
EIGRP flapping on DMVPN tunnel.

asmlicense
Level 1

Hi to all!

We have had this problem for about 1 or 2 months.

It's flapping almost every time, but not on all spokes. We have one HUB in HQ connected over an MPLS VLAN to the other spokes. Here is the config of the HUB router:

___________________________________________________

vrf definition IWAN-PUBLIC-ASM
 description IWAN ASM
 !
 address-family ipv4
 exit-address-family
!
key chain LAN-KEY
 key 1
   key-string *****
!
!
!
!
!
crypto ikev2 keyring DMVPN_CRY_ASM
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key *****
 !
!
!
crypto ikev2 profile DMVPN_IKEVPR_ASM
 match fvrf IWAN-PUBLIC-ASM
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN_CRY_ASM
!
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_CRYPR_ASM
 set transform-set AES256/SHA/TRANSPORT
 set ikev2-profile DMVPN_IKEVPR_ASM
!
interface Tunnel10
 bandwidth 200000
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *****
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 100
 tunnel source GigabitEthernet0/0/3.1000
 tunnel mode gre multipoint
 tunnel key 101
 tunnel path-mtu-discovery
 tunnel vrf IWAN-PUBLIC-ASM
 tunnel protection ipsec profile DMVPN_CRYPR_ASM
!
!
interface GigabitEthernet0/0/3.1000
 description TO_BRANCHES
 encapsulation dot1Q 3029
 vrf forwarding IWAN-PUBLIC-ASM
 ip address 192.168.255.1 255.255.255.0
!
router eigrp IWAN-EIGRP
 !
 address-family ipv4 unicast autonomous-system 300
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel10
   authentication mode md5
   authentication key-chain LAN-KEY
   hello-interval 20
   hold-time 60
   no passive-interface
   no split-horizon
  exit-af-interface
  !
  topology base
   redistribute ospf 10 metric 10000 10 255 1 10000
  exit-af-topology
  network 192.168.0.1 0.0.0.0
  nsf
 exit-address-family
!
router ospf 10
 router-id 172.16.0.10
 redistribute eigrp 300 subnets
 network 172.16.0.10 0.0.0.0 area 0
!
ip route vrf IWAN-PUBLIC-ASM 0.0.0.0 0.0.0.0 192.168.255.3

__________________________________________________

 

And this is the config of the Spoke router:

__________________________________________________

vrf definition IWAN-TRANSPORT-2
 description IWAN-TRANSPORT-2
 !
 address-family ipv4
 exit-address-family
!
!
key chain LAN-KEY
 key 1
   key-string *****
!
crypto ikev2 proposal IK2-Proposal
 encryption aes-cbc-128
 integrity sha1 md5
 group 2 5
!
crypto ikev2 policy IK2-Policy
 match fvrf IWAN-TRANSPORT-2
 match address local 192.168.255.25
 proposal IK2-Proposal
!
crypto ikev2 keyring DMVPN_CRY_ASM
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key *****
 !
!
!
crypto ikev2 profile DMVPN_IKEVPR_ASM
 match fvrf IWAN-TRANSPORT-2
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN_CRY_ASM
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_CRYPR_ASM
 set transform-set AES256/SHA/TRANSPORT
 set ikev2-profile DMVPN_IKEVPR_ASM
!
!
!
interface Tunnel1
 bandwidth 100000
 ip address 192.168.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication *****
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp nhs 19.168.0.1 nbma 192.168.255.1 multicast
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 10
 if-state nhrp
 tunnel source GigabitEthernet0/0/0.1000
 tunnel mode gre multipoint
 tunnel key 101
 tunnel path-mtu-discovery
 tunnel vrf IWAN-TRANSPORT-2
 tunnel protection ipsec profile DMVPN_CRYPR_ASM
!
interface GigabitEthernet0/0/0.1000
 encapsulation dot1Q 3029
 vrf forwarding IWAN-TRANSPORT-2
 ip address 192.168.255.11 255.255.255.0
 no ip proxy-arp
 no cdp enable
!
!
router eigrp IWAN-EIGRP
 !
 address-family ipv4 unicast autonomous-system 300
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel1
   authentication mode md5
   authentication key-chain LAN-KEY
   hello-interval 20
   hold-time 60
   no passive-interface
   no split-horizon
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.0.11 0.0.0.0
 exit-address-family
!
ip route vrf IWAN-TRANSPORT-2 0.0.0.0 0.0.0.0 192.168.255.1

_____________________________________________________

 

 

 

We have this kind of problem; I'll share logs with you too:

on HUB:

Sep  9 11:59:30.683: EIGRP: Build goodbye tlv for 192.168.0.12
Sep  9 12:01:28.759: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.7 (Tunnel10) is down: holding time expired
Sep  9 12:01:28.762: EIGRP: Build goodbye tlv for 192.168.0.7
Sep  9 12:02:25.448: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: peer restarted
Sep  9 12:02:45.465: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is up: new adjacency
Sep  9 12:03:07.661: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.6 (Tunnel10) is down: holding time expired
Sep  9 12:03:07.665: EIGRP: Build goodbye tlv for 192.168.0.6
Sep  9 12:03:45.559: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: holding time expired
Sep  9 12:03:45.563: EIGRP: Build goodbye tlv for 192.168.0.11
Sep  9 12:03:52.299: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is up: new adjacency
Sep  9 12:04:02.124: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.7 (Tunnel10) is up: new adjacency
Sep  9 12:04:39.693: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.12 (Tunnel10) is up: new adjacency
Sep  9 12:04:52.303: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: holding time expired
Sep  9 12:04:52.305: EIGRP: Build goodbye tlv for 192.168.0.11
Sep  9 12:05:45.414: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is up: new adjacency
Sep  9 12:06:07.439: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: peer restarted
Sep  9 12:06:45.175: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is up: new adjacency
Sep  9 12:08:42.221: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.6 (Tunnel10) is up: new adjacency
Sep  9 12:08:42.228: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.12 (Tunnel10) is down: peer restarted
Sep  9 12:10:16.217: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.12 (Tunnel10) is up: new adjacency
Sep  9 12:13:13.533: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.14 (Tunnel10) is down: holding time expired
Sep  9 12:13:13.536: EIGRP: Build goodbye tlv for 192.168.0.14
Sep  9 12:14:33.560: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.12 (Tunnel10) is down: holding time expired
Sep  9 12:14:33.563: EIGRP: Build goodbye tlv for 192.168.0.12
Sep  9 12:14:33.568: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.7 (Tunnel10) is down: peer restarted
Sep  9 12:14:43.100: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: holding time expired
Sep  9 12:14:43.107: EIGRP: Build goodbye tlv for 192.168.0.11
Sep  9 12:14:52.276: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.7 (Tunnel10) is up: new adjacency
Sep  9 12:15:06.627: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.14 (Tunnel10) is up: new adjacency
Sep  9 12:15:26.654: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is up: new adjacency
Sep  9 12:15:48.672: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: peer restarted
Sep  9 12:16:08.234: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is up: new adjacency
Sep  9 12:16:25.445: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.12 (Tunnel10) is up: new adjacency
Sep  9 12:16:28.686: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.6 (Tunnel10) is down: holding time expired
Sep  9 12:16:28.690: EIGRP: Build goodbye tlv for 192.168.0.6

 

on SPOKE:

.Sep  9 12:32:14.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Sep  9 12:32:21.893: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is up: new adjacency
.Sep  9 12:32:24.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
.Sep  9 12:32:24.148: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is down: interface down
.Sep  9 12:32:34.172: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Sep  9 12:32:41.909: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is up: new adjacency
.Sep  9 12:32:44.173: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
.Sep  9 12:32:44.175: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is down: interface down
.Sep  9 12:56:54.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Sep  9 12:56:54.516: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is up: new adjacency
.Sep  9 12:57:04.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
.Sep  9 12:57:04.184: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is down: interface down
.Sep  9 12:57:14.209: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Sep  9 12:57:14.534: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is up: new adjacency
.Sep  9 13:00:44.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
.Sep  9 13:00:44.214: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is down: interface down
.Sep  9 13:10:14.218: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Sep  9 13:10:14.290: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is up: new adjacency

 

 

Has anybody seen this problem? We have researched almost everywhere, even in this forum, but haven't found a good solution.
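An added example, not part of the original post: a Python script that parses `%DUAL-5-NBRCHANGE` and `%LINEPROTO-5-UPDOWN` lines like those above and reports the down reasons per neighbor and how long each up period lasted, so the durations can be compared with the configured `hold-time 60`. The function names and the placeholder year are assumptions of this example; the sample lines are taken from the hub and spoke logs in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: a few lines taken from the hub and spoke logs in the post.
HUB_LOG = """\
Sep  9 12:02:25.448: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: peer restarted
Sep  9 12:02:45.465: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is up: new adjacency
Sep  9 12:03:07.661: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.6 (Tunnel10) is down: holding time expired
Sep  9 12:03:45.559: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.11 (Tunnel10) is down: holding time expired
"""
SPOKE_LOG = """\
.Sep  9 12:32:14.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Sep  9 12:32:21.893: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is up: new adjacency
.Sep  9 12:32:24.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
.Sep  9 12:32:24.148: %DUAL-5-NBRCHANGE: EIGRP-IPv4 300: Neighbor 192.168.0.1 (Tunnel1) is down: interface down
.Sep  9 12:32:34.172: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Sep  9 12:32:44.173: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
"""

TS = r"^[.*]?(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "  # leading "." or "*": clock not NTP-synchronized
NBR = re.compile(TS + r"%DUAL-5-NBRCHANGE: \S+ \d+: Neighbor (\S+) \(\S+\) is (up|down): (.+)$")
LINE = re.compile(TS + r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to (up|down)$")

def parse(log):
    # Returns (time, kind, subject, state, reason) tuples; the logs carry no year, so 2000 is assumed.
    events = []
    for line in log.splitlines():
        for kind, rx in (("nbr", NBR), ("line", LINE)):
            m = rx.match(line.strip())
            if m:
                ts = datetime.strptime("2000 " + " ".join(m[1].split()), "%Y %b %d %H:%M:%S.%f")
                events.append((ts, kind, m[2], m[3], m[4] if kind == "nbr" else ""))
    return events

def down_reasons(events):
    # Count (neighbor, reason) pairs for EIGRP "is down" events.
    return Counter((s, r) for _, k, s, state, r in events if k == "nbr" and state == "down")

def up_durations(events, kind, subject):
    # Seconds each up period lasted before the next down, for one neighbor ("nbr") or interface ("line").
    durations, up_at = [], None
    for ts, state in sorted((e[0], e[3]) for e in events if e[1:3] == (kind, subject)):
        if state == "up":
            up_at = ts
        elif up_at is not None:
            durations.append(round((ts - up_at).total_seconds(), 3))
            up_at = None
    return durations
```

On these lines the hub's adjacency with 192.168.0.11 lasts 60.094 seconds, and the spoke's Tunnel1 line protocol stays up for about 10 seconds each time.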

2 Replies

asmlicense
Level 1

I changed the MTU and TCP adjust on the HUB side and it helped a little.

It continues to flap, but not on all spokes now. Only on 2-3 of them.

I set:

ip mtu 1300

ip tcp adjust-mss 1260

 

Do you have any suggestions?

I just experienced this today on my IWAN deployment. 3/4 of my sites went down (at the same time); NHRP was working fine, but EIGRP was flapping. However, a router reboot at the spoke resolved the issue: as soon as I rebooted, the site came up fine. My MTU is set to 1400 (the default).

 

Have you had the issue again in the last month?
