DMVPN on 6509\SUP32 MSFC

asadnaqui
Level 1

Hi,

I am trying to use our 6509 chassis with a Sup32 Supervisor as a DMVPN hub.

The MSFC card has 2 VLANs configured (for simplicity) - one public facing (tunnel endpoint) and one internal.

I can initiate the tunnel and it comes up fine. I can ping the remote router from the MSFC with the internal VLAN as a source address and get a reply.

However, if I try to ping the remote router from a PC on the internal LAN, there is no reply.

I am seeing these errors on the remote router:-

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /E.E.E.E, src_addr= e.e.e.e, prot= 47...

E = external address of remote router

e = external address on MSFC

From my reading, I think this is all down to inter-VLAN routing being carried out by the MSFC\6509.

Has anybody had this issue and resolved it?

Any tips on how I can get this setup to work?

Thanks

Asad

23 Replies

Thanks for your suggestions.

Money is not an issue here. I am asking this question to see if I can get this working on a 6509.

Going to ebay to buy a part for our core router is not exactly something that I would do.

Actually from your posts above it seemed clear that money is an issue for you.

As I mentioned already, if you don't trust ebay (your loss doing that), there are reputable hardware vendors for professional service.

Basically, everything will be better than having a machine doing something it was not designed for - that will put a real risk on your core infrastructure.

Seriously, this post is relating to getting the 6509 as a DMVPN hub.

Thanks for telling me that money IS an issue :S The reason I stated the cost of the card above is to illustrate the fact that rather than spend £2500 on a card, I would much rather spend £7000 on the 3845 and upgrade a 7 year old router in the process.

If this is coming across rude, it's because rather than concentrate on my question, you are telling me what is and isn't an issue for me.

If we stick to the point in hand - DMVPN on 6509 - then we can progress. Considering you didn't even know you could get a tunnel up on the 6509/Sup32, I think I can safely assume you will not be able to contribute to this topic with respect to the original question.

No, sorry, we cannot progress on this with an attitude like yours.

You have been told that you are attempting something wrong in principle, and refuse to acknowledge that. If you do not believe me (sorry I have only 20 years of networking experience, 10 of these spent at Cisco), ask any certified engineer managing designs similar to yours.

Specifically, ask if it is a good idea to run IPSEC in software on an MSFC whereas a 3745 (also software) was struggling.

I will await you reporting on this, although that will require some humbleness you have not shown so far.

You have also been told that parts can be bought at a lesser price than new, to enable something that should have been done since the beginning on your old router - again you refuse to acknowledge this simple truth by which millions of companies have enabled their networking with a competitive advantage.

I have seen attitudes like yours many times in the past, most often from junior engineers with little grasp on the reality of Cisco networking that can be summed: "always use the right box for the right box". Their only focus was to put in practice whatever smart theory they had come up with. Of course the results were a sure fail all the times.

So my last comment on this can only be, keep going in rounds if you wish - good luck.

One last thing regarding my supposed inability to help fix your configuration from remote without having seen anything - a psychic reader can help you better if that is your approach to networking.

This is a discussion forum, where I have asked a general question.

You have posted some points, it's only fair I should respond.

Firstly, the 3745 has been doing the job fine for over 2 years, only recently reaching its limit. The idea is the 6509, with its greater CPU power, will be able to alleviate the CPU bottleneck. Surely this is just logical?

With regards to the module - there were no DMVPN tunnels when the router was bought new, so no, it should not have been bought then. The router was fine with 10 VPN tunnels, so no, it should not have been bought then. Now, when the router is 7 years old, is it wrong to not want to spend a vast sum when the router has gone End of Life? As for buying refurbished etc, you are missing the point. There is no need or want for us to spend money on essentially out of date equipment. So any comment you make about auction sites or cheap parts is moot.

As for attitude, I have seen many like yours too. Your first few statements indicated that you did not even know what the 6509 is capable of, stating "and I wasn't even aware that it supported software encryption". Instead of realising this is over your head (yes it is possible you do not have 100% Cisco knowledge) you continue to push down a path which I have not reached yet (purchase a router).

So please don't assume to know my position or level, when you yourself outlined yours from the very start, by not even realising that I could do what I had done! Yes we have all come across the "old guy in IT for 50 years and no one can tell him what's what".

I know I am tackling a complex configuration, but that is part of how we learn.

Yes I do believe this is possible, I mean, why incorporate an image that is capable of DMVPN functionality on the 6509?

That's what I aim to find out.

Good luck my friend!

Let us know when your MSFC (assuming MSFC-1) CPU melts.

It has an R5000 CPU at 200MHz, where the 3745 has an R7000 CPU at 350MHz.

The "vast sum" of $19 would have saved you from this ordeal, but OMG, it would have to be bought from Evil Ebay. Sorry, what a "moot comment" mine was.

You must be right, what do I know after all, have been in networking too long, luckily new creative engineers like you shall take my place soon. These 1,169 "solved marks" that I got on NetPro must have been given due to commiseration for my old age.

I just hope I will not depend on your networking when that happens :)

MSFC-2a - so R7000 @ 300MHz. Finally something that makes a valid point.

Again, cost has never been an issue. Acquiring critical equipment off ebay when the funds are available to buy new from Cisco is not something we do.

Thanks for that.

It's an MSFC-2a so R7000 also.

Looking at specs for the 3845, that has an R7000 @ 350MHz.

And again for the third or fourth time, you fail to understand the functionality of a hardware VPN accelerator, that is embedded with ISR routers including of course, the 3845 - to offload the CPU from heavy cryptographic calculations.
