(no subject)

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Jan 11 2008 - 08:44:06 ARST

Yup Luan, Thanks for that information :)

It is mentioned on the following doc:

http://www-search.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039493

"GRE tunnel keepalives (that is, the *keepalive* command under a GRE
interface) are not supported on point-to-point or multipoint GRE tunnels in
a DMVPN Network."

Regards

Farrukh

On Jan 11, 2008 7:06 AM, Luan Nguyen <luan.m.nguyen@gmail.com> wrote:

> I would remove the keepalive 100 3 on your spoke.
> DMVPN doesn't support keep alive.
> Incidentally, 100 3 is also about 5 minutes :)
>
> -lmn
>
> On Jan 10, 2008 8:22 PM, xiongxiaogang <xiongxg@msn.com> wrote:
>
> >
> > Hi Julius and luan,
> > please refer to the below config and my test result.
> > *******SPOKE CONFIG***************
> > crypto isakmp policy 10
> > encr 3des
> > authentication pre-share
> > crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> > crypto isakmp keepalive 10 3
> > !
> > !
> > crypto ipsec transform-set myset esp-3des esp-md5-hmac
> > mode transport
> > !
> > crypto ipsec profile dmvpnprof
> > set transform-set myset
> >
> > interface Loopback10
> > ip address 192.168.5.5 255.255.255.0
> > !
> > interface Tunnel0
> > bandwidth 1000
> > ip address 172.16.1.5 255.255.255.0
> > no ip redirects
> > ip mtu 1400
> > ip nhrp authentication dmvpn
> > ip nhrp map 172.16.1.4 201.1.0.4
> > ip nhrp map multicast 201.1.0.4
> > ip nhrp network-id 1000
> > ip nhrp holdtime 300
> > ip nhrp nhs 172.16.1.4
> > no ip route-cache
> > ip tcp adjust-mss 1360
> > no ip mroute-cache
> > delay 1000
> > keepalive 100 3
> > tunnel source Serial1/1
> > tunnel mode gre multipoint
> > tunnel key 12345
> > tunnel protection ipsec profile dmvpnprof
> >
> > router eigrp 200
> > network 172.16.1.0 0.0.0.255
> > network 192.168.5.0
> > no auto-summary
> >
> > ********HUB CONFIG*****************
> >
> > crypto isakmp policy 10
> > encr 3des
> > authentication pre-share
> > crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> > !
> > !
> > crypto ipsec transform-set myset esp-3des esp-md5-hmac
> > mode transport
> > !
> > crypto ipsec profile dmvpnprof
> > set transform-set myset
> >
> > interface Loopback10
> > ip address 192.168.4.4 255.255.255.0
> > !
> > interface Tunnel0
> > bandwidth 1000
> > ip address 172.16.1.4 255.255.255.0
> > ip mtu 1400
> > ip nhrp authentication dmvpn
> > ip nhrp map multicast dynamic
> > ip nhrp network-id 1000
> > ip nhrp holdtime 300
> > no ip route-cache
> > no ip split-horizon eigrp 200
> > ip tcp adjust-mss 1360
> > no ip mroute-cache
> > delay 1000
> > tunnel source Serial1/1
> > tunnel mode gre multipoint
> > tunnel key 12345
> > tunnel protection ipsec profile dmvpnprof
> >
> > router eigrp 200
> > network 172.16.1.0 0.0.0.255
> > network 192.168.4.0
> > no auto-summary
> >
> > ***********RESULT CAPTURED FROM HUB***********
> > after tunnel is up, ping from spoke1 to hub, get the following result,
> > r4#sh ip nhrp
> > 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:04:02
> > Type: dynamic, Flags: authoritative unique registered
> > NBMA address: 201.1.20.2
> > 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:16, expire 00:03:44
> > Type: dynamic, Flags: authoritative unique registered
> > NBMA address: 201.1.0.5
> > 192.168.4.0/24 via 192.168.4.4, Tunnel0 created 00:04:50, expire
> 00:00:09
> > Type: dynamic, Flags: router authoritative unique local
> > NBMA address: 201.1.0.4
> > 192.168.5.0/24 via 192.168.5.5, Tunnel0 created 00:04:50, expire
> 00:00:09
> > Type: dynamic, Flags: router unique
> > NBMA address: 201.1.0.5
> >
> > after 5 minutes(equal to the nhrp holdtime settings), tunnel is down,
> and
> > get the following output, eigrp neighbor disappear.
> > r4#sh ip nhrp
> > 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:52
> > Type: dynamic, Flags: authoritative unique registered
> > NBMA address: 201.1.20.2
> > 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:26, expire 00:03:34
> > Type: dynamic, Flags: authoritative unique registered
> > NBMA address: 201.1.0.5
> > r4#
> > r4#
> > *Mar 2 16:23:33.261: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> > IPSEC packet.
> > (ip) vrf/dest_addr= /201.1.0.4, src_addr= 201.1.0.5, prot= 47
> > r4#sh ip nhrp
> > 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:45
> > Type: dynamic, Flags: authoritative unique registered
> > NBMA address: 201.1.20.2
> > 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:33, expire 00:03:27
> > Type: dynamic, Flags: authoritative unique registered used
> > NBMA address: 201.1.0.5
> > r4#
> > *Mar 2 16:23:43.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor
> > 172.16.1.5 (Tunnel0) is down: holding time expired
> > *Mar 2 16:23:43.721: destroy peer: 172.16.1.5
> > r4#sh ip ei
> > r4#sh ip eigrp nei
> > r4#sh ip eigrp neighbors
> > IP-EIGRP neighbors for process 200
> > ----------------------------------------
> > > From: jagrinya@fzxmedia.com
> > > To: xiongxg@msn.com
> > > Subject: Re:
> > > Date: Thu, 10 Jan 2008 20:52:54 +0100
> > >
> > > Hello Xiongxiaogang......,
> > >
> > > Can you paste your config's for the hub and spokes here for us to
> > view...?
> > > Could get some clue from the configs.....
> > > do u have "no ip split-horizon eigrp ...." on your hub ...?
> > >
> > > Agrinya Julius Agrinya Jr.
> > > Senior Manager Networks
> > > Microaccess Limited
> > > Abuja-Nigeria.
> > > Phone +234-9-4612607-8 ext 113
> > > Mobile +2348023854717
> > > ----- Original Message -----
> > > From: "xiongxiaogang"
> > > To: ;
> > > Sent: Thursday, January 10, 2008 7:31 PM
> > >
> > >
> > >> Hi,
> > >> I configure dmvpn between one hub and two spokes, the tunnels of
> > >> spoke-to-spoke and spoke-to-hub both work, but I found there is a
> > weired
> > >> problem, that is if I only ping from one spoke to the other spoke, it
> > >> works normally, but meanwhile if I also ping a spoke to the hub,
> > although
> > >> tunnel is up normally, but the tunnel cannot keep up always, it
> > becoming
> > >> down when ip nhrp expires, and the worse is eigrp neighbor between
> hub
> > and
> > >> spoke is affected by the disconnect tunnel, when ip nhrp expires,
> eigrp
> > >> neighbor between hub and spoke is down with the error message "*Jan 5
> > >> 17:32:02.743: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> IPSEC
> > >> packet. (ip) vrf/dest_addr= /105.1.2.5, src_addr= 105.1.50.2, prot=
> > 47..."
> > >> when the eigrp neigbhor is down, even if you ping from spoke to hub,
> > >> cannot enable tunnel up. so I have to go to spoke and shut/no shut
> > tunnel
> > >> interface to resolve it. but I do not think
> > >> it is a good solution, considering in the real world, cannot always
> let
> > >> the router administrator to login to the spoke router and shut/no
> shut
> > >> tunnel interface to let the traffic between spokes and hub to go
> > through,
> > >> and in the lab exam, considering proctor maybe see the error message
> if
> > he
> > >> have ever ping from spoke to hub and provided you set the ip nhrp
> > holdtime
> > >> to 300 seconds, it is expected that the proctor will see the error
> > message
> > >> after 5 minutes and he know the eigrp neighbor is down.
> > >>
> > >> so I doubt the solution could be improved in some place, but I read a
> > lot
> > >> of dmvpn documents, including the long thread discuss about the dmvpn
> > in
> > >> the forum, but have no idea now, I am wondering who can throw me a
> > light
> > >> for it, I am very appreciate of it.
> > >>
> > >> Regards
> > >> Steven
> > >> _________________________________________________________________
> > >> MSNJ%5.@qNo;pHH5G3!#,Cb7Q7"7EVP#,?l@4AlH!0I#!
> > >> http://im.live.cn/emoticons/?ID=18
> > >>
> > >
> > >
> >
> > _________________________________________________________________
> > JV;zR2D\IO MSN ADLlAK#,?l@4JTJT0I#!
> > http://mobile.msn.com.cn/

This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:58 ARST