(no subject)

From: xiongxiaogang (xiongxg@msn.com)
Date: Fri Jan 11 2008 - 16:15:08 ARST

Hi All,

Actually I have not set tunnel keepalive when that problem is found, even without setting tunnel keepalive , still have the same issue, so it must be other places to fix it.

Regards
steven

----------------------------------------
> Date: Fri, 11 Jan 2008 13:44:06 +0300
> From: farrukhharoon@gmail.com
> To: luan.m.nguyen@gmail.com
> Subject: Re:
> CC: xiongxg@msn.com; jagrinya@microaccess.com; ccielab@groupstudy.com; security@groupstudy.com
>
> Yup Luan, Thanks for that information :)
>
> It is mentioned on the following doc:
>
> http://www-search.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039493
>
> "GRE tunnel keepalives (that is, the *keepalive* command under a GRE
> interface) are not supported on point-to-point or multipoint GRE tunnels in
> a DMVPN Network."
>
> Regards
>
> Farrukh
>
>
>
> On Jan 11, 2008 7:06 AM, Luan Nguyen wrote:
>
>> I would remove the keepalive 100 3 on your spoke.
>> DMVPN doesn't support keep alive.
>> Incidentally, 100 3 is also about 5 minutes :)
>>
>> -lmn
>>
>> On Jan 10, 2008 8:22 PM, xiongxiaogang wrote:
>>
>>>
>>> Hi Julius and luan,
>>> please refer to the below config and my test result.
>>> *******SPOKE CONFIG***************
>>> crypto isakmp policy 10
>>> encr 3des
>>> authentication pre-share
>>> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
>>> crypto isakmp keepalive 10 3
>>> !
>>> !
>>> crypto ipsec transform-set myset esp-3des esp-md5-hmac
>>> mode transport
>>> !
>>> crypto ipsec profile dmvpnprof
>>> set transform-set myset
>>>
>>> interface Loopback10
>>> ip address 192.168.5.5 255.255.255.0
>>> !
>>> interface Tunnel0
>>> bandwidth 1000
>>> ip address 172.16.1.5 255.255.255.0
>>> no ip redirects
>>> ip mtu 1400
>>> ip nhrp authentication dmvpn
>>> ip nhrp map 172.16.1.4 201.1.0.4
>>> ip nhrp map multicast 201.1.0.4
>>> ip nhrp network-id 1000
>>> ip nhrp holdtime 300
>>> ip nhrp nhs 172.16.1.4
>>> no ip route-cache
>>> ip tcp adjust-mss 1360
>>> no ip mroute-cache
>>> delay 1000
>>> keepalive 100 3
>>> tunnel source Serial1/1
>>> tunnel mode gre multipoint
>>> tunnel key 12345
>>> tunnel protection ipsec profile dmvpnprof
>>>
>>> router eigrp 200
>>> network 172.16.1.0 0.0.0.255
>>> network 192.168.5.0
>>> no auto-summary
>>>
>>> ********HUB CONFIG*****************
>>>
>>> crypto isakmp policy 10
>>> encr 3des
>>> authentication pre-share
>>> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
>>> !
>>> !
>>> crypto ipsec transform-set myset esp-3des esp-md5-hmac
>>> mode transport
>>> !
>>> crypto ipsec profile dmvpnprof
>>> set transform-set myset
>>>
>>> interface Loopback10
>>> ip address 192.168.4.4 255.255.255.0
>>> !
>>> interface Tunnel0
>>> bandwidth 1000
>>> ip address 172.16.1.4 255.255.255.0
>>> ip mtu 1400
>>> ip nhrp authentication dmvpn
>>> ip nhrp map multicast dynamic
>>> ip nhrp network-id 1000
>>> ip nhrp holdtime 300
>>> no ip route-cache
>>> no ip split-horizon eigrp 200
>>> ip tcp adjust-mss 1360
>>> no ip mroute-cache
>>> delay 1000
>>> tunnel source Serial1/1
>>> tunnel mode gre multipoint
>>> tunnel key 12345
>>> tunnel protection ipsec profile dmvpnprof
>>>
>>> router eigrp 200
>>> network 172.16.1.0 0.0.0.255
>>> network 192.168.4.0
>>> no auto-summary
>>>
>>> ***********RESULT CAPTURED FROM HUB***********
>>> after tunnel is up, ping from spoke1 to hub, get the following result,
>>> r4#sh ip nhrp
>>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:04:02
>>> Type: dynamic, Flags: authoritative unique registered
>>> NBMA address: 201.1.20.2
>>> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:16, expire 00:03:44
>>> Type: dynamic, Flags: authoritative unique registered
>>> NBMA address: 201.1.0.5
>>> 192.168.4.0/24 via 192.168.4.4, Tunnel0 created 00:04:50, expire
>> 00:00:09
>>> Type: dynamic, Flags: router authoritative unique local
>>> NBMA address: 201.1.0.4
>>> 192.168.5.0/24 via 192.168.5.5, Tunnel0 created 00:04:50, expire
>> 00:00:09
>>> Type: dynamic, Flags: router unique
>>> NBMA address: 201.1.0.5
>>>
>>> after 5 minutes(equal to the nhrp holdtime settings), tunnel is down,
>> and
>>> get the following output, eigrp neighbor disappear.
>>> r4#sh ip nhrp
>>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:52
>>> Type: dynamic, Flags: authoritative unique registered
>>> NBMA address: 201.1.20.2
>>> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:26, expire 00:03:34
>>> Type: dynamic, Flags: authoritative unique registered
>>> NBMA address: 201.1.0.5
>>> r4#
>>> r4#
>>> *Mar 2 16:23:33.261: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
>>> IPSEC packet.
>>> (ip) vrf/dest_addr= /201.1.0.4, src_addr= 201.1.0.5, prot= 47
>>> r4#sh ip nhrp
>>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:45
>>> Type: dynamic, Flags: authoritative unique registered
>>> NBMA address: 201.1.20.2
>>> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:33, expire 00:03:27
>>> Type: dynamic, Flags: authoritative unique registered used
>>> NBMA address: 201.1.0.5
>>> r4#
>>> *Mar 2 16:23:43.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor
>>> 172.16.1.5 (Tunnel0) is down: holding time expired
>>> *Mar 2 16:23:43.721: destroy peer: 172.16.1.5
>>> r4#sh ip ei
>>> r4#sh ip eigrp nei
>>> r4#sh ip eigrp neighbors
>>> IP-EIGRP neighbors for process 200
>>> ----------------------------------------
>>>> From: jagrinya@fzxmedia.com
>>>> To: xiongxg@msn.com
>>>> Subject: Re:
>>>> Date: Thu, 10 Jan 2008 20:52:54 +0100
>>>>
>>>> Hello Xiongxiaogang......,
>>>>
>>>> Can you paste your config's for the hub and spokes here for us to
>>> view...?
>>>> Could get some clue from the configs.....
>>>> do u have "no ip split-horizon eigrp ...." on your hub ...?
>>>>
>>>> Agrinya Julius Agrinya Jr.
>>>> Senior Manager Networks
>>>> Microaccess Limited
>>>> Abuja-Nigeria.
>>>> Phone +234-9-4612607-8 ext 113
>>>> Mobile +2348023854717
>>>> ----- Original Message -----
>>>> From: "xiongxiaogang"
>>>> To: ;
>>>> Sent: Thursday, January 10, 2008 7:31 PM
>>>>
>>>>
>>>>> Hi,
>>>>> I configure dmvpn between one hub and two spokes, the tunnels of
>>>>> spoke-to-spoke and spoke-to-hub both work, but I found there is a
>>> weired
>>>>> problem, that is if I only ping from one spoke to the other spoke, it
>>>>> works normally, but meanwhile if I also ping a spoke to the hub,
>>> although
>>>>> tunnel is up normally, but the tunnel cannot keep up always, it
>>> becoming
>>>>> down when ip nhrp expires, and the worse is eigrp neighbor between
>> hub
>>> and
>>>>> spoke is affected by the disconnect tunnel, when ip nhrp expires,
>> eigrp
>>>>> neighbor between hub and spoke is down with the error message "*Jan 5
>>>>> 17:32:02.743: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
>> IPSEC
>>>>> packet. (ip) vrf/dest_addr= /105.1.2.5, src_addr= 105.1.50.2, prot=
>>> 47..."
>>>>> when the eigrp neigbhor is down, even if you ping from spoke to hub,
>>>>> cannot enable tunnel up. so I have to go to spoke and shut/no shut
>>> tunnel
>>>>> interface to resolve it. but I do not think
>>>>> it is a good solution, considering in the real world, cannot always
>> let
>>>>> the router administrator to login to the spoke router and shut/no
>> shut
>>>>> tunnel interface to let the traffic between spokes and hub to go
>>> through,
>>>>> and in the lab exam, considering proctor maybe see the error message
>> if
>>> he
>>>>> have ever ping from spoke to hub and provided you set the ip nhrp
>>> holdtime
>>>>> to 300 seconds, it is expected that the proctor will see the error
>>> message
>>>>> after 5 minutes and he know the eigrp neighbor is down.
>>>>>
>>>>> so I doubt the solution could be improved in some place, but I read a
>>> lot
>>>>> of dmvpn documents, including the long thread discuss about the dmvpn
>>> in
>>>>> the forum, but have no idea now, I am wondering who can throw me a
>>> light
>>>>> for it, I am very appreciate of it.
>>>>>
>>>>> Regards
>>>>> Steven
>>>>> _________________________________________________________________
>>>>> MSNJ%5.@qNo;pHH5G3!#,Cb7Q7"7EVP#,?l@4AlH!0I#!
>>>>> http://im.live.cn/emoticons/?ID=18
>>>>>
>>>>
>>>>
>>>
>>> _________________________________________________________________
>>> JV;zR2D\IO MSN ADLlAK#,?l@4JTJT0I#!
>>> http://mobile.msn.com.cn/
>

This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:59 ARST