From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sat Jan 12 2008 - 03:27:30 ARST
Actually when I was labbing DMVPN up, I remember I would get more entries in
the NHRP table sometimes.
AFAIR this would depend on the status of 'ip cef' enablement globally. Do
you have CEF enabled on the hub? What about the spokes?
Regards
Farrukh
On 1/12/08, Luan Nguyen <luan.m.nguyen@gmail.com> wrote:
>
> Your show ip nhrp output looks funny.
> The spoke should only have one entry. Yours must be the hub side. The
> two loopbacks in there are bogus...shouldn't be there.
> Check your ios and search for bug on nhrp. Or just upgrade to the latest
> possible and see what's up.
>
> -lmn
>
> 2008/1/11 xiongxiaogang <xiongxg@msn.com>:
>
> >
> > Hi All,
> >
> > Actually I have not set tunnel keepalive when that problem is found,
> > even without setting tunnel keepalive , still have the same issue, so it
> > must be other places to fix it.
> >
> >
> > Regards
> > steven
> >
> > ----------------------------------------
> > > Date: Fri, 11 Jan 2008 13:44:06 +0300
> > > From: farrukhharoon@gmail.com
> > > To: luan.m.nguyen@gmail.com
> > > Subject: Re:
> > > CC: xiongxg@msn.com; jagrinya@microaccess.com; ccielab@groupstudy.com;
> > security@groupstudy.com
> > >
> > > Yup Luan, Thanks for that information :)
> > >
> > > It is mentioned on the following doc:
> > >
> > > http://www-search.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039493
> >
> > >
> > > "GRE tunnel keepalives (that is, the *keepalive* command under a GRE
> > > interface) are not supported on point-to-point or multipoint GRE
> > tunnels in
> > > a DMVPN Network."
> > >
> > > Regards
> > >
> > > Farrukh
> > >
> > >
> > >
> >
> > > On Jan 11, 2008 7:06 AM, Luan Nguyen wrote:
> > >
> > >> I would remove the keepalive 100 3 on your spoke.
> > >> DMVPN doesn't support keep alive.
> > >> Incidentally, 100 3 is also about 5 minutes :)
> > >>
> > >> -lmn
> > >>
> >
> > >> On Jan 10, 2008 8:22 PM, xiongxiaogang wrote:
> > >>
> > >>>
> > >>> Hi Julius and luan,
> > >>> please refer to the below config and my test result.
> > >>> *******SPOKE CONFIG***************
> > >>> crypto isakmp policy 10
> > >>> encr 3des
> > >>> authentication pre-share
> > >>> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> > >>> crypto isakmp keepalive 10 3
> > >>> !
> > >>> !
> > >>> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> > >>> mode transport
> > >>> !
> > >>> crypto ipsec profile dmvpnprof
> > >>> set transform-set myset
> > >>>
> > >>> interface Loopback10
> > >>> ip address 192.168.5.5 255.255.255.0
> > >>> !
> > >>> interface Tunnel0
> > >>> bandwidth 1000
> > >>> ip address 172.16.1.5 255.255.255.0
> > >>> no ip redirects
> > >>> ip mtu 1400
> > >>> ip nhrp authentication dmvpn
> > >>> ip nhrp map 172.16.1.4 201.1.0.4
> > >>> ip nhrp map multicast 201.1.0.4
> > >>> ip nhrp network-id 1000
> > >>> ip nhrp holdtime 300
> > >>> ip nhrp nhs 172.16.1.4
> > >>> no ip route-cache
> > >>> ip tcp adjust-mss 1360
> > >>> no ip mroute-cache
> > >>> delay 1000
> > >>> keepalive 100 3
> > >>> tunnel source Serial1/1
> > >>> tunnel mode gre multipoint
> > >>> tunnel key 12345
> > >>> tunnel protection ipsec profile dmvpnprof
> > >>>
> > >>> router eigrp 200
> > >>> network 172.16.1.0 0.0.0.255
> > >>> network 192.168.5.0
> > >>> no auto-summary
> > >>>
> > >>> ********HUB CONFIG*****************
> > >>>
> > >>> crypto isakmp policy 10
> > >>> encr 3des
> > >>> authentication pre-share
> > >>> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> > >>> !
> > >>> !
> > >>> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> > >>> mode transport
> > >>> !
> > >>> crypto ipsec profile dmvpnprof
> > >>> set transform-set myset
> > >>>
> > >>> interface Loopback10
> > >>> ip address 192.168.4.4 255.255.255.0
> > >>> !
> > >>> interface Tunnel0
> > >>> bandwidth 1000
> > >>> ip address 172.16.1.4 255.255.255.0
> > >>> ip mtu 1400
> > >>> ip nhrp authentication dmvpn
> > >>> ip nhrp map multicast dynamic
> > >>> ip nhrp network-id 1000
> > >>> ip nhrp holdtime 300
> > >>> no ip route-cache
> > >>> no ip split-horizon eigrp 200
> > >>> ip tcp adjust-mss 1360
> > >>> no ip mroute-cache
> > >>> delay 1000
> > >>> tunnel source Serial1/1
> > >>> tunnel mode gre multipoint
> > >>> tunnel key 12345
> > >>> tunnel protection ipsec profile dmvpnprof
> > >>>
> > >>> router eigrp 200
> > >>> network 172.16.1.0 0.0.0.255
> > >>> network 192.168.4.0
> > >>> no auto-summary
> > >>>
> > >>> ***********RESULT CAPTURED FROM HUB***********
> > >>> after tunnel is up, ping from spoke1 to hub, get the following
> > result,
> > >>> r4#sh ip nhrp
> > >>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:04:02
> > >>> Type: dynamic, Flags: authoritative unique registered
> > >>> NBMA address: 201.1.20.2
> > >>> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:16, expire
> > 00:03:44
> > >>> Type: dynamic, Flags: authoritative unique registered
> > >>> NBMA address: 201.1.0.5
> > >>> 192.168.4.0/24 via 192.168.4.4, Tunnel0 created 00:04:50, expire
> > >> 00:00:09
> > >>> Type: dynamic, Flags: router authoritative unique local
> > >>> NBMA address: 201.1.0.4
> > >>> 192.168.5.0/24 via 192.168.5.5, Tunnel0 created 00:04:50, expire
> > >> 00:00:09
> > >>> Type: dynamic, Flags: router unique
> > >>> NBMA address: 201.1.0.5
> > >>>
> > >>> after 5 minutes(equal to the nhrp holdtime settings), tunnel is
> > down,
> > >> and
> > >>> get the following output, eigrp neighbor disappear.
> > >>> r4#sh ip nhrp
> > >>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:52
> > >>> Type: dynamic, Flags: authoritative unique registered
> > >>> NBMA address: 201.1.20.2
> > >>> 172.16.1.5/32 via 172.16.1.5 , Tunnel0 created 00:12:26, expire
> > 00:03:34
> > >>> Type: dynamic, Flags: authoritative unique registered
> > >>> NBMA address: 201.1.0.5
> > >>> r4#
> > >>> r4#
> > >>> *Mar 2 16:23:33.261: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet
> > not an
> > >>> IPSEC packet.
> > >>> (ip) vrf/dest_addr= /201.1.0.4, src_addr= 201.1.0.5, prot= 47
> > >>> r4#sh ip nhrp
> > >>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:45
> >
> > >>> Type: dynamic, Flags: authoritative unique registered
> > >>> NBMA address: 201.1.20.2
> > >>> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:33, expire
> > 00:03:27
> > >>> Type: dynamic, Flags: authoritative unique registered used
> > >>> NBMA address: 201.1.0.5
> > >>> r4#
> > >>> *Mar 2 16:23:43.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor
> > >>> 172.16.1.5 (Tunnel0) is down: holding time expired
> > >>> *Mar 2 16:23:43.721: destroy peer: 172.16.1.5
> > >>> r4#sh ip ei
> > >>> r4#sh ip eigrp nei
> > >>> r4#sh ip eigrp neighbors
> > >>> IP-EIGRP neighbors for process 200
> > >>> ----------------------------------------
> > >>>> From: jagrinya@fzxmedia.com
> > >>>> To: xiongxg@msn.com
> > >>>> Subject: Re:
> > >>>> Date: Thu, 10 Jan 2008 20:52:54 +0100
> > >>>>
> > >>>> Hello Xiongxiaogang......,
> > >>>>
> > >>>> Can you paste your config's for the hub and spokes here for us to
> > >>> view...?
