Find below the config for both ends. The access-lists at both ends match.

Side A
======
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key HQ01BCC02TUNNEL address 192.x.y.74
!
!
crypto ipsec transform-set BCC02HEADOFFICE01 esp-des esp-md5-hmac
!
crypto map HQBCC_IPsec 1 ipsec-isakmp
set peer 192.x.y.74
set security-association lifetime seconds 86400
set transform-set BCC02HEADOFFICE01
set pfs group1
match address ABC-IPSec
!
!
!
!
interface Tunnel1
description TUNNEL CONNECTION TO BCC_IKEJA
bandwidth 100000
ip address 192.x.y.77 255.255.255.252
ip mtu 1400
ip bandwidth-percent eigrp 10 5
load-interval 30
tunnel source 192.x.y.73
tunnel destination 192.x.y.74
crypto map HQBCC_IPsec
interface GigabitEthernet4/22
ip address 192.x.y.73 255.255.255.252
crypto map ABC_IPsec
!
router eigrp 10
network 192.x.0.0
no auto-summary
!
ip access-list extended ABC-IPSec
permit gre host 192.x.y.73 host 192.x.y.74

Side B
======
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key HQ01BCC02TUNNEL address 192.x.y.73
!
!
crypto ipsec transform-set BCC02HEADOFFICE01 esp-des esp-md5-hmac
!
crypto map HQBCC_IPsec 1 ipsec-isakmp
set peer 192.x.y.73
set security-association lifetime seconds 86400
set transform-set BCC02HEADOFFICE01
set pfs group1
match address BCCHQ-IPSec
!
!
!
!
interface Tunnel1
bandwidth 100000
ip address 192.x.y.78 255.255.255.252
ip mtu 1400
ip bandwidth-percent eigrp 10 5
tunnel source 192.x.y.74
tunnel destination 192.x.y.73
crypto map ABC_IPsec
!
interface GigabitEthernet3/23
ip address 192.x.y.74 255.255.255.252
crypto map ABC_IPsec
!
!
router eigrp 10
network 192.z.0.0
network 192.x.0.0
no auto-summary
!
!
ip access-list extended BCCHQ-IPSec
permit gre host 192.x.y.74 host 192.x.y.73

Regards,
Mayokun

On Fri, Nov 27, 2009 at 4:35 PM, Vladimir Michalec <vladimir.michalec_at_gmail.com> wrote:
> I would say that your problem is in the IPsec configuration. It seems that
> the multicast hello packets are correctly exchanged between the peers
> (adjacency is up) but the update packets sent as unicast never arrive, so
> the retry limit brings the adjacency back down. So maybe your crypto ACLs
> are wrong.
>
> Vlado
>
> 2009/11/27 olumayokun fowowe <olumayokun_at_gmail.com>
>
>> Hello Tony,
>>
>> The MTU was set on both sides of the tunnel.
>>
>>
>> On Wed, Nov 25, 2009 at 2:47 AM, Tony Schaffran (GS) <
>> groupstudy_at_cconlinelabs.com> wrote:
>>
>> > Did you set the MTU to 1400 on both sides?
>> >
>> > Tony Schaffran
>> > Sr. Network Consultant
>> > CCIE #11071
>> > CCNP, CCNA, CCDA,
>> > NNCDS, NNCSS, CNE, MCSE
>> >
>> > CCOnlineLabs
>> > Your #1 choice for online Cisco rack rentals.
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > olumayokun fowowe
>> > Sent: Tuesday, November 24, 2009 7:15 AM
>> > To: Cisco certification
>> > Subject: OT: Flapping eigrp interface
>> >
>> > Hello all,
>> >
>> > I have a challenge which I am trying to resolve. Below is the output of my
>> > 'show logg' and necessary config. What is the most likely cause for this,
>> > and how do I resolve it?
>> >
>> > Nov 24 15:37:32: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is down: retry limit exceeded
>> > Nov 24 15:37:35: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is up: new adjacency
>> > Nov 24 15:38:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is down: retry limit exceeded
>> > Nov 24 15:38:55: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is up: new adjacency
>> > Nov 24 15:40:14: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is down: retry limit exceeded
>> > Nov 24 15:40:18: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is up: new adjacency
>> > Nov 24 15:41:38: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is down: retry limit exceeded
>> > Nov 24 15:41:41: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.x.y.78
>> > (Tunnel1) is up: new adjacency
>> >
>> > interface Tunnel100
>> > bandwidth 100000
>> > ip address 192.x.y.77 255.255.255.252
>> > ip mtu 1400
>> > ip bandwidth-percent eigrp 10 5
>> > load-interval 30
>> > tunnel source 192.x.y.73
>> > tunnel destination 172.x.y.74
>> > crypto map ABC_IPsec
>> >
>> > router eigrp 100
>> > net 192.x.0.0
>> > no auto
>> >
>> > Regards,
>> >
>> > Mayokun
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
Received on Fri Nov 27 2009 - 17:52:50 ART
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:29 ART
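
Added example, not part of the original thread: a small consistency check for the kind of crypto map and crypto ACL mismatch the reply above points toward. In the posted configs both sides define `crypto map HQBCC_IPsec` while some interfaces apply `ABC_IPsec`. The sample configs below are constructed from the posted ones, the 198.51.100.x addresses are placeholders, and the function names are hypothetical.

```python
import re
# Constructed samples modelled on the posted Side A / Side B configs;
# the 198.51.100.x addresses are placeholders, not the poster's.
SIDE_A = """crypto map HQBCC_IPsec 1 ipsec-isakmp
 match address ABC-IPSec
interface Tunnel1
 crypto map HQBCC_IPsec
interface GigabitEthernet4/22
 crypto map ABC_IPsec
ip access-list extended ABC-IPSec
 permit gre host 198.51.100.73 host 198.51.100.74"""
SIDE_B = """crypto map HQBCC_IPsec 1 ipsec-isakmp
 match address BCCHQ-IPSec
interface Tunnel1
 crypto map ABC_IPsec
interface GigabitEthernet3/23
 crypto map ABC_IPsec
ip access-list extended BCCHQ-IPSec
 permit gre host 198.51.100.74 host 198.51.100.73"""

def parse(cfg):
    """Return (defined map names, {interface: applied map}, crypto ACL entries)."""
    defined, applied, matched, acls, ctx = set(), {}, set(), {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            defined.add(m[1])
        elif m := re.match(r"match address (\S+)", line):
            matched.add(m[1])
        elif m := re.match(r"(interface|ip access-list extended) (\S+)", line):
            ctx = m[2]                      # current interface or ACL name
        elif m := re.match(r"crypto map (\S+)$", line):
            applied[ctx] = m[1]             # map applied to an interface
        elif m := re.match(r"permit (\S+) host (\S+) host (\S+)", line):
            acls.setdefault(ctx, set()).add(m.groups())
    entries = set().union(*(acls.get(n, set()) for n in matched))
    return defined, applied, entries

def undefined_maps(cfg):
    """Interfaces whose applied crypto map has no matching definition."""
    defined, applied, _ = parse(cfg)
    return {i: n for i, n in applied.items() if n not in defined}

def acls_mirrored(cfg_a, cfg_b):
    """True when each side's crypto ACL is the other's with src/dst swapped."""
    a, b = parse(cfg_a)[2], parse(cfg_b)[2]
    return {(p, dst, src) for p, src, dst in a} == b

if __name__ == "__main__":
    print(undefined_maps(SIDE_A), undefined_maps(SIDE_B), acls_mirrored(SIDE_A, SIDE_B))
```

On these samples the crypto ACLs mirror each other, but every interface except Side A's Tunnel1 references a crypto map name that has no definition.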