MGre and Tunnel protection

Jonn cos
Level 4

Hi all experts.

I am facing a very weird issue; kindly look into it and let us all benefit from your expertise. Please don't run away after seeing this long post.

First, I am giving all the details.

I have one 3845 router in my HO. 100 branches are connecting to it. We have divided all branches into 2 OSPF areas, i.e.

area 1

area 2

I am using 2 mGRE tunnels for these branches on my 3845-core router. Everything is working fine now. All branches are connecting to my 3845-core and proper routing is taking place, which means everything is OK!

Following are the 2 mGRE tunnels on my 3845-core router.

For Area 1

int tun 1101

description Tunnel for Area 1
ip address 172.17.5.1 255.255.255.0
no ip redirects
ip flow ingress
ip nhrp authentication *****
ip nhrp map multicast dynamic
ip nhrp network-id 1101
ip ospf network point-to-multipoint
ip ospf cost 100
ip ospf hello-interval 10
ip ospf mtu-ignore
load-interval 30
tunnel source x.x.x.x
tunnel mode gre multipoint
tunnel key 1101

For Area 2

int tun 2202

description Tunnel for Area 2
ip address 172.17.6.1 255.255.255.0
no ip redirects
ip flow ingress
ip nhrp authentication *****
ip nhrp map multicast dynamic
ip nhrp network-id 2202
ip ospf network point-to-multipoint
ip ospf cost 100
ip ospf hello-interval 10
ip ospf mtu-ignore
load-interval 30
tunnel source x.x.x.x 
tunnel mode gre multipoint
tunnel key 2202

Now the problem arises when I try to apply tunnel protection to these tunnels. I will keep it short.

The problem is:

Only one tunnel (whether "Tunnel 1101" or "Tunnel 2202") is able to function properly with tunnel protection, while the other doesn't even get NHRP registration requests! Now kindly bear with me as I present a branch that falls on tunnel 2202 after applying tunnel protection.

Sample branch (after applying tunnel protection):

interface Tunnel 2202
description Tunnel of Area 2
ip address 172.17.6.6 255.255.255.0
ip nhrp authentication ****
ip nhrp map 172.17.6.1 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 2202
ip nhrp nhs 172.17.6.1
ip nhrp registration timeout 35
ip ospf network point-to-point
ip ospf cost 100
ip ospf mtu-ignore
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel key 2202
tunnel protection ipsec profile Tunnel-2202

Crypto configuration of the branch:

crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key 6 ****   address x.x.x.x
crypto ipsec transform-set Tunnel-2202 esp-des esp-md5-hmac
mode transport
crypto ipsec profile Tunnel-2202
set transform-set Tunnel-2202

crypto ipsec df-bit clear

Branch# sh crypto isakmp sa

172.18.x.x   172.18.x.x   QM_IDLE           1021    0 ACTIVE

Branch#sh crypto ipsec sa int tun 2202

interface: Tunnel2202
    Crypto map tag: Tunnel2202-head-0, local addr 172.18.144.38

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.x.x/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.18.x.x/255.255.255.255/47/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
   #pkts encaps: 342, #pkts encrypt: 342, #pkts digest: 342
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 17, #recv errors 0

The Area 1 tunnel is working fine with tunnel protection, whereas the Area 2 tunnel doesn't come up.

Now when I check on the 3845-core router:

3845-Core# sh crypto ipsec sa int tun 2202

3845-Core#

It's blank! On the branch it shows up under the IPsec SA, but over here it shows nothing!

Can someone please help me?

Following are the results of sh ver:

Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 11-Jul-08 02:28 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

3845-Core uptime is 2 weeks, 6 days, 19 hours, 7 minutes
System returned to ROM by reload at 11:32:57 UTC Tue Sep 14 2010
System image file is "flash:c3845-advipservicesk9-mz.124-20.T.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 482304K/41984K bytes of memory.
Processor board ID FCZ113372SW
13 FastEthernet interfaces
2 Gigabit Ethernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

Someone, please!
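The two outputs in the post carry the whole diagnosis: the branch SA counts encaps but zero decaps (traffic leaves, nothing ever comes back), and the hub shows no SA at all under Tunnel 2202. The following triage helper is an added example, not from the original post or from Cisco: it parses `show crypto ipsec sa` text, flags one-way SAs and empty per-interface output, and runs over a constructed sample modelled on the branch output above (the peer addresses 172.18.144.38 and 172.18.0.1 are made up stand-ins for the redacted ones).

```python
"""Triage helper for `show crypto ipsec sa` output.

Added example (not IOS code, not from the thread). It flags SAs that
encrypt but never decrypt, the one-way pattern seen on the branch, and
interfaces for which the command prints nothing, as seen on the hub.
"""
import re

# Constructed sample modelled on the branch output in the post; the
# addresses are invented stand-ins for the redacted x.x.x.x values.
BRANCH_OUTPUT = """\
interface: Tunnel2202
    Crypto map tag: Tunnel2202-head-0, local addr 172.18.144.38

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.18.144.38/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.18.0.1/255.255.255.255/47/0)
   current_peer 172.18.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 342, #pkts encrypt: 342, #pkts digest: 342
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 17, #recv errors 0
"""

# Constructed sample: the hub printed nothing for `int tun 2202`.
HUB_OUTPUT_TUN2202 = ""

_IFACE = re.compile(r"^interface:\s*(\S+)", re.M)
_PEER = re.compile(r"current_peer\s+(\S+)")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
_SENDERR = re.compile(r"#send errors\s*(\d+)")


def classify(encaps, decaps):
    """Verdict from the two counters that matter for a stuck tunnel."""
    if encaps == 0 and decaps == 0:
        return "idle: no traffic either way"
    if encaps > 0 and decaps == 0:
        return "one-way: we encrypt, peer never answers (check peer SA/tunnel binding)"
    if decaps > 0 and encaps == 0:
        return "one-way: peer sends, we never reply (check routing/NHRP)"
    return "bidirectional"


def parse_ipsec_sa(text):
    """Return one dict per `interface:` block with counters and a verdict."""
    results = []
    # Split right before each `interface:` header so each block keeps it.
    for block in re.split(r"(?m)^(?=interface:)", text):
        m = _IFACE.search(block)
        if not m:
            continue

        def num(rx):
            mm = rx.search(block)
            return int(mm.group(1)) if mm else 0

        encaps, decaps = num(_ENCAPS), num(_DECAPS)
        peer = _PEER.search(block)
        results.append({
            "interface": m.group(1),
            "peer": peer.group(1) if peer else None,
            "encaps": encaps,
            "decaps": decaps,
            "send_errors": num(_SENDERR),
            "verdict": classify(encaps, decaps),
        })
    return results


def triage(interface, text):
    """Empty output is itself a finding: no SA is bound to this interface."""
    found = parse_ipsec_sa(text)
    if not found:
        return [{"interface": interface,
                 "verdict": "no IPsec SA on this interface"}]
    return found


if __name__ == "__main__":
    for row in triage("Tunnel2202", BRANCH_OUTPUT):
        print("branch:", row)
    for row in triage("Tunnel2202", HUB_OUTPUT_TUN2202):
        print("hub:   ", row)
```

Run it against the pasted output of both ends: a branch verdict of "one-way" paired with a hub verdict of "no IPsec SA on this interface" means the hub did negotiate an SA with that peer but installed it somewhere other than the tunnel you are looking at, so the next command to run on the hub is `show crypto ipsec sa` without the interface filter.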

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Jonn,

There is an additional option, shared, to be used if you want both tunnels to be up using protection.

see

Use the shared keyword in the tunnel IPsec protection for both the tunnel interfaces on the hub, and on the spoke also.

Configuration example:

interface Tunnel43
 description <>
 tunnel source interface vlan10
 tunnel protection IPSec profile myprofile shared



!---
!--- Output is truncated
!---

interface Tunnel44
 description <>
 tunnel source interface vlan10
 tunnel protection IPSec profile myprofile shared

http://www.cisco.com/en/US/products/ps6658/products_tech_note09186a0080b2a901.shtml#verifynhrpreg

Hope to help

Giuseppe
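Why the shared keyword matters here, as an added illustrative model (not IOS code and not part of Giuseppe's reply): both hub tunnels use the same tunnel source, so each presents the identical IPsec proxy identity (hub/32, spoke/32, protocol 47). Without `shared` each tunnel keeps its own SADB and the first tunnel whose identity matches takes the SA, which is why one tunnel works and the hub shows nothing under the other. With `shared` the tunnels on that source use one SADB and the decrypted GRE packet is demultiplexed by tunnel key, which is also why Cisco requires a tunnel key on every tunnel that uses `shared`. The addresses below are constructed stand-ins for the redacted ones.

```python
"""Model of hub-side IPsec SA binding for two mGRE tunnels on one source.

Added example: an illustrative model of the documented behaviour of
`tunnel protection ipsec profile <name> shared`, not IOS code. Tunnel
names and keys are the thread's; addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GRE = 47  # protocol number carried in the proxy identity (x/32, y/32, 47)

HUB_SRC = "192.0.2.1"    # constructed stand-in for the hub's tunnel source
SPOKE_A1 = "192.0.2.11"  # constructed area-1 spoke
SPOKE_A2 = "192.0.2.22"  # constructed area-2 spoke

Ident = Tuple[str, str, int]


@dataclass(frozen=True)
class Tunnel:
    name: str
    source: str           # tunnel source (outer address)
    key: Optional[int]    # tunnel key; None if not configured
    shared: bool = False  # tunnel protection ipsec profile ... shared


@dataclass
class Hub:
    tunnels: List[Tunnel]
    # SADB: proxy identity -> tunnels entitled to receive on that SA
    sadb: Dict[Ident, List[Tunnel]] = field(default_factory=dict)

    def install_sa(self, local: str, peer: str) -> List[Tunnel]:
        """A spoke proposes (local/32, peer/32, 47). Per-tunnel SADBs
        (no `shared`) give the SA to the first tunnel whose identity
        matches, and every tunnel on the same source matches. With
        `shared`, all shared tunnels on that source own one SADB."""
        for t in self.tunnels:
            if t.source != local:
                continue
            if t.shared:
                owners = [u for u in self.tunnels
                          if u.source == local and u.shared]
                if any(u.key is None for u in owners):
                    raise ValueError("shared requires a tunnel key on every tunnel")
            else:
                owners = [t]
            self.sadb[(local, peer, GRE)] = owners
            return owners
        return []

    def deliver(self, local: str, peer: str, gre_key: Optional[int]) -> Optional[str]:
        """Decrypt, then hand the GRE packet to an owning tunnel whose
        key matches. Returns the tunnel name, or None if dropped."""
        owners = self.sadb.get((local, peer, GRE))
        if not owners:
            return None  # no SA at all for this peer
        for t in owners:
            if t.key == gre_key:
                return t.name
        return None      # decrypted on the wrong tunnel's SA: dropped

    def sas_on(self, tunnel_name: str) -> List[Ident]:
        """What `show crypto ipsec sa int <tunnel>` would list."""
        return [ident for ident, owners in self.sadb.items()
                if any(t.name == tunnel_name for t in owners)]


def build_hub(shared: bool) -> Hub:
    return Hub([Tunnel("Tunnel1101", HUB_SRC, 1101, shared),
                Tunnel("Tunnel2202", HUB_SRC, 2202, shared)])


def scenario(shared: bool) -> Dict[str, object]:
    """One area-1 spoke and one area-2 spoke register with the hub."""
    hub = build_hub(shared)
    hub.install_sa(HUB_SRC, SPOKE_A1)
    hub.install_sa(HUB_SRC, SPOKE_A2)
    return {
        "area1": hub.deliver(HUB_SRC, SPOKE_A1, 1101),
        "area2": hub.deliver(HUB_SRC, SPOKE_A2, 2202),
        "sa_on_2202": len(hub.sas_on("Tunnel2202")),
    }


if __name__ == "__main__":
    print("without shared:", scenario(False))
    print("with shared:   ", scenario(True))
```

Without `shared` the model reproduces the post exactly: the area-1 spoke is delivered, the area-2 spoke's packets are decrypted under Tunnel1101's SA and dropped on the key mismatch, and Tunnel2202 has no SA to show. The spoke side has the same constraint when a branch terminates more than one protected tunnel on one source, which is why the quoted note says to use `shared` on the spoke as well.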

Dear Giuslar

I have tried it on another router (on our DR site); everything is the same, meaning all the configuration is 100% the same. Only the IOS is different now:

c3845-advsecurityk9-mz.124-22.T.bin

Does it mean that the previous IOS, c3845-advipservicesk9-mz.124-20.T.bin, is buggy?

I have run some debugs and I can clearly see the problem. I will tell it briefly here.

When I debug crypto ipsec, I can see that IPsec packets from the sample branch, which should be associated with tunnel 1232, were being associated with tunnel 1231! I have made sure of all the tunnel keys, and everything works fine if I remove the tunnel protection.

Any idea if it's a bug? Can you help me locate this bug, please?

Hello Jonn,

I agree that this is probably a SW bug, and the good news is that you have already a working IOS image on the other device.

I remember from a search I did some months ago that there are some bugs related to DMVPN in 12.4(20)T; there were other threads about issues with DMVPN and 12.4(20)T.

Hope to help

Giuseppe

Dear Giuslar

I tried the shared option with this buggy IOS. Now not even a single tunnel can come up!

At first, one tunnel out of 2 was working. Currently, I removed tunnel protection from Tunnel 1232 and applied it only to Tunnel 1231 with the shared option. It's not working any more!

Any ideas why this is so ?