> > >>>> Could get some clue from the configs.....
> > >>>> do u have "no ip split-horizon eigrp ...." on your hub ...?
> > >>>>
> > >>>> Agrinya Julius Agrinya Jr.
> > >>>> Senior Manager Networks
> > >>>> Microaccess Limited
> > >>>> Abuja-Nigeria.
> > >>>> Phone +234-9-4612607-8 ext 113
> > >>>> Mobile +2348023854717
> > >>>> ----- Original Message -----
> > >>>> From: "xiongxiaogang"
> > >>>> To: ;
> > >>>> Sent: Thursday, January 10, 2008 7:31 PM
> > >>>>
> > >>>>
> > >>>>> Hi,
> > >>>>> I configure dmvpn between one hub and two spokes, the tunnels of
> > >>>>> spoke-to-spoke and spoke-to-hub both work, but I found there is a
> > >>> weired
> > >>>>> problem, that is if I only ping from one spoke to the other spoke,
> > it
> > >>>>> works normally, but meanwhile if I also ping a spoke to the hub,
> > >>> although
> > >>>>> tunnel is up normally, but the tunnel cannot keep up always, it
> > >>> becoming
> > >>>>> down when ip nhrp expires, and the worse is eigrp neighbor between
> > >> hub
> > >>> and
> > >>>>> spoke is affected by the disconnect tunnel, when ip nhrp expires,
> > >> eigrp
> > >>>>> neighbor between hub and spoke is down with the error message
> > "*Jan 5
> > >>>>> 17:32:02.743: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> > >> IPSEC
> > >>>>> packet. (ip) vrf/dest_addr= /105.1.2.5, src_addr= 105.1.50.2,
> > prot=
> > >>> 47..."
> > >>>>> when the eigrp neigbhor is down, even if you ping from spoke to
> > hub,
> > >>>>> cannot enable tunnel up. so I have to go to spoke and shut/no shut
> >
> > >>> tunnel
> > >>>>> interface to resolve it. but I do not think
> > >>>>> it is a good solution, considering in the real world, cannot
> > always
> > >> let
> > >>>>> the router administrator to login to the spoke router and shut/no
> > >> shut
> > >>>>> tunnel interface to let the traffic between spokes and hub to go
> > >>> through,
> > >>>>> and in the lab exam, considering proctor maybe see the error
> > message
> > >> if
> > >>> he
> > >>>>> have ever ping from spoke to hub and provided you set the ip nhrp
> > >>> holdtime
> > >>>>> to 300 seconds, it is expected that the proctor will see the error
> >
> > >>> message
> > >>>>> after 5 minutes and he know the eigrp neighbor is down.
> > >>>>>
> > >>>>> so I doubt the solution could be improved in some place, but I
> > read a
> > >>> lot
> > >>>>> of dmvpn documents, including the long thread discuss about the
> > dmvpn
> > >>> in
> > >>>>> the forum, but have no idea now, I am wondering who can throw me a
> >
> > >>> light
> > >>>>> for it, I am very appreciate of it.
> > >>>>>
> > >>>>> Regards
> > >>>>> Steven
> > >>>>> _________________________________________________________________
> > >>>>> MSNJ%5.@qNo;pHH5G3!#,Cb7Q7"7EVP#,?l@4AlH!0I#!
> > >>>>> http://im.live.cn/emoticons/?ID=18
> > >>>>>
> > >>>>
> > >>>>
> > >>>
> > >>> _________________________________________________________________
> > >>> JV;zR2D\IO MSN ADLlAK#,?l@4JTJT0I#!
> > >>> http://mobile.msn.com.cn/
> > >
> >
> >
> > _________________________________________________________________
> > MSNJ%5.@qNo;pHH5G3!#,Cb7Q7"7EVP#,?l@4AlH!0I#!
> > http://im.live.cn/emoticons/?ID=18
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:59 ARST