Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1244
Views
5
Helpful
5
Replies

OSPF with ipsec VTI interface goes down before dead timer.

paul amaral
Level 4
Level 4

‎09-22-2014 07:13 AM - edited ‎03-04-2019 11:48 PM

I have a strange issue that OSPF will initially start working, hellos are exchanged both ways but then after about 3 – 6 hellos one of the sides stops getting them and the ipsec VTI tunnel drops on router A even before the dead timer reaches 0. Is this default behavior, when OSPF is over a VTI interface if it doesn’t receive hellos is drops the tunnel?

 

I’m at a loss as to what is going on since it looks like only one neighbor stops receiving hellos, router A, for a brief period of time. This VTI tunnel is going over another provider’s FW and they have assured me the tunnel destination/source ips are wide open they also sent me the ACL and I can verify this. The weird thing is if I enable EIGRP it works great with no issues. On router B I am using the same source/ip unnumbered  interface on multiple VTI tunnels to to other destinations but this shouldn’t cause any issues I don’t think. I have never had an issue like this and from what I can tell the router A just stops briefly getting hellos after 3 – 6 initial hellos and drops the protocol on the VTI interface. If I set the dead timer on router A long enough it will stop receiving hellos but stay up and then after a while you get “LOADING to FULL” as the hellos start coming in again.  Again the tunnel goes over a cisco 800 which I have no control over it and a potential FW before that but I saw the ACL and ip is being allowed. I was thinking this could be a trolling issue on the FW but it doesn’t explain why EIGRP works.  FYI I was having a recursive routing issue before but I have since fixed that and the issue still continues.

 

 

********  it turns out that i was using the same source ip on multiple tunnels. IPsec would get confused with packets coming in and would deliver packets to the wrong tunnel interface. This was solved but using the key command with a different key number on each set of tunnels with the shared profile command

"If more than one mGRE tunnel is configured on a router that use the same tunnel source address, the shared keyword must be added to the tunnel protection command on all such tunnel interfaces. Each mGRE tunnel interface still requires a unique tunnel key, NHRP network-ID, and IP subnet address. This is common on a branch router when a dual DMVPN cloud topology is deployed. "

 

 

 

 

Router A:

 

router ospf 1

router-id 10.213.22.2

passive-interface default

network x.x.97.26 0.0.0.0 area 0

 

interface Tunnel1

ip unnumbered GigabitEthernet0/1

ip virtual-reassembly in

ip tcp adjust-mss 1398

ip ospf network point-to-point

load-interval 30

tunnel source GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel destination x.x.173.109

tunnel path-mtu-discovery

tunnel protection ipsec profile VTI-to-NB

 

 

router B:

 

router ospf 1

router-id 172.17.2.6

priority 1

redistribute static subnets route-map Lan-static-RM

passive-interface default

no passive-interface Tunnel1

no passive-interface Tunnel4

no passive-interface Tunnel5

network x.x.173.109 0.0.0.0 area 0

network 172.17.2.6 0.0.0.0 area 0

network 192.168.1.47 0.0.0.0 area 0

 

interface Tunnel4

 

ip unnumbered GigabitEthernet0/2

ip virtual-reassembly in

ip tcp adjust-mss 1398

ip ospf network point-to-point

load-interval 30

tunnel source GigabitEthernet0/2

tunnel mode ipsec ipv4

tunnel destination x.x.97.26

tunnel path-mtu-discovery

tunnel protection ipsec profile VTI_NB_to_dorrance_prv

end

 

 

thanks P

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Vasilii Mikhailovskii
Level 7
Level 7

‎09-29-2014 09:33 AM

Hello.

What IOS version do you run (on both sides)?

Do you observe the same issue if you run continuous ping over the tunnel?

Could you try to configure static ip mtu on tunnel interfaces and remove path-mtu-discovery?

Could you provide debug ip ospf hello and debug ip ospf adj output from both peers?

Please provide "show ip ospf int tu4" and "show ip ospf traffic tu4".

Thanks.

PS: what ACLs are you talking about?

0 Helpful

paul amaral
Level 4
Level 4
In response to Vasilii Mikhailovskii

‎09-29-2014 10:08 AM

Vasilii, thanks for your reply.

 

for now i have used static routing I am observing the tunnel drop at least a few times a day and have notice packet loss, although its not very significant loss between the tunnel endpoints.

 

11614 packets transmitted, 11585 received, 0% packet loss, time 11612418ms

 

Not sure if this is the reason that OSPF wont stay up, seems weird that the side having issues will initially get hellos then just drop after receiving 3/4 hellos initial hellos. there is a FW between the tunnels that i dont control so not sure if its that. Im in the process of moving the tunnels through another path and will post what i find once thats done. the new path for the tunnels will bypass tjhe FW in question. Also EIGRP while initially was working did give me issues where routes would disappear from the topology table although the tunnel was always up and so where eigrp neighbors.

 

 

 

thanks, P

 

 

 

 

0 Helpful

Vasilii Mikhailovskii
Level 7
Level 7
In response to paul amaral

‎09-29-2014 10:26 AM

Hello.

Looks like you are not investigating the issue any more.

But I would say, that EIGRP is a really good protocol, so whatever issue you had in the past might had any kind of root cause.

So, if you migrate, I would suggest to review EIGRP option as well.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎09-29-2014 10:15 AM

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I haven't studied your config, but I can tell you I have production environment using OSPF across VTI  (and GRE, and GRE/IPSec and DMVPN) tunnels without issue.  I.e. so OSPF can be okay with VTI tunnels.

0 Helpful

paul amaral
Level 4
Level 4

‎12-05-2014 07:11 AM

 it turns out that i was using the same source ip on multiple tunnels. IPsec would get confused with packets coming in and would deliver packets to the wrong tunnel interface. This was solved but using the key command with a different key number on each set of tunnels with the shared profile command

"If more than one mGRE tunnel is configured on a router that use the same tunnel source address, the shared keyword must be added to the tunnel protection command on all such tunnel interfaces. Each mGRE tunnel interface still requires a unique tunnel key, NHRP network-ID, and IP subnet address. This is common on a branch router when a dual DMVPN cloud topology is deployed. "

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card