391 Views | 0 Helpful | 2 Replies

ISAKMP not negotiated

avorobyev
Level 1

Hi!

I've got one branch Cisco 881 with 2 ISPs on it (on Fa4 and Vlan100)

There are 2 IPsec/GRE channels on both ISPs to different Hubs

Default route to 1st ISP, static to 2nd HUB via 2nd ISP

The problem is:

IPsec won't negotiate on the 2nd channel in the normal situation.

But when I stop 1st ISP and default route goes to 2nd ISP (ip sla, track), then in several minutes, ISAKMP negotiates and 2nd GRE channel goes up.

Moreover, in this situation the channel stays up even after ISP1 comes back, for 1-2 days (as long as ISAKMP has not expired).

If I turn off IPSec on the tunnel, then it immediately goes up.

What could be wrong and what debugs to show?

!
track 1 ip sla 1 reachability
delay down 30 up 60
!
track 2 ip sla 2 reachability
delay down 70 up 40
!

crypto isakmp policy 100
encr aes 256
authentication pre-share
group 15
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxx address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set DmvpnSet esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile ISP1
set transform-set DmvpnSet
!
crypto ipsec profile ISP2
set transform-set DmvpnSet
!
interface Tunnel0
description Sec - Sec
ip address 10.0.204.2 255.255.255.252
ip mtu 1400
ip flow ingress
ip flow egress
ip virtual-reassembly in
ip tcp adjust-mss 1360
delay 10000
tunnel source Dialer0
tunnel destination HUB2
tunnel path-mtu-discovery
tunnel protection ipsec profile ISP2 shared
!
interface Tunnel1001
description DMVPN Cloud 1 Spoke
bandwidth 100
ip address 10.255.1.204 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication dmvpn1
ip nhrp map multicast HUB1
ip nhrp map 10.255.1.1 HUB1
ip nhrp network-id 1001
ip nhrp holdtime 600
ip nhrp nhs 10.255.1.1
ip virtual-reassembly in
ip tcp adjust-mss 1360
tunnel source Vlan100
tunnel mode gre multipoint
tunnel key 1001
tunnel path-mtu-discovery
tunnel protection ipsec profile ISP1 shared
!
interface FastEthernet0
switchport access vlan 100
no ip address
!
interface FastEthernet4
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description $LAN$
ip address 192.168.204.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
description WAN ISP1
ip address ISP1ip.101 255.255.255.192
ip nat outside
ip virtual-reassembly in
!
interface Dialer0
description WAN ISP2
ip address negotiated
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1436
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxx
no cdp enable
!
!
!
ip nat inside source route-map DSL interface FastEthernet4 overload
ip nat inside source route-map RTKM interface Vlan100 overload
ip nat inside source route-map RTKM-pppoe interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 ISP1ip.65 5 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 6 track 2
ip route 0.0.0.0 0.0.0.0 ISP1ip.65 10
ip route 0.0.0.0 0.0.0.0 Dialer0 11
ip route 8.8.4.4 255.255.255.255 Dialer0 permanent
ip route 8.8.8.8 255.255.255.255 ISP1ip.65 permanent
ip route HUB2 255.255.255.255 Dialer0
ip route HUB1 255.255.255.255 ISP1ip.65 permanent
ip tacacs source-interface Vlan1
!
ip sla auto discovery
ip sla 1
icmp-echo 8.8.8.8 source-interface Vlan100
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.4.4 source-interface Dialer0
frequency 30
ip sla schedule 2 life forever start-time now
dialer-list 1 protocol ip permit
!
route-map RTKM permit 10
match ip address 105
match interface Vlan100
!
route-map RTKM-pppoe permit 10
match ip address 105
match interface Dialer0
!
route-map DSL permit 10
match ip address 101
match interface FastEthernet4
!
!

2 Replies

Peter Koltl
Level 7

Migrate to IWAN concept:

Use fvrf1 and fvrf2 for either ISP direction and the tunnel vrf command to attach the tunnels to the distinct VRFs. You will benefit from an independent tunnel carrier routing table in each VRF.
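An added illustration of the front-door VRF layout described in this reply, applied to the interfaces and tunnels from the configuration above; it is not from the original post or reply, and the VRF names FVRF-ISP1 / FVRF-ISP2 are assumed (the next hops are the placeholders already used in the thread):

```cisco
! Front-door VRFs: one per carrier, each holding only that ISP's routes
ip vrf FVRF-ISP1
 description Transport VRF for ISP1 (Vlan100)
ip vrf FVRF-ISP2
 description Transport VRF for ISP2 (Dialer0 / PPPoE on Fa4)
!
! Move each WAN interface into its carrier VRF.
! Note: entering "ip vrf forwarding" clears the interface IP address in IOS,
! so the address must be re-entered afterwards.
interface Vlan100
 ip vrf forwarding FVRF-ISP1
 ip address ISP1ip.101 255.255.255.192
!
interface Dialer0
 ip vrf forwarding FVRF-ISP2
 ip address negotiated
!
! The tunnel overlay addresses stay in the global table; "tunnel vrf" makes
! the GRE/IPsec outer packets (and the ISAKMP socket) use the carrier VRF.
! "shared" is only needed when several tunnels use the same source interface
! and profile, so it is dropped here.
interface Tunnel1001
 tunnel source Vlan100
 tunnel vrf FVRF-ISP1
 tunnel protection ipsec profile ISP1
!
interface Tunnel0
 tunnel source Dialer0
 tunnel vrf FVRF-ISP2
 tunnel protection ipsec profile ISP2
!
! Per-VRF default routes: HUB1 is always reached via ISP1 and HUB2 via ISP2,
! independent of which global default route (track 1 / track 2) is active.
ip route vrf FVRF-ISP1 0.0.0.0 0.0.0.0 ISP1ip.65
ip route vrf FVRF-ISP2 0.0.0.0 0.0.0.0 Dialer0
!
! The IP SLA probes that drive track 1/2 must now be sourced inside the VRFs
ip sla 1
 icmp-echo 8.8.8.8 source-interface Vlan100
 vrf FVRF-ISP1
ip sla 2
 icmp-echo 8.8.4.4 source-interface Dialer0
 vrf FVRF-ISP2
```

The global default routes and NAT statements from the original configuration are not shown; with the WAN interfaces in VRFs, the NAT rules also need VRF-aware syntax, which is outside what this thread covers.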

Hi! I know this concept and am approaching it, but now I'm trying to troubleshoot this configuration. It works on 50 other routers but this one.

BTW, won't there be performance issues with VRFs on 880 series routers? They're not so powerful and I'm afraid of a 1,5-2x performance cut there.