Problem with NHRP and mGRE from a VRF

Unanswered Question
Sep 9th, 2010

Hi

I have been using p2p GRE tunnels to connect remote sites to head office for some time. These have allowed us to run OSPF and Multicast. I've started to get a little fed up of having to configure new tunnel interfaces every time we add a new site - and the need for fixed IP addresses. So I've been doing some testing with DMVPN using NHRP and mGRE.

I'm having a problem with the hub sending and receiving NHRP. For troubleshooting I have taken off all the crypto stuff.

HUB

!
interface Tunnel248
 description *** DMVPN over mGRE - Cloud 1 ***
 ip address 172.16.248.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip pim query-interval 10
 ip pim sparse-dense-mode
 ip nhrp authentication secret
 ip nhrp map multicast dynamic
 ip nhrp network-id 123456
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf hello-interval 3
 ip ospf priority 254
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel vrf INTERNET
!

!
interface FastEthernet0/0
 description *** UPSTREAM PROVIDER - ASxxxxx ***
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed 100
 full-duplex
 no cdp enable
 max-reserved-bandwidth 90
end

The important thing to note is that these mGRE tunnels are sourced from a VRF interface.

The spoke sites do not run any form of MPLS/VRFs and are configured:

!
interface Tunnel248
 description *** DMVPN over mGRE - Cloud 1 ***
 ip address 172.16.248.3 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip pim query-interval 10
 ip pim sparse-dense-mode
 ip nhrp authentication secret
 ip nhrp map multicast 172.16.248.254
 ip nhrp map 172.16.248.254 192.0.2.1
 ip nhrp network-id 123456
 ip nhrp nhs 172.16.248.254
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf hello-interval 3
 ip ospf priority 0
 qos pre-classify
 tunnel source Dialer1
 tunnel destination 192.0.2.1
 tunnel path-mtu-discovery
!

The spoke sites can ping the hub tunnel address of 172.16.248.254 and a show of the nhrp shows a static entry for the hub.

The problem is the hub site can not ping any of the hosts and there are no dynamic nhrp entries. I have tried to debug nhrp and get the following encapsulation errors:

Sep  9 2010 10:54:51.957 BST: NHRP: Encapsulation failed for destination 172.16.248.3 out Tunnel248
Sep  9 2010 10:54:52.649 BST: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel248 netid-out 123456
Sep  9 2010 10:54:52.649 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:52.649 BST: NHRP: No node found.
Sep  9 2010 10:54:54.649 BST: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel248 netid-out 123456
Sep  9 2010 10:54:54.649 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:54.649 BST: NHRP: No node found.
Sep  9 2010 10:54:58.029 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:58.029 BST: NHRP: No node found.
Sep  9 2010 10:54:58.029 BST: NHRP: Attempting to send packet via DEST 172.16.248.3
Sep  9 2010 10:54:58.029 BST: NHRP: Send Resolution Request via Tunnel248 vrf 0, packet size: 88
Sep  9 2010 10:54:58.029 BST:  src: 172.16.248.254, dst: 172.16.248.3
Sep  9 2010 10:54:58.029 BST:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Sep  9 2010 10:54:58.029 BST:      shtl: 4(NSAP), sstl: 0(NSAP)
Sep  9 2010 10:54:58.029 BST:  (M) flags: "router auth src-stable nat ", reqid: 5
Sep  9 2010 10:54:58.029 BST:      src NBMA: 192.0.2.1
Sep  9 2010 10:54:58.029 BST:      src protocol: 172.16.248.254, dst protocol: 172.16.248.3
Sep  9 2010 10:54:58.029 BST:  (C-1) code: no error(0)
Sep  9 2010 10:54:58.029 BST:        prefix: 0, mtu: 1514, hd_time: 600
Sep  9 2010 10:54:58.029 BST:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Sep  9 2010 10:54:58.029 BST: Responder Address Extension(3):
Sep  9 2010 10:54:58.029 BST: Forward Transit NHS Record Extension(4):
Sep  9 2010 10:54:58.029 BST: Reverse Transit NHS Record Extension(5):
Sep  9 2010 10:54:58.029 BST: Authentication Extension(7):
Sep  9 2010 10:54:58.029 BST:   type:Cleartext(1), data:secret
Sep  9 2010 10:54:58.029 BST: NAT address Extension(9):

I had problems with IKE when setting up the p2p GRE not being sourced from the VRF interface and I had to change my crypto config to allow for this. I suspect I am having a similar problem here and the nhrp packets are being encapsulated from the global not the VRF.

I have read a lot of documentation of this working with the tunnel interface in a VRF being sourced from a global IP interface. I can not find any documentation of this working from a VRF interface.

Does anyone know if there is a way to tell nhrp which VRF to source the packets from?

james-worley Mon, 09/13/2010 - 02:55

I managed to fix this, contrary to the documentation stating:

Cisco IOS Software Releases 12.3(13)T, 12.3(11)T3, or later allow multiple mGRE interfaces on a single router to be configured without tunnel keys. Each mGRE interface must reference a unique IP address as its tunnel source.

I added the tunnel key command and the tunnels came up.

Michael Sullenberger Thu, 09/16/2010 - 11:27

If Tunnel248 is the only tunnel on the router then you shouldn't need to configure a tunnel key, but if there are any other tunnels (point-point or multipoint) that are using the same tunnel source then you are going to have to use a tunnel key.

I have set this up (mGRE with tunnel key and tunnel in VRF 'tunnel vrf ...') in my lab a number of times so that I know it will work. There were a couple of IOS codes from about 2-3 years ago where there was a bug in NHRP with VRFs but that was all fixed.

Note, there is nothing wrong with using a tunnel key.

Mike.
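The rule in the reply above (tunnels that share a tunnel source need a tunnel key to be told apart) can be checked against a saved configuration. The following is an added example, not code from the thread or from Cisco: the sample hub config is constructed, Tunnel10 and its destination 198.51.100.2 are hypothetical, and tunnel sources are compared as literal strings, so an interface name and its IP address are not treated as the same source.

```python
import re

# Constructed sample: the hub's mGRE tunnel plus a hypothetical older p2p GRE
# tunnel (Tunnel10) that uses the same source interface and front-door VRF.
SAMPLE_HUB = """\
interface Tunnel10
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 tunnel vrf INTERNET
!
interface Tunnel248
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET
!
"""

def parse_tunnels(config):
    """Return {tunnel name: {'source', 'vrf', 'key'}} from IOS config text."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = tunnels.setdefault(
                m.group(1), {"source": None, "vrf": "global", "key": None})
        elif line.startswith("interface ") or line in ("!", "end"):
            current = None  # left the tunnel interface block
        elif current is not None:
            m = re.match(r"tunnel (source|vrf|key) (\S+)$", line)
            if m:
                current[m.group(1)] = m.group(2)
    return tunnels

def key_conflicts(config):
    """List (vrf, source, tunnels) groups whose tunnel keys are not unique."""
    groups = {}
    for name, t in parse_tunnels(config).items():
        if t["source"]:
            groups.setdefault((t["vrf"], t["source"]), []).append((name, t["key"]))
    findings = []
    for (vrf, source), members in sorted(groups.items()):
        keys = [k for _, k in members]  # a missing key counts as one value
        if len(set(keys)) < len(keys):
            findings.append((vrf, source, sorted(n for n, _ in members)))
    return findings

if __name__ == "__main__":
    for vrf, source, names in key_conflicts(SAMPLE_HUB):
        print(f"{', '.join(names)} share {source} (vrf {vrf}) without unique tunnel keys")
```

A tunnel key configured on the hub has to match the key on the spokes of the same DMVPN cloud, so a finding here means changing both ends.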
