Participant

DMVPN and EIGRP and redistribution

Hi,

I would like to ask about a DMVPN setup.

I tested DMVPN with GNS3. I am using the IOS image c7200-adventerprisek9-mz.152-4.S7.image.

I run EIGRP as the overlay protocol to carry routes. I also run static route redistribution. I didn't get the EIGRP routes or the static route on my branch router R1 (Spoke1). I saw the error message below on my hub router R2.

R2(config-if)#
*Nov 22 12:02:00.287: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.202.2 (Tunnel0) is down: retry limit exceeded
*Nov 22 12:02:00.395: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.202.2 (Tunnel0) is up: new adjacency

I already changed tcp adjust-mss to 1300 and mtu to 1400. I still get the error message. Let me know how to fix it.

RJI Advisor

Re: DMVPN and EIGRP and redistribution

Hi,
Can you run an EIGRP debug on the spoke router and provide the output, please?
For testing, can you remove "redistribute static" from the EIGRP configuration on the hub router and observe whether the issue remains?

FYI, I previously had issues using the 7200 image with GNS3 when testing DMVPN. I don't believe it's related to this specific issue you are facing, but something to be aware of.

HTH
Cisco Employee

Re: DMVPN and EIGRP and redistribution

Pretty sure this is a config issue. Please post the config here:

EIGRP is getting hellos only and then flaps, so it is not communicating properly:

1- NHRP/ESP are not passing through

2- redistributing the NBMA network into the overlay; I do not think it is the case, otherwise you would see the midchain errors.

check show cry ipsec sa // do you see encaps and decaps

check your config on both sides and paste it here, I can look at it here with you

Participant

Re: DMVPN and EIGRP and redistribution

Hi,

I didn't get this issue on physical devices. I already tested that.

Please see the config below and help me find my error.

R2#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.26.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.26.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.16.1/255.255.255.255/47/0)
current_peer 10.1.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.26.1, remote crypto endpt.: 10.1.16.1
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x5AF81C3C(1526209596)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x63AC0EBC(1672220348)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, sibling_flags 80000030, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4221679/3481)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:
spi: 0xFECC3623(4274796067)
transform: ah-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, sibling_flags 80000030, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4221679/3481)
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound pcp sas:

outbound esp sas:
spi: 0x754F0B8(123007160)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, sibling_flags 80000030, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4221679/3481)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:
spi: 0x5AF81C3C(1526209596)
transform: ah-sha-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, sibling_flags 80000030, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4221679/3481)
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound pcp sas:

R2(config)#do sh run
Building configuration...
Current configuration : 10208 bytes

ip domain name crypto.local
!
crypto pki trustpoint dmvpn-ca
enrollment terminal
serial-number none
ip-address none
subject-name cn=DMVPN ou=net c=SG
revocation-check none
rsakeypair dmvpn
!
crypto pki certificate map cert-map 10
subject-name co dmvpn
!

crypto ikev2 proposal proposal
encryption 3des
integrity sha1
group 2
!
crypto ikev2 policy policy
proposal proposal
!
!
crypto ikev2 profile DMVPN-PROF
description DMVPN-IKE2 profile
match certificate cert-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint dmvpn-ca

crypto ipsec transform-set DMVPN-TS ah-sha-hmac esp-3des
mode transport
!
crypto ipsec profile DMVPN-IPSEC
set transform-set DMVPN-TS
set ikev2-profile DMVPN-PROF
!
interface Tunnel0
description DMVPN
ip address 192.168.202.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip split-horizon eigrp 10
ip nhrp authentication 2o!18
ip nhrp network-id 111
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1300
tunnel source GigabitEthernet2/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN-IPSEC
!
interface GigabitEthernet2/0
ip address 10.1.26.1 255.255.255.252
negotiation auto
!
interface GigabitEthernet3/0
ip address 10.1.23.1 255.255.255.252
negotiation auto
!
router eigrp 10
network 10.1.23.0 0.0.0.255
network 192.168.202.1 0.0.0.0
!
router bgp 65200
bgp log-neighbor-changes
neighbor 10.1.26.2 remote-as 600
R1#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.1.16.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.16.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.26.1/255.255.255.255/47/0)
current_peer 10.1.26.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 290, #pkts encrypt: 290, #pkts digest: 290
#pkts decaps: 277, #pkts decrypt: 277, #pkts verify: 277
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.16.1, remote crypto endpt.: 10.1.26.1
path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0xFECC3623(4274796067)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x754F0B8(123007160)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, sibling_flags 80000030, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4316262/2517)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:
spi: 0x5AF81C3C(1526209596)
transform: ah-sha-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, sibling_flags 80000030, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4316262/2517)
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound pcp sas:
outbound esp sas:
spi: 0x63AC0EBC(1672220348)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, sibling_flags 80000030, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4316258/2517)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:
spi: 0xFECC3623(4274796067)
transform: ah-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, sibling_flags 80000030, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4316258/2517)
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound pcp sas:
R1#sh run
hostname R1
crypto pki trustpoint dmvpn-ca
enrollment terminal
serial-number none
ip-address none
subject-name cn=DMVPN ou=net c=SG
revocation-check none
rsakeypair dmvpn
!
crypto pki certificate map cert-map 10
subject-name co dmvpn
!
crypto ikev2 proposal proposal
encryption 3des
integrity sha1
group 2
!
crypto ikev2 policy policy
proposal proposal
!
crypto ikev2 profile DMVPN-PROF
description DMVPN-IKE2 profile
match certificate cert-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint dmvpn-ca
!
crypto ipsec transform-set DMVPN-TS ah-sha-hmac esp-3des
mode transport
!
crypto ipsec profile DMVPN-IPSEC
set transform-set DMVPN-TS
set ikev2-profile DMVPN-PROF
!
interface Tunnel1
description DMVPN Tunnel
ip address 192.168.202.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication 2o!18
ip nhrp map 192.168.202.1 10.1.26.1
ip nhrp map multicast 10.1.26.1
ip nhrp network-id 111
ip nhrp holdtime 60
ip nhrp nhs 192.168.202.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN-IPSEC
!

interface GigabitEthernet1/0
ip address 10.1.16.1 255.255.255.252
negotiation auto

interface GigabitEthernet4/0
ip address 10.1.14.1 255.255.255.252
negotiation auto
!
interface GigabitEthernet5/0
no ip address
shutdown
negotiation auto
!
!
router eigrp 10
network 10.1.14.0 0.0.0.255
network 192.168.202.2 0.0.0.0
!
router bgp 65100
bgp log-neighbor-changes
neighbor 10.1.16.2 remote-as 600

R1#

RJI Advisor

Re: DMVPN and EIGRP and redistribution

Why are you using AH and ESP encapsulation in your transform set? Try just ESP, e.g. "crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac".
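The two checks the replies above ask for, mechanised: does `show crypto ipsec sa` show both encaps and decaps advancing between two snapshots (the test suggested in the Cisco Employee's reply), and does the transform set carry AH next to ESP or legacy algorithms such as 3DES/SHA-1 (the point raised in the last reply)? This is an added example, not code from the thread or from Cisco. The sample output is constructed to follow the layout of the output posted above; its counters are made up, and the set of transforms flagged as "legacy" is this example's own classification, not an IOS concept.

```python
"""Sanity checks over IOS `show crypto ipsec sa` output for a DMVPN tunnel.

Added example for the thread above. Checks:
  1. Between two snapshots, do encaps AND decaps both advance? Encaps-only
     means we encrypt but nothing comes back (ESP/GRE blocked on the return
     path or at the peer); decaps-only is the mirror image; no movement at
     all means no NHRP/EIGRP traffic is being offered to the tunnel.
  2. Is AH in use alongside ESP, and are legacy transforms in the set?
"""
import re
from dataclasses import dataclass

# Constructed snapshot text, shaped like the thread's output. __ENC__ and
# __DEC__ are placeholders filled in by sample(); the SPIs are arbitrary.
SAMPLE = """\
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.26.1
current_peer 10.1.16.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: __ENC__, #pkts encrypt: __ENC__, #pkts digest: __ENC__
#pkts decaps: __DEC__, #pkts decrypt: __DEC__, #pkts verify: __DEC__
#send errors 0, #recv errors 0

inbound esp sas:
spi: 0x11111111(286331153)
transform: esp-3des ,
in use settings ={Transport, }
Status: ACTIVE(ACTIVE)

inbound ah sas:
spi: 0x22222222(572662306)
transform: ah-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE(ACTIVE)

outbound esp sas:
spi: 0x33333333(858993459)
transform: esp-3des ,
in use settings ={Transport, }
Status: ACTIVE(ACTIVE)

outbound ah sas:
spi: 0x44444444(1145324612)
transform: ah-sha-hmac ,
in use settings ={Transport, }
Status: ACTIVE(ACTIVE)
"""

# Example's own list of transforms worth replacing (3DES, DES, MD5, SHA-1).
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac",
          "ah-md5-hmac", "ah-sha-hmac"}


def sample(encaps: int, decaps: int) -> str:
    """Return the constructed snapshot with the given counter values."""
    return SAMPLE.replace("__ENC__", str(encaps)).replace("__DEC__", str(decaps))


@dataclass(frozen=True)
class IpsecSa:
    local: str
    peer: str
    encaps: int
    decaps: int
    transforms: frozenset


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Pull the fields we care about out of one SA block of show output."""
    def one(pattern: str) -> str:
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)
    return IpsecSa(
        local=one(r"local addr (\S+)"),
        peer=one(r"current_peer (\S+) port"),
        encaps=int(one(r"#pkts encaps: (\d+)")),
        decaps=int(one(r"#pkts decaps: (\d+)")),
        # "transform: esp-3des ," -> "esp-3des"; inbound/outbound dedupe via set
        transforms=frozenset(re.findall(r"^transform: (\S+)", text, re.M)),
    )


def traffic_verdict(before: IpsecSa, after: IpsecSa) -> str:
    """Classify counter movement between two snapshots of the same SA."""
    d_enc, d_dec = after.encaps - before.encaps, after.decaps - before.decaps
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"
    if d_enc > 0:
        return "encaps-only"
    if d_dec > 0:
        return "decaps-only"
    return "none"


def uses_ah(sa: IpsecSa) -> bool:
    """True when any AH transform is present (AH+ESP double encapsulation)."""
    return any(t.startswith("ah-") for t in sa.transforms)


def check_tunnel(before_text: str, after_text: str) -> dict:
    """Run both checks and return a report keyed for scripting."""
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    return {
        "peer": after.peer,
        "traffic": traffic_verdict(before, after),
        "uses_ah": uses_ah(after),
        "legacy_transforms": sorted(after.transforms & LEGACY),
    }


if __name__ == "__main__":
    # Two constructed snapshots a minute apart: encaps grows, decaps stalls.
    print(check_tunnel(sample(32, 32), sample(90, 32)))
```

In practice you would paste two real `show crypto ipsec sa` captures taken a minute apart into `check_tunnel` in place of `sample(...)`; a `traffic` value of `encaps-only` on the hub, as in the constructed run, points at the return path rather than at EIGRP itself, while `none` on both sides means nothing is reaching the tunnel to begin with.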