02-21-2019 02:21 PM
Hey everyone, I'm running into an issue with recursive routing and can't seem to figure out how to fix it. I have an IPSEC with GRE running OSPF. The tunnel comes up fine but OSPF is flapping. It appears that the route to the destination is via the tunnel itself, which is an issue. I inflated the OSPF cost of the tunnel interfaces but that didn't help. I also added in a static route to the tunnel destination on each router but that didn't help either. From what I've read, in most cases this causes the tunnel to go down, but in my case the tunnel stays up on both sides. Configs are attached.
02-21-2019 03:04 PM
check this document may help you.
02-21-2019 09:06 PM
Hi,
I have noticed there is some misconfiguration in the branch router routing. Also, can you confirm whether you are advertising any default route in OSPF?
Please make the changes below in the branch router configuration:
no ip route 10.192.0.254 255.255.255.255 2.2.2.1
ip route 1.1.1.1 255.255.255.255 2.2.2.1
Here, I am assuming that you have changed the IP address in the attached configuration or that this is a lab (because 1.1.1.1 is a known IP). Here 1.1.1.1 is your head office IP address and 2.2.2.1 is your branch office gateway.
Regards,
Deepak Kumar
02-22-2019 05:10 AM
Hello
1) Remove the static routes for each of the tunnel interfaces that are pointing to what looks like a recursive next hop
Head
no ip route 10.192.0.17 255.255.255.255 198.190.160.1
Spoke
no ip route 10.192.0.254 255.255.255.255 2.2.2.1
2) Check your default routes to make sure their next-hop addresses are correct, as it looks like you have typos
Head
ip route 0.0.0.0 0.0.0.0 1.1.1.1 < ?
interface GigabitEthernet0/0/1
description WAN UPLINK
ip address 1.1.1.1 255.255.255.0
3)
router ospf 1
passive-interface default
no passive-interface tunnel x
02-22-2019 06:16 AM
02-22-2019 06:38 AM
Hi,
Also, make the changes below in the configuration:
Head Office:
interface Tunnel1
no ip policy route-map VPN-Internal
And why are you ignoring the basic OSPF area concept? Why is everything in Area 1? It is not causing an issue in the current network, but it will cause issues as you add spokes to the network.
Branch Office:
crypto ipsec transform-set trans2 esp-aes esp-md5-hmac
mode transport
!
Regards,
Deepak Kumar
02-22-2019 07:39 AM
I removed the route map from the headend and made the change on the branch, bounced the tunnel and got the same error message.
This tunnel will act as a backup for WAN sites. All WAN sites are in area 1. Campus area 100 and backbone area 0.
02-22-2019 07:53 AM
Hi,
Again I went through the DMVPN configuration and found that you have enabled Phase3 on the HUB site as below:
interface Tunnel1
ip nhrp redirect
And you didn't enable it on the Spoke router. The Spoke is still working on Phase2. Try the commands below:
interface Tunnel1
ip nhrp shortcut
Regards,
Deepak Kumar
02-22-2019 08:31 AM
That command (ip nhrp shortcut) isn't explicitly stated when active on the tunnel interface, but it is stated when you enter no ip nhrp shortcut. When I enter the ip nhrp shortcut command it breaks the OSPF adjacency.
02-22-2019 08:43 AM
Hi,
Share OSPF routing and routing output.
show ip route ospf
show ip route
show ip nhrp brief
show dmvpn
Regards,
Deepak Kumar
02-22-2019 09:36 AM - edited 02-22-2019 09:37 AM
Show commands are attached. The DMVPN result is interesting (at least I think). I ran the command a few times and had different results. You will notice that the state changed from NHRP to UP in the photo below. But I think the issue is NHRP: the next hop and target network are the same.
02-22-2019 10:37 AM
I believe you have made the changes the others suggested. However, I noticed that both your Hub and Spoke are configured with the same OSPF priority.
ip ospf priority 2
The Hub should always be the DR, hence set it with the highest priority or make the Spokes 0 priority.
02-22-2019 10:49 AM
I made that change on the branch and I'm still seeing the same looped chain message. Here is the sh ip NHRP result.
Router#sh ip nhrp
10.192.0.254/32 via 10.192.0.254 - I think this is the problem.
Tunnel1 created 00:02:56, never expire
Type: static, Flags:
NBMA address: 1.1.1.237
02-22-2019 11:31 AM
There is nothing wrong with the output of sh ip nhrp. That is the correct output, as you should see only the Hub address mapped to the NBMA. This is not recursive routing. You can ping any address behind the Hub from the Spoke, with the tunnel IP as the source, and see if it goes through the tunnel or not.
If you're worried about recursive routing in the future, then put the WAN interface in a VRF and also reference the VRF in the Tunnel interface (Tunnel vrf command) and static default route.
If I may ask, why is your NBMA 1.1.1.237, while the Hub config file shows 1.1.1.2? Was that a typo?
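The front-door VRF layout suggested in the reply above, sketched for the spoke as an added example (not configuration from any poster's router). The VRF name FVRF, the WAN interface name and the WAN address are assumptions; Tunnel1 and the gateway 2.2.2.1 are taken from the thread.

```cisco
! Added example: spoke-side front-door VRF.
! Assumed values: VRF name FVRF, interface GigabitEthernet0/0/0, address 2.2.2.2/24.
!
vrf definition FVRF
 address-family ipv4
 exit-address-family
!
! Moving an interface into a VRF removes its IP address, so re-enter it.
interface GigabitEthernet0/0/0
 description WAN UPLINK
 vrf forwarding FVRF
 ip address 2.2.2.2 255.255.255.0
!
! The tunnel interface itself stays in the global table (no "vrf forwarding"),
! so OSPF runs over it as before. "tunnel vrf" makes the router look up the
! tunnel destination (the hub NBMA address) in FVRF only.
interface Tunnel1
 tunnel vrf FVRF
!
! Underlay default route exists only in FVRF.
ip route vrf FVRF 0.0.0.0 0.0.0.0 2.2.2.1
!
! Any global static routes toward the hub's public address or via 2.2.2.1
! no longer apply and should be removed from the global table.
! With IKEv1 pre-shared keys, the key lookup must also be VRF-aware.
!
! Verification from exec mode:
!   show ip route vrf FVRF
!   show ip route
```

Because OSPF routes learned over Tunnel1 are installed in the global table and the tunnel destination is resolved in FVRF, no route learned through the tunnel can ever become the path to the tunnel endpoint.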
02-22-2019 11:43 AM
Configure the WAN in a VRF on the spoke? I can ping the tunnel IP but nothing else. There is a typo in the config file....trying to mask the public IP.