(no subject)

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sat Jan 12 2008 - 05:25:43 ARST

• Next message: Gary Duncanson: "Re: Google Technical Interview"
• Previous message: Joseph Brunner: "RE: MTU"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Yes AFAIR I was running 12.2(15)T also when I faced this issue. Could be the
IOS....

I rememeber having another 12.3 spoke not suffering from this..I just reset
the NHRP timer to a greater value on the affected router.

Regads

Farrukh

On 1/12/08, xiongxiaogang <xiongxg@msn.com> wrote:
>
>
>
>
>
> I know the show ip nhrp should return one entry of nhrp, but from my lab,
> there is so much which including the loopback address, and I use 12.2-15T,
> because it is used in lab, of course, I can upgrade to latest IOS to resolve
> the issue easily, but only 12.2-15T is test in lab, I have to focus on
> exam. I enalbe/disable cef in hub, get the same result, and of course the
> cef is disabled in spoke, I am wondering if it is the bug of 12.2-15T, and
> only spoke-to-spoke traffic is available.
>
> Regards
> Steven
>
>
> ________________________________
> > Date: Sat, 12 Jan 2008 08:27:30 +0300
> > From: farrukhharoon@gmail.com
> > To: luan.m.nguyen@gmail.com
> > Subject: Re:
> > CC: xiongxg@msn.com; jagrinya@microaccess.com; ccielab@groupstudy.com;
> security@groupstudy.com
> >
> > Actually when I was labbing DMVPN up, I remember I would get more
> entries in the NHRP table sometimes.
> >
> > AFAIR this would depend on the status of 'ip cef' enablement globally.
> Do you have CEF enabled on the hub? What about the spokes?
> >
> > Regards
> >
> > Farrukh
> >
> >
> > On 1/12/08, Luan Nguyen <luan.m.nguyen@gmail.com> wrote:
> > Your show ip nhrp output looks funny.
> > The spoke should only have one entry. Yours must be the hub side. The
> two loopbacks in there are bogus...shouldn't be there.
> > Check your ios and search for bug on nhrp. Or just upgrade to the
> latest possible and see what's up.
> >
> > -lmn
> >
> > 2008/1/11 xiongxiaogang <xiongxg@msn.com>:
> >
> >
> > Hi All,
> >
> > Actually I have not set tunnel keepalive when that problem is found,
> even without setting tunnel keepalive , still have the same issue, so it
> must be other places to fix it.
> >
> >
> > Regards
> > steven
> >
> > ----------------------------------------
> >> Date: Fri, 11 Jan 2008 13:44:06 +0300
> >> From: farrukhharoon@gmail.com
> >> To: luan.m.nguyen@gmail.com
> >> Subject: Re:
> >> CC: xiongxg@msn.com; jagrinya@microaccess.com; ccielab@groupstudy.com;
> security@groupstudy.com
> >>
> >> Yup Luan, Thanks for that information :)
> >>
> >> It is mentioned on the following doc:
> >>
> >>
> http://www-search.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039493
> >>
> >> "GRE tunnel keepalives (that is, the *keepalive* command under a GRE
> >> interface) are not supported on point-to-point or multipoint GRE
> tunnels in
> >> a DMVPN Network."
> >>
> >> Regards
> >>
> >> Farrukh
> >>
> >>
> >>
> >
> >> On Jan 11, 2008 7:06 AM, Luan Nguyen wrote:
> >>
> >>> I would remove the keepalive 100 3 on your spoke.
> >>> DMVPN doesn't support keep alive.
> >>> Incidentally, 100 3 is also about 5 minutes :)
> >>>
> >>> -lmn
> >>>
> >
> >>> On Jan 10, 2008 8:22 PM, xiongxiaogang wrote:
> >>>
> >>>>
> >>>> Hi Julius and luan,
> >>>> please refer to the below config and my test result.
> >>>> *******SPOKE CONFIG***************
> >>>> crypto isakmp policy 10
> >>>> encr 3des
> >>>> authentication pre-share
> >>>> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> >>>> crypto isakmp keepalive 10 3
> >>>> !
> >>>> !
> >>>> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> >>>> mode transport
> >>>> !
> >>>> crypto ipsec profile dmvpnprof
> >>>> set transform-set myset
> >>>>
> >>>> interface Loopback10
> >>>> ip address 192.168.5.5 255.255.255.0
> >>>> !
