IPSEC on Tunnel interface cannot Receive Hello packet from OSPF Peer
04-03-2023 04:48 AM
We have IPsec tunnels between different DCs and they are working fine with static routing. For dynamic routing I have configured OSPF between them; one end is Huawei and the other end is an ISR4400. On the Huawei end I can receive and send Hello packets, but at the ISR end I can only see Hello packets sent on the Tunnel interface, no Hello received. We have a different VRF at the ISR end. Can we run OSPF over the tunnel interface? And secondly, if I can send Hellos over ESP, why can I not receive them?
interface Tunnel1
vrf forwarding xyz
ip address x.x.x.x 255.255.255.252
ip tcp adjust-mss 1350
ip ospf network point-to-point
ip ospf 600 area 0
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel vrf xyz
tunnel protection ipsec profile abc
Labels: Routing Protocols
04-03-2023 04:52 AM
Your tunnel is VRF aware.
Are you sure you configured:
OSPF VRF aware (use tunnel vrf)
IPsec key VRF aware (use tunnel source vrf)
04-03-2023 05:09 AM
OSPF is VRF aware as well as the tunnel interface, PFB.
router ospf 600 vrf abc
router-id x.x.x.x
log-adjacency-changes detail
capability vrf-lite
network x.x.x.x 0.0.0.3 area 0
04-03-2023 05:16 AM - edited 04-03-2023 05:42 AM
show crypto ipsec sa <<- share this please
04-03-2023 05:33 AM
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr x.x.x.x
protected vrf: abc
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2700631871, #pkts encrypt: 2700631871, #pkts digest: 2700631871
#pkts decaps: 1725822288, #pkts decrypt: 1725822288, #pkts verify: 1725822288
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1056
local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1.220
current outbound spi: 0xB1E1E6C(186523244)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1AFB747(28292935)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 11465, flow_id: ESG:9465, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607889/2682)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB1E1E6C(186523244)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 11466, flow_id: ESG:9466, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607781/2682)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
04-03-2023 07:11 AM
Your last post deleted,
I think I found the issue.
Can you use the same MTU under the tunnel on both ends?
04-03-2023 07:17 AM
MTU is the same at both ends.
At Huawei end:
Route Port,The Maximum Transmit Unit is 1438
Tunnel transport MTU 1438 bytes
At Cisco end:
On both tunnel interfaces it's the same.
04-03-2023 07:19 AM
Sorry, your original post doesn't show the MTU config; just confirm that you configured the right MTU under the tunnel.
04-03-2023 07:23 AM
Yes, under the tunnel interface the same MTU is configured at both ends.
04-03-2023 07:45 AM
Did you configure it under the tunnel or under the tunnel source interface?
04-03-2023 09:31 AM
Under the tunnel, not under the tunnel source interface.
04-04-2023 04:08 AM
Just to update you:
I will run a lab and do more tests today.
I will share the result today, hopefully.
Have a nice day.
04-04-2023 04:55 AM
Thanks
04-04-2023 04:35 PM
#recv errors 1056 <<-
Can you monitor this value? Does it increase for each OSPF Hello received?
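A small helper, added here and not taken from the thread, to do the check suggested above: take two `show crypto ipsec sa` snapshots a known number of seconds apart, diff the counters, and see whether `#recv errors` advances roughly once per expected OSPF Hello (10 s default on a point-to-point network). The two samples below are constructed in the shape of the output posted earlier; only the counter names come from the page.

```python
import re

# Constructed snapshots (values invented; counter names as in "show crypto ipsec sa").
SAMPLE_T0 = """\
interface: Tunnel1
    #pkts encaps: 2700631871, #pkts encrypt: 2700631871, #pkts digest: 2700631871
    #pkts decaps: 1725822288, #pkts decrypt: 1725822288, #pkts verify: 1725822288
    #send errors 0, #recv errors 1056
"""
SAMPLE_T1 = """\
interface: Tunnel1
    #pkts encaps: 2700631890, #pkts encrypt: 2700631890, #pkts digest: 2700631890
    #pkts decaps: 1725822300, #pkts decrypt: 1725822300, #pkts verify: 1725822300
    #send errors 0, #recv errors 1062
"""

# Counters worth watching: inbound decaps/decrypt/verify and the error counters.
COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|decaps|decrypt|verify)|send errors|recv errors):?\s+(\d+)"
)


def parse_counters(text):
    """Return {counter name: value} from one snapshot of the show output."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}


def counter_delta(before, after):
    """Per-counter growth between two snapshots of the same SA."""
    a, b = parse_counters(before), parse_counters(after)
    return {k: b[k] - a[k] for k in a if k in b}


def hello_loss_suspected(delta, window_s, hello_interval_s=10, tolerance=1):
    """True if recv errors grew by about one per Hello expected in the window."""
    expected = window_s // hello_interval_s
    return abs(delta.get("recv errors", 0) - expected) <= tolerance


def diagnose(delta, window_s):
    """Point the troubleshooting at IPsec or above it, based on the counter deltas."""
    if hello_loss_suspected(delta, window_s):
        return "recv errors track the Hello rate: inbound packets dropped by IPsec"
    if delta.get("pkts decaps", 0) > 0:
        return "decaps grow, recv errors flat: look above IPsec (OSPF, VRF, ACL)"
    return "no inbound traffic on this SA: check the SA selection or the far end"
```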
04-04-2023 10:13 PM
It's the same during that time period.
