Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1102
Views
0
Helpful
2
Replies

DMVPN + IPSec protected VRFs; IPSec SAs established only on one tunnel interface

wellu
Level 1
Level 1

‎03-07-2012 05:48 AM - edited ‎02-21-2020 05:56 PM

Hello folks!

I have a setup between two Cisco ISR routers, running IOS 15.1(4)M3. I have tried to establish DMVPN connectivity with two VRFs (ie. two tunnel interfaces per router) between the routers and it mostly seems to be working as I expected. But... IPSec SAs seem to get tied to only one of the tunnel interface, not two (one per direction) per tunnel interface as they should. There's no MPLS backbone in between the routers, only "global VRF", routed IP network.

Command "show crypto ipsec sa" or indirectly a missing OSPF neighborhood between the routers verifies the erroneuous situation. Occasionally, after an "interface tunnel[ 0 or 1] shut, no shut" or "clear crypto sa" command I seem to get it up and running, two SAs per tunnel interface, but if I reboot either one of the routers or just clear the IPSec SA, they most likely will appear under either one of two tunnel interfaces. So, what should I change to instruct the router setup SAs correctly, two SAs (one per direction) per tunnel interface?

I'll enclose appropriate parts of the configurations and output of command "show crypto ipsec sa".

Labels:
123999-sh-crypto-ipsec-sa.txt.zip
124000-spoke-router.txt.zip
124001-hub-router.txt.zip
0 Helpful
2 Replies 2

mstreb1585
Level 1
Level 1

‎04-04-2014 08:31 AM

wellu - Did you ever find a solution to this problem? I'm experiencing the same issue on a new implementation. This is the first thing I've found so far that describes the exact problem I have.

0 Helpful

mstreb1585
Level 1
Level 1
In response to mstreb1585

‎04-04-2014 09:16 AM

I think I figured it out, for anyone who might stumble across this post in the future. It looks like you need to add the shared keyword to the tunnel protection command. ie...

 

interface tunnel 0

 ...

 tunnel protection ipsec profile MyProfile shared

end

 

I should note that one of the first things I tried was to created a separate IPSec profile for each unique tunnel interface. It ended up not fixing the problem and I had to go with the solution above. 

0 Helpful
Customers Also Viewed These Support Documents