Re: DMVPN - Tunnel issue

From: Donald Virgil <d.virgil88_at_gmail.com>
Date: Fri, 18 Sep 2009 17:44:57 -0400

Yes, didn't make a difference.

Do I need to do anything other than crypto isakmp fragmentation in global
config on both sides?

On Fri, Sep 18, 2009 at 5:43 PM, Cristian Matei
<cristian.matei_at_datanets.ro> wrote:

> Did u try the "crypto isakmp fragmentation" ?
>
> Cristian.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Donald Virgil
> Sent: Saturday, September 19, 2009 12:38 AM
> To: Joseph L. Brunner
> Cc: Cisco certification
> Subject: Re: DMVPN - Tunnel issue
>
> Fixed it. Not sure why the solution works. Hope someone can shed some
> light.
>
>
> I set the MTU on the Internet facing interface, the one that is used as the
> tunnel source to *1499* on both sides, and the tunnel came up no problems.
>
>
> W.T.F ????
>
>
>
>
>
> On Fri, Sep 18, 2009 at 4:55 PM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
>
> > What is the time on the routers?
> >
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Donald Virgil
> > Sent: Friday, September 18, 2009 1:11 PM
> > To: Cisco certification
> > Subject: DMVPN - Tunnel issue
> >
> > I am running a DMVPN with 30+ nodes using PKI as the auth mechanism.
> >
> > 29 sites work great, however, 1 of the sites does not get past phase 1
> > negotiations. What's strange is on the hub end I see it going QM_IDLE, on
> > the other end I see:
> >
> > ISAKMP:(7004): phase 1 packet is a duplicate of a previous packet.
> > ISAKMP:(7004): retransmitting due to retransmit phase 1
> > ISAKMP:(7004): retransmitting phase 1 MM_KEY_EXCH...
> > ISAKMP (7004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
> >
> > When I test with a pre-shared key for auth, it comes up and exchanges
> > routes. I've tried re-creating the trust point, multiple times. Changing
> > the hostname, removing the host cert from the CA, regenerating the RSA
> > keys, and Cisco TAC looked at it and said it's probably an ISP issue on
> > the spoke end. I just tried upgrading to 12.4.24T on the spoke side;
> > 12.4.25b mainline doesn't seem to support the HWIC-1ADSL card I have in
> > the spoke router.
> >
> > Has anyone seen this issue? I haven't been able to find anything specific
> > to this.
> >
> > Thanks.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

Received on Fri Sep 18 2009 - 17:44:57 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART