IPSEC on Tunnel interface cannot Receive Hello packet from OSPF Peer

We have IPsec tunnels between different DCs and they are working fine with static routing. For dynamic routing I have configured OSPF between them; one end is Huawei and the other end is an ISR4400. On the Huawei end I can receive and send Hello packets, but at the ISR end I can only see Hello packets sent on the Tunnel interface, no Hello received. We have a different VRF at the ISR end. Can we run OSPF over a tunnel interface? And secondly, if I can send Hellos over ESP, why can I not receive them?

 

interface Tunnel1
vrf forwarding xyz
ip address x.x.x.x 255.255.255.252
ip tcp adjust-mss 1350
ip ospf network point-to-point
ip ospf 600 area 0
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel vrf xyz
tunnel protection ipsec profile abc
 

29 Replies

Your tunnel is VRF aware.

Are you sure you configured:

OSPF VRF aware (use tunnel vrf)

IPsec key VRF aware (use tunnel source vrf)

OSPF is VRF aware as well as the tunnel interface, PFB.
router ospf 600 vrf abc
router-id x.x.x.x
log-adjacency-changes detail
capability vrf-lite
network x.x.x.x 0.0.0.3 area 0

Show crypto ipsec sa <<- share this please 

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr x.x.x.x

protected vrf: abc
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2700631871, #pkts encrypt: 2700631871, #pkts digest: 2700631871
#pkts decaps: 1725822288, #pkts decrypt: 1725822288, #pkts verify: 1725822288
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1056

local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1.220
current outbound spi: 0xB1E1E6C(186523244)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x1AFB747(28292935)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 11465, flow_id: ESG:9465, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607889/2682)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB1E1E6C(186523244)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 11466, flow_id: ESG:9466, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607781/2682)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

Your last post was deleted,

I think I found the issue,

Can you use the same MTU under the tunnel on both ends?

The MTU is the same at both ends.
At Huawei End
Route Port,The Maximum Transmit Unit is 1438

Tunnel transport MTU 1438 bytes
at Cisco end
On both tunnel interfaces it is the same.
Sorry, your original post does not show the MTU config; just confirm that you configured the right MTU under the tunnel.

Yes, under the tunnel interface the same MTU is configured at both ends.

Did you configure it under the tunnel or under the interface of the tunnel source?

Under the tunnel, not under the interface of the tunnel source.

Just to update you:
I will run a lab and do more tests today.
I will share the results, hopefully today.

Have a nice day

Thanks

#recv errors 1056  <<-

Can you monitor this value? Does it increase for each OSPF Hello received?

It's the same during that period of time.
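The check suggested in the last replies, sampling `#recv errors` and seeing whether it grows with each OSPF Hello, as an added example that is not part of the thread: a small Python script that pulls the counters out of two `show crypto ipsec sa` snapshots and compares the growth of recv errors with the number of Hellos a point-to-point OSPF neighbor sends at the default 10-second interval. The first snapshot reuses the counters posted above; the second snapshot and the elapsed time are constructed for illustration, and the verdict is a heuristic.

```python
import re

# Constructed sample: the counter lines from the thread's `show crypto ipsec sa`
# output, plus a second snapshot taken 60 seconds later (values invented here).
SNAPSHOT_T0 = """\
#pkts encaps: 2700631871, #pkts encrypt: 2700631871, #pkts digest: 2700631871
#pkts decaps: 1725822288, #pkts decrypt: 1725822288, #pkts verify: 1725822288
#send errors 0, #recv errors 1056
"""
SNAPSHOT_T60 = """\
#pkts encaps: 2700631901, #pkts encrypt: 2700631901, #pkts digest: 2700631901
#pkts decaps: 1725822300, #pkts decrypt: 1725822300, #pkts verify: 1725822300
#send errors 0, #recv errors 1062
"""

# Only these four counters matter for the check; the optional colon handles the
# "#send errors N, #recv errors N" line, which has no colon in the IOS output.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")
WANTED = ("pkts encaps", "pkts decaps", "send errors", "recv errors")


def parse_counters(text):
    """Return {counter_name: value} for the four counters, or raise if one is absent."""
    found = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = [name for name in WANTED if name not in found]
    if missing:
        raise ValueError(f"counters not found in output: {missing}")
    return found


def hello_error_check(before, after, elapsed_s, hello_interval=10):
    """Compare the growth of 'recv errors' between two snapshots with the number of
    OSPF Hellos the peer sends in that time (one per hello_interval seconds)."""
    delta = {name: after[name] - before[name] for name in WANTED}
    expected_hellos = elapsed_s // hello_interval
    if expected_hellos > 0 and delta["recv errors"] >= expected_hellos:
        verdict = "tracks_hello_rate"  # errors grow at least once per expected Hello
    elif delta["recv errors"] == 0:
        verdict = "flat"               # Hellos are not being counted as recv errors
    else:
        verdict = "partial"            # some growth, but slower than the Hello rate
    return {"recv_errors_delta": delta["recv errors"],
            "decaps_delta": delta["pkts decaps"],
            "expected_hellos": expected_hellos,
            "verdict": verdict}


if __name__ == "__main__":
    print(hello_error_check(parse_counters(SNAPSHOT_T0),
                            parse_counters(SNAPSHOT_T60), elapsed_s=60))
```

A "flat" verdict, as reported in the thread, means the missing Hellos are not failing inside IPsec on this box and the transport path or the peer side needs to be checked instead.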
