New Member

OSPF Exstart/Exchange Stuck

Hi

I am having a problem with OSPF.

I have a network of 150 branch routers.

All these branches are available through my Fast Ethernet interface (my media is MPLS).

I am migrating my network to DMVPN with OSPF; before this I was using GRE tunnels with static routes.

I have migrated 60 routers to it.

All of them are in area 1.

When I look at show ip ospf nei

I see 7-8 neighbour routers are stuck in exstart state.

I couldn't understand what the problem is.

I have also put ip ospf mtu-ignore.

And set the MTU to 1400 on the tunnel interface.

Can anybody please help?

Regards

Atif

10 REPLIES
New Member

Re: OSPF Exstart/Exchange Stuck

Can you please provide a sho run for the OS config on the core & edge routers?

Thx.

Mo

New Member

Re: OSPF Exstart/Exchange Stuck

core 3845 HSEC adv IP services 12.4(3e)

Branches 2801/11 adv security 12.4(3H)

Core Router:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key ni135 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set NI_Sec_DMVPN esp-3des esp-md5-hmac
!
crypto ipsec profile NI_DMVPN
 set security-association lifetime seconds 120
 set transform-set NI_Sec_DMVPN
!
interface Tunnel0
 ip address 172.30.0.1 255.255.240.0
 no ip redirects
 ip ospf mtu-ignore
 ip mtu 1400
 ip nhrp authentication ni135
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network broadcast
 tunnel source 192.168.220.146
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile NI_DMVPN
router ospf 1
 network 10.200.0.0 0.0.3.255 area 0
 network 172.30.0.0 0.0.15.255 area 2
 area 2 stub no-summary

Branch Router

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key ni135 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set NI_Sec_DMVPN esp-3des esp-md5-hmac
!
crypto ipsec profile NI_DMVPN
 set security-association lifetime seconds 120
 set transform-set NI_Sec_DMVPN
!
interface Tunnel0
 ip address 172.30.3.224 255.255.240.0
 no ip redirects
 ip ospf mtu-ignore
 ip mtu 1400
 ip nhrp authentication ni135
 ip nhrp map multicast dynamic
 ip nhrp map 172.30.0.1 192.168.220.146
 ip nhrp map multicast 192.168.220.146
 ip nhrp network-id 1
 ip nhrp nhs 172.30.0.1
 ip ospf network broadcast
 tunnel source 192.168.220.198
 tunnel destination 192.168.220.146
 tunnel key 0
 tunnel protection ipsec profile NI_DMVPN
router ospf 1
 network 10.203.224.0 0.0.3.255 area 2
 network 172.30.0.0 0.0.15.255 area 2
 area 2 stub no-summary
 distribute-list prefix filter_all_except_default in
ip prefix-list filter_all_except_default seq 5 deny 0.0.0.0/1 le 32
ip prefix-list filter_all_except_default seq 10 permit 0.0.0.0/0

Silver

Re: OSPF Exstart/Exchange Stuck

Did you try 'debug ip ospf adj'?

Thanks.

Blue

Re: OSPF Exstart/Exchange Stuck

Atif:

If you want to continue troubleshooting on this MTU track, you can try this:

Try applying the ip tcp adjust-mss 1436 command under the GRE interface at both ends. What this does is allow each side to advertise (not negotiate) the maximum size of the data portion of the TCP segment that each will accept.

And then configure the ip mtu setting under the GRE interface at both ends to 1500.

These numbers aren't arbitrary. If you add the TCP header of 20 bytes and the IP header of 20 bytes, plus the GRE header overhead of 24 bytes to the TCP segment size of 1436, the resulting IP datagram will be 1500 bytes in length.

Apply these numbers and come back and tell us if the problem has gotten any better.

HTH

Victor

New Member

Re: OSPF Exstart/Exchange Stuck

Thanks Victor

One or two things I would like to add before applying the settings.

You didn't take account of the IPsec overhead.

One more piece of info: when the branches are under 50 everything is normal, but when I add more branches, for example when I take it to 65 branches, branches get stuck.

Regards

Atif

Re: OSPF Exstart/Exchange Stuck

Hi

I think as per Cisco recommendation the number of routers in an area should not be more than 50.

Thanks

Mahmood

Blue

Re: OSPF Exstart/Exchange Stuck

Atif:

You're right.

The size of the IPSec header will differ, depending on whether you deploy AH or ESP and whether you use IPSec Tunnel mode or Transport mode. Transport mode is commonly used in GRE over IPSec implementations because the tunnel endpoints are also the same as the IPSec encryption endpoints, and transport mode saves about 20 bytes.

So, make the adjustments to the TCP MSS accordingly.

Thanks

Victor
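
Added example, not part of any post in this thread: a Python calculation of the on-the-wire packet size for GRE over ESP with the posted transform set, in transport and tunnel mode, and of the largest tunnel ip mtu and TCP MSS that fit a given path MTU. The 1500-byte path MTU, the function names and the AES row are assumptions; the 8-byte GRE header reflects the `tunnel key` line in the posted config.

```python
# Added example: encapsulation arithmetic for GRE over IPsec (ESP).
IP_HDR = 20        # IPv4 header, no options
TCP_HDR = 20       # TCP header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes

# transform set -> (cipher block size, IV size, truncated ICV size), in bytes
TRANSFORMS = {
    "esp-3des esp-md5-hmac": (8, 8, 12),   # transform set in the posted config
    "esp-aes esp-sha-hmac": (16, 16, 12),  # not in the thread; for comparison
}


def gre_header(tunnel_key=True):
    """Base GRE header is 4 bytes; 'tunnel key' adds a 4-byte key field."""
    return 4 + (4 if tunnel_key else 0)


def wire_size(inner, transform, mode, tunnel_key=True):
    """Bytes on the wire for one inner IP packet of `inner` bytes."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    block, iv, icv = TRANSFORMS[transform]
    protected = gre_header(tunnel_key) + inner
    if mode == "tunnel":
        protected += IP_HDR  # GRE delivery header is encrypted, new IP header added
    # ESP pads payload + trailer up to a multiple of the cipher block size
    padded = -(-(protected + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + icv


def max_tunnel_mtu(path_mtu, transform, mode, tunnel_key=True):
    """Largest inner IP packet that is not fragmented after encapsulation."""
    for inner in range(path_mtu, IP_HDR, -1):
        if wire_size(inner, transform, mode, tunnel_key) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for this encapsulation")


def tcp_mss(ip_mtu):
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    ts = "esp-3des esp-md5-hmac"
    for mode in ("transport", "tunnel"):
        mtu = max_tunnel_mtu(1500, ts, mode)  # 1500 is an assumed path MTU
        print(mode, "ip mtu", mtu, "tcp mss", tcp_mss(mtu),
              "| ip mtu 1400 on the wire:", wire_size(1400, ts, mode))
```

`ip tcp adjust-mss` only affects TCP sessions; OSPF database description packets are sized from the tunnel `ip mtu`, so that is the value to compare against these results.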

Blue

Re: OSPF Exstart/Exchange Stuck

Atif:

Forgot to address your second issue.

"One more piece of info: when the branches are under 50 everything is normal, but when I add more branches, for example when I take it to 65 branches, branches get stuck."

If you have 50 routers working and they are all configured in the same manner (MTU, MSS, etc.), then I would guess that the 7 or 8 stragglers are having a different issue.

You're going to have to investigate the memory and processor capabilities of your hub router and whether your design is feasible.

HTH

Victor

New Member

Re: OSPF Exstart/Exchange Stuck

Attached is the debug output.

New Member

Re: OSPF Exstart/Exchange Stuck

Dear Atif, I am facing the same issue. Did you find the solution to your problem?

Kindly let me know.
