02-26-2014 05:59 AM - edited 03-04-2019 10:27 PM
Hi All,
I have an issue where on a point to point link (ipsec/gre tunnel) the OSPF state between the 2 routers is in Exchange and doesn't ever change.
Router A
192.168.40.1 0 EXCHANGE/ - 00:00:32 172.27.240.70 Tunnel 19
Router B
Neighbor ID Pri State Dead Time Address Interface
192.168.240.1 0 EXCHANGE/ - 00:00:31 172.27.240.69 Tunnel1
I ran a debug ip ospf events on router B and it comes back with the following.
What stands out I guess are:
Cannot see ourself in hello from 192.168.240.1 on Tunnel1, state INIT
NBR Negotiation Done. We are the SLAVE
I also have other P2P links with the same setup (IPSEC/GRE) tunnels and they are in the FULL state.
001757: Feb 26 13:46:20.647: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001758: Feb 26 13:46:20.647: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001759: Feb 26 13:46:24.071: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001760: Feb 26 13:46:24.071: OSPF: End of hello processing
001761: Feb 26 13:46:30.819: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001762: Feb 26 13:46:30.819: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001763: Feb 26 13:46:34.312: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001764: Feb 26 13:46:34.312: OSPF: End of hello processing
001765: Feb 26 13:46:41.000: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001766: Feb 26 13:46:41.000: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001767: Feb 26 13:46:44.444: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001768: Feb 26 13:46:44.444: OSPF: Cannot see ourself in hello from 192.168.240.1 on Tunnel1, state INIT
001769: Feb 26 13:46:44.444: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1
001770: Feb 26 13:46:44.444: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001771: Feb 26 13:46:44.444: OSPF: End of hello processing
001772: Feb 26 13:46:48.840: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=61, sequence number=1064223
001773: Feb 26 13:46:51.072: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001774: Feb 26 13:46:51.072: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001775: Feb 26 13:46:54.524: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001776: Feb 26 13:46:54.524: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1
001777: Feb 26 13:46:54.524: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001778: Feb 26 13:46:54.524: OSPF: End of hello processing
001779: Feb 26 13:47:01.168: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001780: Feb 26 13:47:01.168: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001781: Feb 26 13:47:04.776: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001782: Feb 26 13:47:04.776: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1
001783: Feb 26 13:47:04.776: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001784: Feb 26 13:47:04.776: OSPF: End of hello processing
001785: Feb 26 13:47:11.316: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001786: Feb 26 13:47:11.316: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001787: Feb 26 13:47:14.872: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001788: Feb 26 13:47:14.872: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1
001789: Feb 26 13:47:14.872: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001790: Feb 26 13:47:14.872: OSPF: End of hello processing
001791: Feb 26 13:47:21.421: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001792: Feb 26 13:47:21.421: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001793: Feb 26 13:47:24.993: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001794: Feb 26 13:47:24.993: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1
001795: Feb 26 13:47:24.993: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001796: Feb 26 13:47:24.993: OSPF: End of hello processing
001797: Feb 26 13:47:31.565: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001798: Feb 26 13:47:31.565: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001799: Feb 26 13:47:35.573: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001800: Feb 26 13:47:35.573: OSPF: Send immediate hello to nbr 192.168.240.1, src address 172.27.240.69, on Tunnel1
001801: Feb 26 13:47:35.573: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001802: Feb 26 13:47:35.573: OSPF: End of hello processing
001803: Feb 26 13:47:41.633: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001804: Feb 26 13:47:41.633: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001805: Feb 26 13:47:42.329: OSPF: Rcv DBD from 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x7 len 32 mtu 1400 state INIT
001806: Feb 26 13:47:42.329: OSPF: 2 Way Communication to 192.168.240.1 on Tunnel1, state 2WAY
001807: Feb 26 13:47:42.329: OSPF: Send DBD to 192.168.240.1 on Tunnel1 seq 0x107E opt 0x52 flag 0x7 len 32
001808: Feb 26 13:47:42.329: OSPF: NBR Negotiation Done. We are the SLAVE
001809: Feb 26 13:47:42.329: OSPF: Send DBD to 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x2 len 1052
001810: Feb 26 13:47:45.921: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001811: Feb 26 13:47:45.921: OSPF: End of hello processing
001812: Feb 26 13:47:48.909: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=61, sequence number=1094936
001813: Feb 26 13:47:51.833: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001814: Feb 26 13:47:51.833: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001815: Feb 26 13:47:56.025: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001816: Feb 26 13:47:56.025: OSPF: End of hello processing
001817: Feb 26 13:48:01.882: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001818: Feb 26 13:48:01.882: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001819: Feb 26 13:48:05.922: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001820: Feb 26 13:48:05.922: OSPF: End of hello processing
001821: Feb 26 13:48:12.046: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001822: Feb 26 13:48:12.046: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001823: Feb 26 13:48:16.030: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001824: Feb 26 13:48:16.030: OSPF: End of hello processing
001825: Feb 26 13:48:16.678: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/1: the fragment table has reached its maximum threshold 16
001826: Feb 26 13:48:22.102: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001827: Feb 26 13:48:22.102: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001828: Feb 26 13:48:26.102: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001829: Feb 26 13:48:26.102: OSPF: End of hello processing
001830: Feb 26 13:48:32.298: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001831: Feb 26 13:48:32.298: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001832: Feb 26 13:48:36.310: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001833: Feb 26 13:48:36.310: OSPF: End of hello processing
001834: Feb 26 13:48:42.506: OSPF: Send hello to 224.0.0.5 area 18 on GigabitEthernet0/0.1 from 10.44.0.10
001835: Feb 26 13:48:42.506: OSPF: Send hello to 224.0.0.5 area 18 on Tunnel1 from 172.27.240.70
001836: Feb 26 13:48:46.379: OSPF: Rcv hello from 192.168.240.1 area 18 from Tunnel1 172.27.240.69
001837: Feb 26 13:48:46.379: OSPF: End of hello processing
02-26-2014 07:16 AM
Hi,
Try ip ospf ignore-mtu under the tunnel interface on both tunnel interfaces.
Also show ip ospf interface tuX output from routers shall help.
Thanks
Hitesh
02-26-2014 07:22 AM
Hi,
Is the ospf ignore-mtu command ok to use? I don't want to bring the tunnels down in any way.
See below.
From Router B
-01#show ip ospf interface tu1
Tunnel1 is up, line protocol is up
Internet Address 172.27.240.70/30, Area 18
Process ID 1, Router ID 192.168.40.1, Network Type POINT_TO_POINT, Cost: 11111
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 22
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
From Router A
N-01#show ip ospf interface tunnel 19
Tunnel19 is up, line protocol is up
Internet Address 172.27.240.69/30, Area 18
Process ID 1, Router ID 192.168.240.1, Network Type POINT_TO_POINT, Cost: 11111
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:09
Supports Link-local Signaling (LLS)
Index 1/9, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 46
Last flood scan time is 4 msec, maximum is 220 msec
Neighbor Count is 1, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
02-26-2014 07:27 AM
That command is for OSPF only. Your tunnel condition to stay up is based on the endpoint reachability. The tunnel shall stay up.
Also share the output for show int tuX
Thanks
Hitesh
02-26-2014 07:31 AM
001812: Feb 26 13:47:48.909: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=61, sequence number=1094936
You are obviously using IPSec over GRE. I agree with Hitesh. Verify you are using the same MTU value on both sides, but it looks like you are having a typical MTU issue during your Database Description Packet exchange, which is pretty common.
Although from looking at the below, it may be an IPSec issue.
001805: Feb 26 13:47:42.329: OSPF: Rcv DBD from 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x7 len 32 mtu 1400 state INIT
If you run a debug on the other side, do you see 1400 as well?
02-26-2014 09:38 AM
Hi There,
On looking at the Tunnel configs of each router I could see the only difference was one had
ip virtual-reassembly max-reassemblies 64
The other didn't.
I removed this and the full adjacency came up!
Cheers
02-26-2014 01:55 PM
Grant,
Virtual Reassembly is a special IOS feature that allows the router to obtain a full picture of a fragmented packet on the fly. When you activate virtual-reassembly on an interface, using the command ip virtual-reassembly, IOS starts tracking all incoming fragmented packets. The code delays fragmented packets until it receives all of them, or until the maximum reassembly timeout expires (there are some other thresholds, discussed below). After this, the router performs “virtual” datagram reassembly. Here “virtual” means the packet is not actually getting assembled into a single entity, but rather IOS views it as a whole for subsequent processing. If the router does not receive all fragments during the reassembly timeout, the incomplete packet is dropped.
There's a good definition if you are interested. Glad you got it working!
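A triage sketch for debug output like the one posted in this thread, added here as an example and not part of any poster's message or of Cisco tooling: it flags neighbors that exchanged DBD packets but never reached FULL, and lists the IPsec and fragment-handling syslog messages logged alongside. The function name, the FULL-state match and the abridged sample lines are assumptions.

```python
import re
from collections import Counter

# Sample input: lines abridged from the debug output posted in this thread.
SAMPLE = """\
001768: Feb 26 13:46:44.444: OSPF: Cannot see ourself in hello from 192.168.240.1 on Tunnel1, state INIT
001772: Feb 26 13:46:48.840: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
001805: Feb 26 13:47:42.329: OSPF: Rcv DBD from 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x7 len 32 mtu 1400 state INIT
001808: Feb 26 13:47:42.329: OSPF: NBR Negotiation Done. We are the SLAVE
001809: Feb 26 13:47:42.329: OSPF: Send DBD to 192.168.240.1 on Tunnel1 seq 0xD17 opt 0x52 flag 0x2 len 1052
001812: Feb 26 13:47:48.909: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
001825: Feb 26 13:48:16.678: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/1: the fragment table has reached its maximum threshold 16
"""

DBD = re.compile(r"OSPF: (Rcv|Send) DBD (?:from|to) (\S+) on (\S+) .*?len (\d+)(?: mtu (\d+))?")
FACILITY = re.compile(r"%([A-Z_]+-\d-[A-Z_]+):")
# Assumption: adjacency completion is logged with "state FULL" or "to FULL".
FULL = re.compile(r"(\d+\.\d+\.\d+\.\d+) on \S+.*(?:state|to) FULL")
# Messages seen in this thread that point at drops below OSPF.
TRANSPORT = {"CRYPTO-4-PKT_REPLAY_ERR", "IP_VFR-4-FRAG_TABLE_OVERFLOW"}

def triage(log_text):
    """Return per-neighbor DBD stats, syslog counts and neighbors stuck before FULL."""
    nbrs, syslog, full = {}, Counter(), set()
    for line in log_text.splitlines():
        if m := FACILITY.search(line):
            syslog[m.group(1)] += 1
        if m := FULL.search(line):
            full.add(m.group(1))
        if m := DBD.search(line):
            direction, nbr, iface, length, mtu = m.groups()
            st = nbrs.setdefault(nbr, {"iface": iface, "rcv": 0, "send": 0,
                                       "max_sent_len": 0, "peer_mtu": None})
            st["rcv" if direction == "Rcv" else "send"] += 1
            if direction == "Send":
                st["max_sent_len"] = max(st["max_sent_len"], int(length))
            if mtu:
                st["peer_mtu"] = int(mtu)  # MTU the peer advertised in its DBD
    stuck = sorted(ip for ip in nbrs if ip not in full)
    suspects = sorted(k for k in syslog if k in TRANSPORT) if stuck else []
    return {"neighbors": nbrs, "syslog": dict(syslog),
            "stuck": stuck, "transport_suspects": suspects}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ip in result["stuck"]:
        print(ip, result["neighbors"][ip], "never reached FULL")
    print("check first:", ", ".join(result["transport_suspects"]) or "none logged")
```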