Re: DMVPN - Tunnel issue from Donald Virgil on 2009-09-18 (Ccielab archives 09/2009)

From: Donald Virgil <d.virgil88_at_gmail.com>
Date: Fri, 18 Sep 2009 17:43:01 -0400

Note: I've tested leaving the default MTU on both sides one at a time, and
tunnel does not come up, only when both sides are set to 1499 or less.

On Fri, Sep 18, 2009 at 5:38 PM, Donald Virgil <d.virgil88_at_gmail.com> wrote:

> Fixed it. Not sure why the solutions works. Hope someone can shed some
> light.
>
>
> I set the MTU on the Internet facing interface, the one that is used as the
> tunnel source to *1499* on both sides, and the tunnel came up no problems.
>
>
> W.T.F ????
>
>
>
>
>
> On Fri, Sep 18, 2009 at 4:55 PM, Joseph L. Brunner <
> joe_at_affirmedsystems.com> wrote:
>
>> What is the time on the routers?
>>
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Donald Virgil
>> Sent: Friday, September 18, 2009 1:11 PM
>> To: Cisco certification
>> Subject: DMVPN - Tunnel issue
>>
>> I am running a DMVPN with 30+ nodes using PKI as the auth mechanism.
>>
>> 29 Sites work great, however, 1 of the sites does not get passed phase 1
>> negotiations. What's strage is on the hub end I see it going QM_IDLE on
>> the
>> other end i see:
>>
>> ISAKMP:(7004): phase 1 packet is a duplicate of a previous packet.
>> ISAKMP:(7004): retransmitting due to retransmit phase 1
>> ISAKMP:(7004): retransmitting phase 1 MM_KEY_EXCH...
>> ISAKMP (7004): incrementing error counter on sa, attempt 2 of 5:
>> retransmit
>> phase 1
>>
>> When I test with a pre-shared key for auth, it comes up and exchanges
>> routes. I've tried re-creating the trust point, multiple times. Changing
>> the hostname, removing the host cert from the CA, regenerating the RSA
>> keys,
>> and Cisco TAC looked at it and said it's probably an ISP issue on the
>> spoke
>> end. I just tried upgrading to 12.4.24T on the spoke side; 12.4.25b
>> mainline doesnt seem to support the HWIC-1ADSL card i have in the spoke
>> router.
>>
>> Has anyone seen this issue? I havent been able to find anything specific
>> to
>> this.
>>
>> Thanks.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri Sep 18 2009 - 17:43:01 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART