Tunnel went DOWN, the fragment table has reached its maximum threshold

JonRedn11

Hi everyone,

Suddenly, my Cisco-to-Cisco tunnels stopped working and I'm getting these messages:

*Dec 15 2023 20:41:52.180: %DMVPN-5-NHRP_CACHE: Client 192.xxx.xx.xxx on Tunnel went DOWN.
*Dec 15 2023 20:42:10.352: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0.102: the fragment table has reached its maximum threshold 16
*Dec 15 2023 20:42:35.201: %DMVPN-3-NHRP_ERROR: Resolution Request failed for 0.0.0.0 on Tunnel
*Dec 15 2023 20:42:41.305: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/1.300: the fragment table has reached its maximum threshold 16
*Dec 15 2023 20:43:11.329: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0.102: the fragment table has reached its maximum threshold 16

I executed the command virtual-reassembly <max-reassemblies> according to some comments, but I still have the problem.

Please, can someone help me?

Thx
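
A triage sketch for the log lines quoted in the post above, added here as an example and not part of the original post: it tallies %IP_VFR-4-FRAG_TABLE_OVERFLOW messages per interface and lists the DMVPN messages logged within a time window of an overflow. The function names and the 60-second default window are assumptions, and closeness in time alone does not establish the cause.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Log lines as quoted in the post above (client address already masked there).
SAMPLE_LOG = """\
*Dec 15 2023 20:41:52.180: %DMVPN-5-NHRP_CACHE: Client 192.xxx.xx.xxx on Tunnel went DOWN.
*Dec 15 2023 20:42:10.352: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0.102: the fragment table has reached its maximum threshold 16
*Dec 15 2023 20:42:35.201: %DMVPN-3-NHRP_ERROR: Resolution Request failed for 0.0.0.0 on Tunnel
*Dec 15 2023 20:42:41.305: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/1.300: the fragment table has reached its maximum threshold 16
*Dec 15 2023 20:43:11.329: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0.102: the fragment table has reached its maximum threshold 16
"""

# "*<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
OVERFLOW_RE = re.compile(
    r"^(?P<intf>\S+): the fragment table has reached its maximum threshold (?P<limit>\d+)")

def parse(log):
    """Return (timestamp, facility, mnemonic, message) for each recognised line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
            events.append((ts, m["fac"], m["mnem"], m["msg"]))
    return events

def overflow_by_interface(events):
    """Count fragment-table overflow messages per (interface, threshold)."""
    counts = Counter()
    for _, fac, mnem, msg in events:
        if (fac, mnem) == ("IP_VFR", "FRAG_TABLE_OVERFLOW"):
            m = OVERFLOW_RE.match(msg)
            if m:
                counts[(m["intf"], int(m["limit"]))] += 1
    return counts

def dmvpn_near_overflow(events, window=timedelta(seconds=60)):
    """DMVPN messages logged within `window` of any overflow message."""
    overflow_times = [ts for ts, fac, mnem, _ in events
                      if (fac, mnem) == ("IP_VFR", "FRAG_TABLE_OVERFLOW")]
    return [(ts, mnem) for ts, fac, mnem, _ in events
            if fac == "DMVPN" and any(abs(ts - o) <= window for o in overflow_times)]

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(overflow_by_interface(evts))
    print(dmvpn_near_overflow(evts))
```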


What MTU do you use with this DMVPN tunnel?

@MHM Cisco World

ip mtu 1400
ip tcp adjust-mss 1360

Ping <client tunnel IP that face issue> size 1400 df-bit source <hub tunnel IP>

Test whether the ISP supports this MTU 1400 or not

MHM

@MHM Cisco World, it's down:

ping [client tunnel IP] size 1400 df-bit source [hub tunnel IP]

Type escape sequence to abort.
Sending 5, 1400-byte ICMP Echos to [client tunnel IP], timeout is 2 seconds:
Packet sent with a source address of [hub tunnel IP]
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)

Then check with your ISP and ask him about the MTU size.

The router needs to send packets to the other routers using a small MTU, so it fragments them, and this generates this log.

I will also check more about this log and update you.

MHM

Thanks @MHM Cisco World,

After several tests, I'm getting this message from the client tunnel: %CRYPTO-4-IKMP_NO_SA: IKE message from [Public_IP_hub] has no SA and is not an initialization offer.

I'll read about this.


JonRedn11

Hi everyone,

More information for this case:

#show ip nhrp:
(remote_clientvpn_1) via (remote_clientvpn_1), Tunnel0 created 00:14:53, expire 00:05:35
Type: dynamic, Flags: nat registered used
NBMA address: (public_ip)
(remote_clientvpn_2)/32, Tunnel0 created 00:01:00, expire 00:02:04
Type: incomplete, Flags: negative
Cache hits: 7
(remote_clientvpn_3)/32, Tunnel0 created 00:02:14, expire 00:00:50
Type: incomplete, Flags: negative
Cache hits: 7

Please, can someone help me? I tried a lot of tests but it doesn't work.
Best regards.

Jo


Help is here, don't worry. I will try to figure out what the problem is here.

Now I see the NAT flag; this can cause a huge issue in DMVPN.

Is this spoke behind NAT?

MHM

JonRedn11

Hi @MHM Cisco World,

No, it's not behind NAT. Look, it's very weird. I realized that if I reboot a client, the tunnel comes up again for a few minutes before it falls again.

I will share some points to check whether your spoke is behind NAT or not.

MHM

I found new information by a debug:

*Dec 20 2023 21:06:29.268: NHRP: MACADDR: if_in INTERFACE netid-in 0 if_out Tunnel0 netid-out ID
*Dec 20 2023 21:06:29.268: NHRP: Checking for delayed event 0.0.0.0/CLIENT_VPN on list (Tunnel0).
*Dec 20 2023 21:06:29.268: NHRP: No node found.
*Dec 20 2023 21:06:29.268: IKE Dispatcher: Unexpected destination port 4500. Dropping packet!

But I don't understand exactly what it means.

Did you check NAT?

Can you share show ip nhrp on the hub?

MHM

Yes, I did, but it isn't behind NAT.

In hub:
RO1Ba#Show ip nhrp
Client_VPN1/32, Tunnel0 created 00:01:10, expire 00:01:54
Type: incomplete, Flags: negative
Cache hits: 7
Client_VPN2/32, Tunnel0 created 00:02:22, expire 00:00:42
Type: incomplete, Flags: negative
Cache hits: 7
Client_VPN3/32, Tunnel0 created 00:01:24, expire 00:01:40
Type: incomplete, Flags: negative
Cache hits: 7
Client_VPN4/32, Tunnel0 created 00:01:04, expire 00:02:00
Type: incomplete, Flags: negative
Cache hits: 7
Client_VPN5/32, Tunnel0 created 00:00:07, expire 00:02:57
Type: incomplete, Flags: negative
Cache hits: 4

I already ran a lab.
On the R1 hub, show dmvpn gives us the spoke IP.
When we return to the spoke, show ip int brief doesn't show this IP, i.e. the spoke is behind NAT.
This can be OK in some cases, but in others it kills the DMVPN tunnel.

MHM
