Hi,

Thank you Naman.

I am running OSPF over DMVPN.

Regards,

okumura

Do the OSPF neighbors also go down ?

If Not, then it is probably not an IPSec issue, however if OSPF neighbors are also flapping then maybe we need to enable debugging and take a log at the logs when the Tunnel goes down.

Thanks,

Naman

Hi,

Thank you Naman.

> Do the OSPF neighbors also go down ?

I think it does not go down.

■DMVPN HUB ROUTER

DMVPN_HUB#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/DROTHER    00:00:34    10.0.0.2        Tunnel0

DMVPN_HUB#show crypto isakmp sa
dst             src             state          conn-id slot status
172.16.0.2      211.211.211.xx QM_IDLE              4    0 ACTIVE

DMVPN_HUB#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.16.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (211.211.211.xx/255.255.255.255/47/0)
   current_peer 211.211.211.xx port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 48752, #pkts encrypt: 48752, #pkts digest: 48752
    #pkts decaps: 45891, #pkts decrypt: 45891, #pkts verify: 45891
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.0.2, remote crypto endpt.: 211.211.211.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB592E5F2(3046303218)

     inbound esp sas:
      spi: 0xD5F8193B(3589806395)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4482648/2133)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB592E5F2(3046303218)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4482646/2132)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
DMVPN_HUB#

■DMVPN SPOKE ROUTER

DMVPN_SPOKE#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.1        1   FULL/DR         00:00:34    10.0.0.1        Tunnel0

DMVPN_SPOKE#show crypto isakmp sa
dst             src             state          conn-id slot status
200.200.200.1 211.211.211.xx QM_IDLE              4    0 ACTIVE

DMVPN_SPOKE#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 211.211.211.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (211.211.211.xx/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.200.200.1/255.255.255.255/47/0)
   current_peer 200.200.200.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 46011, #pkts encrypt: 46011, #pkts digest: 46011
    #pkts decaps: 48875, #pkts decrypt: 48875, #pkts verify: 48875
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 211.211.211.xx, remote crypto endpt.: 200.200.200.1
     path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0xD5F8193B(3589806395)

     inbound esp sas:
      spi: 0xB592E5F2(3046303218)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4523592/1050)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD5F8193B(3589806395)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4523595/1047)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
DMVPN_SPOKE#

■PING from pcA to pcB

C:\>Ping 192.168.1.10

Reply from 192.168.1.10: bytes=32 time=16ms TTL=126 (←first time, success)

Request timed out.(← once failed)
Reply from 192.168.1.10: bytes=32 time=15ms TTL=126 (← After this, all success)
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126

C:\>

C:\>Ping 192.168.1.10

Reply from 192.168.1.10: bytes=32 time=16ms TTL=126

Reply from 192.168.1.10: bytes=32 time=16ms TTL=126

Reply from 192.168.1.10: bytes=32 time=15ms TTL=126
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126

C:\>

Is my mtu configuration proper in following configuration?

https://supportforums.cisco.com/message/3255901#3255901

Regards,

okumura

Hi Okumura,

One packet loss over Internet VPN is not out of normal. THis could be a packet loss issue with ESP traffic.

If you are consistently seeing this behavior then check with your ISP and if ISP is clean then you can contact TAC to open a new case and we can assist you further.

Thanks,

Naman