
DMVPN: connection between Hub and Spoke keeps dropping

Colleagues, I need your help.

From time to time the connection between the Hub and a Spoke drops (within one to two hours).

But not for all of them; some tunnels stay up for days.

The topology is DMVPN phase 3; the Spokes exchange traffic with each other directly (Spoke to Spoke).

I have already changed the IOS versions on the routers.

Errors on the Hub

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.255.224.2, prot=50, spi=0xC61187A5(3323037605), srcaddr=10.255.224.230, input interface=GigabitEthernet0/0/1

%DMVPN-3-DMVPN_NHRP_ERROR: Tunnel100: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel: 10.255.216.1 NBMA: 10.255.224.2)
178715: Dec 21 09:40:47.409 MSK: %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel100: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel: 10.255.216.1 NBMA: 10.255.224.2)
178716: Dec 21 09:40:47.593 MSK: %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel100: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel: 10.255.216.1 NBMA: 10.255.224.2)

%DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.255.216.43 (Tunnel100) is down: Interface PEER-TERMINATION received
178726: Dec 21 09:41:32.109 MSK: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.255.216.43 (Tunnel100) is up: new adjacency

HUB

Cisco IOS XE Software, Version 03.16.01a.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S1a, RELEASE SOFTWARE (fc1)

crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5


crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic

crypto keyring DMVPN
local-address GigabitEthernet0/0/1
pre-shared-key address 0.0.0.0 0.0.0.0 key


crypto isakmp profile DMVPN
keyring DMVPN
match identity address 0.0.0.0
local-address GigabitEthernet0/0/1


crypto ipsec security-association replay window-size 1024

crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
mode tunnel


crypto ipsec profile DMVPN
set transform-set DMVPN
set isakmp-profile DMVPN

interface Tunnel100
description ==DMVPN==
bandwidth 100000
ip address 10.255.216.1 255.255.240.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip bandwidth-percent eigrp 10 100
ip hello-interval eigrp 10 15
ip hold-time eigrp 10 45
no ip split-horizon eigrp 10
ip nhrp authentication 100
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 65500
ip nhrp max-send 60000 every 10
ip nhrp registration timeout 30
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
nhrp map group spoke_2M service-policy output spoke_2M
nhrp map group spoke_5M service-policy output spoke_5M
nhrp map group spoke_10M service-policy output spoke_10M
nhrp map group spoke_20M service-policy output spoke_20M
nhrp map group spoke_50M service-policy output spoke_50M
qos pre-classify
cdp enable
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel key 100100
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN 

Errors on the Spoke

21 08:31:18.527 MSK: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.255.216.1 (Tunnel100) is up: new adjacency
Dec 21 08:32:06.238 MSK: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=9, sequence number=21176

Dec 21 08:34:28.533 MSK: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.255.224.106 failed its sanity check or is malformed
Dec 21 08:34:44.906 MSK: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=9, sequence number=93015

Dec 21 08:37:06.293 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reached its maximum threshold 16
Dec 21 08:38:02.056 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reach

Dec 21 09:23:17.732 MSK: %NHRP-3-PAKERROR: Received Error Indication from 10.255.216.129, code: insufficient resources(5), (trigger src: UNKNOWN (nbma: ) dst: UNKNOWN), offset: 34228, data: 80 07 00 07 00 00 00 01 31 30 30 00 09 00 00 80
Dec 21 09:23:23.028 MSK: %NHRP-3-PAKERROR: Received Error Indication from 10.255.216.129, code: insufficient resources(5), (trigger src: UNKNOWN (nbma: ) dst: UNKNOWN), offset: 34228, data: 80 07 00 07 00 00 00 01 31 30 30 00 09 00 00 80
Dec 21 09:23:29.584 MSK: %NHRP-3-PAKERROR: Received Error Indication from 10.255.216.129, code: insufficient resources(5), (trigger src: UNKNOWN (nbma: ) dst: UNKNOWN), offset: 34228, data: 80 07 00 07 00 00 00 01 31 30 30 00 09 00 00 80
Dec 21 09:23:39.317 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reached its maximum threshold 16
Dec 21 09:23:39.441 MSK: %NHRP-3-PAKERROR: Received Error Indication from 10.255.216.129, code: insufficient resources(5), (trigger src: UNKNOWN (nbma: ) dst: UNKNOWN), offset: 34228, data: 80 07 00 07 00 00 00 01 31 30 30 00 09 00 00 80
Dec 21 09:23:45.329 MSK: %NHRP-3-PAKERROR: Received Error Indication from 10.255.216.129, code: insufficient resources(5), (trigger src: UNKNOWN (nbma: ) dst: UNKNOWN), offset: 34228, data: 80 07 00 07 00 00 00 01 31 30 30 00 09 00 00 80
Dec 21 09:24:11.406 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reached its maximum threshold 16
Dec 21 09:24:54.060 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reached its maximum threshold 16
Dec 21 09:25:20.349 MSK: %IP_VFR-3-OVERLAP_FRAGMENTS: Tunnel100: from the host 10.11.1.10 destined to 10.63.1.71
Dec 21 09:25:46.786 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reached its maximum threshold 16
Dec 21 09:26:16.807 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reached its maximum threshold 16

SPOKE

 CISCO881-PCI-K9 Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.4(3), RELEASE SOFTWARE (fc1)

crypto keyring DMVPN
local-address FastEthernet4
pre-shared-key address 0.0.0.0 0.0.0.0 key XXX
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5

crypto isakmp fragmentation
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile DMVPN

keyring DMVPN
match identity address 0.0.0.0
local-address FastEthernet4

crypto ipsec transform-set DMVPN esp-3des esp-sha-hmac
mode tunnel

crypto ipsec profile DMVPN
set transform-set DMVPN
set isakmp-profile DMVPN

interface Tunnel100
description ==DMVPN==
bandwidth 10000
ip address 10.255.216.14 255.255.240.0
no ip redirects
ip mtu 1400
ip bandwidth-percent eigrp 10 100
ip hello-interval eigrp 10 15
ip hold-time eigrp 10 45
ip nhrp authentication 100
ip nhrp group spoke_14M
ip nhrp map 10.255.216.1 10.255.224.2
ip nhrp map multicast 10.255.224.2
ip nhrp network-id 100
ip nhrp holdtime 65500
ip nhrp nhs 10.255.216.1
ip nhrp registration no-unique
ip nhrp registration timeout 30
ip nhrp shortcut
ip nhrp redirect
ip virtual-reassembly in
ip tcp adjust-mss 1360
qos pre-classify
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100100
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN

#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.255.224.170 10.255.224.198 QM_IDLE 2073 ACTIVE
10.255.224.198 10.255.224.206 QM_IDLE 2010 ACTIVE
10.255.224.198 10.255.225.118 QM_IDLE 2059 ACTIVE
10.255.224.198 10.255.224.134 QM_IDLE 2040 ACTIVE
10.255.224.218 10.255.224.198 QM_IDLE 2149 ACTIVE
10.255.224.198 10.255.224.118 QM_IDLE 2037 ACTIVE
10.255.225.234 10.255.224.198 QM_IDLE 2191 ACTIVE
10.255.224.198 10.255.224.214 QM_IDLE 2140 ACTIVE
10.255.225.198 10.255.224.198 QM_IDLE 2047 ACTIVE
10.255.224.198 10.255.225.138 QM_IDLE 2194 ACTIVE
10.255.224.202 10.255.224.198 QM_IDLE 2074 ACTIVE
10.255.225.50 10.255.224.198 QM_IDLE 2139 ACTIVE
10.255.225.118 10.255.224.198 QM_IDLE 2058 ACTIVE
10.255.225.146 10.255.224.198 QM_IDLE 2088 ACTIVE
10.255.224.198 10.255.225.154 MM_NO_STATE 2043 ACTIVE (deleted)
10.255.225.150 10.255.224.198 QM_IDLE 2050 ACTIVE
10.255.225.154 10.255.224.198 QM_IDLE 2044 ACTIVE
10.255.224.210 10.255.224.198 QM_IDLE 2094 ACTIVE
10.255.224.198 10.255.225.190 QM_IDLE 2197 ACTIVE
10.255.224.2 10.255.224.198 QM_IDLE 2085 ACTIVE
10.255.225.58 10.255.224.198 MM_NO_STATE 2042 ACTIVE (deleted)
10.255.224.238 10.255.224.198 QM_IDLE 2107 ACTIVE
10.255.225.174 10.255.224.198 QM_IDLE 2060 ACTIVE
10.255.224.198 10.255.225.166 QM_IDLE 2014 ACTIVE
10.255.225.134 10.255.224.198 QM_IDLE 2134 ACTIVE
10.255.224.198 10.255.225.58 MM_NO_STATE 2041 ACTIVE (deleted)
10.255.225.218 10.255.224.198 QM_IDLE 2055 ACTIVE
10.255.224.198 10.255.224.186 QM_IDLE 2180 ACTIVE
10.255.224.198 10.255.225.142 MM_NO_STATE 2036 ACTIVE (deleted)
10.255.225.142 10.255.224.198 MM_NO_STATE 2035 ACTIVE (deleted)
10.255.224.198 10.255.224.102 QM_IDLE 2186 ACTIVE
10.255.224.198 10.255.225.130 QM_IDLE 2061 ACTIVE
10.255.224.162 10.255.224.198 QM_IDLE 2049 ACTIVE
10.255.224.162 10.255.224.198 MM_NO_STATE 2008 ACTIVE (deleted)
10.255.225.170 10.255.224.198 QM_IDLE 2022 ACTIVE
10.255.224.158 10.255.224.198 QM_IDLE 2034 ACTIVE
10.255.225.42 10.255.224.198 QM_IDLE 2057 ACTIVE
10.255.225.42 10.255.224.198 MM_NO_STATE 2027 ACTIVE (deleted)
10.255.225.238 10.255.224.198 QM_IDLE 2015 ACTIVE
10.255.224.198 10.255.225.150 QM_IDLE 2051 ACTIVE
10.255.225.178 10.255.224.198 QM_IDLE 2141 ACTIVE
10.255.224.198 10.255.225.38 QM_IDLE 2009 ACTIVE
10.255.224.246 10.255.224.198 QM_IDLE 2096 ACTIVE
10.255.224.234 10.255.224.198 QM_IDLE 2176 ACTIVE
10.255.224.198 10.255.224.218 QM_IDLE 2150 ACTIVE
10.255.225.214 10.255.224.198 QM_IDLE 2018 ACTIVE
10.255.224.198 10.255.225.122 QM_IDLE 2056 ACTIVE
10.255.224.198 10.255.225.122 MM_NO_STATE 2026 ACTIVE (deleted)
10.255.224.198 10.255.225.230 QM_IDLE 2065 ACTIVE
10.255.224.198 10.255.224.114 QM_IDLE 2048 ACTIVE
10.255.224.198 10.255.224.114 MM_NO_STATE 2025 ACTIVE (deleted)
10.255.224.102 10.255.224.198 QM_IDLE 2185 ACTIVE
10.255.224.226 10.255.224.198 QM_IDLE 2108 ACTIVE
10.255.224.198 10.255.224.190 QM_IDLE 2053 ACTIVE
10.255.224.94 10.255.224.198 QM_IDLE 2046 ACTIVE
10.255.224.198 10.255.224.222 QM_IDLE 2039 ACTIVE
10.255.224.250 10.255.224.198 QM_IDLE 2038 ACTIVE
10.255.224.198 10.255.224.106 QM_IDLE 2187 ACTIVE
10.255.224.198 10.255.225.126 QM_IDLE 2156 ACTIVE
10.255.224.190 10.255.224.198 QM_IDLE 2052 ACTIVE
10.255.224.198 10.255.225.74 QM_IDLE 2033 ACTIVE
10.255.224.66 10.255.224.198 QM_IDLE 2190 ACTIVE
10.255.224.198 10.255.224.110 QM_IDLE 2100 ACTIVE
10.255.224.198 10.255.224.238 QM_IDLE 2106 ACTIVE
10.255.224.198 10.255.225.238 QM_IDLE 2013 ACTIVE
10.255.224.90 10.255.224.198 QM_IDLE 2023 ACTIVE
10.255.224.198 10.255.225.210 QM_IDLE 2167 ACTIVE
10.255.224.198 10.255.225.202 QM_IDLE 2083 ACTIVE
10.255.225.162 10.255.224.198 QM_IDLE 2114 ACTIVE
10.255.224.198 10.255.224.94 QM_IDLE 2045 ACTIVE
10.255.224.198 10.255.225.50 QM_IDLE 2138 ACTIVE
10.255.224.198 10.255.224.230 QM_IDLE 2012 ACTIVE
10.255.224.178 10.255.224.198 QM_IDLE 2170 ACTIVE
10.255.225.202 10.255.224.198 QM_IDLE 2084 ACTIVE
10.255.224.186 10.255.224.198 QM_IDLE 2184 ACTIVE
10.255.225.62 10.255.224.198 QM_IDLE 2029 ACTIVE
10.255.224.198 10.255.225.170 QM_IDLE 2021 ACTIVE
10.255.225.126 10.255.224.198 QM_IDLE 2155 ACTIVE
10.255.224.198 10.255.224.158 MM_NO_STATE 2032 ACTIVE (deleted)
10.255.225.54 10.255.224.198 QM_IDLE 2020 ACTIVE
10.255.224.198 10.255.225.218 QM_IDLE 2054 ACTIVE
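
A way to line up the messages above against the EIGRP adjacency drops, as an added example that is not part of the original post: the script tallies which syslog mnemonics appear in the two minutes before each `is down` event. The sample lines are constructed in the format of the logs above; the function names, the 120-second window and the placeholder year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format of the post's logs. Timestamps on the
# INV_SPI and "is down" lines are made up; the year is not logged at all.
SAMPLE = """\
Dec 21 08:32:06.238 MSK: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=9, sequence number=21176
Dec 21 09:23:39.317 MSK: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Tunnel100: the fragment table has reached its maximum threshold 16
178715: Dec 21 09:40:47.409 MSK: %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel100: NHRP Encap Error for Resolution Request
178716: Dec 21 09:40:47.593 MSK: %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel100: NHRP Encap Error for Resolution Request
178720: Dec 21 09:41:02.100 MSK: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.255.224.2
178725: Dec 21 09:41:17.000 MSK: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.255.216.43 (Tunnel100) is down: Interface PEER-TERMINATION received
178726: Dec 21 09:41:32.109 MSK: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.255.216.43 (Tunnel100) is up: new adjacency
"""

# Optional sequence number, timestamp, timezone, then %FACILITY-SEVERITY-MNEMONIC
LINE_RE = re.compile(
    r"(?:\d+: )?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}) \w+: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")

def parse(log_text, year=2000):
    """Return sorted (timestamp, 'FAC-SEV-MNEMONIC', text) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # continuation lines such as "connection id=9, ..."
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append((ts, f"{m['fac']}-{m['sev']}-{m['mnem']}", m["text"]))
    return sorted(events)

def flaps_with_context(events, window_s=120):
    """For each EIGRP 'is down' event, tally the messages in the preceding window."""
    result = []
    for ts, code, text in events:
        if code == "DUAL-5-NBRCHANGE" and "is down" in text:
            start = ts - timedelta(seconds=window_s)
            before = Counter(c for t, c, _ in events if start <= t < ts and c != code)
            result.append((ts.strftime("%H:%M:%S"), dict(before)))
    return result

if __name__ == "__main__":
    for when, seen in flaps_with_context(parse(SAMPLE)):
        print(when, seen)
```

Run over the full Hub and Spoke logs, the per-flap tallies show whether the crypto, NHRP or fragmentation messages cluster before the adjacency drops or occur independently of them.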

1 REPLY

Start with the simple things: configure an IP SLA monitor and check the quality of the link. It would also be good to look at what you have configured for EIGRP there.
