12-23-2010 06:51 PM - edited 02-21-2020 05:03 PM
Hi,
https://supportforums.cisco.com/message/3255901
The thread has been resolved by teacher Naman.
But the DMVPN session always disconnects every few minutes.
If I send a PING, the session reconnects soon.
What is the cause of this? Rekey or keepalive, and so on.
[Ping to pcB from pcA]
C:\>Ping 192.168.1.10
Request timed out.
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126
Reply from 192.168.1.10: bytes=32 time=15ms TTL=126
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126
C:\>
How can I improve this?
Regards,
okumura
12-27-2010 04:40 PM
Hi Okumura,
One packet loss over Internet VPN is not out of normal. This could be a packet loss issue with ESP traffic.
If you are consistently seeing this behavior then check with your ISP and if ISP is clean then you can contact TAC to open a new case and we can assist you further.
Thanks,
Naman
12-23-2010 08:04 PM
Hi Tomoyuki,
An IPSec session can go down if there is no traffic passing over it; however, this should not be the case with DMVPN, especially if you are running a routing protocol over it? Are you running any EIGRP\OSPF?
Thanks,
Naman
12-23-2010 08:19 PM
Hi,
Thank you Naman.
I am running OSPF over DMVPN.
Regards,
okumura
12-24-2010 08:04 AM
Do the OSPF neighbors also go down?
If not, then it is probably not an IPSec issue; however, if OSPF neighbors are also flapping then maybe we need to enable debugging and take a look at the logs when the tunnel goes down.
Thanks,
Naman
12-26-2010 09:47 PM
Hi,
Thank you Naman.
> Do the OSPF neighbors also go down ?
I think it does not go down.
■DMVPN HUB ROUTER
DMVPN_HUB#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.1.1 0 FULL/DROTHER 00:00:34 10.0.0.2 Tunnel0
DMVPN_HUB#show crypto isakmp sa
dst src state conn-id slot status
172.16.0.2 211.211.211.xx QM_IDLE 4 0 ACTIVE
DMVPN_HUB#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (211.211.211.xx/255.255.255.255/47/0)
current_peer 211.211.211.xx port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 48752, #pkts encrypt: 48752, #pkts digest: 48752
#pkts decaps: 45891, #pkts decrypt: 45891, #pkts verify: 45891
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.0.2, remote crypto endpt.: 211.211.211.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB592E5F2(3046303218)
inbound esp sas:
spi: 0xD5F8193B(3589806395)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482648/2133)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB592E5F2(3046303218)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482646/2132)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
DMVPN_HUB#
■DMVPN SPOKE ROUTER
DMVPN_SPOKE#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.0.1 1 FULL/DR 00:00:34 10.0.0.1 Tunnel0
DMVPN_SPOKE#show crypto isakmp sa
dst src state conn-id slot status
200.200.200.1 211.211.211.xx QM_IDLE 4 0 ACTIVE
DMVPN_SPOKE#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 211.211.211.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (211.211.211.xx/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.200.200.1/255.255.255.255/47/0)
current_peer 200.200.200.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 46011, #pkts encrypt: 46011, #pkts digest: 46011
#pkts decaps: 48875, #pkts decrypt: 48875, #pkts verify: 48875
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 211.211.211.xx, remote crypto endpt.: 200.200.200.1
path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0xD5F8193B(3589806395)
inbound esp sas:
spi: 0xB592E5F2(3046303218)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4523592/1050)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD5F8193B(3589806395)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4523595/1047)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
DMVPN_SPOKE#
■PING from pcA to pcB
C:\>Ping 192.168.1.10
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126 (←first time, success)
Request timed out.(← once failed)
Reply from 192.168.1.10: bytes=32 time=15ms TTL=126 (← After this, all success)
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126
C:\>
C:\>Ping 192.168.1.10
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126
Reply from 192.168.1.10: bytes=32 time=15ms TTL=126
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126
C:\>
Is my MTU configuration proper in the following configuration?
https://supportforums.cisco.com/message/3255901#3255901
Regards,
okumura
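The following is an added example, not part of the original posts and not Cisco tooling: a small Python script that parses the `show crypto ipsec sa` lines posted above for both routers and lists where the two ends differ (SPI pairing, error counters, path MTU). The names `parse_sa` and `compare_peers` are illustrative, and the output reports facts from the counters only, not a root cause.

```python
import re

# Lines copied from the hub and spoke `show crypto ipsec sa` output in the post above.
HUB = """\
#send errors 0, #recv errors 0
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB592E5F2(3046303218)
inbound esp sas:
spi: 0xD5F8193B(3589806395)
sa timing: remaining key lifetime (k/sec): (4482648/2133)
"""
SPOKE = """\
#send errors 4, #recv errors 0
path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0xD5F8193B(3589806395)
inbound esp sas:
spi: 0xB592E5F2(3046303218)
sa timing: remaining key lifetime (k/sec): (4523592/1050)
"""
PATTERNS = {
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "path_mtu": r"path mtu (\d+)",
    "out_spi": r"current outbound spi: 0x([0-9A-Fa-f]+)",
    "in_spi": r"inbound esp sas:\s+spi: 0x([0-9A-Fa-f]+)",
    "lifetime_sec": r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)",
}

def parse_sa(text):
    """Extract the fields worth comparing between the two ends of a tunnel."""
    sa = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        value = m.group(1) if m else None
        if value is not None:
            # SPIs stay as hex strings; everything else is a decimal number.
            value = value.upper() if name.endswith("_spi") else int(value)
        sa[name] = value
    return sa

def compare_peers(a, b, names=("hub", "spoke")):
    """Return a list of observations; an empty list means both ends agree."""
    notes = []
    # One side's outbound SPI must be the other side's inbound SPI.
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        notes.append("SPI mismatch: the peers are not using the same SA pair")
    for name, sa in zip(names, (a, b)):
        if sa["send_errors"] or sa["recv_errors"]:
            notes.append(f"{name}: send errors={sa['send_errors']}, recv errors={sa['recv_errors']}")
    if a["path_mtu"] != b["path_mtu"]:
        notes.append(f"path mtu differs: {a['path_mtu']} vs {b['path_mtu']}")
    return notes

if __name__ == "__main__":
    print("\n".join(compare_peers(parse_sa(HUB), parse_sa(SPOKE))))
```

Running it on output captured a few minutes apart shows whether the error counters are still increasing or the SPIs have changed between samples.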