Problem with NHRP and mGRE from a VRF

james-worley
Level 1

Hi

I have been using p2p GRE tunnels to connect remote sites to head office for some time. These have allowed us to run OSPF and Multicast. I've started to get a little fed up of having to configure new tunnel interfaces every time we add a new site - and the need for fixed IP addresses. So I've been doing some testing with DMVPN using NHRP and mGRE.

I'm having a problem with the hub sending and receiving NHRP. For troubleshooting I have taken off all the crypto stuff.

HUB

!
interface Tunnel248
description *** DMVPN over mGRE - Cloud 1 ***
ip address 172.16.248.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip pim query-interval 10
ip pim sparse-dense-mode
ip nhrp authentication secret
ip nhrp map multicast dynamic
ip nhrp network-id 123456
ip nhrp holdtime 600
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf hello-interval 3
ip ospf priority 254
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel path-mtu-discovery
tunnel vrf INTERNET
!

!
interface FastEthernet0/0
description *** UPSTREAM PROVIDER - ASxxxxx ***
ip vrf forwarding INTERNET
ip address 192.0.2.1 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
speed 100
full-duplex
no cdp enable
max-reserved-bandwidth 90
end

The important thing to note is that these mGRE tunnels are sourced from a VRF interface.

The spoke sites do not run any form of MPLS/VRFs and are configured:

!
interface Tunnel248
description *** DMVPN over mGRE - Cloud 1 ***
ip address 172.16.248.3 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip pim query-interval 10
ip pim sparse-dense-mode
ip nhrp authentication secret
ip nhrp map multicast 172.16.248.254
ip nhrp map 172.16.248.254 192.0.2.1
ip nhrp network-id 123456
ip nhrp nhs 172.16.248.254
ip nhrp holdtime 600
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf hello-interval 3
ip ospf priority 0
qos pre-classify
tunnel source Dialer1
tunnel destination 192.0.2.1
tunnel path-mtu-discovery
!

The spoke sites can ping the hub tunnel address of 172.16.248.254, and a show of NHRP shows a static entry for the hub.

The problem is that the hub site cannot ping any of the hosts and there are no dynamic NHRP entries. I have tried to debug NHRP and get the following encapsulation errors:

Sep  9 2010 10:54:51.957 BST: NHRP: Encapsulation failed for destination 172.16.248.3 out Tunnel248
Sep  9 2010 10:54:52.649 BST: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel248 netid-out 123456
Sep  9 2010 10:54:52.649 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:52.649 BST: NHRP: No node found.
Sep  9 2010 10:54:54.649 BST: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel248 netid-out 123456
Sep  9 2010 10:54:54.649 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:54.649 BST: NHRP: No node found.
Sep  9 2010 10:54:58.029 BST: NHRP: Checking for delayed event 0.0.0.0/172.16.248.3 on list (Tunnel248).
Sep  9 2010 10:54:58.029 BST: NHRP: No node found.
Sep  9 2010 10:54:58.029 BST: NHRP: Attempting to send packet via DEST 172.16.248.3
Sep  9 2010 10:54:58.029 BST: NHRP: Send Resolution Request via Tunnel248 vrf 0, packet size: 88
Sep  9 2010 10:54:58.029 BST:  src: 172.16.248.254, dst: 172.16.248.3
Sep  9 2010 10:54:58.029 BST:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Sep  9 2010 10:54:58.029 BST:      shtl: 4(NSAP), sstl: 0(NSAP)
Sep  9 2010 10:54:58.029 BST:  (M) flags: "router auth src-stable nat ", reqid: 5
Sep  9 2010 10:54:58.029 BST:      src NBMA: 192.0.2.1
Sep  9 2010 10:54:58.029 BST:      src protocol: 172.16.248.254, dst protocol: 172.16.248.3
Sep  9 2010 10:54:58.029 BST:  (C-1) code: no error(0)
Sep  9 2010 10:54:58.029 BST:        prefix: 0, mtu: 1514, hd_time: 600
Sep  9 2010 10:54:58.029 BST:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Sep  9 2010 10:54:58.029 BST: Responder Address Extension(3):
Sep  9 2010 10:54:58.029 BST: Forward Transit NHS Record Extension(4):
Sep  9 2010 10:54:58.029 BST: Reverse Transit NHS Record Extension(5):
Sep  9 2010 10:54:58.029 BST: Authentication Extension(7):
Sep  9 2010 10:54:58.029 BST:   type:Cleartext(1), data:secret
Sep  9 2010 10:54:58.029 BST: NAT address Extension(9):

I had problems with IKE when setting up the p2p GRE not being sourced from the VRF interface and I had to change my crypto config to allow for this. I suspect I am having a similar problem here and the nhrp packets are being encapsulated from the global not the VRF.

I have read a lot of documentation of this working with the tunnel interface in a VRF being sourced from a global IP interface. I can not find any documentation of this working from a VRF interface.

Does anyone know if there is a way to tell NHRP which VRF to source the packets from?

2 Replies

james-worley
Level 1

I managed to fix this, contrary to the documentation stating:

Cisco IOS Software Releases 12.3(13)T, 12.3(11)T3, or later allow multiple mGRE interfaces on a single router to be configured without tunnel keys. Each mGRE interface must reference a unique IP address as its tunnel source.

I added the tunnel key command and the tunnels came up.

If Tunnel248 is the only tunnel on the router then you shouldn't need to configure a tunnel key, but if there are any other tunnels (point-point or multipoint) that are using the same tunnel source then you are going to have to use a tunnel key.

I have set this up (mGRE with tunnel key and tunnel in VRF 'tunnel vrf ...') in my lab a number of times so that I know it will work. There were a couple of IOS codes from about 2-3 years ago where there was a bug in NHRP with VRFs but that was all fixed.

Note, there is nothing wrong with using a tunnel key.

Mike.
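An added example, not part of the thread or of any Cisco tool: a small Python checker that reads an IOS configuration snippet and flags the two conditions this thread turns on. Rule 1 is Mike's point: two or more tunnel interfaces using the same `tunnel source` must each carry a `tunnel key` (and the keys must differ, otherwise the router still cannot tell the tunnels apart). Rule 2 is the original question: when the `tunnel source` interface has `ip vrf forwarding X`, the tunnel needs a matching `tunnel vrf X`, as the hub config above already has. The sample configuration is constructed from the hub config in the question plus a hypothetical second tunnel, `Tunnel249`, that reuses `FastEthernet0/0` without a key.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's hub Tunnel248 plus a hypothetical Tunnel249 that
# shares the same tunnel source. Neither has a tunnel key, which is what Mike warns about.
HUB_CONFIG = """\
interface Tunnel248
 description *** DMVPN over mGRE - Cloud 1 ***
 ip address 172.16.248.254 255.255.255.0
 ip nhrp network-id 123456
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET
!
interface Tunnel249
 description *** hypothetical second cloud sharing the same source ***
 ip address 172.16.249.254 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INTERNET
!
interface FastEthernet0/0
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.252
!
"""

# The same hub after applying the fix from the thread: a distinct tunnel key per tunnel.
FIXED_HUB_CONFIG = (
    HUB_CONFIG.replace("interface Tunnel248\n", "interface Tunnel248\n tunnel key 248\n")
              .replace("interface Tunnel249\n", "interface Tunnel249\n tunnel key 249\n")
)


def parse_interfaces(config):
    """Collect, per interface, the few commands the checks below need."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("!", "end"):          # end of an interface stanza
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"source": None, "key": None, "tunnel_vrf": None, "vrf": None}
            continue
        if current is None:
            continue
        for pattern, field in ((r"tunnel source (\S+)", "source"),
                               (r"tunnel key (\d+)", "key"),
                               (r"tunnel vrf (\S+)", "tunnel_vrf"),
                               (r"ip vrf forwarding (\S+)", "vrf")):
            m = re.match(pattern, line)
            if m:
                interfaces[current][field] = m.group(1)
                break
    return interfaces


def find_issues(interfaces):
    """Return (rule, interface, message) tuples for every violation found."""
    issues = []
    tunnels = {n: e for n, e in interfaces.items() if n.startswith("Tunnel") and e["source"]}

    # Rule 1: tunnels sharing a source need distinct tunnel keys.
    by_source = defaultdict(list)
    for name, e in tunnels.items():
        by_source[e["source"]].append(name)
    for source, names in by_source.items():
        if len(names) < 2:
            continue                      # a lone tunnel on this source needs no key
        for name in names:
            if tunnels[name]["key"] is None:
                issues.append(("shared-source-no-key", name,
                               f"shares tunnel source {source} with {[n for n in names if n != name]} "
                               "but has no tunnel key"))
        keys = [tunnels[n]["key"] for n in names if tunnels[n]["key"] is not None]
        for name in names:
            k = tunnels[name]["key"]
            if k is not None and keys.count(k) > 1:
                issues.append(("duplicate-key", name, f"tunnel key {k} is reused on source {source}"))

    # Rule 2: the tunnel's VRF must match the VRF of its source interface.
    for name, e in tunnels.items():
        src = interfaces.get(e["source"])
        if src is None:
            continue                      # source interface not in this snippet; cannot judge
        if src["vrf"] != e["tunnel_vrf"]:
            issues.append(("vrf-mismatch", name,
                           f"source {e['source']} is in VRF {src['vrf']} but tunnel vrf is {e['tunnel_vrf']}"))
    return issues


def check_config(config):
    return find_issues(parse_interfaces(config))


if __name__ == "__main__":
    for label, cfg in (("before fix", HUB_CONFIG), ("after fix", FIXED_HUB_CONFIG)):
        print(f"== {label} ==")
        for rule, iface, msg in check_config(cfg) or [("ok", "-", "no issues")]:
            print(f"{rule:22} {iface:10} {msg}")
```

Running the block prints two `shared-source-no-key` findings for the constructed hub and none once the keys are added, which mirrors the outcome james-worley reports. A spoke whose `Dialer1` stanza is not in the snippet is simply skipped by rule 2, so the checker never guesses about interfaces it has not seen.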
