
NHRP resolution time out causing one way IPSEC traffic

paul amaral
Level 4

Hi, recently I came across NHRP resolution errors when upgrading a Cisco ASR 1001-x to 17.9.4 from 16.12.05. Under 16.12.x the NHRP configuration was working without any issues. I simply upgraded from 16.12.x to 17.9.4 and am having one-way IPsec traffic. It seems like there's an issue with spokes registering with the NHS.

On the NHS I see both SPIs for the IPsec tunnel but only one-way traffic. There's no traffic being encapsulated from the NHS to the NHC. This is because the NHR resolution for the NHC is not resolving. This one-way IPsec state is followed by resolution time-out requests in the debug logs for that particular NHC. When I bounce the tunnel interface on the NHC side, the resolution works again, only to time out eventually.

I also upgraded to 17.19.5a gold image but the problem persisted. When I back down to 16.12.x the issue goes away. I know there are some unresolved NHRP and IPsec bugs in 17.9.x, so I am not sure if I am hitting a bug. I am using all modern crypto ciphers and the underlying connectivity is working without packet loss.

Has anyone come across this issue when upgrading an ASR IOS XE to 17.9.4 or 17.9.5a? On the client side we are using C1161X-8PLTEP with IOS 17.03.04a.

TIA,

Paul

 

%DMVPN-6-NHRP_RES_TIMEOUT:  Tunnel555: Resolution Request for Address : 10.5.5.37 is Timed-out

And

%DMVPN-5-NHRP_NHC_DOWN: Tunnel555: Next Hop Client : (Tunnel: 10.5.5.37 NBMA: 216.xxxxx ) for (Tunnel: 10.5.5.2 NBMA: 50.xxxxx) is DOWN, Reason: Expiry(NHRP: no error)


In Spoke:
clear crypto isakmp
clear crypto sa
shut/no shut the tunnel interface

If the issue is not solved, then

share the following:
show ip nhrp nhs
show ip nhrp detail
show dmvpn detail
debug ip nhrp
MHM

When I shut/no shut the tunnel on the NHRP client most of the time it fixes the issue. The NHRP debugs were posted. The issue is that on IOS 16.12.x this doesn't occur. 

 

%DMVPN-6-NHRP_RES_TIMEOUT:  Tunnel555: Resolution Request for Address : 10.5.5.37 is Timed-out

And

%DMVPN-5-NHRP_NHC_DOWN: Tunnel555: Next Hop Client : (Tunnel: 10.5.5.37 NBMA: 216.xxxxx ) for (Tunnel: 10.5.5.2 NBMA: 50.xxxxx) is DOWN, Reason: Expiry(NHRP: no error)

 

You don't share what I want.

The log error is for resolution, not about register. Register is between spoke and hub, and resolution is for spoke to spoke, using the hub to resolve the IP.

MHM

Unfortunately I only debugged for NHRP and didn't get more DMVPN debugs. But the problem that was seen was a resolution issue, where the NHS was not resolving the client. Again, this config has been working with zero issues for years with 16.12.x but not under 17.9.x.

 

NHRP: Receive Purge Request via Tunnel555 vrf: global(0x0), packet size: 88
NHRP: Attempting to forward to destination: 10.5.5.28 vrf: global(0x0)
NHRP: Forwarding: NHRP SAS picked source: 10.5.5.2 for destination: 10.5.5.28
NHRP: Attempting to send packet through interface Tunnel555 via DEST  dst 10.5.5.28
NHRP: Forwarding Purge Request via Tunnel555 vrf: global(0x0), packet size: 88 src: 10.5.5.2, dst: 10.5.5.28
NHRP: NHRP could not map 10.5.5.28 to NBMA, cache entry not found
NHRP: Encapsulation failed for destination 10.5.5.28 out Tunnel555

%DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel555: NHRP Encap Error for  Purge Request , Reason:  protocol generic error (7) on (Tunnel: 10.5.5.2 NBMA: 50.x.x.x)

%DMVPN-6-NHRP_RES_TIMEOUT:  Tunnel555: Resolution Request for Address : 10.5.5.28 is Timed-out
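
The messages posted in this thread can be grouped per tunnel (overlay) address to see which clients show a resolution timeout together with an expiry or a missing NHRP cache entry. This is an added example, not part of the original posts; the function names and the last sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

IP = r"(?P<peer>\d+\.\d+\.\d+\.\d+)"
# Patterns follow the message shapes quoted in this thread.
PATTERNS = {
    "res_timeout": re.compile(r"%DMVPN-6-NHRP_RES_TIMEOUT:.*?Address\s*:\s*" + IP),
    "nhc_down": re.compile(
        r"%DMVPN-5-NHRP_NHC_DOWN:.*?Next Hop Client\s*:\s*\(Tunnel:\s*" + IP),
    "cache_miss": re.compile(
        r"NHRP could not map " + IP + r" to NBMA, cache entry not found"),
}

def summarize(lines):
    """Return {overlay_address: {event: count}} for the NHRP events above."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for event, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                stats[m.group("peer")][event] += 1
                break  # one event per log line
    return {peer: dict(events) for peer, events in stats.items()}

def stale_peers(stats):
    """Peers with a resolution timeout plus an expiry or a missing cache entry."""
    return sorted(
        peer for peer, ev in stats.items()
        if ev.get("res_timeout") and (ev.get("nhc_down") or ev.get("cache_miss"))
    )

# Sample input: the first five lines are messages quoted in the thread
# (NBMA addresses masked as posted); the last line is constructed.
SAMPLE = [
    "%DMVPN-6-NHRP_RES_TIMEOUT:  Tunnel555: Resolution Request for Address : 10.5.5.37 is Timed-out",
    "%DMVPN-5-NHRP_NHC_DOWN: Tunnel555: Next Hop Client : (Tunnel: 10.5.5.37 NBMA: 216.xxxxx ) "
    "for (Tunnel: 10.5.5.2 NBMA: 50.xxxxx) is DOWN, Reason: Expiry(NHRP: no error)",
    "NHRP: NHRP could not map 10.5.5.28 to NBMA, cache entry not found",
    "%DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel555: NHRP Encap Error for  Purge Request , Reason:  "
    "protocol generic error (7) on (Tunnel: 10.5.5.2 NBMA: 50.x.x.x)",
    "%DMVPN-6-NHRP_RES_TIMEOUT:  Tunnel555: Resolution Request for Address : 10.5.5.28 is Timed-out",
    "%DMVPN-6-NHRP_RES_TIMEOUT:  Tunnel555: Resolution Request for Address : 10.5.5.99 is Timed-out",
]

if __name__ == "__main__":
    print(stale_peers(summarize(SAMPLE)))
```
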


Sorry, I need to see some show output before I can know what happened here.

Thanks

MHM