> >>>> interface Tunnel0
> >>>> bandwidth 1000
> >>>> ip address 172.16.1.5 255.255.255.0
> >>>> no ip redirects
> >>>> ip mtu 1400
> >>>> ip nhrp authentication dmvpn
> >>>> ip nhrp map 172.16.1.4 201.1.0.4
> >>>> ip nhrp map multicast 201.1.0.4
> >>>> ip nhrp network-id 1000
> >>>> ip nhrp holdtime 300
> >>>> ip nhrp nhs 172.16.1.4
> >>>> no ip route-cache
> >>>> ip tcp adjust-mss 1360
> >>>> no ip mroute-cache
> >>>> delay 1000
> >>>> keepalive 100 3
> >>>> tunnel source Serial1/1
> >>>> tunnel mode gre multipoint
> >>>> tunnel key 12345
> >>>> tunnel protection ipsec profile dmvpnprof
> >>>>
> >>>> router eigrp 200
> >>>> network 172.16.1.0 0.0.0.255
> >>>> network 192.168.5.0
> >>>> no auto-summary
> >>>>
> >>>> ********HUB CONFIG*****************
> >>>>
> >>>> crypto isakmp policy 10
> >>>> encr 3des
> >>>> authentication pre-share
> >>>> crypto isakmp key dmvpnkey address 0.0.0.0 0.0.0.0
> >>>> !
> >>>> !
> >>>> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> >>>> mode transport
> >>>> !
> >>>> crypto ipsec profile dmvpnprof
> >>>> set transform-set myset
> >>>>
> >>>> interface Loopback10
> >>>> ip address 192.168.4.4 255.255.255.0
> >>>> !
> >>>> interface Tunnel0
> >>>> bandwidth 1000
> >>>> ip address 172.16.1.4 255.255.255.0
> >>>> ip mtu 1400
> >>>> ip nhrp authentication dmvpn
> >>>> ip nhrp map multicast dynamic
> >>>> ip nhrp network-id 1000
> >>>> ip nhrp holdtime 300
> >>>> no ip route-cache
> >>>> no ip split-horizon eigrp 200
> >>>> ip tcp adjust-mss 1360
> >>>> no ip mroute-cache
> >>>> delay 1000
> >>>> tunnel source Serial1/1
> >>>> tunnel mode gre multipoint
> >>>> tunnel key 12345
> >>>> tunnel protection ipsec profile dmvpnprof
> >>>>
> >>>> router eigrp 200
> >>>> network 172.16.1.0 0.0.0.255
> >>>> network 192.168.4.0
> >>>> no auto-summary
> >>>>
> >>>> ***********RESULT CAPTURED FROM HUB***********
> >>>> after tunnel is up, ping from spoke1 to hub, get the following
> result,
> >>>> r4#sh ip nhrp
> >>>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:04:02
> >>>> Type: dynamic, Flags: authoritative unique registered
> >>>> NBMA address: 201.1.20.2
> >>>> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:16, expire
> 00:03:44
> >>>> Type: dynamic, Flags: authoritative unique registered
> >>>> NBMA address: 201.1.0.5
> >>>> 192.168.4.0/24 via 192.168.4.4, Tunnel0 created 00:04:50, expire
> >>> 00:00:09
> >>>> Type: dynamic, Flags: router authoritative unique local
> >>>> NBMA address: 201.1.0.4
> >>>> 192.168.5.0/24 via 192.168.5.5, Tunnel0 created 00:04:50, expire
> >>> 00:00:09
> >>>> Type: dynamic, Flags: router unique
> >>>> NBMA address: 201.1.0.5
> >>>>
> >>>> after 5 minutes(equal to the nhrp holdtime settings), tunnel is down,
> >>> and
> >>>> get the following output, eigrp neighbor disappear.
> >>>> r4#sh ip nhrp
> >>>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:52
> >>>> Type: dynamic, Flags: authoritative unique registered
> >>>> NBMA address: 201.1.20.2
> >>>> 172.16.1.5/32 via 172.16.1.5 , Tunnel0 created 00:12:26, expire
> 00:03:34
> >>>> Type: dynamic, Flags: authoritative unique registered
> >>>> NBMA address: 201.1.0.5
> >>>> r4#
> >>>> r4#
> >>>> *Mar 2 16:23:33.261 : %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet
> not an
> >>>> IPSEC packet.
> >>>> (ip) vrf/dest_addr= /201.1.0.4, src_addr= 201.1.0.5, prot= 47
> >>>> r4#sh ip nhrp
> >>>> 172.16.1.2/32 via 172.16.1.2, Tunnel0 created 1d06h, expire 00:03:45
> >>>> Type: dynamic, Flags: authoritative unique registered
> >>>> NBMA address: 201.1.20.2
> >>>> 172.16.1.5/32 via 172.16.1.5, Tunnel0 created 00:12:33, expire
> 00:03:27
> >>>> Type: dynamic, Flags: authoritative unique registered used
> >>>> NBMA address: 201.1.0.5
> >>>> r4#
> >>>> *Mar 2 16:23:43.721: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor
> >>>> 172.16.1.5 (Tunnel0) is down: holding time expired
