core 3845 HSEC adv IP services 12.4(3e)

Branches 2801/11 adv security 12.4(3H)

Core Router:

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key ni135 address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set NI_Sec_DMVPN esp-3des esp-md5-hmac

!

crypto ipsec profile NI_DMVPN

set security-association lifetime seconds 120

set transform-set NI_Sec_DMVPN

!

interface Tunnel0

ip address 172.30.0.1 255.255.240.0

no ip redirects

ip ospf mtu-ignore

ip mtu 1400

ip nhrp authentication ni135

ip nhrp map multicast dynamic

ip nhrp network-id 1

ip ospf network broadcast

tunnel source 192.168.220.146

tunnel mode gre multipoint

tunnel key 0

tunnel protection ipsec profile NI_DMVPN

router ospf 1

network 10.200.0.0 0.0.3.255 area 0

network 172.30.0.0 0.0.15.255 area 2

area 2 stub no-summary

Branch Router

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key ni135 address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set NI_Sec_DMVPN esp-3des esp-md5-hmac

!

crypto ipsec profile NI_DMVPN

set security-association lifetime seconds 120

set transform-set NI_Sec_DMVPN

!

interface Tunnel0

ip address 172.30.3.224 255.255.240.0

no ip redirects

ip ospf mtu-ignore

ip mtu 1400

ip nhrp authentication ni135

ip nhrp map multicast dynamic

ip nhrp map 172.30.0.1 192.168.220.146

ip nhrp map multicast 192.168.220.146

ip nhrp network-id 1

ip nhrp nhs 172.30.0.1

ip ospf network broadcast

tunnel source 192.168.220.198

tunnel destination 192.168.220.146

tunnel key 0

tunnel protection ipsec profile NI_DMVPN

router ospf 1

network 10.203.224.0 0.0.3.255 area 2

network 172.30.0.0 0.0.15.255 area 2

area 2 stub no-summary

distribute-list prefix filter_all_except_default in

ip prefix-list filter_all_except_default seq 5 deny 0.0.0.0/1 le 32

ip prefix-list filter_all_except_default seq 10 permit 0.0.0.0/0

Atif:

If you want to continue troubleshooting on this MTU track, you can try this:

Try applying the ip tcp adjust-mss 1436 command under the GRE interface at both ends. What this does is allow each side to advertise (not negotiate) the maximum size of the data portion of the TCP segment that each will accept.

And then configure the ip mtu setting under the GRE interface at both ends to 1500.

These numbers aren't arbitrary. If you add the TCP header of 20 bytes and the IP header of 20 bytes, plus the GRE header overhead of 24 bytes to the TCP segment size of 1436, the resulting IP datagram will be 1500 bytes in length.

Apply these numbers and come back and tell us if the problem has gotten any better.

HTH

Victor

Thank victor

One or two thing i like to add before apply the setting

you didn't take account of IPsec overhead.

Further one more info, when the branches are under 50 every thing is normal but when i add more branches like i take it to 65 branches branches get stuck.

Regards

Atif

Hi

I think as per cisco recomendation the number of routers in an area should not be more than 50.

Thanks

Mahmood

Atif:

You're right.

The size of the IPSec header will differ, depending on whether you deploy AH or ESP and whether you use IPSec Tunnel mode or Transport mode. Transport mode is commonly used is GRE over IPSec implementations because the tunnel endpoints are also the same as the IPSec encrytpion endpoints, and transport mode saves about 20 bytes.

So, make the adjustments to the tcp mass accordingly.

Thanks

Victor

Atif:

Forgot to address your second issue.

"Further one more info, when the branches are under 50 every thing is normal but when i add more branches like i take it to 65 branches branches get stuck."

If you have 50 routers working and they are all configured in the same manner (MTU, mass, etc), then I would guess that the 7 or 8 stragglers are having a different issue.

You're going to have to investigate the memory and processor capabilities of your hub router and whether your design is feasible.

HTH

Victor

attached is the debug output

Dear Atif, i am facing the same issue, did you find the solution to your problem ?

kindly let me know