12-28-2018 06:31 AM - edited 03-05-2019 11:08 AM
We moved our circuit (VPLS) to a new location and are having issues with EIGRP neighbors; they are flapping sporadically (coming up in less than 4 sec).
Here is the config:
R1>>>>>>>>>>>
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 6 USER address 192.168.1.2 255.255.255.252
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto map WARN 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set AES-SHA
 match address 100
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 speed 100
 crypto map WARN
!
router eigrp 12
 neighbor 192.168.1.2 g0/0
 network 192.168.1.1 0.0.0.0
 network 192.168.20.5 0.0.0.0
 xxxx
 xxx
 redistribute static
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 10.200.255.25 192.168.20.5
R2>>>>>>>>>>>>
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 6 USER address 192.168.1.1 255.255.255.252
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto map WARN 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set AES-SHA
 match address 100
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.252
 speed 100
 crypto map WARN
!
router eigrp 12
 neighbor 192.168.1.2 g0/0
 network 192.168.1.2 0.0.0.0
xxxx
xxxx
xxx
We have "Hold time expired" in the R2 logs, and R1 has "interface peer termination received". Assuming we were having issues with the hold time, we adjusted hello to 5 and hold to 30, but we still have neighbor flaps. So we pointed the neighbors at each other, making them unicast neighbors, to see if the link has any multicast drops; still no luck.
We involved Cisco TAC, and they did not find any errors in the script and opened TIC# with the ISP for circuit issues, where they tested their circuit and said they don't have any issues.
Has anyone experienced the same issue and can guide me in the right direction to solve this one?
12-28-2018 09:54 AM
If R1 received a termination message and if R2 has hold time expired, then it appears that there may be some issue, and more likely it is with R2 (though it is possible that both are involved). Are there other log messages on R2? It might be helpful to run debug on R2 for EIGRP, looking especially for adjacency events.
You describe this as a move. Would we be correct in assuming that R2 is the one that moved? Are you sure that provisioning of the new connection for R2 is exactly like that of the previous site?
Are R1 and R2 able to communicate successfully?
When I see IPsec and EIGRP both in the configuration I generally see some type of tunneling. But there is not any in what you have posted. Is this correct? Did this same configuration work before the move?
Perhaps you can post the content of the acl used by each side to identify traffic to be encrypted?
HTH
Rick
12-28-2018 12:55 PM
Yes, R2 is the one that moved, and R1 was upgraded to an ISR 4331 as well. This configuration has been up and running for a long time on the 2900 series and had no issues.
No other logs at this time, but to see more we attached BFD to EIGRP at one point and saw a log, RX down. From that we assumed that there is a circuit problem and opened a ticket with the ISP, which did not help.
12-28-2018 01:30 PM
When it was running on the 2900 were you configuring the neighbor under eigrp then as you are now?
HTH
Rick
12-28-2018 02:10 PM
I see that there is another version of this discussion and that Georg and Peter have made responses in that discussion. I suggest that we focus our attention on that discussion and not do anything further with this thread.
HTH
Rick
12-29-2018 06:36 AM
Sure, thank you