Solved: OSPF neighborship not establishing between Tunnels

Mark1110 · ‎04-11-2022

Hello,

I have two location A and B and two internet service provider. For one isp tunnel is working fine and having ospf neighborship. For other isp, ospf neighborship is not firming. I am able to ping both locations from ISP IPs. I checked ospf parameters they are same on both location. Let me know if any other information need for more details. Appreciate any kind of help.

Location A




Tunnel configuration

interface Tunnel5
description tunnel to B location
bandwidth 50000
ip address 10.10.10.1 255.255.255.252
no ip redirects
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 tunnelB
ip ospf cost 10
tunnel source GigabitEthernet0/0/1(2.2.2.2)
tunnel destination 1.1.1.1
tunnel key 5
tunnel vrf hello
tunnel protection ipsec profile P1 shared
end




OSPF

router ospf 1

area 0 authentication message-digest

network 10.10.10.0 0.0.0.3 area 0




sh ip ospf interface tunnel5
Tunnel5 is up, line protocol is down
Internet Address 10.10.10.1/30, Interface ID 75, Area 0
Attached via Network Statement
Process ID 1, Router ID 10.10.120.10, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Transmit Delay is 1 sec, State DOWN
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40




Location B

interface Tunnel5
description tunnel to A location
bandwidth 50000
ip address 10.10.10.2 255.255.255.252
no ip redirects
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 tunnelB
ip ospf cost 10
tunnel source source GigabitEthernet0/0/2(1.1.1.1)
tunnel destination 2.2.2.2
tunnel key 5
tunnel vrf bye
tunnel protection ipsec profile P1 shared
end




OSPF

router ospf 1

area 0 authentication message-digest

network 10.10.10.0 0.0.0.3 area 0




Tunnel5 is up, line protocol is down
Internet Address 10.10.10.2/30, Interface ID 26, Area 0
Attached via Network Statement
Process ID 1, Router ID 10.10.30.15, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Transmit Delay is 1 sec, State DOWN
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40

Thanks,

Mark

Richard Burts · ‎04-12-2022

On tunnels using VTI like this a tunnel up line protocol down is frequently an indication that crypto negotiation was not successful. Can you post the output of

show crypto ipsec sa

from both routers?

HTH

Rick

View solution in original post

David Ruess · ‎04-11-2022

Hello,

A couple notes/questions:

Does the tunnel work without the IPSec/OSPF applied?

If so just add the OSPF back in.

If it works it could be something with the IPSec tunnel. Also, I'm not sure the exact amount but adding an IPSec configuration on top of a GRE tunnel adds more headers I believe. You could try lowering the MTU to 1400 and the TCP adjust-mss to 1360

COuld you also show the out put of the

debug ip ospf packets

and the

debug crypto ipsec

commands

-David

Mark1110 · ‎04-11-2022

Hi David,

Thank you for your reply. For other ISP, i have same configuration with MTU and and TCP adjust-mss. It is working good. Cant do debug on production router. Last time i did debug and it was hangup. I had to go to datacenter for reboot it. any thing else can i provide you?

Thanks,

Mark

David Ruess · ‎04-11-2022

Understood.

OK on both routers can you do a:

show ip protocols

show ip interface brief

show ip route

Also, do you have the excact same IPSec profile on the working routers?

Another question. Can you do a terminal monitor command to see error messages on your logged in session to see if OSPF is trying to form an adjacency and getting messages? Usually you will see output of neighbor ship trying to form but not establishing.

MHM Cisco World · ‎04-12-2022

Both tunnel use same key?

Change key if you use same one

paul driver · ‎04-12-2022

Hello

Can both location reach each other source/destination addressing?
Are they in the correct vrf?
Append the same vrf on the tunnels and possibly

capability vrf-lite

to the ospf stanza

interface Tunnel5
description tunnel to B location
tunnel source source GigabitEthernet0/0/2(1.1.1.1 <   is this the correct interface
tunnel vrf hello < ------different vrf


interface Tunnel5
description tunnel to A location
tunnel source GigabitEthernet0/0/1(2.2.2.2)<   is this the correct interface
tunnel vrf bye < ------different vrf

Possible going forward append this also

router ospf xx
capability vrf-lite

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Richard Burts · ‎04-12-2022

On tunnels using VTI like this a tunnel up line protocol down is frequently an indication that crypto negotiation was not successful. Can you post the output of

show crypto ipsec sa

from both routers?

HTH

Rick

paul driver · ‎04-12-2022

Hello
As stated the tunnels are in different vrfs, So remove them from the tunnels and test otherwise make sure the source and transit interface are also in the same vrf rib table.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Mark1110 · ‎04-12-2022

Thank you @Richard Burts . You are correct. Crypto key was missing. Issue has been fixed.

Richard Burts · ‎04-13-2022

Mark

You are welcome. I am glad that my suggestion pointed you toward the solution. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

Mark1110 · ‎04-12-2022

Thank you @paul driver @MHM Cisco World @David Ruess . Issue was with crypto key. I fixed it. once tunnel became up. ospf neighborship automatically Built up. Thank you for your effort and time. Appreciate it.