DMVPN on 6509\SUP32 MSFC

Oct 13th, 2009


I am trying to use our 6509 chassis with a Sup32 Supervisor as a DMVPN hub.

The MSFC card has 2 Vlans configured (for simplicity) - One public facing (tunnel endpoint) and one internal.

I can initiate the Tunnel and it comes up fine. I can ping the remote router from the MSFC with the internal vlan as a source address and get a reply.

However, if I try and ping the remote router from a PC on the internal LAN, there is no reply.

I am seeing these errors on the remote router:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /E.E.E.E, src_addr= e.e.e.e, prot= 47...

E = external address of remote router

e = external address on MSFC

From my reading, I think this is all down to intervlan routing being carried out by the MSFC\6509.

Has anybody had this issue and resolved it?

Any tips on how I can get this setup to work?
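The spoke's `%CRYPTO-4-RECVD_PKT_NOT_IPSEC` message means a packet that matched the IPsec SA selectors arrived without an ESP header; `prot= 47` is GRE, so the spoke is seeing the hub's tunnel traffic in the clear for the LAN-sourced pings while MSFC-sourced pings are encrypted. The configuration below is an added example, not the poster's configuration: it shows a minimal DMVPN hub with `tunnel protection` (the only way GRE leaves an mGRE tunnel wrapped in ESP) and, on the spoke, an inbound counting ACL that separates ESP (proto 50), ISAKMP and raw GRE (proto 47) from the hub's public address, which makes the symptom measurable per traffic source. Interface names, NHRP/ISAKMP key names and the addresses (203.0.113.1 standing in for e.e.e.e, 198.51.100.1 for E.E.E.E, both RFC 5737 documentation ranges) are assumptions. One thing worth ruling out with this check, an inference here rather than something the thread establishes, is that transit traffic is being GRE-encapsulated in the Catalyst's hardware forwarding path and never reaches the software IPsec on the MSFC, whereas packets the MSFC originates itself do.

```cisco
! Added example, not the original poster's configuration.
! Interface names, key names and addresses are assumptions.
!
! ---------- Hub (MSFC): mGRE tunnel protected by IPsec ----------
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! Any-spoke pre-shared key; replace with certificates or per-peer keys in production.
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Vlan10
 description public-facing tunnel endpoint (thread's e.e.e.e)
 ip address 203.0.113.1 255.255.255.0
!
interface Vlan20
 description internal LAN
 ip address 192.168.20.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Vlan10
 tunnel mode gre multipoint
 tunnel key 1
 ! Without this line every GRE packet leaves unencrypted (proto 47).
 tunnel protection ipsec profile DMVPN-PROF
!
! ---------- Spoke: count what really arrives from the hub ----------
! ESP (proto 50) is encrypted tunnel traffic. GRE (proto 47) in the clear is
! exactly what %CRYPTO-4-RECVD_PKT_NOT_IPSEC reports. The final permit keeps
! the ACL from dropping anything; it exists only for its hit counters.
ip access-list extended HUB-PROTO-CHECK
 permit esp host 203.0.113.1 host 198.51.100.1
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit gre host 203.0.113.1 host 198.51.100.1
 permit ip any any
!
interface GigabitEthernet0/0
 description outside (thread's E.E.E.E)
 ip access-group HUB-PROTO-CHECK in
!
! Checks, run while pinging from the MSFC and then from a LAN host:
!   show access-lists HUB-PROTO-CHECK
!     -> the "permit gre" counter should stay at zero; if it climbs only
!        during the LAN-host ping, the hub emits that traffic unencrypted
!   show crypto ipsec sa | include pkts
!     -> hub "#pkts encaps" should track spoke "#pkts decaps" for both tests
!   show dmvpn
!   show ip route | include Tunnel0
!     -> the remote LAN must be reachable via Tunnel0, not via Vlan10
```

The ACL-counter test is the useful part: it turns "ping fails" into "packets from the hub reach the spoke, but as GRE instead of ESP, and only for transit traffic", which is the fact needed to decide whether the problem is the tunnel configuration or the forwarding path on the 6509.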



Paolo Bevilacqua Tue, 10/13/2009 - 03:33

Seems like a major configuration problem, review DMVPN documentation and correct your configuration accordingly.

asadnaqui Tue, 10/13/2009 - 03:40

I am happy that the DMVPN side is fine.

The hub config is same as my existing hub. I can see routes being advertised over the tunnel. And I can ping both ends of the tunnel over the routers.

The 6509 is currently running hybrid OS.

Do I need to look into using VRF?

Paolo Bevilacqua Tue, 10/13/2009 - 04:13

How are you doing encryption on the catalyst ?

If not using a service module, you would be better using a regular ISR for dmvpn.

asadnaqui Tue, 10/13/2009 - 06:17

The Supervisor 32 module is doing the encryption (on the MSFC).

We currently are using a 3745 as the DMVPN hub, with around 10 spokes. However, the CPU usage is maxing out, causing some drops. The plan was to use the Sup32 (and greater processing power) as the hub and replace the 3745 altogether.

The other alternative is to purchase a 3845, but this will cost in the region of £7000

Paolo Bevilacqua Tue, 10/13/2009 - 06:28

I think you will find that MSFC has less processing power than the 3745, and I wasn't even aware that it supported software encryption. In fact, the remote router is complaining that it is not encrypting anything.

Any ISR router has onboard crypto HW and most likely you will not need a 3845. I've had excellent results with just 1841s as hub device.

asadnaqui Tue, 10/13/2009 - 06:44

The MSFC is running advipservices which does support DMVPNs. The tunnel is up, with crypto sessions active, so it is encrypting. As I said, I can ping over the tunnel. What's not being encrypted is traffic from different VLANs, hence my question regarding VRF etc.

As you weren't even aware that it supported software encryption, can you show me where it says that a Sup32 has LESS processing power than a 3745?

You state a 1841 would be fine, but if a 3745 is struggling, how would a 1841 cope any better? In any case, a 1841 would not suit us as we require at least 6 interfaces on the router.

Paolo Bevilacqua Tue, 10/13/2009 - 06:48

Because it has hardware crypto acceleration on-board by default, that's the point you are missing.

Neither 3745 nor MSFC has that, making them poor choices for IPsec.

asadnaqui Tue, 10/13/2009 - 06:59

Being unable to get 6 interfaces on a 1841 means it's not an option. In addition to this, I cannot find a rating of its performance. This router needs to be able to route to our MPLS cloud (34M) and the internet (20M) so needs to be able to handle high throughput (1841 is geared for branch offices).

The 3745 is currently at the edge of its power with our 10 spokes. The newer 3845 with its faster processor etc. should be able to handle the tunnels with ease.

All I am trying to do is see if I can use our existing equipment to act as the hub.

The tunnel is up so I know it can do DMVPN. I just need to work out a way to route other VLANs through the tunnel, rather than it switching.

Paolo Bevilacqua Tue, 10/13/2009 - 07:07

I did not imply that you have to get a 1841, I was just making an example. However, from marketing material it can handle up to 45 Mbps of encrypted traffic, meeting or exceeding your requirements.

You can also see that the only rating for 6500 switches is when equipped with optional VPN modules. I've never heard of anyone running IPSEC on the MSFC in a production environment.

If your objective is reusing existing hardware that is all good with me, but do not expect to get good results also.

asadnaqui Tue, 10/13/2009 - 07:13

The plan is to try and get this working and see what results we get.

If indeed I cannot get the throughput required, or the 6509 too maxes out on the CPU, then the next step would be to get a 3845 with a VPN module etc.

Paolo Bevilacqua Tue, 10/13/2009 - 07:18

Again, you do not need a VPN module with ISR routers. The onboard one is perfectly adequate for most uses.

Joseph W. Doherty Tue, 10/13/2009 - 09:26

From reading the posts . . .

If your 3745 doesn't have a crypto module, have you considered obtaining one? (e.g. AIM-VPN/HP II)

asadnaqui Tue, 10/13/2009 - 23:12

The crypto module costs in the region of £2500. The 3745 is 7 years old so buying a module for it seems a bit unnecessary.

If I can't get this to work through the 6509, I will just get the 3845.

Paolo Bevilacqua Wed, 10/14/2009 - 01:57

Actually, looking on the leading auction site, this module can be bought for $50. Of course it is not worth buying new.

There are also reputable refurbished hardware dealers, very helpful to those looking at budget first.

Joseph's suggestion is indeed a very valid one.

asadnaqui Wed, 10/14/2009 - 02:07

Thanks for your suggestions.

Money is not an issue here. I am asking this question to see if I can get this working on a 6509.

Going to ebay to buy a part for our core router is not exactly something that I would do.

Paolo Bevilacqua Wed, 10/14/2009 - 02:15

Actually from your posts above it seemed clear that money is an issue for you.

As I mentioned already, if you don't trust ebay (your loss doing that), there are reputable hardware vendors for professional service.

Basically, everything will be better than having a machine doing something it was not designed for - that will put a real risk on your core infrastructure.

asadnaqui Wed, 10/14/2009 - 02:22

Seriously, this post is relating to getting the 6509 as a DMVPN hub.

Thanks for telling me that money IS an issue :S The reason I stated the cost of the card above is to illustrate the fact that rather than spend £2500 on a card, I would much rather spend £7000 on the 3845 and upgrade a 7 year old router in the process.

If this is coming across rude, it's because rather than concentrate on my question, you are telling me what is and isn't an issue for me.

If we stick to the point in hand - DMVPN on 6509 - then we can progress. Considering you didn't even know you could get a tunnel up on the 6509/Sup32, I think I can safely assume you will not be able to contribute to this topic with respect to the original question.

Paolo Bevilacqua Wed, 10/14/2009 - 02:39

No, sorry, we cannot progress on this with an attitude like yours.

You have been told that you are attempting something wrong in principle, and refuse to acknowledge that. If you do not believe me (sorry, I have only 20 years of networking experience, 10 of these spent at Cisco), ask any certified engineer managing designs similar to yours.

Specifically, ask if it is a good idea to run IPsec in software on an MSFC whereas a 3745 (also software) was struggling.

I will await you reporting on this, although that will require some humbleness you have not shown so far.

You have also been told that parts can be bought at a lesser price than new, to enable something that should have been done since the beginning on your old router - again you refuse to acknowledge this simple truth by which millions of companies have enabled their networking with a competitive advantage.

I have seen attitudes like yours many times in the past, most often from junior engineers with little grasp on reality of cisco networking that can be summed: "always use the right box for the right box". Their only focus was to put in practice whatever smart theory they had come up with. Of course the results were a sure fail all the times.

So my last comment on this can only be, keep going in rounds if you wish - good luck.

One last regarding my supposed inability to help fixing your configuration from remote without having seen anything - a psychic reader can help you better if that is your approach to networking.

asadnaqui Wed, 10/14/2009 - 02:56

This is a discussion forum, where I have asked a general question.

You have posted some points, its only fair I should respond.

Firstly, the 3745 has been doing the job fine for over 2 years, only recently reaching its limit. The idea is the 6509, with its greater CPU power, will be able to alleviate the CPU bottleneck. Surely this is just logical?

With regards to the module - there were no DMVPN tunnels when the router was bought new, so no, it should not have been bought then. The router was fine with 10 VPN tunnels, so no, it should not have been bought then. Now, when the router is 7 years old, is it wrong to not want to spend a vast sum when the router has gone End of Life? As for buying refurbished etc., you are missing the point. There is no need or want for us to spend money on essentially out of date equipment. So any comment you make about auction sites or cheap parts is moot.

As for attitude, I have seen many like yours too. Your first few statements indicated that you did not even know what the 6509 is capable of, stating "and I wasn't even aware that it supported software encryption". Instead of realising this is over your head (yes, it is possible you do not have 100% Cisco knowledge) you continue to push down a path which I have not reached yet (purchase a router).

So please don't assume to know my position or level, when you yourself outlined yours from the very start, but not even realising that I could do what I had done! Yes, we have all come across the "old guy in IT for 50 years and no one can tell him what's what".

I know I am tackling a complex configuration, but that is part of how we learn.

Yes I do believe this is possible, I mean, why incorporate an image that is capable of DMVPN functionality on the 6509?

That's what I aim to find out.

Paolo Bevilacqua Wed, 10/14/2009 - 04:02

Good luck my friend!

Let us know when your MSFC (assuming MSFC-1) CPU melts.

It has an R5000 CPU at 200 MHz, where the 3745 has an R7000 CPU at 350 MHz.

The "vaste sum" of $19 would have saved you from this ordeal, but OMG, it would have to be bought from Evil Ebay. Sorry, what a "moot comment" mine was.

You must be right, what do I know after all, have been in networking too long, luckily new creative engineers like you shall take my place soon. These 1,169 "solved marks" that I got on NetPro must have been given due to commiseration for my old age.

I just hope I will not depend on your networking when that happens :)

asadnaqui Wed, 10/14/2009 - 04:26

MSFC-2a - so R7000 @ 300 MHz. Finally something that makes a valid point.

Again, cost has never been an issue. Acquiring critical equipment off eBay when the funds are available to buy new from Cisco is not something we do.

Thanks for that.

asadnaqui Wed, 10/14/2009 - 05:31

It's a MSFC-2a, so R7000 also.

Looking at specs for the 3845, that has a R7000 @ 350 MHz.

Paolo Bevilacqua Wed, 10/14/2009 - 06:31

And again, for the third or fourth time:

you fail to understand the functionality of a hardware VPN accelerator, that is embedded in ISR routers including, of course, the 3845 - to offload the CPU from heavy cryptographic calculations.


