DMVPN HUB-SPOKE - HUB SSH access through vpn

Daniel Krueger
Level 1

Hello everybody,

I am just setting up a new DMVPN HUB. Everything works so far, but I have an issue when I try to connect to the HUB's SSH server through the DMVPN tunnel from a location.

Only SSH connections over the external (internet-side) interface are possible. Ping through the tunnel to the internal interface IP works fine, but it's not possible to connect to the SSH or SNMP server.

I try to connect to SSH or SNMP from local host 10.0.1.8 to gateway 20.0.0.1 through the VPN. All internet-related traffic of other hosts is forwarded to 20.0.0.254, which is my firewall.

This is my config:

interface GigabitEthernet0/1
 description LAN side
 ip address 20.0.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto

interface GigabitEthernet0/0
 description WAN Side
 ip address xx.xx.xx.xx 255.255.255.240
 ip access-group 100 in
 ip flow ingress
 ip flow egress
 ip inspect INTERNET out
 duplex auto
 speed auto
 service-policy output DSCP-Out

interface Tunnel0
 description mGRE Tunnel
 ip address 192.168.240.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip flow ingress
 ip flow egress
 ip nhrp authentication xxxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip tcp adjust-mss 1350
 ip policy route-map fw
 tunnel source xx.xx.xx.xx
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre-tunnel

ip local policy route-map fw

ip access-list extended fw
 permit ip 10.0.1.0 0.0.0.255 any

ip access-list extended lo
 permit ip host 10.0.1.8 any

route-map fw permit 10
 match ip address lo
!
route-map fw permit 20
 match ip address fw
 set ip next-hop 20.0.0.254

For testing, I removed the route policy from Tunnel0, but it doesn't make any difference.

Any hint?

Thx,

Daniel

8 Replies

Daniel Krueger
Level 1

Update:

Removing "ip local policy route-map fw" resolves the problem partly.

Access works "a bit". When I connect to SSH or open an SNMP session through the tunnel, the VPN tunnel breaks every minute.

Log:

*Jan 31 17:41:11.275: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.240.1 (Tunnel0) is down: holding time expired
*Jan 31 17:41:29.627: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.240.1 (Tunnel0) is up: new adjacency
*Jan 31 17:41:30.327: EIGRP-IPv4(1): Processing incoming UPDATE packet
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): 192.168.240.0/24 - do advertise out Tunnel0
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): Int 192.168.240.0/24 metric 26880000 - 25600000 1280000
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): 10.0.1.0/24 - do advertise out Tunnel0
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): Int 10.0.1.0/24 metric 28160 - 25600 2560
*Jan 31 17:41:30.371: EIGRP-IPv4(1): Processing incoming UPDATE packet
*Jan 31 17:41:30.371: EIGRP-IPv4(1): Int 192.168.240.0/24 M 28160000 - 25600000 2560000 SM 26880000 - 25600000 1280000
*Jan 31 17:41:30.371: EIGRP-IPv4(1): table(default): 192.168.240.0/24 routing table not updated thru 192.168.240.1
*Jan 31 17:41:30.375: EIGRP-IPv4(1): Int 20.0.0.0/24 M 26880256 - 25600000 1280256 SM 2816 - 2560 256
*Jan 31 17:41:30.375: EIGRP-IPv4(1): table(default): route installed for 20.0.0.0/24 (90/26880256) origin(192.168.240.1)
*Jan 31 17:41:30.391: EIGRP-IPv4(1): table(default): 20.0.0.0/24 - do advertise out Tunnel0
*Jan 31 17:41:30.391: EIGRP-IPv4(1): table(default): Int 20.0.0.0/24 metric 26880256 - 25600000 1280256
*Jan 31 17:41:30.415: EIGRP-IPv4(1): Processing incoming UPDATE packet
*Jan 31 17:41:30.415: EIGRP-IPv4(1): Int 10.0.1.0/24 M 28162560 - 25600000 2562560 SM 26882560 - 25600000 1282560
*Jan 31 17:41:30.415: EIGRP-IPv4(1): table(default): 10.0.1.0/24 routing table not updated thru 192.168.240.4


What can I do to fix this behaviour?

Hello Daniel,

I see from the logs below that the EIGRP neighborship is flapping over the tunnel.

>>

*Jan 31 17:41:11.275: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.240.1 (Tunnel0) is down: holding time expired
*Jan 31 17:41:29.627: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.240.1 (Tunnel0) is up: new adjacency
*Jan 31 17:41:30.327: EIGRP-IPv4(1): Processing incoming UPDATE packet
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): 192.168.240.0/24 - do advertise out Tunnel0
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): Int 192.168.240.0/24 metric 26880000 - 25600000 1280000
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): 10.0.1.0/24 - do advertise out Tunnel0
*Jan 31 17:41:30.339: EIGRP-IPv4(1): table(default): Int 10.0.1.0/24 metric 28160 - 25600 2560
*Jan 31 17:41:30.371: EIGRP-IPv4(1): Processing incoming UPDATE packet
*Jan 31 17:41:30.371: EIGRP-IPv4(1): Int 192.168.240.0/24 M 28160000 - 25600000 2560000 SM 26880000 - 25600000 1280000
*Jan 31 17:41:30.371: EIGRP-IPv4(1): table(default): 192.168.240.0/24 routing table not updated thru 192.168.240.1
*Jan 31 17:41:30.375: EIGRP-IPv4(1): Int 20.0.0.0/24 M 26880256 - 25600000 1280256 SM 2816 - 2560 256
*Jan 31 17:41:30.375: EIGRP-IPv4(1): table(default): route installed for 20.0.0.0/24 (90/26880256) origin(192.168.240.1)
*Jan 31 17:41:30.391: EIGRP-IPv4(1): table(default): 20.0.0.0/24 - do advertise out Tunnel0
*Jan 31 17:41:30.391: EIGRP-IPv4(1): table(default): Int 20.0.0.0/24 metric 26880256 - 25600000 1280256
*Jan 31 17:41:30.415: EIGRP-IPv4(1): Processing incoming UPDATE packet
*Jan 31 17:41:30.415: EIGRP-IPv4(1): Int 10.0.1.0/24 M 28162560 - 25600000 2562560 SM 26882560 - 25600000 1282560
*Jan 31 17:41:30.415: EIGRP-IPv4(1): table(default): 10.0.1.0/24 routing table not updated thru 192.168.240.4

>>>

You have a routing issue: for some reason, when you start the SSH session the DMVPN scenario is broken. I cannot see why from your attached configuration.

Hope to help

Giuseppe

Hi Giuseppe,

I could fix it by removing the EIGRP net 20.0.0.0. Since then, the tunnel has been stable.

Thanks,

Daniel

Hello Daniel,

this error is called recursive routing and makes the tunnel unstable.

Hope to help

Giuseppe

Hi Giuseppe,

good to know but to be honest, I don't understand why this causes the problem.

The EIGRP config part defines all the nets which will be seen by the partners/SPOKEs.

Net one is the tunnel network, which is in the EIGRP config on the HUB and all SPOKEs, and then each SPOKE has its own "LANs".

From this point of view, the net 20.0.0.0 in the HUB's EIGRP config does not look wrong to me.

Is the LAN on a HUB published in a different way than the LANs on the SPOKEs?

Best regards,

Daniel

Hello Daniel,

recursive routing should happen only when we publish the public IP addresses of the mGRE tunnel inside the IGP running over the tunnel itself. This should be the only scenario where we cause instability.

As you have noted, the IPv4 subnet 20.0.0.0/24 can be advertised over the EIGRP running over the DMVPN mGRE tunnel without any problems.

So the answer to your question is no: no special configuration for the internal LAN subnets on the hub router is necessary.

I wonder what the usage of the PBR with the following route-map is:

route-map fw permit 10
 match ip address lo
!
route-map fw permit 20
 match ip address fw
 set ip next-hop 20.0.0.254

Because this makes the scenario more complex.

And what do you actually do when you access via SSH from the HUB?

Hope to help

Giuseppe
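The recursive-routing condition Giuseppe describes (the tunnel's own underlay source address ends up inside a prefix that the IGP running over the tunnel advertises) can be caught statically before the tunnel ever flaps. The script below is an added example, not code from the thread or from Cisco; it parses an IOS-style config, resolves each GRE tunnel's "tunnel source" (an address or an interface name) to an IPv4 address, expands the EIGRP "network" statements (including the classful expansion IOS applies when no wildcard is given) and reports every tunnel whose source falls inside an advertised prefix. The two configs at the bottom are constructed in the shape of the original post; 203.0.113.2/28 is an assumed placeholder for the redacted xx.xx.xx.xx WAN address.

```python
"""Static check for the recursive-routing precondition on a DMVPN hub.

Added example, not from the thread. Flags a GRE tunnel whose underlay source
address lies inside a prefix that the EIGRP process running over that tunnel
advertises; IOS detects the resulting loop at run time and logs
%TUN-5-RECURDOWN, this finds it in the config first.
"""
import ipaddress
import re

IPv4Net = ipaddress.IPv4Network


def classful_network(addr: str) -> IPv4Net:
    """Expand a mask-less EIGRP 'network A.B.C.D' the way IOS does:
    class A -> /8, class B -> /16, class C -> /24."""
    first = int(addr.split(".")[0])
    prefix_len = 8 if first < 128 else 16 if first < 192 else 24
    return IPv4Net(f"{addr}/{prefix_len}", strict=False)


def parse_eigrp_networks(config: str) -> list:
    """Prefixes covered by 'network' statements under 'router eigrp N'."""
    nets, in_eigrp = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line ends any block
            in_eigrp = line.startswith("router eigrp ")
            continue
        m = re.match(r"\s*network (\S+)(?: (\S+))?$", line)
        if in_eigrp and m:
            addr, wildcard = m.groups()
            # ipaddress accepts an IOS wildcard (host mask) after the slash.
            nets.append(classful_network(addr) if wildcard is None
                        else IPv4Net(f"{addr}/{wildcard}", strict=False))
    return nets


def parse_interfaces(config: str) -> dict:
    """Per interface: its IPv4 address and its 'tunnel source' (IP or name)."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = line.split(None, 1)[1] if line.startswith("interface ") else None
            if current is not None:
                ifaces[current] = {"ip": None, "tunnel_source": None}
            continue
        if current is None:
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)
        if m:
            ifaces[current]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"\s*tunnel source (\S+)$", line)
        if m:
            ifaces[current]["tunnel_source"] = m.group(1)
    return ifaces


def resolve_source(src: str, ifaces: dict):
    """'tunnel source' may be a literal address or the name of another interface."""
    try:
        return ipaddress.IPv4Address(src)
    except ipaddress.AddressValueError:
        pass
    for name, data in ifaces.items():
        if name.lower() == src.lower() and data["ip"] is not None:
            return data["ip"].ip
    return None


def recursive_routing_risks(config: str) -> list:
    """(tunnel, source address, offending EIGRP prefix) for each tunnel whose
    underlay source would itself be learned through the tunnel."""
    ifaces = parse_interfaces(config)
    advertised = parse_eigrp_networks(config)
    risks = []
    for name, data in ifaces.items():
        if data["tunnel_source"] is None:
            continue
        src_ip = resolve_source(data["tunnel_source"], ifaces)
        if src_ip is not None:
            risks.extend((name, str(src_ip), str(n)) for n in advertised if src_ip in n)
    return risks


# Constructed hub config in the shape of the original post; the WAN address is
# an assumed placeholder. The underlay subnet is kept out of EIGRP.
HUB_OK = """\
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.240
!
interface GigabitEthernet0/1
 ip address 20.0.0.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.240.1 255.255.255.0
 tunnel source 203.0.113.2
 tunnel mode gre multipoint
!
router eigrp 1
 network 192.168.240.0 0.0.0.255
 network 20.0.0.0 0.0.0.255
!
"""

# Same hub, but the tunnel source is given by interface name and a mask-less
# classful 'network 203.0.113.0' (-> 203.0.113.0/24) pulls the WAN subnet in.
HUB_RISKY = (HUB_OK
             .replace(" tunnel source 203.0.113.2", " tunnel source GigabitEthernet0/0")
             .replace(" network 20.0.0.0 0.0.0.255",
                      " network 20.0.0.0 0.0.0.255\n network 203.0.113.0"))

if __name__ == "__main__":
    for label, cfg in (("ok", HUB_OK), ("risky", HUB_RISKY)):
        print(label, recursive_routing_risks(cfg))
```

The classful expansion matters for the thread's own "network 20.0.0.0": with no wildcard IOS treats it as 20.0.0.0/8, so it enables EIGRP on, and advertises, every interface whose address falls anywhere in 20.0.0.0/8, not just the 20.0.0.0/24 LAN. The check only inspects "network" statements; redistribution or summary-address configuration that could also leak the underlay into the IGP is outside its scope.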