ASK THE EXPERT - DYNAMIC MULTICAST VPN

Jan 19th, 2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on configuration and troubleshooting of Multi Point GRE and Dynamic VPN tunnels on Cisco routers with Cisco expert Srinivas Mallu. Srinivas is a senior customer support engineer in High Touch Technical Support (HTTS) within the Technical Assistance Center (TAC). He has a double CCIE in Routing & Switching and Security (CCIE# 8914). He has been in TAC for the past eight years supporting security related products such as PIX, ASA, FWSM, Security on IOS, IPSec, ACS and IDS. Srinivas also trains people on his team on security technologies.


Remember to use the rating system to let Srinivas know if you have received an adequate response.


Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 29, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

zeeshan2007 Tue, 01/19/2010 - 22:27

Hi All,

I would like to ask you a question. I am using the SolarWinds monitoring tool for bandwidth monitoring.

I would like to know which interface we should use for monitoring: the physical interface or the tunnel interface?

I am using a GRE tunnel at each of my remote locations.

In some locations, when I compare my physical interface graph and tunnel interface graph, there is always a huge difference; the tunnel interface always shows higher utilization. But for some sites the physical interface and tunnel interface graphs are the same.

Please let me know which is best for monitoring.

zvondovec Wed, 01/20/2010 - 02:03

Hi,

Do you have the bandwidth command in the configuration of the tunnel interface?

It should be the same as the bandwidth of the physical line.

Without this command, the bandwidth is 9 kbit (I hope) by default.

So this could be the problem in the graphs.

bye

smallu Thu, 01/21/2010 - 16:40

Yes. You can define a bandwidth command under the tunnel interface.

Here is an example:

interface Tunnel0
 qos pre-classify
 ! tunnel transmit/receive bandwidth, in kbps
 tunnel bandwidth transmit 1544
 tunnel bandwidth receive 1544
 service-policy output TUNNEL_QOS
!
policy-map VOICE
 class VOICE
  priority 480
 ! a single class cannot carry both priority and bandwidth,
 ! so the 200 kbps guarantee goes on the remaining traffic
 class class-default
  bandwidth 200
!
policy-map TUNNEL_QOS
 class class-default
  shape peak 15440000
  ! the child policy is applied inside the shaper
  service-policy VOICE

You can do it using the tunnel bandwidth command or by using the service-policy.

Hope this helps!

Thanks,

Srinivas.

smallu Thu, 01/21/2010 - 16:32

Hi There,


You'll get the best usage data by monitoring the physical interface. GRE is a logical interface; any data sent through it still has to traverse the physical interface.


Sure, in certain cases, where the GRE tunnel is used extensively or is maybe the only default route for the traffic, you may see the same statistics for the bandwidth monitoring on both the physical and GRE interfaces, but it is not an accurate measure.


Hope this helps!


Thanks,

Srinivas.

tarnhundal Fri, 01/22/2010 - 08:16

Hi,

I have to implement IPsec over GRE according to our customer's requirements. Actually, we are at the CE end with an MPLS service. One core location connects to 20 other sites, but it is not hub and spoke, because each site connects to the other sites without going through the core. Now we have P2P links from our core to all other sites. All MPLS and P2P links run BGP. In either case, each site should have reachability to all other sites without depending on the core. I am thinking of implementing DMVPN, but I am not sure about it. So please let me know about it and help me sort out this issue.


Thanks and Regards,

Taran

smallu Mon, 01/25/2010 - 11:58

Taran,


Yes, you can setup MPLS VPN over DMVPN.


DMVPN provides two key advantages for extending MPLS VPNs to the branches: bulk encryption and, more importantly, a scalable overlay model. Since the assumption here is that the branches in this deployment are connected to the hub through a Layer 3 SP service, a tunneled model using GRE is needed to extend MPLS to the branches. Coupled with the fact that there is a large number of existing DMVPN deployments, this solution becomes an attractive deployment option.


Here is a good document on this with some sample configurations:


http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwanempls.pdf


Hope this helps!


Srinivas.

dmitry Fri, 01/22/2010 - 14:59

Hi,

Are there any plans to implement some type of signalling for QoS to address the issue of DMVPN spoke-to-spoke traffic flow? Not long ago (IOS 12.4.22T) Cisco implemented a nice QoS feature where the DMVPN spokes can tell the hubs via an NHRP(?) group which QoS policy the hub should apply on the dynamic tunnel in the outbound direction towards that spoke, so the hub can shape the traffic based on the available BW at the spoke. This works fine as long as the DMVPN traffic flows spoke->hub->spoke. If the spokes can establish a direct tunnel, this QoS approach won't work very well, since the hub would not know if the spoke is also receiving some traffic from the other spoke, which can lead to inbound congestion at the first spoke.


Thanks
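As an added illustration, not taken from this post or from the thread's own configs, this is the shape of the hub-to-spoke per-tunnel QoS signalling described above: the spoke advertises an NHRP group name when it registers, and the hub maps that group to a shaper it applies per dynamic tunnel toward that spoke. The group name, policy names, match criteria and rates are assumed values.

```cisco
! ---- Spoke (assumed 1 Mbps downstream) ----
! The group name is carried in the spoke's NHRP registration to the hub.
interface Tunnel0
 ip nhrp attribute group SPOKE-1M

! ---- Hub ----
! Child policy: priority for voice, the rest shares what remains.
class-map match-any VOICE
 match dscp ef
policy-map CHILD-QOS
 class VOICE
  priority percent 30
 class class-default
  fair-queue

! Parent shaper sized to the spoke's downstream; the child runs inside it.
policy-map SHAPE-1M
 class class-default
  shape average 1000000
  service-policy CHILD-QOS

! Bind the NHRP group to the shaper. The hub instantiates its own copy of
! SHAPE-1M outbound on every spoke tunnel that registers with that group.
interface Tunnel0
 ip nhrp map group SPOKE-1M service-policy output SHAPE-1M

! This covers only hub->spoke traffic. A direct spoke-to-spoke tunnel
! carries no such group exchange, which is the gap raised above.
```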

smallu Mon, 01/25/2010 - 12:07

Hi There,


Simple answer to your question. No, we don't have this feature available yet. We understand the issue, and we have received requests for this feature. This is currently under discussion. So, we are working on this.


In general, we recommend using DSCP bits to mark traffic so that the ISP can do QoS on the last physical hop to the spoke.

Hope this helps!


Thanks,

Srinivas.

bertalamares1 Mon, 01/25/2010 - 01:51

Hi, good day. I am using a DSL card for my internet connection account. I made the configuration on my Cisco 877W series router, but the problem is that when I browse in Internet Explorer there is no display; the PPP VPN LED is OK, but there is no internet coming through. If I use my Linksys Cisco router there is no problem and I can browse in Internet Explorer. What should I do about this problem on the Cisco 877 router? Thank you, I hope you can help me. I attach my SDM configuration for reference purposes. By the way, I am using only automatic IP addresses.

smallu Mon, 01/25/2010 - 15:44

Hi There,


I looked at the config, and it looks good. It is hard to say what the problem is without looking at the debugs and doing some further troubleshooting in your network. I would suggest that you open a TAC case and go from there.


Srinivas.

tiago.ramires Wed, 01/27/2010 - 08:26

Hi,


I have a big problem, but for you the resolution is probably simple.


In my company almost all users are facing problems with the VPN Client, version 5.0.00.0340.


When we try to open the application, error 56 appears, saying that the service could not start, and if I try to start it another error message appears.


I tried to uninstall (removing all traces of the app) and install the application again, but it does not work.


Do you know what happened, or better, what can I do to fix it?


Thanks


Tiago Branco

Support Analyst

smallu Wed, 01/27/2010 - 15:59

Tiago,


Is this on Windows Vista? Can you check if you have already done the following:

- Verified that no other VPN client is installed on the desktop
- Disabled all firewalls/antivirus on the system before installing the client
- Restarted the Windows services?


Also, can you verify that the version of Windows you are running is a clean version and not an upgrade from a previous version?

Can you also try turning off UAC and updating the Windows Defender signatures, and also switch to Advanced Membership for Windows Defender SpyNet? If it still doesn't work after a reboot, send us the MSINFO.txt and we'll see what might be conflicting.

Hope this helps!

Thanks,

Srinivas.
ryansharpe Wed, 01/27/2010 - 19:32

Hello,

It seems I am having an issue getting my probes to work properly. I have attached the relevant config. The probe is just a generic ping; however, I don't have any evidence that the ping is actually being performed. The ICMP is displayed in "sh ip slb conns":


mrkmccswi11#sh ip slb conns

vserver         prot client                real                  state     nat
-------------------------------------------------------------------------------
TEST-ESP        ICMP 10.13.104.226:34      10.13.104.232         ESTAB     none
TEST-ESP        ICMP 10.13.104.226:35      10.13.104.232         ESTAB     none

However if I debug ICMP on 10.13.104.232 it doesn't show anything, if I run the ping manually it works just fine, and the debug on the "real" DMVPN router shows the ICMP traffic working.


mrkmccswi11#ping vrf vrfs 10.13.104.232 so 10.13.104.226

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.13.104.232, timeout is 2 seconds:
Packet sent with a source address of 10.13.104.226
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


If I examine the output of sh ip slb probe and sh ip slb probe detail it doesn't help me very much, but the one question it does raise is around the target. The target is actually the VIP, see below:


mrkmccswi11#sh ip slb probe

Server:Port           Target:Port           State       Outages  Current  Cumulative
------------------------------------------------------------------------------------
10.13.104.232:0       10.13.104.69:0        TESTING     0        never    00:00:00
10.13.104.232:500     10.13.104.69:0        TESTING     0        never    00:00:00
mrkmccswi11#sh ip slb probe detail
PINGHUB, ping, address = 0.0.0.0, interval = 1, faildetect = 2
  HUBS, type = server
TEST-PROBE, ping, address = 0.0.0.0, interval = 1, faildetect = 2
  TESTHUBS, type = server
    target = 10.13.104.69:0, real = 10.13.104.232:0, virtual = 10.13.104.69:0 ESP
      state = TESTING, status = 0, operation id = 6
      outages = 0, failures = 758, successes = 0, tests = 760
      current = never, cumulative = 00:00:00
    target = 10.13.104.69:0, real = 10.13.104.232:0, virtual = 10.13.104.69:500 UDP
      state = TESTING, status = 0, operation id = 7
      outages = 0, failures = 758, successes = 0, tests = 760
      current = never, cumulative = 00:00:00


Any and all help is appreciated, thanks!


Platform Info: Cat6500 w/WS-SUP720-3B

IOS Version: s72033-adventerprisek9_wan-mz.122-33.SXH5

smallu Thu, 01/28/2010 - 16:50

Hi There,


A rough text sketch of your topology would be really helpful here, to get a better picture.


From what I understand, manual ICMP pings work fine, however the probes sent to the VIP fail, is that correct?

The ICMP probes and the ICMP pings should not be any different. What would really help is packet captures/debugs here.

Is the DMVPN up? The SLB config looks good. Which VRF are you sending the ICMP pings in? We need to do a little more in-depth troubleshooting here to determine the root cause. Is this a new setup, or has it ever worked?


Thanks,

Srinivas.

ryansharpe Fri, 01/29/2010 - 09:22

Hello,

Please find attached the rough text sketch, several debugs from different devices involved, as well as a couple of packet captures. If you are looking for a specific debug please let me know.


You are correct in your statement about the ICMP pings.

There are no IPsec tunnels established. All communication is within one VRF, vrfs; we aren't jumping between them. This is a new setup; however, it was tested and was working in the test. I am doing some trialing before putting the solution into production.


A couple of notes/observations in regards to the packet captures.

Spoke Tunnel.pcap is a capture from the cloud-facing interface of the 6500, filtering on traffic from 10.229.0.42, the WAN IP address of the spoke router.

ICMP Probe to DMVPN Hub.pcap is a capture from the 6500 on the interface facing the DMVPN hub, filtering on traffic from 10.13.104.226. The notable thing here is the IP address of the destination: it is the IP of the VIP (10.13.104.69) and not the IP of the "real" server (10.13.104.232) which is stated in the serverfarm config.


I hope this helps. I look forward to your response.


Thanks,

Ryan

smallu Fri, 01/29/2010 - 11:30

Hi Ryan,


In looking at your debugs, I see why your ICMP pings may be going through and not the SLB probes. Pings are sent through regular routing, and they work fine. However, with the way you have configured your VRFs (I cannot confirm because I don't have the complete IPsec VRF config, but I have a strong feeling), it requires the IPsec tunnel to be up for this to go through. So, the real problem is that the IPsec tunnel is not coming up, hence your probes are failing.


IPsec Phase I is failing, and here are some possibilities (the packet traces appear encrypted because of IPsec, so I can't tell what the problem is):


* UDP port 500 could be blocked somewhere in the path, by an ACL or something, because I see we are sending Phase I packets and getting nothing back.

* NAT not properly configured at either end.

* Check the path and see where the packets could be getting dropped.


Also, double check to make sure the configs are OK. If you still have problems, I would recommend opening a TAC case, so that we can dig into this further.


Hope this helps!

Thanks,

Srinivas.
