DMVPN Issue

Unanswered Question
Jul 14th, 2009
User Badges:

Hi,

There are 3 weeks ago since we switched the WAN Links of our Data Network to DMVPN technology.


There is a HUB 3845 router in HQ and 2811 ISRs in all other 19 Branches. The 3845 router is connected to ISP MPLS cloud through 2 primary E1 lines and a secondary 24 Mbps ADSL line . Every branch router is connected to ISP MPLS cloud through a primary leased line and a secondary 2 Mbps ADSL.


There are 4 DMVPN Tunnels. Tunnel1 over the branch leased line to HUB E1. Tunnel2 over the branch ADSL line to HUB E1. Tunnel 5 over the branch leased line to HUB ADSL line and Tunnel 6 over the branch ADSL line to HUB ADSL line. EIGRP run in the whole network with default timers.


Everything seems work fine, but I have noticed the log messages bellow:


%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=192.168.192.30,dstadr=192.168.192.1,size=768,handle=0x6071


%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=192.168.192.19,dstadr=192.168.192.1,size=144,handle=0x67C1



I have also noticed the log messages from the deny entries from router WAN Access-lists related to fragmentation:


%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.70 -> 192.168.192.1 (11/1), 17 packets


%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.50 -> 192.168.192.1 (11/1), 1 packet

%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.30 -> 192.168.192.1 (11/1), 1 packet

%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.74 -> 192.168.192.1 (11/1), 1 packet


At the end, several times every day the EIGRP Adjacency in Tunnel1 & 5 is flapping without any specific reason.


In the 10.195.35.0 subnet belong the WAN links and in the subnet 192.168.192.0 belong the Tunnel1 IP Addresses.


Could anybody please write if there is any issue related to these log messages and to EIGRP behavior.


Thanks in advance!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
jgtheodor Tue, 07/14/2009 - 22:53
User Badges:

Hi,

Keep continuing from the previous message I am sending you the configuration files for the HUB and Branch router.


Any help would be appreciated!



Attachment: 
Giuseppe Larosa Wed, 07/15/2009 - 05:07
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello John,

your configurations look like fine.


I've searched bug toolkit and there are several bugs for DMVPN in 12.4(22)T like


CSCsv43385

and others


I would give a try to another release on the hub router:

tunnel1 and tunnel5 are related to the same hub router.


An idea could be also to try a release like 12.4(15)T9 and one as 12.4.(22)Tx


x>1


Hope to help

Giuseppe


jgtheodor Wed, 07/15/2009 - 21:45
User Badges:

Hi Giuseppe,

I think you have right. I checked the Tunnel Interfaces in every branch router and there is no any dropped packet in contrast with Tunnels in Hub router which have some dropped packets. I will proceed with an IOS upgrade in 3845 router and I will let you know for the results.


Actions

This Discussion