Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
639
Views
0
Helpful
5
Replies

Cannot create EIGRP adjacency over Dynamic Multipoin IPSec VPN

artur.b01
Level 1
Level 1

‎09-29-2021 12:18 AM

Hello,

 

I have Cisco 2811 (Spoke) and cisco ISR4431/K9 (DMVPN Hub). I cannot create EIGRP adjacency between hub and spoke.

 

Spoke Configuration:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key ******* address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 3 periodic
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong  

 

interface Tunnel0
description GRE/IPSEC Tunnel to HUB
ip address 192.168.250.69 255.255.255.0
no ip redirects
ip mtu 1400
ip bandwidth-percent eigrp 1 100
ip hello-interval eigrp 1 30
ip hold-time eigrp 1 90
ip nhrp authentication black
ip nhrp responder FastEthernet0/1
ip nhrp map 192.168.250.1 xx.xx.xx.xx
ip nhrp map multicast xx.xx.xx.xx
ip nhrp network-id 101
ip nhrp nhs 192.168.250.1
ip nhrp registration timeout 30
ip tcp adjust-mss 1360
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 150
tunnel protection ipsec profile cisco shared

 

 

 

HUB configuration:

 

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key ******** address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 3 periodic
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile cisco
set security-association lifetime seconds 900
set transform-set strong
!

 

 

interface Tunnel2
bandwidth 10000000
ip address 192.168.250.1 255.255.255.0
no ip redirects
ip mtu 1400
ip bandwidth-percent eigrp 1 100
ip hello-interval eigrp 1 30
ip hold-time eigrp 1 90
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication black
ip nhrp network-id 101
ip summary-address eigrp 1 192.168.0.0 255.255.0.0
ip tcp adjust-mss 1360
ip policy route-map Deli_1
tunnel source GigabitEthernet0/0/2
tunnel mode gre multipoint
tunnel key 150
tunnel protection ipsec profile cisco shared

 

 

I think the configuration is right, becaues router creates an adjacency then falls with error:

 

Sep 29 12:56:44: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.250.69 (Tunnel2) is down: holding time expired

Sep 29 12:58:55: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000045356196197805 %IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error, DP Handle 148, src_addr 118.175.32.229, dest_addr 88.204.160.210, SPI 0x16bf4f54 

 

Please help

 

Labels:
0 Helpful
5 Replies 5

Georg Pauwen
VIP
VIP

‎09-29-2021 12:59 AM

Hello,

 

you could try and configure the below on both routers:

 

crypto ipsec security-association replay window-size 1024

0 Helpful

artur.b01
Level 1
Level 1
In response to Georg Pauwen

‎09-29-2021 02:04 AM

Thank you Georg for your feedback

 

I configured crypto ipsec security-association replay window-size 1024 on both router and nothing changed

 

Log on the hub: 

Sep 29 14:59:22: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.250.69 (Tunnel2) is down: Interface PEER-TERMINATION received
Sep 29 15:00:14: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=88.204.160.210, prot=50, spi=0x80274BA(134378682), srcaddr=178.135.10.88, input interface=Tunnel2
Sep 29 15:00:19: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.250.69 (Tunnel2) is up: new adjacency
Sep 29 15:01:14: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=88.204.160.210, prot=50, spi=0x80374BA(134444218), srcaddr=178.135.10.88, input interface=Tunnel2
floor0-GR2-4431#show ip ei
floor0-GR2-4431#show ip eigrp ne
floor0-GR2-4431#show ip eigrp neighbors | inc 192.168.250.69
floor0-GR2-4431#

 

 

Now Hub doesn't have EIGRP adjaceny with remote site

0 Helpful

Georg Pauwen
VIP
VIP
In response to artur.b01

‎09-29-2021 03:39 AM

Hello,

 

on the ISR, try and remove the invalid spi recovery:

 

no crypto isakmp invalid-spi-recovery

0 Helpful

artur.b01
Level 1
Level 1
In response to Georg Pauwen

‎09-29-2021 02:59 AM

It feels like the router stops receiving hello messages after a while

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎09-29-2021 03:35 AM

Is the Tunnel up between Hub and spoke ? Can you post Eigrp config also ?

 

You need to config eigrp no spli horizon config.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents