RE: DMVPN - Tunnel issue

From: Anthony Driver <nthndriver6_at_gmail.com>
Date: Fri, 18 Sep 2009 15:58:39 -0700

Check this doc about GRE:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

-----Original Message-----
From: Cristian Matei [mailto:cristian.matei_at_datanets.ro]
Sent: Friday, September 18, 2009 3:11 PM
To: 'Anthony Driver'; 'Joseph L. Brunner'; 'Donald Virgil'; 'Cisco
certification'
Subject: RE: DMVPN - Tunnel issue

Ip tcp adjust-mss has NOTHING to do with his problem (it is for traffic
traversing the router, and anyway ISAKMP is UDP).
MTU seems to be the issue; I believe it's either a bug or something HW.
Did you try changing the interface?

Regards,
Cristian.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Anthony Driver
Sent: Saturday, September 19, 2009 1:02 AM
To: 'Joseph L. Brunner'; 'Donald Virgil'; 'Cisco certification'
Subject: RE: DMVPN - Tunnel issue

Try adding these:

ip mtu 1400
ip tcp adjust-mss 1360

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Joseph L. Brunner
Sent: Friday, September 18, 2009 1:56 PM
To: Donald Virgil; Cisco certification
Subject: RE: DMVPN - Tunnel issue

What is the time on the routers?

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Donald Virgil
Sent: Friday, September 18, 2009 1:11 PM
To: Cisco certification
Subject: DMVPN - Tunnel issue

I am running a DMVPN with 30+ nodes using PKI as the auth mechanism.

29 sites work great; however, 1 of the sites does not get past phase 1
negotiations. What's strange is on the hub end I see it going QM_IDLE; on the
other end I see:

ISAKMP:(7004): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(7004): retransmitting due to retransmit phase 1
ISAKMP:(7004): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP (7004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

When I test with a pre-shared key for auth, it comes up and exchanges
routes. I've tried re-creating the trust point, multiple times. Changing
the hostname, removing the host cert from the CA, regenerating the RSA keys,
and Cisco TAC looked at it and said it's probably an ISP issue on the spoke
end. I just tried upgrading to 12.4.24T on the spoke side; 12.4.25b
mainline doesn't seem to support the HWIC-1ADSL card I have in the spoke
router.

Has anyone seen this issue? I haven't been able to find anything specific to
this.

Thanks.

Received on Fri Sep 18 2009 - 15:58:39 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART
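
A small triage script for ISAKMP debug output like the lines posted in this thread, added here as an example and not written by any of the posters: it groups lines by SA id and reports which phase 1 state each SA keeps retransmitting in. The sample lines are copied from the original post; the function names and the `min_attempt` threshold are assumptions.

```python
import re

# Debug lines as posted in the thread (the wrapped last line is rejoined).
SAMPLE = """\
ISAKMP:(7004): phase 1 packet is a duplicate of a previous packet.
ISAKMP:(7004): retransmitting due to retransmit phase 1
ISAKMP:(7004): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP (7004): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

# Both "ISAKMP:(7004):" and "ISAKMP (7004):" occur, so the first colon is optional.
LINE = re.compile(r"^ISAKMP:?\s*\((?P<sa>\d+)\):\s*(?P<msg>.*)$")
STATE = re.compile(r"retransmitting phase 1 (?P<state>[A-Z0-9_]+)")
ATTEMPT = re.compile(r"attempt (?P<n>\d+) of (?P<max>\d+)")


def summarize(text):
    """Return {sa_id: counters} describing phase 1 retransmission per SA."""
    sas = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ISAKMP debug line with an SA id
        sa = sas.setdefault(int(m["sa"]), {
            "state": None, "duplicates": 0, "retransmits": 0,
            "attempt": 0, "max_attempts": None,
        })
        msg = m["msg"]
        if "duplicate of a previous packet" in msg:
            sa["duplicates"] += 1  # peer resent a message we already saw
        s = STATE.search(msg)
        if s:
            sa["state"] = s["state"]  # state we are stuck resending from
            sa["retransmits"] += 1
        a = ATTEMPT.search(msg)
        if a:
            sa["attempt"] = max(sa["attempt"], int(a["n"]))
            sa["max_attempts"] = int(a["max"])
    return sas


def stalled(summary, min_attempt=2):
    """List (sa_id, state) for SAs retransmitting at or past min_attempt."""
    return sorted((sa, d["state"]) for sa, d in summary.items()
                  if d["state"] and d["attempt"] >= min_attempt)


if __name__ == "__main__":
    for sa_id, state in stalled(summarize(SAMPLE)):
        print(f"SA {sa_id}: phase 1 stalled in {state}")
```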