04-03-2023 04:48 AM
We have IPsec tunnels between different DCs and they are working fine with static routing. For dynamic routing I have configured OSPF between them; one end is Huawei and the other end is an ISR4400. On the Huawei end I can receive and send Hello packets, but at the ISR end I can only see Hello packets sent on the Tunnel interface, no Hello received. We have different VRFs at the ISR end. Can we run OSPF over a tunnel interface? And secondly, if I can send Hellos over ESP, why can't I receive them?
interface Tunnel1
vrf forwarding xyz
ip address x.x.x.x 255.255.255.252
ip tcp adjust-mss 1350
ip ospf network point-to-point
ip ospf 600 area 0
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel vrf xyz
tunnel protection ipsec profile abc
04-03-2023 04:52 AM
Your tunnel is VRF aware.
Are you sure you configured:
OSPF VRF aware (use tunnel vrf)
IPsec key VRF aware (use tunnel source vrf)
04-03-2023 05:09 AM
OSPF is VRF aware as well as the tunnel interface, PFB.
router ospf 600 vrf abc
router-id x.x.x.x
log-adjacency-changes detail
capability vrf-lite
network x.x.x.x 0.0.0.3 area 0
04-03-2023 05:16 AM - edited 04-03-2023 05:42 AM
Show crypto ipsec sa <<- share this please
04-03-2023 05:33 AM
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr x.x.x.x
protected vrf: abc
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2700631871, #pkts encrypt: 2700631871, #pkts digest: 2700631871
#pkts decaps: 1725822288, #pkts decrypt: 1725822288, #pkts verify: 1725822288
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1056
local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1.220
current outbound spi: 0xB1E1E6C(186523244)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1AFB747(28292935)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 11465, flow_id: ESG:9465, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607889/2682)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB1E1E6C(186523244)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 11466, flow_id: ESG:9466, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607781/2682)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
04-03-2023 07:11 AM
Your last post delete,
I think I found the issue.
Can you use the same MTU under the tunnel on both ends?
04-03-2023 07:17 AM
MTU is the same at both ends.
At Huawei End
Route Port,The Maximum Transmit Unit is 1438
Tunnel transport MTU 1438 bytes
at Cisco end
on both the tunnel interfaces it's the same.
04-03-2023 07:19 AM
Sorry, your original post doesn't show the MTU config; just confirm that you configured the right MTU under the tunnel.
04-03-2023 07:23 AM
Yes, under the tunnel interface the same MTU is configured at both ends.
04-03-2023 07:45 AM
Did you configure it under the tunnel or the interface of the tunnel source?
04-03-2023 09:31 AM
Tunnel, not under the interface of the tunnel source.
04-04-2023 04:08 AM
just to update you
run lab and do more test today
I will share the result, hopefully today
have a nice day
04-04-2023 04:55 AM
Thanks
04-04-2023 04:35 PM
#recv errors 1056 <<-
Can you monitor this value: does it increase for each OSPF hello received?
04-04-2023 10:13 PM
It's the same during that period of time.
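The counter check requested in the last exchange can be done by diffing two `show crypto ipsec sa` snapshots. The following is an added example, not code from any poster in this thread: the second snapshot, the 60-second gap and the 10-second hello interval are assumptions, and the function names are hypothetical.

```python
import re

# Matches "#pkts decaps: 123" and "#recv errors 1056" as printed by "show crypto ipsec sa".
COUNTER_RE = re.compile(r"#([a-z. ]+?):? (\d+)")

# Constructed snapshots: BEFORE reuses the counters posted in the thread,
# AFTER is an invented reading taken 60 seconds later.
SNAP_BEFORE = """
#pkts encaps: 2700631871, #pkts encrypt: 2700631871, #pkts digest: 2700631871
#pkts decaps: 1725822288, #pkts decrypt: 1725822288, #pkts verify: 1725822288
#send errors 0, #recv errors 1056
"""
SNAP_AFTER = """
#pkts encaps: 2700639120, #pkts encrypt: 2700639120, #pkts digest: 2700639120
#pkts decaps: 1725829000, #pkts decrypt: 1725829000, #pkts verify: 1725829000
#send errors 0, #recv errors 1056
"""

def parse_counters(text):
    """Return {counter name: value} for every '#name: value' or '#name value' pair."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}

def assess(before, after, seconds, hello_interval=10):
    """Compare two snapshots taken `seconds` apart.

    hello_interval is an assumption (10 s); set it to the configured value.
    """
    b, a = parse_counters(before), parse_counters(after)
    deltas = {k: a[k] - b[k] for k in b if k in a}
    expected = seconds // hello_interval
    return {
        "expected_hellos": expected,
        "decaps_delta": deltas["pkts decaps"],
        "recv_errors_delta": deltas["recv errors"],
        # True only if errors grew at least once per expected hello.
        "errors_track_hellos": expected > 0 and deltas["recv errors"] >= expected,
        # A negative delta means counters restarted (e.g. a new SA), so the
        # comparison is not meaningful and both snapshots should be retaken.
        "counters_reset": any(v < 0 for v in deltas.values()),
    }

if __name__ == "__main__":
    for key, value in assess(SNAP_BEFORE, SNAP_AFTER, 60).items():
        print(f"{key}: {value}")
```

With these constructed readings, decaps keeps rising while `recv errors` stays flat, which is the situation the original poster reports: that counter does not account for the missing hellos.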