> Regards
> >> Steven
> >>
> >
> >
>
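
A check for the setting the reply points at, as an added example that is not part of the original thread: it finds `keepalive` on interfaces that also carry `tunnel mode gre multipoint` and reports the keepalive timeout (period x retries) next to the NHRP holdtime. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: spoke lines trimmed from the quoted config, indentation lost as in the mail.
SPOKE = """\
interface Loopback10
ip address 192.168.5.5 255.255.255.0
!
interface Tunnel0
ip nhrp holdtime 300
keepalive 100 3
tunnel mode gre multipoint
tunnel protection ipsec profile dmvpnprof

router eigrp 200
"""
TOP_LEVEL = re.compile(r"(interface|router)\b")

def interface_blocks(text):
    """Return {interface: [sub-commands]}; tolerates '>' quoting and lost indentation."""
    blocks, name = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if line in ("", "!") or TOP_LEVEL.match(line):
            # A separator or a new top-level section closes the current block.
            m = re.match(r"interface\s+(\S+)", line)
            name = m.group(1) if m else None
            if name:
                blocks[name] = []
        elif name:
            blocks[name].append(line)
    return blocks

def mgre_keepalive_findings(text):
    """List (interface, command, keepalive timeout s, NHRP holdtime s) on mGRE tunnels."""
    findings = []
    for name, cmds in interface_blocks(text).items():
        if "tunnel mode gre multipoint" not in cmds:
            continue  # point-to-point GRE and non-tunnel interfaces are out of scope
        hold = next((int(c.split()[-1]) for c in cmds if c.startswith("ip nhrp holdtime ")), None)
        for c in cmds:
            m = re.fullmatch(r"keepalive (\d+)(?: (\d+))?", c)
            if m:
                period, retries = int(m.group(1)), m.group(2)
                timeout = period * int(retries) if retries else None
                findings.append((name, c, timeout, hold))
    return findings

if __name__ == "__main__":
    for finding in mgre_keepalive_findings(SPOKE):
        print("GRE keepalive on mGRE tunnel:", finding)
```

For the sample spoke this reports Tunnel0 with a 300 s keepalive timeout beside the 300 s NHRP holdtime, the five minutes noted in the reply.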



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:58 ARST