06-20-2024 11:53 AM
Hi, recently I came across NHRP resolution errors when upgrading a Cisco ASR 1001-x to 17.9.4 from 16.12.05. Under 16.12.x the NHRP configuration was working without any issues. I simply upgraded from 16.12.x to 17.9.4 and am having one-way IPsec traffic. It seems like there’s an issue with spokes registering with the NHS.
On the NHS I see both SPIs for the IPsec tunnel but only one-way traffic. There’s no traffic being encapsulated from the NHS to the NHC. This is because the NHR resolution for the NHC is not resolving. This one-way IPsec state is followed by resolution time-out requests in the debug logs for that particular NHC. When I bounce the tunnel interface on the NHC side the resolution works again, only to time out eventually.
I also upgraded to 17.19.5a gold image but the problem persisted. When I back down to 16.12.x the issue goes away. I know there are some unresolved NHRP and IPsec bugs in 17.9.x so I am not sure if I am hitting a bug. I am using all modern crypto ciphers and the underlying connectivity is working without packet loss.
Has anyone come across this issue when upgrading an ASR IOS XE to 17.9.4 or 17.9.5a? On the client side we are using C1161X-8PLTEP with IOS 17.03.04a.
TIA,
Paul
%DMVPN-6-NHRP_RES_TIMEOUT: Tunnel555: Resolution Request for Address : 10.5.5.37 is Timed-out
And
%DMVPN-5-NHRP_NHC_DOWN: Tunnel555: Next Hop Client : (Tunnel: 10.5.5.37 NBMA: 216.xxxxx ) for (Tunnel: 10.5.5.2 NBMA: 50.xxxxx) is DOWN, Reason: Expiry(NHRP: no error)
06-20-2024 12:01 PM - edited 06-20-2024 12:01 PM
On the spoke:
clear crypto isakmp
clear crypto sa
shut/no shut the tunnel interface
If the issue is not solved, then
share the following:
show ip nhrp nhs
show ip nhrp detail
show dmvpn detail
debug ip nhrp
MHM
06-20-2024 12:38 PM
When I shut/no shut the tunnel on the NHRP client most of the time it fixes the issue. The NHRP debugs were posted. The issue is that on IOS 16.12.x this doesn't occur.
%DMVPN-6-NHRP_RES_TIMEOUT: Tunnel555: Resolution Request for Address : 10.5.5.37 is Timed-out
And
%DMVPN-5-NHRP_NHC_DOWN: Tunnel555: Next Hop Client : (Tunnel: 10.5.5.37 NBMA: 216.xxxxx ) for (Tunnel: 10.5.5.2 NBMA: 50.xxxxx) is DOWN, Reason: Expiry(NHRP: no error)
06-20-2024 01:05 PM
You don't share what I want.
The log error is for resolution, not about registration. Registration is between spoke and hub, and resolution is for spoke to spoke, using the hub to resolve the IP.
MHM
06-20-2024 01:41 PM
Unfortunately I only debugged NHRP and didn't get more DMVPN debugs. But the problem that was seen was a resolution issue, where the NHS was not resolving the client. Again, this config has been working with zero issues for years with 16.12.x but not under 17.9.x.
NHRP: Receive Purge Request via Tunnel555 vrf: global(0x0), packet size: 88
NHRP: Attempting to forward to destination: 10.5.5.28 vrf: global(0x0)
NHRP: Forwarding: NHRP SAS picked source: 10.5.5.2 for destination: 10.5.5.28
NHRP: Attempting to send packet through interface Tunnel555 via DEST dst 10.5.5.28
NHRP: Forwarding Purge Request via Tunnel555 vrf: global(0x0), packet size: 88 src: 10.5.5.2, dst: 10.5.5.28
NHRP: NHRP could not map 10.5.5.28 to NBMA, cache entry not found
NHRP: Encapsulation failed for destination 10.5.5.28 out Tunnel555
%DMVPN-3-DMVPN_NHRP_ERROR: Tunnel555: NHRP Encap Error for Purge Request , Reason: protocol generic error (7) on (Tunnel: 10.5.5.2 NBMA: 50.x.x.x)
%DMVPN-6-NHRP_RES_TIMEOUT: Tunnel555: Resolution Request for Address : 10.5.5.28 is Timed-out
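An added example, not part of the original thread or any poster's code: a small script that tallies the three message formats quoted above per spoke tunnel address, so the hub's log shows at a glance which NHCs combine a resolution timeout with an expiry or a missing cache entry. The sample lines are constructed from the formats in the posts, with documentation-range NBMA addresses substituted; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Patterns follow the message formats quoted in the thread.
PATTERNS = {
    "res_timeout": re.compile(
        r"%DMVPN-6-NHRP_RES_TIMEOUT: \S+: Resolution Request for Address : (?P<ip>[\d.]+)"),
    "nhc_down": re.compile(
        r"%DMVPN-5-NHRP_NHC_DOWN: \S+: Next Hop Client : \(Tunnel: (?P<ip>[\d.]+) "),
    "cache_miss": re.compile(
        r"NHRP: NHRP could not map (?P<ip>[\d.]+) to NBMA, cache entry not found"),
}

def summarize(lines):
    """Count each event type per spoke tunnel address."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts[match.group("ip")][name] += 1
                break
    return {ip: dict(events) for ip, events in counts.items()}

def suspect_peers(summary):
    """Peers with a resolution timeout plus an expiry or a cache miss."""
    return sorted(ip for ip, ev in summary.items()
                  if ev.get("res_timeout")
                  and (ev.get("nhc_down") or ev.get("cache_miss")))

# Constructed sample (NBMA addresses are placeholders, not from the thread).
SAMPLE = [
    "%DMVPN-6-NHRP_RES_TIMEOUT: Tunnel555: Resolution Request for Address : 10.5.5.37 is Timed-out",
    "%DMVPN-5-NHRP_NHC_DOWN: Tunnel555: Next Hop Client : (Tunnel: 10.5.5.37 NBMA: 203.0.113.7 ) "
    "for (Tunnel: 10.5.5.2 NBMA: 198.51.100.2) is DOWN, Reason: Expiry(NHRP: no error)",
    "NHRP: Attempting to forward to destination: 10.5.5.28 vrf: global(0x0)",
    "NHRP: NHRP could not map 10.5.5.28 to NBMA, cache entry not found",
    "%DMVPN-6-NHRP_RES_TIMEOUT: Tunnel555: Resolution Request for Address : 10.5.5.28 is Timed-out",
    "%DMVPN-6-NHRP_RES_TIMEOUT: Tunnel555: Resolution Request for Address : 10.5.5.40 is Timed-out",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for ip in suspect_peers(summary):
        print(ip, summary[ip])
```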
06-22-2024 05:30 AM
Sorry, I need to see some show output before I can know what happened here.
thanks
MHM