DMVPN with EZVPN and EIGRP through firewall

May 27th, 2008
Greeting all

I hope someone has a few ideas here. I have configured DMVPN with EZVPN, running EIGRP as the routing protocol over the created tunnel.

This works as expected when the routers at either end of the tunnels do not pass through a ASA firewall.

As soon as I introduce the firewall between DMVPN peers, with the appropriate rules to allow GRE, UDP 500 and ESP, it works, but the EIGRP peering only stays up for 1 min 20 sec; it then bounces and continues to do this, so EIGRP never really converges.

The following is the log report:

*May 27 11:16:56.134: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 29: Neighbor (Tunnel29) is down: retry limit exceeded

*May 27 11:16:56.346: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 29: Neighbor (Tunnel29) is up: new adjacency

It seems this has something to do with EIGRP; the peering comes up, but show ip eigrp neig detail reveals:

R1(config-if)#do sh ip eig neig det
IP-EIGRP neighbors for process 29
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
0                    Tu29        11    00:00:31  1      5000  1    0
    Last startup serial 6
    Version 12.2/1.2, Retrans: 7, Retries: 7, Waiting for Init, Waiting for Init Ack
    Expecting no reply for queries
    UPDATE seq 54 ser 2-6 Sent 31068 Init Sequenced

Indicating that it is not really communicating properly with its peer?

I get the same result whether I turn encryption on or off; no difference.

What could the firewall be doing to cause this? PS: the firewall is not blocking any traffic; I am monitoring it.

Any ideas would be most welcome

smahbub Mon, 06/02/2008 - 10:30

"%DUAL-5-NBRCHANGE: IPX-EIGRP 2047: Neighbor x.y (Serial1/1/0.1) is down: Retry limit exceeded" --- the reason for this error is: the local router sent an update, query, or reply, but did not receive an acknowledgment. Check Layer 1 (L1) and Layer 2 (L2) connectivity.

"%DUAL-5-NBRCHANGE: IPX-EIGRP 2047: Neighbor x.y (Serial1/1/0.4) is up: new adjacency" --- the reason for this error is: a hello has been received from an adjoining router, and the router is viewing this neighbor as brand new, although it may have known about it previously.

Refer to the following link for more information on the error messages:


Amadou TOURE Mon, 06/02/2008 - 10:59


Could you post a sample of your tunnel configuration for one spoke (behind an ASA) and for the server?


Farrukh Haroon Mon, 06/02/2008 - 11:37

smahbub, this query was resolved on another forum (GroupStudy). The NHS server command was entered using the 'public' IP address instead of the private IP address (the tunnel interface of the hub). This causes EIGRP to flap.
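To make the resolution in the reply above concrete, here is an added example configuration; it is not from the original thread or any of the posters. It shows a DMVPN hub and one spoke sitting behind the ASA, with the spoke's NHRP next-hop-server setting both as the thread describes the broken state (hub public address) and corrected (hub tunnel address), plus the ASA rules the poster says are in place. EIGRP process 29 and interface Tunnel29 come from the thread; every address, interface name, the NHRP authentication key, the tunnel key and the ASA ACL name are assumptions. The crypto side (the thread's EZVPN) is left out, since the poster reports the same flap with encryption on or off, and the ASA is assumed to route between the peers without NAT so GRE passes unchanged.

```cisco
! ---------------- Hub ----------------
! Assumed: hub public (NBMA) address 203.0.113.1 on Gi0/0, tunnel 10.0.0.1/24, LAN 192.168.1.0/24
interface Tunnel29
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic          ! learn spoke NBMA addresses for EIGRP hellos from registrations
 ip nhrp network-id 29
 ip nhrp holdtime 600
 no ip split-horizon eigrp 29           ! hub must re-advertise spoke routes out the same mGRE interface
 no ip next-hop-self eigrp 29           ! keep spoke tunnel addresses as next hops for spoke-to-spoke
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 29
!
router eigrp 29
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary

! ---------------- Spoke (behind the ASA) ----------------
! Assumed: spoke public address 198.51.100.10 on Gi0/0, tunnel 10.0.0.2/24, LAN 192.168.2.0/24
interface Tunnel29
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1       ! hub tunnel address -> hub public (NBMA) address
 ip nhrp map multicast 203.0.113.1      ! send EIGRP hellos/updates to the hub's NBMA address
 ip nhrp network-id 29
 ip nhrp holdtime 600
 ! The broken variant the thread describes pointed NHS at the hub's PUBLIC address:
 !   ip nhrp nhs 203.0.113.1
 ! The NHS must be the hub's TUNNEL address; the "ip nhrp map" line above resolves it to the NBMA address:
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 29
!
router eigrp 29
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 no auto-summary

! ---------------- ASA in front of the spoke ----------------
! Assumed ACL name and interface nameif; permits exactly what the poster lists: GRE, UDP/500, ESP
access-list OUTSIDE_IN extended permit gre host 203.0.113.1 host 198.51.100.10
access-list OUTSIDE_IN extended permit udp host 203.0.113.1 host 198.51.100.10 eq isakmp
access-list OUTSIDE_IN extended permit esp host 203.0.113.1 host 198.51.100.10
! Only needed if a NAT device sits between the peers (NAT-T); not part of the thread's setup
access-list OUTSIDE_IN extended permit udp host 203.0.113.1 host 198.51.100.10 eq 4500
access-group OUTSIDE_IN in interface outside
```

The check a practitioner would run on the spoke after the change is `show ip nhrp` (the hub's tunnel address should appear as a static entry flagged as an NHS) and, on the hub, `show ip nhrp` and `show dmvpn` (the spoke's tunnel address should appear as a dynamic, registered entry). The general DMVPN rule behind the fix: a spoke registers with its NHS by the hub's tunnel address, and that registration is what gives the hub the spoke's tunnel-to-NBMA mapping (and, with `ip nhrp map multicast dynamic`, the hub's multicast mapping for that spoke). Without a correct NHS the hub has no reliable way to deliver unicast EIGRP updates and acknowledgements to the spoke, which is consistent with the "Waiting for Init Ack" and "retry limit exceeded" symptoms in the original post.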