> >>>> *Mar 2 16:23:43.721: destroy peer: 172.16.1.5
> >>>> r4#sh ip ei
> >>>> r4#sh ip eigrp nei
> >>>> r4#sh ip eigrp neighbors
> >>>> IP-EIGRP neighbors for process 200
> >>>> ----------------------------------------
> >>>>> From: jagrinya@fzxmedia.com
> >>>>> To: xiongxg@msn.com
> >>>>> Subject: Re:
> >>>>> Date: Thu, 10 Jan 2008 20:52:54 +0100
> >>>>>
> >>>>> Hello Xiongxiaogang......,
> >>>>>
> >>>>> Can you paste your config's for the hub and spokes here for us to
> >>>> view...?
> >>>>> Could get some clue from the configs.....
> >>>>> do u have "no ip split-horizon eigrp ...." on your hub ...?
> >>>>>
> >>>>> Agrinya Julius Agrinya Jr.
> >>>>> Senior Manager Networks
> >>>>> Microaccess Limited
> >>>>> Abuja-Nigeria.
> >>>>> Phone +234-9-4612607-8 ext 113
> >>>>> Mobile +2348023854717
> >>>>> ----- Original Message -----
> >>>>> From: "xiongxiaogang"
> >>>>> To: ;
> >>>>> Sent: Thursday, January 10, 2008 7:31 PM
> >>>>>
> >>>>>
> >>>>>> Hi,
> >>>>>> I configure dmvpn between one hub and two spokes, the tunnels of
> >>>>>> spoke-to-spoke and spoke-to-hub both work, but I found there is a
> >>>> weired
> >>>>>> problem, that is if I only ping from one spoke to the other spoke,
> it
> >>>>>> works normally, but meanwhile if I also ping a spoke to the hub,
> >>>> although
> >>>>>> tunnel is up normally, but the tunnel cannot keep up always, it
> >>>> becoming
> >>>>>> down when ip nhrp expires, and the worse is eigrp neighbor between
> >>> hub
> >>>> and
> >>>>>> spoke is affected by the disconnect tunnel, when ip nhrp expires,
> >>> eigrp
> >>>>>> neighbor between hub and spoke is down with the error message "*Jan
> 5
> >>>>>> 17:32:02.743: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> >>> IPSEC
> >>>>>> packet. (ip) vrf/dest_addr= /105.1.2.5, src_addr= 105.1.50.2, prot=
> >>>> 47..."
> >>>>>> when the eigrp neigbhor is down, even if you ping from spoke to
> hub,
> >>>>>> cannot enable tunnel up. so I have to go to spoke and shut/no shut
> >>>> tunnel
> >>>>>> interface to resolve it. but I do not think
> >>>>>> it is a good solution, considering in the real world, cannot always
> >>> let
> >>>>>> the router administrator to login to the spoke router and shut/no
> >>> shut
> >>>>>> tunnel interface to let the traffic between spokes and hub to go
> >>>> through,
> >>>>>> and in the lab exam, considering proctor maybe see the error
> message
> >>> if
> >>>> he
> >>>>>> have ever ping from spoke to hub and provided you set the ip nhrp
> >>>> holdtime
> >>>>>> to 300 seconds, it is expected that the proctor will see the error
> >>>> message
> >>>>>> after 5 minutes and he know the eigrp neighbor is down.
> >>>>>>
> >>>>>> so I doubt the solution could be improved in some place, but I read
> a
> >>>> lot
> >>>>>> of dmvpn documents, including the long thread discuss about the
> dmvpn
> >>>> in
> >>>>>> the forum, but have no idea now, I am wondering who can throw me a
> >>>> light
> >>>>>> for it, I am very appreciate of it.
> >>>>>>
> >>>>>> Regards
> >>>>>> Steven
> >>>>>> _________________________________________________________________
> >>>>>> MSNJ%5.@qNo;pHH5G3!#,Cb7Q7"7EVP#,?l@4AlH!0I#!
> >>>>>> http://im.live.cn/emoticons/?ID=18
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>> _________________________________________________________________
> >>>> JV;zR2D\IO MSN ADLlAK#,?l@4JTJT0I#!
> >>>> http://mobile.msn.com.cn/
> >>
> >
> >
> > _________________________________________________________________
> > MSNJ%5.@qNo;pHH5G3!#,Cb7Q7"7EVP#,?l@4AlH!0I#!
> > http://im.live.cn/emoticons/?ID=18
>
> _________________________________________________________________
> LlA9AK#,LmRBAK#,PD6/AK#,"F_<~"AK
> http://get.live.cn

• Next message: Gary Duncanson: "Re: Google Technical Interview"
• Previous message: Joseph Brunner: "RE: MTU"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:59 ARST