Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
393
Views
4
Helpful
3
Replies

DMVPN Issue

jgtheodor
Level 1
Level 1

‎07-14-2009 09:51 AM - edited ‎03-04-2019 05:25 AM

Hi,

There are 3 weeks ago since we switched the WAN Links of our Data Network to DMVPN technology.

There is a HUB 3845 router in HQ and 2811 ISRs in all other 19 Branches. The 3845 router is connected to ISP MPLS cloud through 2 primary E1 lines and a secondary 24 Mbps ADSL line . Every branch router is connected to ISP MPLS cloud through a primary leased line and a secondary 2 Mbps ADSL.

There are 4 DMVPN Tunnels. Tunnel1 over the branch leased line to HUB E1. Tunnel2 over the branch ADSL line to HUB E1. Tunnel 5 over the branch leased line to HUB ADSL line and Tunnel 6 over the branch ADSL line to HUB ADSL line. EIGRP run in the whole network with default timers.

Everything seems work fine, but I have noticed the log messages bellow:

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=192.168.192.30,dstadr=192.168.192.1,size=768,handle=0x6071

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=192.168.192.19,dstadr=192.168.192.1,size=144,handle=0x67C1

I have also noticed the log messages from the deny entries from router WAN Access-lists related to fragmentation:

%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.70 -> 192.168.192.1 (11/1), 17 packets

%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.50 -> 192.168.192.1 (11/1), 1 packet

%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.30 -> 192.168.192.1 (11/1), 1 packet

%SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.74 -> 192.168.192.1 (11/1), 1 packet

At the end, several times every day the EIGRP Adjacency in Tunnel1 & 5 is flapping without any specific reason.

In the 10.195.35.0 subnet belong the WAN links and in the subnet 192.168.192.0 belong the Tunnel1 IP Addresses.

Could anybody please write if there is any issue related to these log messages and to EIGRP behavior.

Thanks in advance!

Labels:
0 Helpful
3 Replies 3

jgtheodor
Level 1
Level 1

‎07-14-2009 10:53 PM

Hi,

Keep continuing from the previous message I am sending you the configuration files for the HUB and Branch router.

Any help would be appreciated!

Preview file
15 KB
0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to jgtheodor

‎07-15-2009 05:07 AM

Hello John,

your configurations look like fine.

I've searched bug toolkit and there are several bugs for DMVPN in 12.4(22)T like

CSCsv43385

and others

I would give a try to another release on the hub router:

tunnel1 and tunnel5 are related to the same hub router.

An idea could be also to try a release like 12.4(15)T9 and one as 12.4.(22)Tx

x>1

Hope to help

Giuseppe

jgtheodor
Level 1
Level 1
In response to Giuseppe Larosa

‎07-15-2009 09:45 PM

Hi Giuseppe,

I think you have right. I checked the Tunnel Interfaces in every branch router and there is no any dropped packet in contrast with Tunnels in Hub router which have some dropped packets. I will proceed with an IOS upgrade in 3845 router and I will let you know for the results.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card