cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9964
Views
0
Helpful
29
Replies

looped chain attempting to stack

roharris33
Level 1
Level 1

Hey everyone I'm running into an issue with recursive routing and can't seem to figure out how to fix it. I have an IPSEC with GRE runnning OSPF. The tunnel comes up fine but OSPF is flapping. It appears that the route to the destination is via the tunnel itself which is an issue. I inflated the ospf cost of the tunnel interfaces but that didn't help. I also added in a static route to the tunnel destination on each router but that didn't help either. From what I've read in most cases this causes the tunnel to go down but in my case the tunnel stays up on both sides. Configs are attached.

CaptureError.PNG

Headend route to branch tunnel IPHeadend route to branch tunnel IP

Branch route to Headend tunnel IPBranch route to Headend tunnel IP

29 Replies 29

balaji.bandi
Hall of Fame
Hall of Fame

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

I have noticed there is some miss configuration on the branch router routing. Also, confirm that are you advertising any default route on the OSPF?

 

Please make below changes in the branch router configuration:

 

no ip route 10.192.0.254 255.255.255.255 2.2.2.1
ip route 1.1.1.1 255.255.255.255 2.2.2.1 

 

Here, I am assuming that you have changed the IP address in attached configuration or this is a lab (because 1.1.1.1 is known IP). Here 1.1.1.1 is your Head office IP address and 2.2.2.1 is your branch office gateway. 

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello


1) Remove the static routes for each tunel interfaces that are pointing to what looks like a recursive next-hop


Head
no ip route 10.192.0.17 255.255.255.255 198.190.160.1

 

Spoke
no ip route 10.192.0.254 255.255.255.255 2.2.2.1


2) Check your default routes to make sure their next-hop address are correct as it lookslike you have typo's
Head
ip route 0.0.0.0 0.0.0.0 1.1.1.1 < ?

interface GigabitEthernet0/0/1
 description WAN UPLINK
 ip address 1.1.1.1 255.255.255.0

3)
router ospf 1
passive interface default

no passive interface tunnel x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I made the suggested changes. I fixed the typo's and uploaded new configs. I'm still getting the same error. Also here is a snip of the routing table from the branch router after making the changes. I don't think it should be learning 10.192.0.17 right?

 

branchroute.PNG

Hi,

Also, make below changes in the configuration:

Head Office:

interface Tunnel1

no ip policy route-map VPN-Internal

 

And Why are you ignoring a Basic OSPF area concept? Why everything in the Area1? It is not making an issue in current network but will make issue while increasing spokes in the network. 

 

Branch Office:

 

crypto ipsec transform-set trans2 esp-aes esp-md5-hmac
mode transport

!

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

I removed the route map from the headend and made the change on the branch, bounced the tunnel and got the same error message. 

 

This tunnel will act as a backup for WAN sites. All WAN sites are in area 1. Campus area 100 and backbone area 0. 

Hi,

Again I went through the DMVPN configuration and found that you have enabled Phase3 on the HUB site as below:

 

interface Tunnel1
ip nhrp redirect

 

And you didn't enable on the Spoke router. Spoke is still working on Phase2. try below commands:

 

interface Tunnel1
ip nhrp shortcut

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

That command (ip nhrp shortcut) isn't explicitly stated when active on the tunnel interface. But is stated when you enter no ip nhrp shortcut. When I enter the ip nhrp shortcut command it breaks the OSPF adjancy. 

Hi,

Share OSPF routing and routing output.

 

Show ip route ospf

 

Sho ip route

 

Sho ip nhre brief

 

show Dmvpn 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Show commands are attached. The DMVPM results is interesting (at least I think). I ran the command a few times and had different results. You will notice that the state changed from NHRP to UP in the photo below. But I think the issue is NRHP the next hop and target network are the same.

 

dmvpn.PNG.jpg

 

NHRP.PNG

 

 

 

 

I believe you have made the changes the others suggested. However, I noticed that both your Hub and Spoke are configured with same OSPF priority.

 

ip ospf priority 2

 

The Hub should always be the DR, hence set it with the highest priority or make the Spokes 0 priority.

I made that change on the branch and I'm still seeing the same looped chain message. Here is the sh ip NHRP result.

 

Router#sh ip nhrp
10.192.0.254/32 via 10.192.0.254 - I think this is the problem.
Tunnel1 created 00:02:56, never expire
Type: static, Flags:
NBMA address: 1.1.1.237

There is nothing wrong with the output of Sh ip nhrp. That is the correct output, as you should see only the Hub address mapped to the NBMA. This is not recursive routing. You can ping any address behind the Hub from the Spoke, with the tunnel IP as the source and see if it goes through the tunnel or not

 

If you're worried about recursive routing in the future, then put the WAN interface in a VRF and also reference the VRF in the Tunnel interface (Tunnel vrf command) and static default route.

 

If I may ask, why is your NBMA 1.1.1.237, while the Hub config file shows 1.1.1.2. Was that a typo?

 

 

Configure the WAN in a VRF on the spoke? I can ping the tunnel IP but nothing else. There is a typo in the config file....trying to mask the public IP. 

 

ping.PNG

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: