RE: DMVPN - Tunnel issue from Cristian Matei on 2009-09-18 (Ccielab archives 09/2009)

From: Cristian Matei <cristian.matei_at_datanets.ro>
Date: Sat, 19 Sep 2009 00:43:14 +0300

Did u try the "crypto isakmp fragmentation" ?

Cristian.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Donald Virgil
Sent: Saturday, September 19, 2009 12:38 AM
To: Joseph L. Brunner
Cc: Cisco certification
Subject: Re: DMVPN - Tunnel issue

Fixed it. Not sure why the solutions works. Hope someone can shed some
light.

I set the MTU on the Internet facing interface, the one that is used as the
tunnel source to *1499* on both sides, and the tunnel came up no problems.

W.T.F ????

On Fri, Sep 18, 2009 at 4:55 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com>wrote:

> What is the time on the routers?
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Donald Virgil
> Sent: Friday, September 18, 2009 1:11 PM
> To: Cisco certification
> Subject: DMVPN - Tunnel issue
>
> I am running a DMVPN with 30+ nodes using PKI as the auth mechanism.
>
> 29 Sites work great, however, 1 of the sites does not get passed phase 1
> negotiations. What's strage is on the hub end I see it going QM_IDLE on
> the
> other end i see:
>
> ISAKMP:(7004): phase 1 packet is a duplicate of a previous packet.
> ISAKMP:(7004): retransmitting due to retransmit phase 1
> ISAKMP:(7004): retransmitting phase 1 MM_KEY_EXCH...
> ISAKMP (7004): incrementing error counter on sa, attempt 2 of 5:
retransmit
> phase 1
>
> When I test with a pre-shared key for auth, it comes up and exchanges
> routes. I've tried re-creating the trust point, multiple times. Changing
> the hostname, removing the host cert from the CA, regenerating the RSA
> keys,
> and Cisco TAC looked at it and said it's probably an ISP issue on the
spoke
> end. I just tried upgrading to 12.4.24T on the spoke side; 12.4.25b
> mainline doesnt seem to support the HWIC-1ADSL card i have in the spoke
> router.
>
> Has anyone seen this issue? I havent been able to find anything specific
> to
> this.
>
> Thanks.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Sat Sep 19 2009 - 00:43:14 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART