01-19-2015 02:00 AM - edited 02-21-2020 08:01 PM
Hi experts,
I am facing an EIGRP routing issue. Can anyone kindly assist?
The topology is as below; each router has only two tunnels, and they run in the same EIGRP AS.
Here is my question, in red with underline:
R2: sh ip ro
D 192.168.30.0/24 [90/310172416] via 192.168.1.1, 01:08:05, Tunnel1
[90/310172416] via 192.168.0.3, 01:08:05, Tunnel0
R3: sh ip ro
D 192.168.20.0/24 [90/310172416] via 192.168.1.1, 01:12:25, Tunnel1
[90/310172416] via 192.168.0.2, 01:12:25, Tunnel0
The result above is not what I expect. As I understand it:
At R2, 192.168.30.0 learned from Tunnel1 should be via 192.168.1.3, not the red one.
At R3, 192.168.20.0 learned from Tunnel1 should be via 192.168.1.2, not the red one.
Because it is via 192.168.1.1, that means the traffic must go through R1 (spoke to hub), not spoke to spoke, am I right?
I hope the route between R2 and R3 can always use the spoke-to-spoke tunnel.
I also checked NHRP and IPsec status; everything looks like it works properly except the EIGRP route I mentioned above.
Here is configuration:
R1:
interface Loopback0
ip address 192.168.10.254 255.255.255.0
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip accounting output-packets
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.16.15.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface Tunnel1
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip accounting output-packets
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.17.15.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 1
network 192.168.0.0
network 192.168.1.0
network 192.168.10.0
no auto-summary
R2:
interface Tunnel0
ip address 192.168.0.2 255.255.255.0
no ip redirects
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 192.168.0.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.16.25.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface Tunnel1
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.1.1 172.17.15.2
ip nhrp map multicast 172.17.15.2
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp nhs 192.168.1.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.17.25.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 1
network 192.168.0.0
network 192.168.1.0
network 192.168.20.0
no auto-summary
R3
interface Loopback0
ip address 192.168.30.254 255.255.255.0
!
interface Tunnel0
ip address 192.168.0.3 255.255.255.0
no ip redirects
ip hold-time eigrp 1 35
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.0.1 172.16.15.2
ip nhrp map multicast 172.16.15.2
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 192.168.0.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.16.35.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
interface Tunnel1
ip address 192.168.1.3 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 1
ip nhrp authentication cisco123
ip nhrp map 192.168.1.1 172.17.15.2
ip nhrp map multicast 172.17.15.2
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp nhs 192.168.1.1
ip nhrp cache non-authoritative
no ip split-horizon eigrp 1
tunnel source 172.17.35.2
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
router eigrp 1
network 192.168.0.0
network 192.168.1.0
network 192.168.30.0
01-21-2015 06:50 AM
Hello,
Do you have the same isakmp key for all devices (for example, when R2 wants to connect to R3 the key must be crypto isakmp key cisco123 address 172.16.35.2)? Also, in our network we don't have the "no ip next-hop-self eigrp" line on the spoke routers and it works well. Can you try deleting them (but I'm not sure that will help you)?
01-26-2015 07:35 PM
Hi AllertGen,
Thanks for your feedback. Actually, I am using "crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0" for the hub and all spokes.
I think IPsec is not the problem. I also tried removing "no ip next-hop-self eigrp 1" from the spokes,
but it doesn't work.
Thanks
01-27-2015 03:36 AM
Hi, sam19800816.
I'm trying to look at your configuration more deeply to find the source of the problem. I see that the topology in your diagram is different from your configuration. On each router you have 1 ISP and 2 tunnel interfaces (look at the tunnel source; the interface is the same). Also, all your tunnels have the same priority in EIGRP, so maybe there is some type of protection that prevents spoke-to-spoke communication (because in this case you would have 2 routes to another spoke with the same priority and to the same IP address, but through 2 different NHRP clouds).
Also, do your tunnels work well? As far as I know, you can't use the same ipsec profile on the same device on different tunnel interfaces without the command "shared" at the end of the line.
Can you also show the output of these commands:
sh dmvpn
sh ip eigrp topology
sh ip nhrp
And if you really want to test the network as you showed it in the diagram, you need to create one more interface on each router. It can be a physical interface, or a subinterface using .# at the end of the physical interface (for example Gi0/0.1, but don't forget to use the encapsulation command inside the subinterface), or a VRF.
01-27-2015 07:41 PM
Hi AllertGen,
Each router's Tunnel0 and Tunnel1 work well; they can all ping each other's IPs via Tunnel0 and Tunnel1 (192.168.0.0/24 & 192.168.1.0/24),
and each router also has two physical interfaces connected to different ISPs.
In this topology, my purpose is that spoke-to-spoke traffic has two routes via two NHRP clouds. I keep the same EIGRP priority on each router just for equal-cost load sharing; the more important thing is the next-hop IP.
Actually, the IPsec function is not my concern so far. I just tried your suggestion and added "shared" at the end of the line; it still has the same result. But as I understand it, if there were anything wrong with the IPsec profile, the tunnel wouldn't work well, am I right?
Thanks for your kind assistance.
Here are some show results from each router; I hope they are helpful.
R1
R1#sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.15.2 YES NVRAM up up
FastEthernet0/1 172.17.15.2 YES NVRAM up up
Loopback0 192.168.10.254 YES NVRAM up up
Tunnel0 192.168.0.1 YES NVRAM up up
Tunnel1 192.168.1.1 YES NVRAM up up
R1#sh dmvpn
R1#sh ip eigrp top
P 192.168.10.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.0.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
via Connected, Tunnel1
P 192.168.30.0/24, 2 successors, FD is 297372416
via 192.168.0.3 (297372416/128256), Tunnel0
via 192.168.1.3 (297372416/128256), Tunnel1
P 192.168.20.0/24, 2 successors, FD is 297372416
via 192.168.0.2 (297372416/128256), Tunnel0
via 192.168.1.2 (297372416/128256), Tunnel1
R1#sh ip nhrp
192.168.0.2/32 via 192.168.0.2, Tunnel0 created 20:53:39, expire 00:00:07
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.16.25.2
192.168.0.3/32 via 192.168.0.3, Tunnel0 created 20:53:38, expire 00:00:08
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.16.35.2
192.168.1.2/32 via 192.168.1.2, Tunnel1 created 4d17h, expire 00:00:07
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.17.25.2
192.168.1.3/32 via 192.168.1.3, Tunnel1 created 4d17h, expire 00:00:08
Type: dynamic, Flags: unique nat registered used
NBMA address: 172.17.35.2
R2
R2#sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.25.2 YES NVRAM up up
FastEthernet0/1 172.17.25.2 YES NVRAM up up
Loopback0 192.168.20.254 YES NVRAM up up
Tunnel0 192.168.0.2 YES NVRAM up up
Tunnel1 192.168.1.2 YES NVRAM up up
R2#sh ip eigrp topology
P 192.168.10.0/24, 2 successors, FD is 297372416
via 192.168.0.1 (297372416/128256), Tunnel0
via 192.168.1.1 (297372416/128256), Tunnel1
P 192.168.0.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
via Connected, Tunnel1
P 192.168.30.0/24, 2 successors, FD is 310172416
192.168.0.3 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
P 192.168.20.0/24, 1 successors, FD is 128256
via Connected, Loopback0
R2#sh ip nhrp
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d20h, never expire
Type: static, Flags: nat used
NBMA address: 172.16.15.2
192.168.0.3/32 via 192.168.0.3, Tunnel0 created 00:00:14, expire 00:00:51
Type: dynamic, Flags: router nat
NBMA address: 172.16.35.2
192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d20h, never expire
Type: static, Flags: nat used
NBMA address: 172.17.15.2
192.168.1.3/32 via 192.168.1.3, Tunnel1 created 00:00:12, expire 00:00:53
Type: dynamic, Flags: router nat
NBMA address: 172.17.35.2
R3
R3#sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.35.2 YES NVRAM up up
FastEthernet0/1 172.17.35.2 YES NVRAM up up
Loopback0 192.168.30.254 YES NVRAM up up
Tunnel0 192.168.0.3 YES NVRAM up up
Tunnel1 192.168.1.3 YES NVRAM up up
R3#sh dmvpn
R3#sh ip eigrp topology
P 192.168.10.0/24, 2 successors, FD is 297372416
via 192.168.0.1 (297372416/128256), Tunnel0
via 192.168.1.1 (297372416/128256), Tunnel1
P 192.168.0.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0
P 192.168.1.0/24, 1 successors, FD is 297244416
via Connected, Tunnel1
P 192.168.30.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.20.0/24, 2 successors, FD is 310172416
192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
R3#sh ip nhrp
192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d17h, never expire
Type: static, Flags: nat used
NBMA address: 172.16.15.2
192.168.0.2/32 via 192.168.0.2, Tunnel0 created 00:00:43, expire 00:00:22
Type: dynamic, Flags: router nat
NBMA address: 172.16.25.2
192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d17h, never expire
Type: static, Flags: nat used
NBMA address: 172.17.15.2
192.168.1.2/32 via 192.168.1.2, Tunnel1 created 00:01:02, expire 00:00:48
Type: dynamic, Flags: router nat implicit used
NBMA address: 172.17.25.2
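A check for the symptom shown in the outputs above, added here as an example and not posted by any participant in the thread: it parses `show ip eigrp topology` text in the layout shown and reports prefixes where one path kept a third-party next hop (the `A via B` form) while another path points at the advertising neighbor itself. The sample input is copied from the R3 output above; the function names are illustrative.

```python
import re

# Sample input: lines copied from the R3 "sh ip eigrp topology" output above.
SAMPLE_R3 = """\
P 192.168.10.0/24, 2 successors, FD is 297372416
via 192.168.0.1 (297372416/128256), Tunnel0
via 192.168.1.1 (297372416/128256), Tunnel1
P 192.168.30.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.20.0/24, 2 successors, FD is 310172416
192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
"""

PREFIX_RE = re.compile(r"^P\s+(\d+\.\d+\.\d+\.\d+/\d+),")
# "[next-hop] via neighbor (FD/RD), interface"; the leading address appears
# only when the neighbor advertised a next hop other than itself.
PATH_RE = re.compile(
    r"^(?:(\d+\.\d+\.\d+\.\d+)\s+)?via\s+(\d+\.\d+\.\d+\.\d+)\s+\(\d+/\d+\),\s*(\S+)")


def parse_topology(text):
    """Return {prefix: [(next_hop, neighbor, interface), ...]} for learned paths."""
    table, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFIX_RE.match(line)
        if m:
            current = m.group(1)
            table[current] = []
            continue
        m = PATH_RE.match(line)
        if m and current:
            # No leading address means the next hop is the neighbor itself.
            table[current].append((m.group(1) or m.group(2), m.group(2), m.group(3)))
    return table


def hub_relayed_paths(text):
    """Flag neighbor-as-next-hop paths of prefixes that also have a preserved next hop."""
    flagged = []
    for prefix, paths in parse_topology(text).items():
        if any(nh != nbr for nh, nbr, _ in paths):
            flagged += [(prefix, iface, nh) for nh, nbr, iface in paths if nh == nbr]
    return flagged


if __name__ == "__main__":
    print(hub_relayed_paths(SAMPLE_R3))
```

The hub's own 192.168.10.0/24 is not reported, because neither of its paths carries a third-party next hop.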
01-27-2015 10:38 PM
Hi, sam19800816.
Yes, it was my mistake, because I didn't notice the difference in the second octet. You really do use 2 different ISPs.
Also, from your EIGRP topology I see that everything works well. Here is an example from R3:
P 192.168.20.0/24, 2 successors, FD is 310172416
192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
In normal mode, when there is no traffic between spokes, they don't create tunnels between each other. So try sending ICMP from R3 to R2 and right after this look at sh cry isakmp sa. There must be a new connection between the spokes. Also, you can use traceroute right after sending ICMP to check that spoke-to-spoke traffic goes directly.
02-02-2015 07:38 PM
Hi AllertGen,
I also think EIGRP seems to work well via Tunnel0 and Tunnel1 between each router,
and I also sent ICMP traffic from each router to create the dynamic tunnel.
For example, in the R3 EIGRP topology below, what I want to figure out is why the second
successor is not via 192.168.1.2?
As per my trace result from one spoke to another spoke, because they both have two
successors, when R3 chooses Tunnel1 via 192.168.1.1 to R2, the traffic will
always pass through R1 and not go directly over the dynamic tunnel.
My goal is that spoke-to-spoke traffic must go directly over the dynamic tunnel
via Tunnel0 and Tunnel1. There is no problem via Tunnel0 so far, but via Tunnel1
it still has the wrong next-hop IP (192.168.1.1).
P 192.168.20.0/24, 2 successors, FD is 310172416
192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
Many thanks!!
02-02-2015 10:46 PM
Hi, sam19800816.
Just to check: if you turn off tunnel0 (on all routers), does the traffic via tunnel1 still go through R1?
And how did you check that the traffic via tunnel1 is going through R1? Can you show the EIGRP topology when the direct dynamic channel is up via tunnel1 (when tunnel0 is not shut down)? Also, can you use the command "show ip eigrp topology 192.168.20.0/24" (the example is for R3) for this?
Best Regards.
02-03-2015 02:41 AM
Hi AllertGen,
It was interesting. If I shut down Tunnel0 on all routers, the traffic between R2 and R3 goes directly and not via R1; everything works well, just like Tunnel0. But if Tunnel0 and Tunnel1 are both up at the same time, only Tunnel1 has the route problem that I mentioned above.
Before checking the traffic, I configured "ip accounting output-packets" on Tunnel0 at R1, then did an ICMP test from R2 to R3 or R3 to R2 using 192.168.x.x as the source. Finally, using "show ip accounting", I found there was no record at all. But if I configured "ip accounting output-packets" on Tunnel1 and did the same test, I would see the R2 and R3 connection record in "show ip accounting". So it means that R2 and R3 traffic does not go directly via Tunnel1.
Here is the EIGRP topology and sh dmvpn at R3, the same as I posted last time,
with Tunnel0 and Tunnel1 both up; you can see there are 2 peers on both Tunnel0 and
Tunnel1.
P 192.168.20.0/24, 2 successors, FD is 310172416
192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
via 192.168.1.1 (310172416/297372416), Tunnel1
02-03-2015 05:55 AM
Hi, sam19800816.
I think the source of the problem is using one EIGRP process for all tunnels. So your R1 gets a route from R2 via tunnel0 and sends it to R3 via tunnel1. But in this case it advertises this route as accessible through R1, because tunnel0 and tunnel1 are in different DMVPN clouds. Try to use a different EIGRP process for each DMVPN cloud.
But I'm not sure how route balancing will work in this case, because in this topology R2 can see R3 with the same metric via both EIGRP clouds. But, well, you already have the same situation with one EIGRP cloud.
Best Regards.
06-02-2015 08:43 PM
Hi, sam19800816!
Have you resolved this case?
I have the same problem, and configuring different ASes, as suggested by AllertGen, does not solve the problem.
Does anyone have some tips?
Best regards.
01-21-2015 11:33 AM
It is because you are repeatedly using "no ip next-hop-self eigrp 1" on the spokes as well as the hub. So when spokes send the update to the remote spokes, they PRESERVE the next-hop address as the hub address.
So just remove "no ip next-hop-self eigrp 1" from the spokes....
01-26-2015 07:47 PM
Hi rtnet_4820,
Thanks for your feedback. I have tried removing "no ip next-hop-self eigrp 1" from all spokes,
but it doesn't work; the EIGRP route on the spokes doesn't change.
Here is the "sh ip ro" result on the spokes:
R2:
D 192.168.30.0/24 [90/310172416] via 192.168.1.1, 00:37:06, Tunnel1 // it should be 192.168.1.3
[90/310172416] via 192.168.0.3, 00:37:06, Tunnel0
R3:
D 192.168.20.0/24 [90/310172416] via 192.168.1.1, 00:37:27, Tunnel1 // it should be 192.168.1.2
[90/310172416] via 192.168.0.2, 00:37:27, Tunnel0
thanks