Routes issue in ipsec tunnel

lakhwaraa

I have the following configuration. My tunnel is up but I can't send routes since yesterday. I have done nothing to the original configuration. My router is not advertising my routes.

interface Tunnel1
ip address 100.200.10.5 255.255.255.0
no ip redirects
ip mtu 1390
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 eigrp_keys
ip hold-time eigrp 10 60
ip nhrp authentication deast
ip nhrp map multicast 50.217.30.110
ip nhrp map 100.200.10.12 50.217.30.110
ip nhrp map multicast 51.230.159.19
ip nhrp map 100.200.10.254 51.230.159.19
ip nhrp network-id 2
ip nhrp holdtime 60
ip nhrp nhs 100.200.10.12
ip nhrp nhs 100.200.10.254
zone-member security vpn
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 121
tunnel protection ipsec profile FL-DE-SWITC


router eigrp 10
network 100.200.10.0 0.0.0.255
network 172.17.30.0 0.0.0.255
passive-interface Vlan10
eigrp stub connected
!
!
router eigrp 2
network 10.2.2.0 0.0.0.255
network 172.17.0.0
passive-interface Vlan10
passive-interface FastEthernet8
eigrp stub connected

interface GigabitEthernet0
mac-address e02f.6d0d.2123
ip address 122.31.15.11 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 172.17.30.254 255.255.0.0
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security inside
ip tcp adjust-mss 1450

sh dmvpn
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 50.217.30.110 100.200.10.12 UP 10:27:49 S
1 51.230.159.19 100.200.10.254 UP 1d12h S

sh crypto session
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 51.230.159.19 port 500
Session ID: 0
IKEv1 SA: local 122.31.15.11/500 remote 51.230.159.19/500 Active
IPSEC FLOW: permit 47 host 122.31.15.11 host 51.230.159.19
Active SAs: 2, origin: crypto map

sh ip route

Gateway of last resort is 122.31.15.121 to network 0.0.0.0

S* 0.0.0.0/0 [3/0] via 122.31.15.11
1.0.0.0/32 is subnetted, 1 subnets
S 1.1.1.1 [1/0] via 122.31.15.11
8.0.0.0/32 is subnetted, 1 subnets
S 8.8.8.8 [1/0] via 122.31.15.11
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 100.200.10.0/24 is directly connected, Tunnel1
L 100.200.10.5/32 is directly connected, Tunnel1
S 10.20.1.0/24 [1/0] via 100.200.10.254
119.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 122.31.15.11/29 is directly connected, GigabitEthernet0
L 122.31.15.12/32 is directly connected, GigabitEthernet0
L 122.31.15.13 is directly connected, GigabitEthernet0
L 122.31.15.14/32 is directly connected, GigabitEthernet0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/16 is directly connected, Vlan10
L 172.17.30.254/32 is directly connected, Vlan10
172.20.0.0/24 is subnetted, 1 subnets
S 172.20.17.0 [1/0] via 100.200.10.12
S 192.168.20.0/24 [1/0] via 100.200.10.249
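As an added example, not part of the original post: a short Python script that parses the "sh dmvpn" and "sh crypto session" text above (copied into the script as constructed sample output, with the addresses exactly as pasted) and cross-checks every NHRP peer against the IKE/IPsec sessions. The field names and the check_tunnel_health function are my own, not an IOS feature.

```python
import re

# Constructed sample output, copied from the "sh dmvpn" and "sh crypto session"
# text posted in the thread (addresses as the poster pasted them).
SHOW_DMVPN = """\
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 50.217.30.110     100.200.10.12    UP 10:27:49     S
     1 51.230.159.19    100.200.10.254    UP    1d12h     S
"""

SHOW_CRYPTO_SESSION = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 51.230.159.19 port 500
  Session ID: 0
  IKEv1 SA: local 122.31.15.11/500 remote 51.230.159.19/500 Active
  IPSEC FLOW: permit 47 host 122.31.15.11 host 51.230.159.19
        Active SAs: 2, origin: crypto map
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One NHRP peer row: entry count, NBMA address, tunnel address, state, uptime, attributes
PEER_RE = re.compile(rf"^\s*\d+\s+({IPV4})\s+({IPV4})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_dmvpn_peers(text):
    """One dict per NHRP peer row of 'show dmvpn'; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            nbma, tunnel, state, uptime, attrb = m.groups()
            peers.append({"nbma": nbma, "tunnel": tunnel, "state": state,
                          "uptime": uptime, "attrb": attrb})
    return peers


def parse_crypto_sessions(text):
    """Map each 'Peer:' NBMA address to whether its IKE SA is Active and how many IPsec SAs it has."""
    sessions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(rf"Peer: ({IPV4}) port \d+", line)
        if m:
            current = sessions.setdefault(m.group(1), {"ike_active": False, "ipsec_sas": 0})
            continue
        if current is None:
            continue
        if re.match(r"IKEv[12] SA:", line) and line.endswith("Active"):
            current["ike_active"] = True
        m = re.match(r"Active SAs: (\d+)", line)
        if m:
            current["ipsec_sas"] += int(m.group(1))
    return sessions


def check_tunnel_health(dmvpn_text, crypto_text):
    """Findings: NHRP peers that are not UP, or UP without a fully active IKE/IPsec session."""
    sessions = parse_crypto_sessions(crypto_text)
    findings = []
    for p in parse_dmvpn_peers(dmvpn_text):
        label = f"NHRP peer {p['tunnel']} (NBMA {p['nbma']})"
        if p["state"] != "UP":
            findings.append(f"{label} is {p['state']}")
            continue
        s = sessions.get(p["nbma"])
        if s is None:
            findings.append(f"{label} is UP but no IKE/IPsec session to that NBMA address "
                            "appears in 'show crypto session'")
        elif not s["ike_active"] or s["ipsec_sas"] == 0:
            findings.append(f"{label} is UP but its crypto session is not fully active "
                            f"(IKE active: {s['ike_active']}, IPsec SAs: {s['ipsec_sas']})")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_health(SHOW_DMVPN, SHOW_CRYPTO_SESSION):
        print(finding)
```

Run against the output above it reports one finding: the NHS at 100.200.10.12 (NBMA 50.217.30.110) is UP in NHRP, but the pasted "show crypto session" shows an IKE SA and IPsec SAs only toward 51.230.159.19. Whether that second session was left out of the paste or is really missing is the first thing to confirm, because an NHRP entry can read UP while the path it needs is not usable, which is exactly why a tunnel showing UP is not proof that it is healthy.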


no ip next-hop-self eigrp x

no ip split-horizon eigrp x

you need both of these commands in the Hub tunnel

Already have these commands in the hub

interface Tunnel1
bandwidth 1602
ip address 100.200.10.254 255.255.255.0
no ip redirects
ip mtu 1390
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 eigrp_keys
ip hold-time eigrp 10 60
no ip next-hop-self eigrp 10
no ip split-horizon eigrp 10
ip nhrp authentication deast
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp registration no-unique
ip tcp adjust-mss 1350
delay 300
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 121
tunnel protection ipsec profile FL-DE-SWITC shared

the configuration suddenly died even though nobody changed it.
OK,
1- tunnel UP does not mean that it is healthy,
please can you config

if-state nhrp

in the spoke and check whether the tunnel is still UP or down?

2- network 172.17.30.0 0.0.0.255 <<- interface Vlan10 ip address 172.17.30.254 255.255.0.0

please can you match the subnet mask of VLAN10 and what you config under EIGRP

3- I did not try this before, but I will check in a lab the config of two EIGRP processes advertising the same IP. (I will update you soon).
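To make points 2 and 3 concrete, here is an added Python example (mine, not from the thread) that applies the EIGRP network-statement rule to the addresses posted above: a network statement with a wildcard mask selects every interface whose primary address falls inside that range, and a bare address with no wildcard is treated classfully. The interface and network lists are constructed from the spoke's configuration; the function names are my own.

```python
import ipaddress

# Constructed from the interface addresses and "router eigrp" blocks posted in the thread.
INTERFACES = {
    "Tunnel1": "100.200.10.5/24",
    "Vlan10": "172.17.30.254/16",
    "GigabitEthernet0": "122.31.15.11/29",
}

EIGRP_NETWORKS = {
    10: ["100.200.10.0 0.0.0.255", "172.17.30.0 0.0.0.255"],
    2: ["10.2.2.0 0.0.0.255", "172.17.0.0"],
}


def parse_network_statement(stmt):
    """Return (address, wildcard) as ints. A bare address with no wildcard is classful,
    so 'network 172.17.0.0' means 172.17.0.0 0.0.255.255."""
    parts = stmt.split()
    addr = int(ipaddress.IPv4Address(parts[0]))
    if len(parts) == 2:
        wildcard = int(ipaddress.IPv4Address(parts[1]))
    else:
        first_octet = addr >> 24
        if first_octet < 128:
            wildcard = 0x00FFFFFF  # class A
        elif first_octet < 192:
            wildcard = 0x0000FFFF  # class B
        else:
            wildcard = 0x000000FF  # class C
    return addr, wildcard


def statement_matches(stmt, ip):
    """True if the interface address falls inside the statement's wildcard range."""
    addr, wildcard = parse_network_statement(stmt)
    keep = ~wildcard & 0xFFFFFFFF  # bits the statement actually compares
    return int(ipaddress.IPv4Address(ip)) & keep == addr & keep


def eigrp_enabled_on(interfaces, eigrp_networks):
    """Map each interface to the EIGRP AS numbers whose network statements select it."""
    result = {}
    for name, cidr in interfaces.items():
        ip = str(ipaddress.IPv4Interface(cidr).ip)
        result[name] = [asn for asn, stmts in eigrp_networks.items()
                        if any(statement_matches(s, ip) for s in stmts)]
    return result


def advertised_prefix(cidr):
    """The connected prefix EIGRP advertises comes from the interface mask, not from the wildcard."""
    return str(ipaddress.IPv4Interface(cidr).network)


if __name__ == "__main__":
    for name, asns in eigrp_enabled_on(INTERFACES, EIGRP_NETWORKS).items():
        print(f"{name}: EIGRP AS {asns or 'none'}, advertises {advertised_prefix(INTERFACES[name])}")
```

For the posted configuration the result is Tunnel1: AS 10 only; Vlan10: AS 10 and AS 2; GigabitEthernet0: neither. So the /24 wildcard under router eigrp 10 does select Vlan10 even though the interface mask is /16, and the prefix EIGRP advertises for it is the interface's own 172.17.0.0/16. It also shows that both EIGRP processes run on Vlan10 (the classful "network 172.17.0.0" under AS 2 covers it as well), which is the two-process situation point 3 asks about.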

1. Tunnel is still active

Interface: Tunnel1
Session status: UP-ACTIVE 

2. IP: Vlan10 172.17.30.254

router eigrp 10
network 100.200.10.0 0.0.0.255
network 172.17.30.0 0.0.0.255
passive-interface Vlan10
eigrp stub connected


All configuration is OK.

I ran a lab and it is OK for me,

zone-member security vpn

can you share the zone security config?


class-map type inspect match-any inside-to-vpn
match access-group name ACL-INSIDE-TO-VPN
class-map type inspect match-any vpn-to-inside
match access-group name ACL-VPN-TO-INSIDE
class-map type inspect match-any inside-to-outside
match access-group name ACL-INSIDE-TO-OUTSIDE
class-map type inspect match-any outside-to-self
match access-group name ACL-outside-TO-self
class-map type inspect match-any self-to-outside
match access-group name ACL-self-TO-outside
class-map type inspect match-any outside-to-inside

policy-map type inspect Policy-inside-to-outside
class type inspect inside-to-outside
inspect
class class-default
drop
policy-map type inspect Policy-outside-to-inside
class type inspect outside-to-inside
inspect
class class-default
drop
policy-map type inspect Policy-outside-to-self
class type inspect outside-to-self
inspect
class class-default
drop
policy-map type inspect Policy-inside-to-vpn
class type inspect inside-to-vpn
inspect
class class-default
drop
policy-map type inspect Policy-vpn-to-inside
class type inspect vpn-to-inside
inspect
class class-default
drop
policy-map type inspect Policy-self-to-outside
class type inspect self-to-outside
inspect
class class-default
drop
!
zone security inside
zone security outside
zone security vpn
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect Policy-inside-to-outside
zone-pair security inside-to-vpn source inside destination vpn
service-policy type inspect Policy-inside-to-vpn
zone-pair security vpn-to-inside source vpn destination inside
service-policy type inspect Policy-vpn-to-inside
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect Policy-outside-to-inside
zone-pair security vpn-to-outside source vpn destination outside
service-policy type inspect Policy-vpn-to-inside
zone-pair security outside-to-vpn source outside destination vpn
service-policy type inspect Policy-vpn-to-inside

ip route 1.1.1.1 255.255.255.255 122.31.15.121
ip route 8.8.8.8 255.255.255.255 122.31.15.121

ip access-list extended ACL-INSIDE-TO-OUTSIDE
permit ip any any
permit gre any any
permit icmp any any

ip access-list extended ACL-INSIDE-TO-VPN
permit ip any any
permit gre any any
permit icmp any any

ip access-list extended ACL-OUTSIDE-TO-INSIDE
permit ip any any
permit gre any any
permit icmp any any

ip access-list extended ACL-VPN-TO-INSIDE
permit ip any any
permit gre any any
permit icmp any any

ip access-list extended ACL-outside-TO-self
permit ip any any
permit gre any any
permit icmp any any

ip access-list extended ACL-self-TO-outside
permit ip any any
permit gre any any
permit icmp any any
ip access-list extended NAT
permit ip any any
permit gre any any
permit icmp any any

ip access-list extended webserver
permit ip any any
permit gre any any
permit icmp any any
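As an added example (mine, not from the thread or from Cisco): a small Python linter that parses a zone-based firewall excerpt like the one above and reports dangling references, class-maps with no match statement, inspect ACLs that begin with permit ip any any, and policy-maps attached to more than one zone-pair. The embedded configuration is a constructed, shortened copy of the posted one; the parser only understands the statement forms that appear in it.

```python
import re

# Constructed, shortened copy of the zone-based firewall excerpt posted in the thread.
ZBF_CONFIG = """\
class-map type inspect match-any vpn-to-inside
 match access-group name ACL-VPN-TO-INSIDE
class-map type inspect match-any outside-to-inside
policy-map type inspect Policy-vpn-to-inside
 class type inspect vpn-to-inside
  inspect
 class class-default
  drop
policy-map type inspect Policy-outside-to-inside
 class type inspect outside-to-inside
  inspect
!
zone security inside
zone security outside
zone security vpn
zone-pair security vpn-to-inside source vpn destination inside
 service-policy type inspect Policy-vpn-to-inside
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect Policy-outside-to-inside
zone-pair security outside-to-vpn source outside destination vpn
 service-policy type inspect Policy-vpn-to-inside
ip access-list extended ACL-VPN-TO-INSIDE
 permit ip any any
 permit gre any any
"""

# Top-level statements we track; group 1 is always the object's name.
HEADERS = [
    ("class_maps", re.compile(r"class-map type inspect match-(?:any|all) (\S+)")),
    ("policy_maps", re.compile(r"policy-map type inspect (\S+)")),
    ("zone_pairs", re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")),
    ("zones", re.compile(r"zone security (\S+)")),
    ("acls", re.compile(r"ip access-list extended (\S+)")),
]


def parse_zbf(config):
    """Collect class-maps, policy-maps, zone-pairs, zones and ACLs from a running-config excerpt."""
    cfg = {kind: {} for kind, _ in HEADERS}
    section = None  # (kind, name) of the statement whose sub-lines we are reading
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        for kind, rx in HEADERS:
            if m := rx.match(line):
                name = m.group(1)
                cfg[kind][name] = ({"source": m.group(2), "destination": m.group(3), "policy": None}
                                   if kind == "zone_pairs" else [])
                section = (kind, name)
                break
        else:  # not a header line: attach it to the current section
            if section is None:
                continue
            kind, name = section
            if kind == "class_maps" and (m := re.match(r"match access-group name (\S+)", line)):
                cfg[kind][name].append(m.group(1))
            elif kind == "policy_maps" and (m := re.match(r"class type inspect (\S+)", line)):
                cfg[kind][name].append(m.group(1))
            elif kind == "zone_pairs" and (m := re.match(r"service-policy type inspect (\S+)", line)):
                cfg[kind][name]["policy"] = m.group(1)
            elif kind == "acls" and re.match(r"(?:permit|deny) ", line):
                cfg[kind][name].append(line)
    return cfg


def lint_zbf(cfg):
    """Report dangling references, empty class-maps, wide-open inspect ACLs and shared policy-maps."""
    out = []
    for name, acl_names in cfg["class_maps"].items():
        if not acl_names:
            out.append(f"class-map {name} has no match statement, so its class never matches traffic")
        for acl in acl_names:
            if acl not in cfg["acls"]:
                out.append(f"class-map {name} references undefined ACL {acl}")
            elif any(e.startswith("permit ip any any") for e in cfg["acls"][acl]):
                out.append(f"ACL {acl} (class-map {name}) permits ip any any, so the inspect class admits all traffic")
    for name, classes in cfg["policy_maps"].items():
        for c in classes:
            if c not in cfg["class_maps"]:
                out.append(f"policy-map {name} references undefined class-map {c}")
    used_by = {}
    for name, zp in cfg["zone_pairs"].items():
        for z in (zp["source"], zp["destination"]):
            if z != "self" and z not in cfg["zones"]:
                out.append(f"zone-pair {name} references undefined zone {z}")
        if zp["policy"] not in cfg["policy_maps"]:
            out.append(f"zone-pair {name} has no valid service-policy ({zp['policy']})")
        else:
            used_by.setdefault(zp["policy"], []).append(name)
    for policy, pairs in used_by.items():
        if len(pairs) > 1:
            out.append(f"policy-map {policy} is attached to zone-pairs {', '.join(pairs)}; confirm that is intended")
    return out
```

Calling lint_zbf(parse_zbf(ZBF_CONFIG)) reports three things that are also visible in the full configuration above: ACL-VPN-TO-INSIDE starts with permit ip any any, so the gre and icmp lines after it never add anything and the inspect class admits all traffic between those zones; class-map outside-to-inside has no match statement; and Policy-vpn-to-inside is attached to more than one zone-pair (vpn-to-inside and outside-to-vpn here, and vpn-to-outside as well in the full posting), which is worth confirming as intentional since the same inspection rules then apply in different directions.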

I did the same zone security config and it is OK,
still one thing:
you mention that EIGRP stopped advertising the route,
I see you use a key-chain for auth; can I see the config??
can you share

show ip eigrp neighbor ?

show ip eigrp neighbor
EIGRP-IPv4 Neighbors for AS(10)
EIGRP-IPv4 Neighbors for AS(2)

crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key hehs@jj address 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set FL-DE-SWITC esp-aes esp-sha-hmac
mode transport

!
crypto ipsec profile Removed
set transform-set FL-DE-SWITC


ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 eigrp_keys

this is the key I talk about; we already checked that the tunnel is UP and healthy.

Hello,

try and remove and reapply the EIGRP authentication. First, turn on debugging:

Router#debug eigrp packets terse

Then, remove and reapply the key chain. 

Router#conf t
Router(config)#interface Tunnel1
Router(config-if)#no ip authentication key-chain eigrp 10 eigrp_keys
Router(config-if)#ip authentication key-chain eigrp 10 eigrp_keys

Post the debug output you see.

I have done this configuration by installing a secondary internet source and creating tunnel 2 with the same configuration.

it works

but tunnel 1 has some routing issue. How to check the routing issue?

my tunnel is up thanks to you. But now there is one more problem

I can ping my hub router interface (10.20.1.11) from my spoke using the tunnel but my computer cannot ping it. Why?

Hello

@lakhwaraa wrote:

interface Tunnel1
ip nhrp map 100.200.10.12 50.217.30.110
ip nhrp map 100.200.10.254 51.230.159.19

I have done this configuration by installing a secondary internet source and creating tunnel 2 with the same configuration.
it works, but tunnel 1 has some routing issue. How to check the routing issue?

By the sounds of it you have a dual DMVPN hub; if so, you need to implement some resiliency and conditional routing.
Append the following on the spoke (NHC) and test..
int tun 1
ip nhrp nhs 100.200.10.12 cluster 1
ip nhrp nhs 100.200.10.254 priority 255 cluster 1
ip nhrp nhs cluster 1 max-connections 1
ip nhrp nhs fallback 25
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul