08-03-2012 08:01 AM - edited 02-21-2020 06:14 PM
Hi experts,
I have a DMVPN Spoke behind PAT, which has 3 Tunnels to different DMVPN Hubs (3 different Headquarter locations). 2 tunnels are not running stably, although the crypto isakmp sa's stay active (QM_IDLE) all the time.
Router is a 1841 running c1841-advsecurityk9-mz.124-15.T10
Here's the related Spoke config:
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30
crypto isakmp nat keepalive 20
crypto ipsec transform-set set3des esp-3des esp-sha-hmac
mode transport
crypto ipsec profile prof3des
set transform-set set3des
interface Tunnel1
ip address 10.10.140.28 255.255.255.0
ip mtu 1400
ip nhrp authentication prof3des
ip nhrp map 10.10.140.1 123.123.123.123
ip nhrp network-id 1000140
ip nhrp holdtime 600
ip nhrp nhs 10.10.140.1
ip virtual-reassembly
ip tcp adjust-mss 1360
tunnel source FastEthernet0/1
tunnel destination 123.123.123.123
tunnel key 1000140
tunnel protection ipsec profile prof3des shared
(The config of the other tunnels looks the same, apart from the nhrp network-id, tunnel key and ip addresses)
Here the Spoke output of "show dmvpn" shows both flapping tunnels during downtime in the state "NHRP", which means there is some problem with NHRP:
Router#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 123.123.123.123 10.10.140.1 NHRP 00:11:37 S
Tunnel2, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 234.234.234.234 10.10.70.1 NHRP 00:44:12 S
Tunnel3, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 145.145.145.145 10.10.64.1 UP 5d19h S
Config of one of the Hub Routers:
interface Tunnel0
ip address 10.10.140.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication prof3des
ip nhrp map multicast dynamic
ip nhrp network-id 1000140
ip nhrp holdtime 600
ip virtual-reassembly
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1000140
tunnel protection ipsec profile prof3des shared
(ISAKMP / IPSec Config is similar to Spoke, the other 2 hubs have similar configs as well)
Do I need to consider anything in this setup? Is it possible at all?
The PAT device (some kind of SOHO ADSL Router) is out of my control.
Thanks for your help!
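A small parser for the "show dmvpn" output posted above, added here as an example (not code from the thread): it extracts the per-tunnel NHS peer entries and flags every peer whose state is anything other than UP, which is the condition the poster is chasing. The sample input is constructed from the output in the post.

```python
import re

# Constructed from the "show dmvpn" output in the post (public IPs as the poster sanitised them).
SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 123.123.123.123 10.10.140.1 NHRP 00:11:37 S
Tunnel2, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 234.234.234.234 10.10.70.1 NHRP 00:44:12 S
Tunnel3, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 145.145.145.145 10.10.64.1 UP 5d19h S
"""

# "TunnelN, Type:Spoke, NHRP Peers:1," introduces each tunnel's peer table.
TUNNEL_RE = re.compile(r"^(Tunnel\d+), Type:(\w+), NHRP Peers:(\d+)")
# One peer row: entry count, NBMA address, tunnel address, state, up/down timer, attributes.
PEER_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_show_dmvpn(text):
    """Return {tunnel name: [peer dicts]} parsed from 'show dmvpn' output."""
    peers, current = {}, None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            current = m.group(1)
            peers[current] = []
            continue
        m = PEER_RE.match(line)
        if m and current:  # header and dashed lines never match PEER_RE
            ent, nbma, tunnel_addr, state, updn, attrb = m.groups()
            peers[current].append({"ent": int(ent), "nbma": nbma, "tunnel_addr": tunnel_addr,
                                   "state": state, "updn": updn, "attrb": attrb})
    return peers


def peers_not_up(text):
    """(tunnel, NBMA address, state) for every peer not in state UP; a useful thing to alert on."""
    return [(tun, p["nbma"], p["state"])
            for tun, plist in parse_show_dmvpn(text).items()
            for p in plist if p["state"] != "UP"]
```

Running peers_not_up over output collected periodically turns the "NHRP" state seen during the outage into a monitorable event rather than something noticed by hand.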
08-03-2012 08:09 AM
Hard to say without more information (debug nhrp pack, debug nhrp ext and debug nhrp err).
I'm assuming there is no overlap and the shared keyword is set where it needs to be.
I would start by setting no-unique flag in NHRP on spoke.
Might be better to open a case with TAC to have a better view.
08-03-2012 08:34 AM
Please see the requested debug attached (debug_nhrp.txt). This debug was done during a phase where 2 tunnels were "down" (forwarding no traffic).
Then suddenly out of nowhere, traffic is forwarded again:
Router#sh dmvp
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 123.123.123.123 10.10.140.1 UP 00:00:54 S
Tunnel2, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 234.234.234.234 10.10.70.1 UP 00:01:13 S
Tunnel3, Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 145.145.145.145 10.10.64.1 UP 5d20h S
The attached file "debug_nhrp_working.txt" shows what happens after the tunnels came "up" again. (In a few minutes, they will certainly be "down" again...)
Did I understand correctly - I should implement the following on all 3 Spoke Tunnel interfaces:
ip nhrp registration no-unique
What do you mean by "no overlap"? The PSK is set correctly on all involved routers. The temporarily working connection proves that the ISAKMP / IPSec config is OK on all routers.
(I replaced all public IPs in the debugs and the posted output. The LAN IP of the Spoke is 192.168.0.244, which gets NATed to 199.199.199.199)
08-07-2012 04:59 AM
I configured the "ip nhrp registration no-unique" on one of the Tunnel interfaces, but this did not make any change.
As you can see in the debugs, NHRP is detecting a loop:
Aug 3 17:14:43.275 CEST: NHRP: Loop detected while parsing Reverse Transit NHS Record extension
Aug 3 17:14:43.275 CEST: NHRP: Send Error Indication via Tunnel2 vrf 0, packet size: 289
Aug 3 17:14:43.275 CEST: src: 10.10.70.228, dst: 10.10.70.1
Aug 3 17:14:43.275 CEST: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Aug 3 17:14:43.275 CEST: shtl: 4(NSAP), sstl: 0(NSAP)
Aug 3 17:14:43.275 CEST: (M) error code: loop detected(3), offset: 84
Aug 3 17:14:43.275 CEST: src NBMA: 192.168.0.244
Aug 3 17:14:43.275 CEST: src protocol: 10.10.70.228, dst protocol: 10.10.70.1
Aug 3 17:14:43.275 CEST: Contents of error packet:
Aug 3 17:14:43.275 CEST: 00 00 00 00 05 EA 01 2C 04 00 04 00 C0 A8 00 F4
Aug 3 17:14:43.275 CEST: 0A D2 46 E4 00 00 00 00 05 EA 02 58 04 00 04 00
Aug 3 17:14:43.275 CEST: C0 6D DE 24 0A D2 46 01 80 07 00 0B 00 00 00 01
Aug 3 17:14:43.275 CEST: 76 70 6E 63 75 73 74 00 09 00 28 00 20 00 00 05
Aug 3 17:14:43.275 CEST: EA 00 00 04 00 04 00 C0 6D DE 24 0A D2 46 01 00
Aug 3 17:14:43.275 CEST: Authentication Extension(7):
Aug 3 17:14:43.275 CEST: type:Cleartext(1), data:prof3des
Aug 3 17:14:43.275 CEST: NAT address Extension(9):
Does anybody know what that means? How can I have a look in NHRP?
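To make the hex in the "Contents of error packet" dump readable, here is a decoder for NHRP Client Information Entries (the CIE layout from RFC 2332 section 5.2.0.1), added as an example and not code from the thread. It assumes the first 40 bytes of the dump are two consecutive CIEs; the bytes after them (80 07 00 0B ...) line up with an Authentication extension header, which supports that reading. The values are the poster's sanitised bytes, so the addresses need not match the configs.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the first two hex lines of the dump in the post above.
ERROR_PACKET_DUMP = bytes.fromhex(
    "00 00 00 00 05 EA 01 2C 04 00 04 00 C0 A8 00 F4 0A D2 46 E4 "
    "00 00 00 00 05 EA 02 58 04 00 04 00 C0 6D DE 24 0A D2 46 01"
)

# Fixed 12-byte CIE prefix: code, prefix length, unused, MTU, holding time,
# NBMA addr type/len, NBMA subaddr type/len, protocol addr len, preference.
CIE_FIXED = struct.Struct("!BBHHHBBBB")


def _addr(raw):
    """Render a 4-byte address as dotted IPv4, anything else as hex."""
    return str(IPv4Address(raw)) if len(raw) == 4 else raw.hex()


def parse_cies(data, offset=0, count=None):
    """Parse consecutive CIEs from data[offset:]; returns (entries, next_offset).
    Stops at a truncated entry or after `count` entries."""
    entries = []
    while offset + CIE_FIXED.size <= len(data) and (count is None or len(entries) < count):
        code, prefix, _unused, mtu, holdtime, nbma_tl, sub_tl, proto_len, pref = \
            CIE_FIXED.unpack_from(data, offset)
        offset += CIE_FIXED.size
        nbma_len, sub_len = nbma_tl & 0x3F, sub_tl & 0x3F  # low 6 bits of T/L carry the length
        need = nbma_len + sub_len + proto_len
        if offset + need > len(data):
            break  # dump ends mid-entry, as the last line of the post's dump does
        nbma = data[offset:offset + nbma_len]
        proto = data[offset + nbma_len + sub_len:offset + need]
        offset += need
        entries.append({"code": code, "prefix": prefix, "mtu": mtu, "holdtime": holdtime,
                        "preference": pref, "nbma": _addr(nbma), "proto": _addr(proto)})
    return entries, offset


def private_nbma_entries(entries):
    """CIEs whose NBMA (transport) address is RFC 1918 space: for a spoke behind NAT that is
    its pre-translation address, which is what to look for when chasing NAT-related NHRP trouble."""
    return [e for e in entries
            if len(e["nbma"].split(".")) == 4 and IPv4Address(e["nbma"]).is_private]
```

The first decoded entry carries the spoke's private address 192.168.0.244 as its NBMA address, matching the "src NBMA" line of the debug, so the decoder can be pointed at other dumps from the same debug to compare what the hub and the spoke believe the NBMA addresses are.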
08-07-2012 05:08 AM
Sebastian,
I would look into routing and check where this NHRP request is looping and why (as obvious as it sounds).
What are you using for routing protocol?
If you need some help with this - run this by TAC, the guys can look at the big picture and narrow it down.
M.