DMVPN with EZVPN and EIGRP through firewall

gabrielbryson
Level 1

Greeting all

I hope someone has a few ideas here. I have configured DMVPN with EZVPN, running EIGRP as the routing protocol over the created tunnel.

This works as expected when the routers at either end of the tunnels do not pass through an ASA firewall.

As soon as I introduce the firewall between the DMVPN peers, with the appropriate rules to allow GRE, UDP 500 and ESP, it works, but the EIGRP peering only stays up for 1 min 20 sec; it then bounces and continues to do this, so EIGRP never really converges.

The following is the log report:

*May 27 11:16:56.134: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 29: Neighbor 29.0.0.9 (Tunnel29) is down: retry limit exceeded

*May 27 11:16:56.346: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 29: Neighbor 29.0.0.9 (Tunnel29) is up: new adjacency

It seems this has something to do with EIGRP: the peering comes up, but "show ip eigrp neighbors detail" reveals:

R1(config-if)#do sh ip eig neig det
IP-EIGRP neighbors for process 29
H   Address         Interface   Hold Uptime   SRTT   RTO  Q   Seq
                                (sec)         (ms)       Cnt Num
0   29.0.0.9        Tu29          11 00:00:31    1  5000  1   0
    Last startup serial 6
    Version 12.2/1.2, Retrans: 7, Retries: 7, Waiting for Init, Waiting for Init Ack
    Expecting no reply for queries
    UPDATE seq 54 ser 2-6 Sent 31068 Init Sequenced

This indicates that it is not really communicating properly with its peer?

I get the same result if I turn encryption on or off, no difference.

What could the firewall be doing to cause this? PS: the firewall is not blocking any traffic; I am monitoring it.

Any ideas would be most welcome

3 Replies

smahbub
Level 6

"%DUAL-5-NBRCHANGE: IPX-EIGRP 2047: Neighbor x.y (Serial1/1/0.1) is down: Retry limit exceeded" --- the reason for this error is: the local router sent an update, query, or reply, but did not receive an acknowledgment. Check Layer 1 (L1) and Layer 2 (L2) connectivity.

"%DUAL-5-NBRCHANGE: IPX-EIGRP 2047: Neighbor x.y (Serial1/1/0.4) is up: new adjacency" --- the reason for this error is: a hello has been received from an adjoining router, and the router is viewing this neighbor as brand new, although it may have known about it previously.

Refer to the following link for more information on these error messages:

http://www.cisco.com/en/US/tech/tk870/tk451/tk374/technologies_tech_note09186a00800947a5.shtml#tshootneighbor

Hello,

Could you post a sample of your tunnel configuration for one spoke (behind an ASA) and for the server?

Regards

smahbub, this query was resolved on another forum (GroupStudy). The NHS server command was entered using the 'public' IP address instead of the private IP address (the tunnel interface of the hub). This causes EIGRP to flap.

Regards

Farrukh
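As an added illustration of the resolution above (this is not configuration posted in the thread), here is a minimal DMVPN spoke tunnel showing the mistake beside the corrected form. The only values taken from the thread are the tunnel number (29), the hub's tunnel address 29.0.0.9 and the EIGRP process 29; the hub public address 203.0.113.1, the spoke tunnel address 29.0.0.10, the source interface and the lack of an NHRP key are assumed placeholders.

```cisco
! --- Wrong: NHS pointed at the hub's public (NBMA) address ---
! The spoke never registers with the hub's tunnel interface, so the
! EIGRP adjacency over Tunnel29 keeps forming and tearing down
! (the "Waiting for Init Ack" / "retry limit exceeded" pattern above).
interface Tunnel29
 ip address 29.0.0.10 255.255.255.0         ! assumed spoke tunnel address
 ip nhrp network-id 29
 ip nhrp map 29.0.0.9 203.0.113.1            ! 203.0.113.1 = assumed hub public IP
 ip nhrp map multicast 203.0.113.1           ! needed so EIGRP hellos reach the hub
 ip nhrp nhs 203.0.113.1                     ! WRONG: public IP, not the tunnel IP
 tunnel source GigabitEthernet0/0           ! assumed outside (ASA-facing) interface
 tunnel mode gre multipoint

! --- Corrected: NHS is the hub's tunnel (private) address ---
! Only the "ip nhrp nhs" line changes; the tunnel-to-NBMA mapping still
! uses the public address, because that is where GRE/ESP is actually sent.
interface Tunnel29
 ip address 29.0.0.10 255.255.255.0
 ip nhrp network-id 29
 ip nhrp map 29.0.0.9 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 29.0.0.9                        ! CORRECT: hub tunnel interface IP
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 29
 network 29.0.0.0 0.0.0.255                  ! tunnel subnet only; LAN networks omitted
 no auto-summary
```

After the change, "show ip nhrp nhs detail" on the spoke should list 29.0.0.9 as a registered NHS, and the uptime in "show ip eigrp neighbors" should keep climbing past the 1 min 20 sec mark instead of resetting.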
