1423 Views, 15 Helpful, 5 Replies

L2TPv3 Xconnect established, but same VLAN between sites not pinging.

Hello guys,

 

Sorry if this is the wrong section, but since the question is about layer 2 tunneling, I might as well have chosen the right place. So, as the title states, my L2TPv3 tunnel is established, but I can't ping my peers in the same VLAN. I have done this over a DMVPN tunnel. Here is the config:

 

DMVPN:

DRS Site

interface Tunnel1
ip address 10.200.246.2 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication kspr1
ip nhrp map multicast dynamic
ip nhrp map 10.200.246.1 10.200.201.2
ip nhrp map multicast 10.200.201.2
ip nhrp network-id 1
ip nhrp nhs 10.200.246.1
zone-member security REMOTE_ZONE
ip tcp adjust-mss 1360
tunnel source 10.200.242.252
tunnel mode gre multipoint
tunnel protection ipsec profile PROTECT_GRE

 

HQ:

interface Tunnel1
ip address 10.200.246.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp authentication kspr1
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0.201
tunnel mode gre multipoint
tunnel protection ipsec profile PROTECT_GRE

 

DMVPN Status on both Sides:

DRS:

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.200.201.2     10.200.246.1    UP 00:13:38     S

 

HQ:

Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.200.242.252   10.200.246.2    UP 00:14:03     D

 

Here is the Xconnect State:

DRS:

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Po4.63:63(Eth VLAN)          UP   l2tp 192.168.18.1:63            UP

 

HQ:

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Gi0/0.63:63(Eth VLAN)        UP   l2tp 192.168.18.2:63            UP

 

As you can see, I created subinterfaces for VLAN 63 on both ends, and also allowed that VLAN through the trunk interfaces on each switch.

 

Here are the configs for that:

DRS Switch:

interface Port-channel4
switchport trunk allowed vlan 63
switchport mode trunk

 

HQ Switch:

interface GigabitEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 63
switchport mode trunk
no cdp enable

 

xconnect config:

 

DRS:

pseudowire-class LAB-VLAN_63
encapsulation l2tpv3
ip local interface Loopback63

 

interface Loopback63
description ==XCONNECT Interface-VLAN_63==
ip address 192.168.18.2 255.255.255.252
zone-member security INSIDE_ZONE

 

interface Port-channel4.63
description ==XCONNECT_LAB==
encapsulation dot1Q 63
xconnect 192.168.18.1 63 encapsulation l2tpv3 pw-class LAB-VLAN_63

 

HQ:

pseudowire-class LAB-VLAN_63
encapsulation l2tpv3
ip local interface Loopback63

 

interface Loopback63
description ==INTERFACE_FOR_XCONNECT-TO-DRS==
ip address 192.168.18.1 255.255.255.252

 

interface GigabitEthernet0/0.63
description ==XCONNECT_LAB_VLAN63==
encapsulation dot1Q 63
no cdp enable
xconnect 192.168.18.2 63 encapsulation l2tpv3 pw-class LAB-VLAN_63

 

When I issue the command "show l2tp session all", this is what I get:

 

DRS:

Session id 1283494775 is up, logical session id 41359, tunnel id 299214979
Remote session id is 1674789417, remote tunnel id 1804659859
Locally initiated session
Unique ID is 0
Session Layer 2 circuit, type is Ethernet Vlan, name is Port-channel4.63:63
Session vcid is 63
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 1598100029
Remote tunnel name is PSTN_GW
Internet address is 192.168.18.1
Local tunnel name is KSPR2S2SGW01
Internet address is 192.168.18.2
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 00:24:19
118 Packets sent, 3026 received
7834 Bytes sent, 297952 received
Last clearing of counters never
Counters, ignoring last clear:
118 Packets sent, 3026 received
7834 Bytes sent, 297952 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff731623 c0a81202
c0a81201 63d34229
Sequencing is off
Conditional debugging is disabled
SSM switch id is 7486, SSM segment id is 8638

 

HQ:

Session id 1674789417 is up, logical session id 65681, tunnel id 1804659859
Remote session id is 1283494775, remote tunnel id 299214979
Remotely initiated session
Unique ID is 0
Session Layer 2 circuit, type is Ethernet Vlan, name is GigabitEthernet0/0.63:63
Session vcid is 63
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 1598100029
Remote tunnel name is KSPR2S2SGW01
Internet address is 192.168.18.2
Local tunnel name is PSTN_GW
Internet address is 192.168.18.1
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 00:26:29
3388 Packets sent, 0 received
334242 Bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
3388 Packets sent, 0 received
334242 Bytes sent, 0 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff731623 c0a81201
c0a81202 4c809377
Sequencing is off
Conditional debugging is disabled
SSM switch id is 4096, SSM segment id is 8339

 

As you can see from the highlighted parts, the HQ router isn't receiving any packets, but the DRS router is both sending and receiving... which is weird. Can someone please enlighten me with some ideas of what might cause this issue? I had xconnect working 2 days ago; it worked just fine for 24 hours, but now it's not working anymore. I was using another router at that time, so I thought maybe the router was faulty or something along those lines, but this router (HQ side) is not working either, so maybe I have something that I forgot.

 

Thanks a lot.
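The "FS cached header information" dumps in the two "show l2tp session all" outputs above are the exact bytes each router prepends to a customer frame: 20 bytes of IPv4 header followed by the 4-byte L2TPv3 session ID, which is the "encap size = 24 bytes" the router reports (no cookie is in use, per "No session cookie information available", and sequencing is off, so there is no L2-specific sublayer). The decoder below is an added example, not part of the original post or of any Cisco tool; it takes the two hex dumps quoted in the thread, verifies the IPv4 header checksum, and checks that protocol, addresses and the session ID line up with the session each router reports. The expected values passed to header_matches_session are the ones the thread shows (the session ID in the cached header must equal the peer's "Remote session id"). One thing worth noting from a security angle: without a cookie, anyone who can reach the loopback addresses and guesses the 32-bit session ID can inject frames into VLAN 63; RFC 3931 cookies exist for exactly that reason.

```python
import struct
from ipaddress import IPv4Address

# The two "FS cached header information" dumps quoted in the post: 20 bytes of
# IPv4 header followed by the 4-byte L2TPv3 session ID (no cookie, no L2-specific
# sublayer), which is the "encap size = 24 bytes" the router reports.
DRS_CACHED_HEADER = "45000014 00000000 ff731623 c0a81202 c0a81201 63d34229"
HQ_CACHED_HEADER = "45000014 00000000 ff731623 c0a81201 c0a81202 4c809377"

L2TPV3_IP_PROTOCOL = 115  # RFC 3931: L2TPv3 carried directly over IP


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when the stored checksum is valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += int.from_bytes(header[i:i + 2], "big")
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_cached_header(hexwords: str) -> dict:
    """Decode the router's cached IPv4 + L2TPv3 encapsulation header."""
    raw = bytes.fromhex(hexwords.replace(" ", ""))
    if len(raw) < 24:
        raise ValueError(f"expected at least 24 bytes, got {len(raw)}")
    ip = raw[:20]
    (ver_ihl, tos, total_len, _ident, flags_frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", ip[:12])
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "tos": tos,
        "total_length": total_len,      # placeholder (20); rewritten per packet
        "df": bool(flags_frag & 0x4000),  # "DF bit off" in the show output
        "ttl": ttl,                       # "TTL value 255" in the show output
        "protocol": proto,
        "checksum_ok": ipv4_header_checksum(ip) == 0,
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
        "session_id": int.from_bytes(raw[20:24], "big"),
    }


def header_matches_session(hexwords: str, local_ip: str, peer_ip: str,
                           remote_session_id: int) -> list:
    """List every way the cached header disagrees with the session it should serve."""
    h = decode_cached_header(hexwords)
    problems = []
    if h["protocol"] != L2TPV3_IP_PROTOCOL:
        problems.append(f"protocol {h['protocol']} is not L2TPv3 (115)")
    if not h["checksum_ok"]:
        problems.append("IPv4 header checksum does not verify")
    if h["src"] != local_ip or h["dst"] != peer_ip:
        problems.append(f"addresses {h['src']}->{h['dst']} do not match {local_ip}->{peer_ip}")
    if h["session_id"] != remote_session_id:
        problems.append(f"session id {h['session_id']} != remote session id {remote_session_id}")
    return problems


if __name__ == "__main__":
    for name, hdr in (("DRS", DRS_CACHED_HEADER), ("HQ", HQ_CACHED_HEADER)):
        print(name, decode_cached_header(hdr))
```

For the dumps in this thread both headers decode cleanly: protocol 115, TTL 255, DF clear, a valid checksum, and a session ID equal to the peer's "Remote session id". So the encapsulation itself is consistent on both ends, which points the search at what happens to the protocol-115 packets between the two loopbacks rather than at the pseudowire signalling.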

 

5 Replies

Run show crypto ipsec sa on both HQ and DRS,
and check whether there are inbound and outbound SAs on HQ.

Here they are:

HQ:

ASSE_KS_PSTN_GW#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.200.201.2    10.200.242.252  QM_IDLE           1057 ACTIVE
 
show crypto session output:
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 10.200.242.252 port 500
Session ID: 0
IKEv1 SA: local 10.200.201.2/500 remote 10.200.242.252/500 Active
IPSEC FLOW: permit 47 host 10.200.201.2 host 10.200.242.252
Active SAs: 2, origin: crypto map
 
DRS:
KSPR2S2SGW01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.200.201.2    10.200.242.252  QM_IDLE           1028 ACTIVE
 
show crypto session output:
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 10.200.201.2 port 500
Session ID: 0
IKEv1 SA: local 10.200.242.252/500 remote 10.200.201.2/500 Active
IPSEC FLOW: permit 47 host 10.200.242.252 host 10.200.201.2
Active SAs: 2, origin: crypto map
 
I tried this even without IPSec, but my xconnect still doesn't work.

Check the firewall in Windows to see whether it allows ping or not.

Also, I need to see show crypto ipsec sa on HQ.

Ping is allowed because it was working. But at the moment I can't even ping from my switch. I have 3 switches in 1 HSRP group, and the switch on the DRS side sees the HQ switches but can't ping them, which is strange. Here is the HSRP output:

 

Vlan63 - Group 63 (version 2)
State is Listen
27 state changes, last state change 00:05:16
Virtual IP address is 10.200.63.250
Active virtual MAC address is 0000.0c9f.f03f (MAC Not In Use)
Local virtual MAC address is 0000.0c9f.f03f (v2 default)
Hello time 5 sec, hold time 10 sec
Preemption disabled
Active router is 10.200.63.251, priority 10 (expires in 9.168 sec)
MAC address is 0006.f64b.7ad8
Standby router is 10.200.63.252, priority 9 (expires in 10.832 sec)
Priority 3 (configured 3)
Group name is "NAME" (cfgd)

 

Here is the IPsec SA:

 

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.200.201.2

protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.201.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.200.242.252/255.255.255.255/47/0)
current_peer 10.200.242.252 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 282, #pkts encrypt: 282, #pkts digest: 282
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.200.201.2, remote crypto endpt.: 10.200.242.252
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x45EC3435(1173107765)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE2396C38(3795414072)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 4041, flow_id: Onboard VPN:2041, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4334968/86261)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x45EC3435(1173107765)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 4042, flow_id: Onboard VPN:2042, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4334909/86261)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
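The two counter sets posted in this thread tell the same story from different layers: in the original post's "show l2tp session all" output DRS reports 118 sent / 3026 received while HQ reports 3388 sent / 0 received, and in the HQ "show crypto ipsec sa" output above encaps is 282 against decaps 6. Lining up "sent on one end" with "received on the other" per direction is the quickest way to say which direction is broken before touching the zone-based firewall or the IPsec configuration. The script below is an added example, not code from the thread or from Cisco; it parses constructed excerpts containing the counter lines quoted in the thread and classifies each direction. The 0.5 ratio threshold and the labels ("ok", "lossy", "lost", "idle") are assumptions of this example. The IPsec check compares one peer's own encaps and decaps, so it only shows the inbound side being far quieter than the outbound; it does not identify where the packets are dropped.

```python
import re

# Constructed excerpts: the counter lines from the "show l2tp session all" output
# in the original post and from the HQ "show crypto ipsec sa" output posted later
# in the thread. Only the lines the parser needs are kept.
DRS_L2TP = """\
Session id 1283494775 is up, logical session id 41359, tunnel id 299214979
Session state is established, time since change 00:24:19
118 Packets sent, 3026 received
7834 Bytes sent, 297952 received
"""
HQ_L2TP = """\
Session id 1674789417 is up, logical session id 65681, tunnel id 1804659859
Session state is established, time since change 00:26:29
3388 Packets sent, 0 received
334242 Bytes sent, 0 received
"""
HQ_IPSEC = """\
local ident (addr/mask/prot/port): (10.200.201.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.200.242.252/255.255.255.255/47/0)
#pkts encaps: 282, #pkts encrypt: 282, #pkts digest: 282
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
"""

_L2TP_RE = re.compile(r"(\d+) Packets sent, (\d+) received")
_IPSEC_RE = re.compile(r"#pkts encaps: (\d+).*?#pkts decaps: (\d+)", re.S)


def parse_l2tp_counters(text: str) -> dict:
    """First 'N Packets sent, M received' line of a show l2tp session all block."""
    m = _L2TP_RE.search(text)
    if m is None:
        raise ValueError("no L2TP packet counters in input")
    return {"sent": int(m.group(1)), "received": int(m.group(2))}


def parse_ipsec_counters(text: str) -> dict:
    """encaps/decaps pair from a show crypto ipsec sa block."""
    m = _IPSEC_RE.search(text)
    if m is None:
        raise ValueError("no IPsec encaps/decaps counters in input")
    return {"encaps": int(m.group(1)), "decaps": int(m.group(2))}


def classify(sent: int, received: int, min_ratio: float = 0.5) -> str:
    """Label one direction from the sender's and receiver's counters (threshold assumed)."""
    if sent == 0:
        return "idle"
    if received == 0:
        return "lost"
    return "ok" if received / sent >= min_ratio else "lossy"


def pseudowire_directions(a: str, a_ctr: dict, b: str, b_ctr: dict) -> dict:
    """Compare each end's sent counter with the other end's received counter."""
    return {
        f"{a}->{b}": classify(a_ctr["sent"], b_ctr["received"]),
        f"{b}->{a}": classify(b_ctr["sent"], a_ctr["received"]),
    }


def ipsec_symmetry(ctr: dict) -> str:
    """How one peer's inbound (decaps) compares with its own outbound (encaps)."""
    return classify(ctr["encaps"], ctr["decaps"])


if __name__ == "__main__":
    drs, hq = parse_l2tp_counters(DRS_L2TP), parse_l2tp_counters(HQ_L2TP)
    print(pseudowire_directions("DRS", drs, "HQ", hq))
    print("HQ IPsec inbound vs outbound:", ipsec_symmetry(parse_ipsec_counters(HQ_IPSEC)))
```

On the thread's numbers the result is DRS->HQ "lost" and HQ->DRS "ok", and HQ's IPsec inbound is "lossy" relative to its outbound. Whether the protocol-115 packets from 192.168.18.2 even enter the DMVPN tunnel depends on how that loopback is routed, which the thread does not show, so the next step is to confirm the path for 192.168.18.0/30 on DRS and then count protocol-115 packets on HQ's Tunnel1 and on its loopback-facing policy (DRS has Tunnel1 in REMOTE_ZONE and Loopback63 in INSIDE_ZONE; HQ's zone configuration is not posted).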

Hi, have you found a solution so far? I'm hitting the same issue.

Thanks for your help
