06-22-2022 01:26 PM - last edited on 06-24-2022 02:19 AM by Translator
I'm having trouble bringing up ISIS over GRE over VTI-based IPsec. If anyone has insight on ISIS over VTI-based IPsec directly (i.e. without the intermediate GRE), that would be awesome too. I've seen a lot of guides showing how to do ISIS over GRE over crypto-map IPsec, but I'm not getting ISIS to work over VTI-based IPsec.
One router's configuration is below; the other router is identical except that the local/remote IP addresses are swapped and it's an ASR1k with adventerprise. The physical interfaces are connected to the same switch on the same VLAN, and as you can see in the config the IPs are on the same subnet.
Symptoms:
"debug isis adj-packets" shows IIH sent, but not received.
Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
Name Default RD Protocols Interfaces
Mgmt-vrf <not set> ipv4,ipv6 Gi0/0/0
Tunnel <not set> ipv4,ipv6 Lo1
Tu10
Tu11
internet <not set> ipv4,ipv6 Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy test
proposal test
!
crypto ikev2 keyring test
peer 10.76.16.4
address 10.76.16.4
pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
match fvrf internet
match address local interface GigabitEthernet0/0/1
match identity remote address 10.76.16.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local test
lifetime 3600
dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
set transform-set test
set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
key 1
key-string 7 [redacted but it works on GRE-only]
!
router isis
net 49.0000.1281.9725.4051.00
is-type level-2-only
metric-style wide
log-adjacency-changes
redistribute connected
redistribute static ip
passive-interface default
no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
description Loopback0 default routing table
ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
description test ipsec tunnel for isis-over-ipsec with asr1k
bandwidth 1000000
ip address 128.197.255.173 255.255.255.254
no ip unreachables
ip tcp adjust-mss 1379
history BPS all
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 10.76.16.4
tunnel vrf internet
tunnel protection ipsec profile test
ip virtual-reassembly
!
interface Tunnel3
description test gre tunnel for isis-over-ipsec with asr1k
ip address 128.197.255.171 255.255.255.254
ip router isis
history BPS all
tunnel source GigabitEthernet0/0/1
tunnel destination 128.197.255.172
tunnel vrf internet
clns mtu 512
isis authentication mode md5
isis authentication key-chain isis-password
no isis hello padding
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
vrf forwarding internet
ip address 10.76.16.63 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
Cat8200#
06-24-2022 01:54 PM - edited 06-24-2022 10:21 PM
And... found another error prior to opening a TAC case: Tunnel3 had "tunnel vrf internet", which was part of an earlier troubleshooting effort that I forgot to remove. After clearing that, ISIS adjacencies formed right away, routes were exchanged, and pings worked perfectly. Pasting the complete config here for reference.
Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
Name Default RD Protocols Interfaces
Mgmt-vrf <not set> ipv4,ipv6 Gi0/0/0
Tunnel <not set> ipv4,ipv6 Lo1
Tu10
Tu11
internet <not set> ipv4,ipv6 Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy test
proposal test
!
crypto ikev2 keyring test
peer 10.76.16.4
address 10.76.16.4
pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
match fvrf internet
match address local interface GigabitEthernet0/0/1
match identity remote address 10.76.16.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local test
lifetime 3600
dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
set transform-set test
set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
key 1
key-string 7 [redacted]
!
router isis
net 49.0000.1281.9725.4051.00
is-type level-2-only
metric-style wide
log-adjacency-changes
redistribute connected
redistribute static ip
passive-interface default
no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
description Loopback0 default routing table
ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
description test ipsec tunnel for isis-over-ipsec with asr1k
bandwidth 1000000
ip address 128.197.255.173 255.255.255.254
no ip unreachables
ip tcp adjust-mss 1379
history BPS all
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 10.76.16.4
tunnel vrf internet
tunnel protection ipsec profile test
ip virtual-reassembly
!
interface Tunnel3
description test gre tunnel for isis-over-ipsec with asr1k
ip address 128.197.255.171 255.255.255.254
ip router isis
history BPS all
tunnel source Tunnel2
tunnel destination 128.197.255.172
isis authentication mode md5
isis authentication key-chain isis-password
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
vrf forwarding internet
ip address 10.76.16.63 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
Cat8200#
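As an added example (not the poster's code), a short Python linter over the stanzas quoted in this post: it flags the root cause found here, a GRE tunnel whose "tunnel vrf" disagrees with the VRF of its "tunnel source" interface, and also flags the "esp-aes 256" transform set, which as configured carries no integrity transform (the poster's later "show crypto ipsec sa" output reports "replay detection support: N" for the same reason). The sample configs are constructed from the stanzas above; "esp-sha256-hmac" in the fixed variant is the integrity transform this example adds, not something from the thread.

```python
"""Lint IOS tunnel stanzas for the two issues visible in this thread.
Added example, not the poster's code; sample configs are constructed from the thread."""

# Before the fix: Tunnel3 still carries the stray "tunnel vrf internet".
BROKEN_CONFIG = """\
crypto ipsec transform-set test esp-aes 256
 mode tunnel
!
interface Tunnel2
 ip address 128.197.255.173 255.255.255.254
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.4
 tunnel vrf internet
 tunnel protection ipsec profile test
!
interface Tunnel3
 ip address 128.197.255.171 255.255.255.254
 ip router isis
 tunnel source Tunnel2
 tunnel destination 128.197.255.172
 tunnel vrf internet
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
 ip address 10.76.16.63 255.255.255.0
"""
# After the fix from this post, plus an integrity transform added to ESP (assumed).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " tunnel destination 128.197.255.172\n tunnel vrf internet\n",
    " tunnel destination 128.197.255.172\n",
).replace("esp-aes 256\n", "esp-aes 256 esp-sha256-hmac\n")

# ESP transforms that authenticate the payload: HMACs and AEAD/combined modes.
INTEGRITY_TRANSFORMS = ("esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac",
                        "esp-sha384-hmac", "esp-sha512-hmac")
COMBINED_MODE_PREFIXES = ("esp-gcm", "esp-gmac")


def parse_stanzas(config: str) -> dict[str, list[str]]:
    """Map each top-level IOS line to its indented children; '!' lines are skipped."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas

def interface_vrf(stanzas, name):
    """VRF an interface's addresses live in; None means the global table."""
    for child in stanzas.get(f"interface {name}", []):
        if child.startswith("vrf forwarding "):
            return child.split()[2]
    return None

def check_tunnel_vrfs(stanzas):
    """Flag tunnels whose 'tunnel vrf' differs from the VRF of the source interface."""
    # Transport packets are routed in the tunnel vrf table (global when unset), so a
    # source in another table leaves the destination unreachable while the tunnel
    # still shows up/up: the one-way IIH symptom described in this thread.
    findings = []
    for head, children in stanzas.items():
        if not head.startswith("interface Tunnel"):
            continue
        name, source, transport_vrf = head.split()[1], None, None
        for child in children:
            if child.startswith("tunnel source "):
                source = child.split()[2]
            elif child.startswith("tunnel vrf "):
                transport_vrf = child.split()[2]
        if source is None or source[0].isdigit():
            continue  # no source, or source given as an address (not resolved here)
        source_vrf = interface_vrf(stanzas, source)
        if source_vrf != transport_vrf:
            findings.append(f"{name}: tunnel vrf {transport_vrf or 'global'} but "
                            f"source {source} is in vrf {source_vrf or 'global'}")
    return findings

def check_transform_sets(stanzas):
    """Flag ESP transform sets that encrypt without any integrity transform."""
    findings = []
    for head in stanzas:
        if not head.startswith("crypto ipsec transform-set "):
            continue
        name, *transforms = head.split()[3:]
        if not any(t in INTEGRITY_TRANSFORMS or t.startswith(COMBINED_MODE_PREFIXES)
                   for t in transforms):
            findings.append(f"transform-set {name}: no integrity transform "
                            f"in '{' '.join(transforms)}'")
    return findings

def lint(config: str) -> list[str]:
    """Run both checks over one running-config excerpt."""
    stanzas = parse_stanzas(config)
    return check_tunnel_vrfs(stanzas) + check_transform_sets(stanzas)
```

Running lint() over the broken excerpt yields two findings (Tunnel3 and the transform set); the fixed excerpt is clean.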
06-23-2022 07:53 PM - edited 06-24-2022 05:52 AM
I realized I had the wrong source interface for the GRE tunnel. Corrected config below for the reference of anyone who's looking for this later.
I still have a problem in that "show ip traffic" shows counters increasing, but not correctly: one router will send and receive, the other router sends but does not receive. I've corroborated this a few ways: with an in and an out ACL applied to the interface with "permit icmp any any log" that reports ping messages in one direction, I see ISIS IIH messages successfully passing in one direction but not the other, and I see CLNS neighbor data on one router but not the other (pings across the IPsec tunnel always succeed, and unencrypted GRE works fine to bring up ISIS routing).
With the fixed config, the symptoms are different enough to warrant a different post, so I'll follow up separately.
Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
Name Default RD Protocols Interfaces
Mgmt-vrf <not set> ipv4,ipv6 Gi0/0/0
Tunnel <not set> ipv4,ipv6 Lo1
Tu10
Tu11
internet <not set> ipv4,ipv6 Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy test
proposal test
!
crypto ikev2 keyring test
peer 10.76.16.4
address 10.76.16.4
pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
match fvrf internet
match address local interface GigabitEthernet0/0/1
match identity remote address 10.76.16.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local test
lifetime 3600
dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
set transform-set test
set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
key 1
key-string 7 [redacted]
!
router isis
net 49.0000.1281.9725.4051.00
is-type level-2-only
metric-style wide
log-adjacency-changes
redistribute connected
redistribute static ip
passive-interface default
no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
description Loopback0 default routing table
ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
description test ipsec tunnel for isis-over-ipsec with asr1k
bandwidth 1000000
ip address 128.197.255.173 255.255.255.254
no ip unreachables
ip tcp adjust-mss 1379
history BPS all
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 10.76.16.4
tunnel vrf internet
tunnel protection ipsec profile test
ip virtual-reassembly
!
interface Tunnel3
description test gre tunnel for isis-over-ipsec with asr1k
ip address 128.197.255.171 255.255.255.254
ip router isis
history BPS all
tunnel source Tunnel2
tunnel destination 128.197.255.172
tunnel vrf internet
clns mtu 512
isis authentication mode md5
isis authentication key-chain isis-password
no isis hello padding
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
vrf forwarding internet
ip address 10.76.16.63 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
Cat8200#
06-23-2022 11:17 PM
Hello,
Little documentation (if any at all) available indeed...
Can you post the full running configs (sh run) of both sides so we can lab this up?
06-24-2022 10:20 PM
I can go into detail on the "why" of a lot of these configs, but for simplicity I'll skip that unless asked.
Cat8200#sh run
Building configuration...

Current configuration : 16455 bytes
!
! Last configuration change at 19:03:49 EDT Fri Jun 24 2022 by weylin
! NVRAM config last updated at 19:03:59 EDT Fri Jun 24 2022 by weylin
!
version 17.6
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 250M
!
hostname Cat8200
!
boot-start-marker
boot system bootflash:c8000be-universalk9.17.06.02.SPA.bin
boot-end-marker
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition Tunnel
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition internet
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret [redacted]
!
aaa new-model
!
aaa group server tacacs+ TACACS_GROUP
 server name tacacs01
 server name tacacs02
 ip tacacs source-interface Loopback0
!
aaa authentication [redacted]
aaa authorization [redacted]
aaa accounting [redacted]
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
ip name-server [redacted]
ip name-server vrf Mgmt-vrf [redacted]
ip domain lookup source-interface Loopback0
!
login on-success log
!
subscriber templating
!
vtp mode off
udld recovery
udld recovery interval 90
!
multilink bundle-name authenticated
!
key chain isis-password
 key 1
  key-string [redacted]
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check none
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  [redacted]
  quit
!
crypto pki certificate pool
! ('certificate ca' cmd has been deprecated. Downloaded
! Trustpool certificates should be re-downloaded
! using 'crypro pki trustpool import url <url>')
!
no license feature hseck9
license udi pid C8200-1N-4T sn [redacted]
license boot level network-essentials addon dna-essentials
license smart url cslu https://[redacted]
archive
 log config
  record rc
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
 path bootflash:
 maximum 14
 write-memory
memory free low-watermark processor 68302
!
diagnostic bootup level complete
diagnostic monitor syslog
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 8192
errdisable flap-setting cause link-flap max-flaps 100 time 1800
errdisable recovery interval 60
!
username admin secret [redacted]
!
redundancy
 mode none
!
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy test
 proposal test
!
crypto ikev2 keyring test
 peer 10.76.16.4
  address 10.76.16.4
  pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
 match fvrf internet
 match address local interface GigabitEthernet0/0/1
 match identity remote address 10.76.16.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local test
 lifetime 3600
 dpd 10 5 on-demand
!
lldp run
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile test
 set transform-set test
 set ikev2-profile test
!
interface Loopback0
 description Loopback0 default routing table
 ip address [redacted] 255.255.255.255
!
interface Loopback1
 description vrf Tunnel loopback
 vrf forwarding Tunnel
 no ip address
!
interface Tunnel2
 description test ipsec tunnel for isis-over-ipsec with asr1k
 ip address 10.76.1.9 255.255.255.254
 ip tcp adjust-mss 1379
 history BPS all
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.4
 tunnel vrf internet
 tunnel protection ipsec profile test
 clns mtu 512
 ip virtual-reassembly
!
interface Tunnel3
 description test gre tunnel for isis-over-ipsec with asr1k
 ip address 10.76.1.11 255.255.255.254
 ip router isis
 history BPS all
 tunnel source Tunnel2
 tunnel destination 10.76.1.8
 isis authentication mode md5
 isis authentication key-chain isis-password
 ip virtual-reassembly
!
interface Tunnel10
 description guest network "core" router #1
 bandwidth 1000000
 vrf forwarding Tunnel
 ip address [redacted] 255.255.255.254
 no ip redirects
 ip mtu 1414
 ip ospf authentication message-digest
 ip ospf message-digest-key [redacted]
 ip ospf network point-to-point
 ip ospf 204 area 0
 history BPS
 cdp enable
 tunnel source Loopback0
 tunnel destination [redacted]
!
interface Tunnel11
 description guest network "core" router #2
 bandwidth 1000000
 vrf forwarding Tunnel
 ip address [redacted] 255.255.255.254
 no ip redirects
 ip mtu 1414
 ip ospf authentication message-digest
 ip ospf message-digest-key [redacted]
 ip ospf network point-to-point
 ip ospf 204 area 0
 history BPS
 cdp enable
 tunnel source Loopback0
 tunnel destination [redacted]
!
interface GigabitEthernet0/0/0
 description OOB Mgmt
 vrf forwarding Mgmt-vrf
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group Management:in in
 negotiation auto
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
 ip address 10.76.16.63 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
!
router ospf 204 vrf Tunnel
 log-adjacency-changes detail
 redistribute connected
 redistribute static
 passive-interface default
!
router isis
 net 49.0000.[redacted].00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 redistribute connected
 redistribute static ip
 passive-interface default
 no passive-interface Tunnel3
!
ip telnet source-interface Loopback0
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip forward-protocol nd
ip tftp source-interface Loopback0
ip tftp blocksize 8192
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
ip access-list standard SNMP-ro
 10 remark filter restricting access to SNMP polling
 20 permit [redacted]
!
ip access-list standard ntp-peer
 10 remark NTP servers
 20 permit [redacted]
!
ip access-list extended Management:in
 10 permit ip any any
ip access-list extended line-vty:in
 10 permit [redacted]
!
logging trap debugging
logging origin-id hostname
logging facility local4
logging source-interface Loopback0
logging host [redacted]
!
snmp-server community [redacted] RO SNMP-ro
snmp-server trap-source Loopback0
snmp-server contact [redacted]
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host [redacted]
!
tacacs server tacacs01
 address ipv4 [redacted]
 key [redacted]
tacacs server tacacs02
 address ipv4 [redacted]
 key [redacted]
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
banner motd ^C
+------------------------------------+
| [redacted]                         |
+------------------------------------+
| !! WARNING !!                      |
| AUTHORIZED ACCESS ONLY!            |
| Access to this system is permitted |
| for authorized persons only. All   |
| connections are logged and         |
| monitored. By accessing this       |
| system, you acknowledge that use   |
| of this and any other technology   |
| at [redacted] is subject to        |
| the terms of [redacted], please    |
| see: http://[redacted]             |
| for details.                       |
+------------------------------------+
^C
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 session-timeout 15
 access-class line-vty:in in vrf-also
 exec-timeout 15 0
 session-limit 64
 transport preferred none
 transport input ssh
 transport output ssh
line vty 5 97
 session-timeout 15
 access-class line-vty:in in vrf-also
 exec-timeout 15 0
 session-limit 64
 transport preferred none
 transport input ssh
 transport output ssh
!
call-home
 contact-email-addr [redacted]
 no http secure server-identity-check
 profile "CiscoTAC-1"
  active
  destination transport-method http
  destination address http https://[redacted]
  no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
ntp source Loopback0
ntp access-group peer ntp-peer
ntp server [redacted]
!
end
Cat8200#
clab-asr1002x-01#sh run
Building configuration...

Current configuration : 8494 bytes
!
! Last configuration change at 13:55:42 UTC Fri Jun 24 2022 by weylin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname clab-asr1002x-01
!
boot-start-marker
boot system flash bootflash:asr1002x-universalk9.16.06.06.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret [redacted]
!
aaa new-model
!
aaa group server tacacs+ TACACS_GROUP
 server name tacacs01
 server name tacacs02
!
aaa authentication [redacted]
aaa authorization [redacted]
aaa accounting [redacted]
!
aaa session-id common
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
key chain isis-password
 key 1
  key-string [redacted]
!
crypto pki trustpoint TP-self-signed-3027023122
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3027023122
 revocation-check none
 rsakeypair TP-self-signed-3027023122
!
crypto pki certificate chain TP-self-signed-3027023122
 certificate self-signed 01
  [redacted]
  quit
!
license udi pid ASR1002-X sn [redacted]
license solution level securityk9
spanning-tree extend system-id
diagnostic bootup level minimal
!
user-name admin
 creation-time 1655583726
 secret [redacted]
!
redundancy
 mode none
!
crypto ikev2 proposal proposal-Cat8200
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy policy-Cat8200
 proposal proposal-Cat8200
!
crypto ikev2 keyring ikev2-keyring-Cat8200
 peer 10.76.16.63
  address 10.76.16.63
  pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile ikev2-profile-Cat8200
 match address local interface Port-channel1.2000
 match identity remote address 10.76.16.63 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring-Cat8200
 lifetime 3600
 dpd 10 5 on-demand
!
lldp run
cdp run
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ikev2-transform-Cat8200 esp-aes 256
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-profile-Cat8200
 set transform-set ikev2-transform-Cat8200
 set ikev2-profile ikev2-profile-Cat8200
!
interface Port-channel1
 no ip address
 no negotiation auto
!
interface Port-channel1.920
 description ISIS with lab 6807
 encapsulation dot1Q 920
 ip address 10.76.1.7 255.255.255.254
 ip router isis
 isis network point-to-point
 isis authentication mode md5
 isis authentication key-chain isis-password
!
interface Port-channel1.2000
 encapsulation dot1Q 2000
 ip address 10.76.16.4 255.255.255.0
!
interface Port-channel1.2800
 encapsulation dot1Q 2800 native
!
interface Tunnel0
 description test ipsec tunnel for isis-over-ipsec with cat8200
 ip address 10.76.1.8 255.255.255.254
 ip tcp adjust-mss 1379
 history BPS all
 tunnel source Port-channel1.2000
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.63
 tunnel protection ipsec profile ipsec-profile-Cat8200
 ip virtual-reassembly
!
interface Tunnel1
 description gre tunnel for isis-over-gre with cat8200
 ip address 10.76.1.10 255.255.255.254
 ip router isis
 ip access-group Cat8200-test in
 ip access-group Cat8200-test out
 history BPS all
 tunnel source Tunnel0
 tunnel destination 10.76.1.9
 isis authentication mode md5
 isis authentication key-chain isis-password
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.17.245.11 255.255.255.0
 negotiation auto
 cdp enable
!
router isis
 net 49.0000.[redacted].00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 redistribute connected
 redistribute static ip
 passive-interface default
 no passive-interface Port-channel1.920
 no passive-interface Tunnel1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
ip route 0.0.0.0 0.0.0.0 10.76.16.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.17.245.1
!
ip access-list extended Cat8200-test
 permit icmp any any log-input
 permit ip any any
!
tacacs server tacacs01
 address ipv4 [redacted]
 key [redacted]
tacacs server tacacs02
 address ipv4 [redacted]
 key [redacted]
!
control-plane
!
banner motd ^C
+------------------------------------+
| [redacted]                         |
+------------------------------------+
| !! WARNING !!                      |
| AUTHORIZED ACCESS ONLY!            |
| Access to this system is permitted |
| for authorized persons only. All   |
| connections are logged and         |
| monitored. By accessing this       |
| system, you acknowledge that use   |
| of this and any other technology   |
| at [redacted] is subject to        |
| the terms of [redacted], please    |
| see: http://[redacted]             |
| for details.                       |
+------------------------------------+
^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport preferred none
 transport input ssh
 transport output ssh
line vty 5 97
 transport preferred none
 transport input ssh
 transport output ssh
!
end
clab-asr1002x-01#
Cat8200#sh vrf
  Name                             Default RD            Protocols   Interfaces
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0/0
  Tunnel                           <not set>             ipv4,ipv6   Lo1
                                                                     Tu10
                                                                     Tu11
  internet                         <not set>             ipv4,ipv6   Gi0/0/1
Cat8200#
Cat8200#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   10.76.10.243    YES DHCP   up                    up
GigabitEthernet0/0/1   10.76.16.63     YES NVRAM  up                    up
GigabitEthernet0/0/2   unassigned      YES NVRAM  up                    up
GigabitEthernet0/0/3   unassigned      YES manual down                  down
Loopback0              [redacted]      YES manual up                    up
Loopback1              unassigned      YES unset  up                    up
Tunnel2                10.76.1.9       YES manual up                    up
Tunnel3                10.76.1.11      YES manual up                    up
Tunnel10               [redacted]      YES manual up                    up
Tunnel11               [redacted]      YES manual up                    up
Cat8200#
Cat8200#sh crypto ikev2 ses
 IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         10.76.16.63/500       10.76.16.4/500        internet/none        READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/2588 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xB22070F5/0x43C0EEC9

 IPv6 Crypto IKEv2 Session

Cat8200#
Cat8200#sh crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         10.76.16.63/500       10.76.16.4/500        internet/none        READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/2592 sec

 IPv6 Crypto IKEv2 SA

Cat8200#
Cat8200#sh crypto ipsec sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 10.76.16.63

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.76.16.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2669, #pkts encrypt: 2669, #pkts digest: 2669
    #pkts decaps: 10642, #pkts decrypt: 10642, #pkts verify: 10642
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.76.16.63, remote crypto endpt.: 10.76.16.4
     plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
     current outbound spi: 0x43C0EEC9(1136717513)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB22070F5(2988470517)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2113, flow_id: ESG:113, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4607479/1020)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x43C0EEC9(1136717513)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2114, flow_id: ESG:114, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
        sa timing: remaining key lifetime (k/sec): (4607459/1020)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Cat8200#
Cat8200#sh int tu2
Tunnel2 is up, line protocol is up
  Hardware is Tunnel
  Description: test ipsec tunnel for isis-over-ipsec with asr1k
  Internet address is 10.76.1.9/31
  MTU 9954 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 5/255, rxload 5/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.76.16.63 (GigabitEthernet0/0/1), destination 10.76.16.4
   Tunnel Subblocks:
      src-track:
         Tunnel2 source tracking subblock associated with GigabitEthernet0/0/1
          Set of tunnels with source GigabitEthernet0/0/1, 3 members (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1454 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "test")
  Last input 00:00:02, output 07:21:07, output hang never
  Last clearing of "show interface" counters 2d01h
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 2000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     139647 packets input, 27584648 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     11703 packets output, 5603777 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Cat8200#
Cat8200#sh int tu3
Tunnel3 is up, line protocol is up
  Hardware is Tunnel
  Description: test gre tunnel for isis-over-ipsec with asr1k
  Internet address is 10.76.1.11/31
  MTU 9976 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 7/255, rxload 5/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.76.1.9 (Tunnel2), destination 10.76.1.8
   Tunnel Subblocks:
      src-track:
         Tunnel3 source tracking subblock associated with Tunnel2
          Set of tunnels with source Tunnel2, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1430 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 2d01h
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 2000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     10328 packets input, 4813363 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     165033 packets output, 41539208 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Cat8200#
Cat8200#sh clns nei

System Id       Interface   SNPA                State  Holdtime  Type Protocol
clab-asr1002x-0 Tu3         10.76.1.8           Up     28        L2   IS-IS
Cat8200#
Cat8200#sh isis nei

System Id       Type Interface   IP Address      State Holdtime Circuit Id
clab-asr1002x-0 L2   Tu3         10.76.1.10      UP    22       10
Cat8200#
Cat8200#sh ip route vrf *

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is 10.76.1.10 to network 0.0.0.0

i*L2  0.0.0.0/0 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
      10.0.0.0/8 is variably subnetted, 18 subnets, 5 masks
i L2     10.76.1.1/32 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.1.2/31 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.1.4/31 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.1.6/31 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
C        10.76.1.8/31 is directly connected, Tunnel2
L        10.76.1.9/32 is directly connected, Tunnel2
C        10.76.1.10/31 is directly connected, Tunnel3
L        10.76.1.11/32 is directly connected, Tunnel3
i L2     10.76.16.0/24 [115/10] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.33.0/24 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.100.0/24 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.0/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.32/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.64/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.128/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.192/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.240/28 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.123.0.224/28 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
      [redacted]/16 is variably subnetted, 9 subnets, 4 masks
i L2     [redacted]

Routing Table: Mgmt-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is 10.76.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 10.76.10.1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.76.10.0/24 is directly connected, GigabitEthernet0/0/0
L        10.76.10.243/32 is directly connected, GigabitEthernet0/0/0
S        10.254.12.16/32 [254/0] via 10.76.10.1, GigabitEthernet0/0/0

Routing Table: Tunnel
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      [redacted]/24 is variably subnetted, 4 subnets, 2 masks
C        [redacted]/31 is directly connected, Tunnel10
L        [redacted]/32 is directly connected, Tunnel10
C        [redacted]/31 is directly connected, Tunnel11
L        [redacted]/32 is directly connected, Tunnel11

Routing Table: internet
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C
10.76.16.0/24 is directly connected, GigabitEthernet0/0/1 L 10.76.16.63/32 is directly connected, GigabitEthernet0/0/1 Cat8200#
06-24-2022 01:54 PM - edited 06-24-2022 10:21 PM
And... found another error prior to opening a TAC case - Tunnel3 had "tunnel vrf internet", which was part of an earlier troubleshooting effort that I forgot to remove. After clearing that, ISIS adjacencies formed right away, routes exchanged, and pings worked perfectly. Pasting the complete config here for reference.
Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
Name Default RD Protocols Interfaces
Mgmt-vrf <not set> ipv4,ipv6 Gi0/0/0
Tunnel <not set> ipv4,ipv6 Lo1
Tu10
Tu11
internet <not set> ipv4,ipv6 Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy test
proposal test
!
crypto ikev2 keyring test
peer 10.76.16.4
address 10.76.16.4
pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
match fvrf internet
match address local interface GigabitEthernet0/0/1
match identity remote address 10.76.16.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local test
lifetime 3600
dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
set transform-set test
set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
key 1
key-string 7 [redacted]
!
router isis
net 49.0000.1281.9725.4051.00
is-type level-2-only
metric-style wide
log-adjacency-changes
redistribute connected
redistribute static ip
passive-interface default
no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
description Loopback0 default routing table
ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
description test ipsec tunnel for isis-over-ipsec with asr1k
bandwidth 1000000
ip address 128.197.255.173 255.255.255.254
no ip unreachables
ip tcp adjust-mss 1379
history BPS all
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 10.76.16.4
tunnel vrf internet
tunnel protection ipsec profile test
ip virtual-reassembly
!
interface Tunnel3
description test gre tunnel for isis-over-ipsec with asr1k
ip address 128.197.255.171 255.255.255.254
ip router isis
history BPS all
tunnel source Tunnel2
tunnel destination 128.197.255.172
isis authentication mode md5
isis authentication key-chain isis-password
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
vrf forwarding internet
ip address 10.76.16.63 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
Cat8200#
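The root cause in this post was a stale `tunnel vrf` on the GRE tunnel: Tunnel3 is sourced from Tunnel2, which sits in the global table, while Tunnel3's FVRF still pointed at `internet`. The following is an added example (not the poster's or Cisco's code) that parses a running-config and flags any tunnel whose `tunnel vrf` differs from the VRF of its `tunnel source` interface; the sample config is constructed from the values in this thread, and `tunnel source` is assumed to name an interface rather than an IP address.

```python
# Added example, not from the original post: lint an IOS-XE config for the
# leftover `tunnel vrf` found in this thread. A tunnel's FVRF must be the VRF
# its `tunnel source` interface lives in; Tunnel3 is sourced from Tunnel2 (global
# table), so `tunnel vrf internet` on Tunnel3 sent GRE into the wrong VRF.
import re

# Constructed sample reproducing the pre-fix state with the thread's values.
SAMPLE_CONFIG = """\
interface Tunnel2
 tunnel source GigabitEthernet0/0/1
 tunnel destination 10.76.16.4
 tunnel vrf internet
!
interface Tunnel3
 tunnel source Tunnel2
 tunnel destination 128.197.255.172
 tunnel vrf internet
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
"""

def parse_interfaces(config):
    """Map interface name -> {'vrf', 'source', 'tunnel_vrf'}; None means global/unset."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"vrf": None, "source": None, "tunnel_vrf": None})
        elif cur is not None and line.startswith(" "):
            w = line.split()
            if w[:2] == ["vrf", "forwarding"]:
                cur["vrf"] = w[2]
            elif w[:2] == ["tunnel", "source"]:
                cur["source"] = w[2]  # assumes an interface name (the thread's case), not an IP
            elif w[:2] == ["tunnel", "vrf"]:
                cur["tunnel_vrf"] = w[2]
    return ifaces

def tunnel_vrf_mismatches(config):
    """Return [(tunnel, tunnel_vrf, source, source_vrf)] where FVRF != source interface VRF."""
    ifaces = parse_interfaces(config)
    bad = []
    for name, i in ifaces.items():
        if name.startswith("Tunnel") and i["source"] is not None:
            src_vrf = ifaces.get(i["source"], {}).get("vrf")  # unknown source -> global
            if i["tunnel_vrf"] != src_vrf:
                bad.append((name, i["tunnel_vrf"], i["source"], src_vrf))
    return bad
```

Interface-name abbreviations (Gi0/0/1 vs GigabitEthernet0/0/1) are not normalized, so run it against `show running-config` output, where full names are used.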