EIGRP Flapping

Hi,

We are facing an issue with EIGRP flapping.

When we checked the interface, the bandwidth utilization is going above the allotted bandwidth, but no one is transferring the traffic.

We configured IPSec for packet encapsulation. Once the neighbourship came up, the tunnel is going down, and EIGRP is frequently flapping. I don't think the flapping is due to bandwidth. I need to fix the issue. If anyone has experience, please provide the steps to troubleshoot.

In the log I am observing these two messages frequently. Could you help me on this?

% CRYPTO-4-RECVD_PKT_INV_SPI:decaps:rec'd IPSEC Packet had valid spi for destaddr=<local ipaddress>,prot=50, spi=0XEB0A5D3A(3943324986),srcaddr=<remote ip address>. input interface=Gigabithethernet1/0/0

% CRYPTO-4-IKMP_NO_SA: IKE Message from <Remote ip address> had no SA and is not an initialization offer

%DUAL_5-NBR-CHANGE: EIGRP-IPv4 AS: Neigbor WAN IP < gi1/0/0> is down: PEER -Termination received

DUAL_5-NBR-CHANGE: EIGRP-IPv4 AS: Neigbor WAN IP < gi1/0/0> is up:new adjacency


Robert Mogan
Level 1

Hi Dineshkumar,

Not much to go on, but it looks like the tunnel is connecting at phase 1 (isakmp) but failing in phase 2 (ipsec):

% CRYPTO-4-IKMP_NO_SA: IKE Message from <Remote ip address> had no SA and is not an initialization offer

I think the above suggests that your ipsec parameters don't match.

Check the config on both sides to make sure the transform set is the same.

If you're still stuck, please post the following:

show crypto isakmp sa

show crypto ipsec sa

sho run | s crypto

Good luck

I can share the show crypto isakmp sa output on the local router.

IPv4 Crypto ISAKMP SA
dst                          src                                    state     conn-id   status
local interface address      Remote location 1 interface address    QM_IDLE   38040     ACTIVE
local interface address      Remote location 2 interface address    QM_IDLE   38037     ACTIVE
RL sec int address           local interface address                QM_IDLE   38041     ACTIVE

RL sec int address - Remote location secondary router interface address.

Due to EIGRP flapping I am not able to log in to the other router. I checked with the remote engineer; the transform set was the same on both sites.


Hi D,

The output above confirms that phase 1 (isakmp) has completed successfully. So you just need to double check what you're doing for phase 2.

It's difficult if you can't see both sides, but it's best to set up a phone call to check and agree the following ipsec settings with the other guy:
Encryption - esp-des, esp-3des or esp-aes?
Hashing - are you using esp-md5-hmac or esp-sha-hmac?
Group - have you set a Diffie-Hellman group? If so, what have you got: 1, 2, 5?
Lifetime - not so important, but best to agree on.

Once you are sure you are in agreement, check your config, paying attention to your transform set:

crypto ipsec transform-set mytset esp-3des esp-md5-hmac

crypto ipsec profile whateverUcalledIT
 set security-association lifetime seconds 86400
 set transform-set mytset

Make sure you are referencing the correct transform set - especially important if you have configured more than one.

Let us know how you get on.

Sorry, also to add: the transform set name is only locally important, so you can both use whatever name you want. It is important to make sure you reference it correctly in your own config:

crypto ipsec transform-set mytset esp-3des esp-md5-hmac

crypto ipsec profile whateverUcalledIT
 set security-association lifetime seconds 86400 
 set transform-set mytset

Cheers for now
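To make the checks Robert describes above repeatable (phase 1 confirmed by an ACTIVE QM_IDLE entry in show crypto isakmp sa, phase 2 suspected from the IKMP_NO_SA and invalid-SPI messages, and the transform-set parameters rather than their names compared between the two peers), here is an added Python example. It is not code from the thread or from Cisco; every address, syslog line and config fragment in it is a constructed placeholder, not output from the poster's routers, and the parsing only covers the line shapes shown in this thread.

```python
"""Correlate ISAKMP SA state, syslog mnemonics and both peers' transform-set
config into one phase-1 / phase-2 verdict.  Added example with constructed
sample data (placeholder addresses, modelled on the messages in the thread)."""
import re
from collections import Counter

# Constructed 'show crypto isakmp sa' output with placeholder addresses.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.1    QM_IDLE          38040 ACTIVE
203.0.113.1     198.51.100.2    QM_IDLE          38037 ACTIVE
"""

# Constructed syslog lines modelled on the messages quoted in the question.
SYSLOG = """\
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.1, prot=50, spi=0xEB0A5D3A(3943324986), srcaddr=198.51.100.1, input interface=GigabitEthernet1/0/0
%CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.1 has no SA and is not an initialization offer
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.0.0.2 (Tunnel0) is down: Peer Termination received
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.0.0.2 (Tunnel0) is up: new adjacency
"""

# Constructed config fragments for the two peers.  The transform-set NAMES differ
# on purpose (they are only locally significant); the hash and lifetime differ too.
LOCAL_CFG = """\
crypto ipsec transform-set trans2 esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec profile PROD
 set security-association lifetime seconds 86400
 set transform-set trans2
"""
REMOTE_CFG = """\
crypto ipsec transform-set trans1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile PROD
 set security-association lifetime seconds 3600
 set transform-set trans1
"""

SA_ROW = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")
MNEMONIC = re.compile(r"%([A-Z0-9_-]+):")


def parse_isakmp_sa(text):
    """One dict per SA row; title and header lines fail the numeric conn-id match."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, src, state, _conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state, "status": status})
    return rows


def phase1_up(sa_rows, peer):
    """Phase 1 with `peer` is complete when an ACTIVE QM_IDLE entry exists for it."""
    return any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"
               and peer in (r["src"], r["dst"]) for r in sa_rows)


def count_mnemonics(text):
    """Count syslog mnemonics such as CRYPTO-4-IKMP_NO_SA or DUAL-5-NBRCHANGE."""
    counts = Counter()
    for line in text.splitlines():
        m = MNEMONIC.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_phase2_params(cfg):
    """Resolve the transform set the ipsec profile references and return the
    parameters that must (encryption, hash) or should (lifetime) agree with the peer."""
    tsets, referenced, lifetime = {}, None, None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", s):
            tsets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"set transform-set (\S+)$", s):
            referenced = m.group(1)
        elif m := re.match(r"set security-association lifetime seconds (\d+)$", s):
            lifetime = int(m.group(1))
    transforms = tsets.get(referenced, [])
    return {
        "encryption": next((t for t in transforms if not t.endswith("-hmac")), None),
        "hash": next((t for t in transforms if t.endswith("-hmac")), None),
        "lifetime": lifetime,
        "set_defined": referenced in tsets,  # catches a typo in 'set transform-set'
    }


def compare_phase2(local_cfg, remote_cfg):
    """Breaking: encryption/hash differ or a referenced set is undefined.
    Advisory: lifetime differs (the peers settle on the shorter value)."""
    a, b = parse_phase2_params(local_cfg), parse_phase2_params(remote_cfg)
    breaking = [k for k in ("encryption", "hash") if a[k] != b[k]]
    if not (a["set_defined"] and b["set_defined"]):
        breaking.append("set_defined")
    advisory = ["lifetime"] if a["lifetime"] != b["lifetime"] else []
    return {"breaking": breaking, "advisory": advisory}


def diagnose(sa_text, syslog_text, local_cfg, remote_cfg, peer):
    """Combine the three evidence sources into one verdict dict."""
    counts = count_mnemonics(syslog_text)
    return {
        "phase1_up": phase1_up(parse_isakmp_sa(sa_text), peer),
        # NO_SA / invalid-SPI messages while phase 1 sits in QM_IDLE point at phase 2
        "phase2_suspect": counts["CRYPTO-4-IKMP_NO_SA"] + counts["CRYPTO-4-RECVD_PKT_INV_SPI"] > 0,
        "eigrp_nbr_changes": counts["DUAL-5-NBRCHANGE"],
        "mismatch": compare_phase2(local_cfg, remote_cfg),
    }


if __name__ == "__main__":
    print(diagnose(ISAKMP_SA, SYSLOG, LOCAL_CFG, REMOTE_CFG, "198.51.100.1"))
```

With the constructed inputs the verdict is phase 1 up, phase 2 suspect, two EIGRP neighbour changes, and a breaking mismatch on the hash (esp-md5-hmac versus esp-sha-hmac) plus an advisory one on the lifetime; to use it on a real case, paste the show output, the relevant syslog lines and the sanitised crypto sections of both routers into the four constants.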

Everything was fine, but we had not configured set security-association lifetime seconds 86400 on the device.

Is it all working now?

It's working fine now. But the issue is that we disconnected one of the devices from the local LAN, and now the link is working fine. But I don't know why the EIGRP flapping occurred and the IPsec error message was received, even though, as per my understanding, the router will forward broadcast packets.

We are using two separate tunnels for production and T&D.

Hi D

I guess you are using eigrp to advertise the T&D network, and the Tunnel interface IP range

Is it possible that you are also including the ip range of the tunnel destination in the same eigrp instance?

Hi D

You can reuse the transform set, but I believe it's best practice to use separate ones.

Just to get things straight - what is the output from: show crypto ipsec sa

Is the tunnel up?

Also, I'm a little confused: are you connecting 2 separate VPN tunnels between CPC & DC?

CPC======VPN1 Production Tunnel=====DC

CPC======VPN2 T&D Tunnel=========DC

Cheers

Hi Robert,

We have 3 locations:

CPC, DC, DR

At each location we have 2 routers, primary and secondary, for the production link.

One router at DC for the T&D link.

In the CPC unit, T&D is terminated on the primary production router.

Encryption - esp-aes at all three locations for the production and T&D links
Hashing - using esp-md5-hmac for the production and T&D links
Group - using 2.

Only one doubt I have:

In CPC it is the same router, so for the production link we created set transform-set trans2

T&D link at CPC: set transform-set trans1

but on the DR & DC production interface we used transform-set trans1

on the T&D link at DC we used transform-set trans1 on the T&D router

Is this the issue? But we did this configuration nearly 1 year before, and we did not face the problem previously. I need an explanation for that command only. I am much familiar with ipsec troubleshooting.


Hi Robert,

Is this the issue? But it was working fine from the initial configuration; why is it creating a problem now?

One of the locations:

set transform-set trans2

but the other 2 locations:

set transform-set trans1
