Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
928
Views
0
Helpful
2
Replies

DMVPN phase 2 - first packet drop for spoke-spoke traffic

vstepanov
Level 1
Level 1

‎07-24-2019 08:36 AM

Hello colleagues,

 

the history - we had DMVPN configured on different models 800, 2800, 2900 series with different IOS versions. Everything works quite good.

 Recently we added two new routers - c1111-4p, with different IOS versions - 16.8.1 and 16.9.3 as spokes. Then we found a strange issue. For all old spokes, if there is a new spoke-spoke traffic, the first several packets go through the hub and after establishing a spoke-spoke direct tunnel it goes directly. There is no any packet loss.

   For these new c1111-4p situation is different. Looks like if there is a packet to another spoke and there is no nhrp entry then the first spoke is trying to resolve nhrp and until then for the first seconds all packets are dropped and traffic doesn't goes through the hub. 

 R2#ping 10.99.99.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.99.99.40, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 92/101/112 ms

R2#traceroute 10.99.99.40
Type escape sequence to abort.
Tracing the route to 10.99.99.40
VRF info: (vrf in name/id, vrf out name/id)
  1  * 
    10.99.99.40 136 msec * 

 

  If I block the direct traffic between spokes by access-list, it is the same, first packets are dropped until nhrp resolve and after traffic successfully goes through the hub.

  As I understand, at the beginning in cef we have incomplete entry and first packets should be process switched, so maybe there is some platform-related difference for c1111 routers? For example, I cannot disable route-cache cef on the tunnel interface. 

  

 Also, I the only difference I found is that in 16.x versions "ip nhrp shortcut" command is enabled by default, so I have added "no ip nhrp shortcut", but it didn't help.

Labels:
0 Helpful
2 Replies 2

vstepanov
Level 1
Level 1

‎07-24-2019 08:38 AM

forgot to add, I captured traffic from tunnel interface and it is clear that the spoke doesn't send the first packet to the hub, so it is not dropped on the hub of further. 

0 Helpful

Martin L
VIP
VIP

‎07-24-2019 02:57 PM


Perhaps 16.x versions do behave differently from regular IOS. Or it could be a bug in 16.x
XE 3 will be replacing IOS XE 16 or it should; besides, XE code is completely different from regular IOS code.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents