Problem with NHRP and mGRE from a VRF

james-worley
Level 1

Hi

I have been using p2p GRE tunnels to connect remote sites to head office for some time. These have allowed us to run OSPF and Multicast. I've started to get a little fed up of having to configure new tunnel interfaces every time we add a new site - and the need for fixed IP addresses. So I've been doing some testing with DMVPN using NHRP and mGRE.

I'm having a problem with the hub sending and receiving NHRP. For troubleshooting I have taken off all the crypto stuff.

HUB

!
interface Tunnel248
description *** DMVPN over mGRE - Cloud 1 ***
ip address 172.16.248.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip pim query-interval 10
ip pim sparse-dense-mode
ip nhrp authentication secret
ip nhrp map multicast dynamic
ip nhrp network-id 123456
ip nhrp holdtime 600
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf hello-interval 3
ip ospf priority 254
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel path-mtu-discovery
tunnel vrf INTERNET
!

!
interface FastEthernet0/0
description *** UPSTREAM PROVIDER - ASxxxxx ***
ip vrf forwarding INTERNET
ip address 192.0.2.1 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
speed 100
full-duplex
no cdp enable
max-reserved-bandwidth 90
end

The important thing to note is that these mGRE tunnels are sourced from a VRF interface.

The spoke sites do not run any form of MPLS/VRFs and are configured:

!
interface Tunnel248
description *** DMVPN over mGRE - Cloud 1 ***
ip address 172.16.248.3 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip pim query-interval 10
ip pim sparse-dense-mode
ip nhrp authentication secret
ip nhrp map multicast 172.16.248.254
ip nhrp map 172.16.248.254 192.0.2.1
ip nhrp network-id 123456
ip nhrp nhs 172.16.248.254
ip nhrp holdtime 600
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf hello-interval 3
ip ospf priority 0
qos pre-classify
tunnel source Dialer1
tunnel destination 192.0.2.1
tunnel path-mtu-discovery
!

The spoke sites can ping the hub tunnel address of 172.16.248.254 and a show of the nhrp shows a static entry for the hub.

The problem is the hub site can not ping any of the hosts and there are no dynamic nhrp entries. I have tried to debug nhrp and get the following encapsulation errors:

Sep  9 2010 10:54:51.957 BST: NHRP: Encapsulation failed for destination 172.16.248.3 out Tunnel248
Sep  9 2010 10:54:52.649 BST: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel248 netid-out 123456
Sep  9 2010 10:54:52.649 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:52.649 BST: NHRP: No node found.
Sep  9 2010 10:54:54.649 BST: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel248 netid-out 123456
Sep  9 2010 10:54:54.649 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:54.649 BST: NHRP: No node found.
Sep  9 2010 10:54:58.029 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:58.029 BST: NHRP: No node found.
Sep  9 2010 10:54:58.029 BST: NHRP: Attempting to send packet via DEST 172.16.248.3
Sep  9 2010 10:54:58.029 BST: NHRP: Send Resolution Request via Tunnel248 vrf 0, packet size: 88
Sep  9 2010 10:54:58.029 BST:  src: 172.16.248.254, dst: 172.16.248.3
Sep  9 2010 10:54:58.029 BST:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Sep  9 2010 10:54:58.029 BST:      shtl: 4(NSAP), sstl: 0(NSAP)
Sep  9 2010 10:54:58.029 BST:  (M) flags: "router auth src-stable nat ", reqid: 5
Sep  9 2010 10:54:58.029 BST:      src NBMA: 192.0.2.1
Sep  9 2010 10:54:58.029 BST:      src protocol: 172.16.248.254, dst protocol: 172.16.248.3
Sep  9 2010 10:54:58.029 BST:  (C-1) code: no error(0)
Sep  9 2010 10:54:58.029 BST:        prefix: 0, mtu: 1514, hd_time: 600
Sep  9 2010 10:54:58.029 BST:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Sep  9 2010 10:54:58.029 BST: Responder Address Extension(3):
Sep  9 2010 10:54:58.029 BST: Forward Transit NHS Record Extension(4):
Sep  9 2010 10:54:58.029 BST: Reverse Transit NHS Record Extension(5):
Sep  9 2010 10:54:58.029 BST: Authentication Extension(7):
Sep  9 2010 10:54:58.029 BST:   type:Cleartext(1), data:secret
Sep  9 2010 10:54:58.029 BST: NAT address Extension(9):

I had problems with IKE when setting up the p2p GRE not being sourced from the VRF interface and I had to change my crypto config to allow for this. I suspect I am having a similar problem here and the nhrp packets are being encapsulated from the global not the VRF.

I have read a lot of documentation of this working with the tunnel interface in a VRF being sourced from a global IP interface. I can not find any documentation of this working from a VRF interface.

Does anyone know if there is a way to tell nhrp which VRF to source the packets from?
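An added example, not part of the original post: a small Python parser for `debug nhrp` output in the format quoted above. It tallies encapsulation failures per destination, records each sent NHRP packet with the interface and `vrf` value the router reports, and masks the cleartext authentication string that the debug prints, so the log can be shared without exposing it. The function name `summarise` is hypothetical and the sample is a subset of the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: a subset of the debug lines quoted in the post.
SAMPLE = """\
Sep  9 2010 10:54:51.957 BST: NHRP: Encapsulation failed for destination 172.16.248.3 out Tunnel248
Sep  9 2010 10:54:58.029 BST: NHRP: Send Resolution Request via Tunnel248 vrf 0, packet size: 88
Sep  9 2010 10:54:58.029 BST:  src: 172.16.248.254, dst: 172.16.248.3
Sep  9 2010 10:54:58.029 BST:      src NBMA: 192.0.2.1
Sep  9 2010 10:54:58.029 BST: Authentication Extension(7):
Sep  9 2010 10:54:58.029 BST:   type:Cleartext(1), data:secret
"""

# Timestamp prefix as it appears in the quoted output ("Sep  9 2010 10:54:51.957 BST: ").
PREFIX = re.compile(r"^\w{3}\s+\d+ \d{4} [\d:.]+ \w+: ?")
ENCAP = re.compile(r"NHRP: Encapsulation failed for destination (\S+) out (\S+)")
SEND = re.compile(r"NHRP: Send (.+?) via (\S+) vrf (\S+), packet size: (\d+)")
NBMA = re.compile(r"src NBMA: (\S+)")
AUTH = re.compile(r"(type:(\w+)\(\d+\), data:)(\S+)")


def summarise(text):
    """Return (encap_failures, sent_packets, redacted_text) for a debug capture."""
    failures, packets, out = Counter(), [], []
    for line in text.splitlines():
        body = PREFIX.sub("", line, count=1)
        if m := ENCAP.search(body):
            # Key: (destination tunnel address, outgoing interface)
            failures[(m.group(1), m.group(2))] += 1
        elif m := SEND.search(body):
            packets.append({"type": m.group(1), "ifc": m.group(2),
                            "vrf": m.group(3), "size": int(m.group(4)),
                            "src_nbma": None, "auth": None})
        elif packets and (m := NBMA.search(body)):
            packets[-1]["src_nbma"] = m.group(1)
        elif m := AUTH.search(body):
            if packets:
                packets[-1]["auth"] = m.group(2)
            # Keep the auth type, drop the shared string itself.
            line = AUTH.sub(r"\1<redacted>", line)
        out.append(line)
    return failures, packets, "\n".join(out)


if __name__ == "__main__":
    fails, pkts, redacted = summarise(SAMPLE)
    print(dict(fails), pkts, redacted, sep="\n")
```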
