12-23-2010 06:51 PM - edited 02-21-2020 05:03 PM
Hi,
https://supportforums.cisco.com/message/3255901
The thread has been resolved by teacher Naman.
But the DMVPN session is always disconnected every several minutes.
If I run the PING command, the session is reconnected soon.
What is the cause of this? Rekey or keepalive, and so on.
[Ping to pcB from pcA]
C:\>Ping 192.168.1.10
Request timed out.
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126
Reply from 192.168.1.10: bytes=32 time=15ms TTL=126
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126
C:\>
How can I improve this?
Regards,
okumura
12-23-2010 08:04 PM
Hi Tomoyuki,
An IPSec session can go down if there is no traffic passing over it; however, this should not be the case with DMVPN, especially if you are running a routing protocol over it. Are you running any EIGRP\OSPF?
Thanks,
Naman
12-23-2010 08:19 PM
Hi,
Thank you Naman.
I am running OSPF over DMVPN.
Regards,
okumura
12-24-2010 08:04 AM
Do the OSPF neighbors also go down?
If not, then it is probably not an IPSec issue; however, if OSPF neighbors are also flapping then maybe we need to enable debugging and take a look at the logs when the tunnel goes down.
Thanks,
Naman
12-26-2010 09:47 PM
Hi,
Thank you Naman.
> Do the OSPF neighbors also go down?
I think it does not go down.
■DMVPN HUB ROUTER
DMVPN_HUB#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.1.1 0 FULL/DROTHER 00:00:34 10.0.0.2 Tunnel0
DMVPN_HUB#show crypto isakmp sa
dst src state conn-id slot status
172.16.0.2 211.211.211.xx QM_IDLE 4 0 ACTIVE
DMVPN_HUB#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.16.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (211.211.211.xx/255.255.255.255/47/0)
current_peer 211.211.211.xx port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 48752, #pkts encrypt: 48752, #pkts digest: 48752
#pkts decaps: 45891, #pkts decrypt: 45891, #pkts verify: 45891
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.0.2, remote crypto endpt.: 211.211.211.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB592E5F2(3046303218)
inbound esp sas:
spi: 0xD5F8193B(3589806395)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482648/2133)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB592E5F2(3046303218)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4482646/2132)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
DMVPN_HUB#
■DMVPN SPOKE ROUTER
DMVPN_SPOKE#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.0.1 1 FULL/DR 00:00:34 10.0.0.1 Tunnel0
DMVPN_SPOKE#show crypto isakmp sa
dst src state conn-id slot status
200.200.200.1 211.211.211.xx QM_IDLE 4 0 ACTIVE
DMVPN_SPOKE#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 211.211.211.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (211.211.211.xx/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.200.200.1/255.255.255.255/47/0)
current_peer 200.200.200.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 46011, #pkts encrypt: 46011, #pkts digest: 46011
#pkts decaps: 48875, #pkts decrypt: 48875, #pkts verify: 48875
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 211.211.211.xx, remote crypto endpt.: 200.200.200.1
path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0xD5F8193B(3589806395)
inbound esp sas:
spi: 0xB592E5F2(3046303218)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4523592/1050)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD5F8193B(3589806395)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2003, flow_id: SW:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4523595/1047)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
DMVPN_SPOKE#
■PING from pcA to pcB
C:\>Ping 192.168.1.10
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126 (←first time, success)
Request timed out.(← once failed)
Reply from 192.168.1.10: bytes=32 time=15ms TTL=126 (← After this, all success)
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126
C:\>
C:\>Ping 192.168.1.10
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126
Reply from 192.168.1.10: bytes=32 time=16ms TTL=126
Reply from 192.168.1.10: bytes=32 time=15ms TTL=126
Reply from 192.168.1.10: bytes=32 time=13ms TTL=126
C:\>
Is my MTU configuration proper in the following configuration?
https://supportforums.cisco.com/message/3255901#3255901
Regards,
okumura
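Added example, not part of the original thread: a Python check over the `show crypto ipsec sa` output posted above, testing the rekey question from the data by flagging error counters, ESP SAs close to lifetime expiry, and SPIs that are not mirrored on the peer (one router's outbound SPI should be the other's inbound SPI). The function names and the 60-second rekey margin are assumptions chosen for illustration; the sample text is trimmed from the hub and spoke output in the post.

```python
import re

# Sample input trimmed from the hub and spoke output posted in the thread.
HUB = """\
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0xD5F8193B(3589806395)
sa timing: remaining key lifetime (k/sec): (4482648/2133)
outbound esp sas:
spi: 0xB592E5F2(3046303218)
sa timing: remaining key lifetime (k/sec): (4482646/2132)
"""
SPOKE = """\
#send errors 4, #recv errors 0
inbound esp sas:
spi: 0xB592E5F2(3046303218)
sa timing: remaining key lifetime (k/sec): (4523592/1050)
outbound esp sas:
spi: 0xD5F8193B(3589806395)
sa timing: remaining key lifetime (k/sec): (4523595/1047)
"""

def parse_sa(text):
    """Extract error counters and per-direction ESP SA data (hypothetical helper)."""
    out = {"sas": {}}
    for name, val in re.findall(r"#(send|recv) errors (\d+)", text):
        out[name] = int(val)
    sa = None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            # Only ESP sections carry the SAs of interest; AH/PCP end the section.
            sa = out["sas"].setdefault(m[1], {}) if m[2] == "esp" else None
        elif sa is None:
            continue
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sa["spi"] = m[1]
        elif m := re.search(r"\(k/sec\): \((\d+)/(\d+)\)", line):
            sa["sec"] = int(m[2])  # remaining lifetime in seconds
    return out

def triage(local, peer, rekey_margin_sec=60):
    """List findings for one router, cross-checking its SPIs against the peer."""
    found = [f"{k} errors: {local[k]}" for k in ("send", "recv") if local[k]]
    for d, mirror in (("inbound", "outbound"), ("outbound", "inbound")):
        sa = local["sas"][d]
        if sa["sec"] <= rekey_margin_sec:
            found.append(f"{d} SA {sa['spi']} expires in {sa['sec']}s")
        if sa["spi"] != peer["sas"][mirror]["spi"]:
            found.append(f"{d} SPI {sa['spi']} not found as peer {mirror} SA")
    return found
```

On the posted output the SPIs are mirrored and both SAs are far from expiry, so the only finding is the spoke's non-zero send error counter.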
12-27-2010 04:40 PM
Hi Okumura,
One packet loss over Internet VPN is not out of normal. This could be a packet loss issue with ESP traffic.
If you are consistently seeing this behavior then check with your ISP and if ISP is clean then you can contact TAC to open a new case and we can assist you further.
Thanks,
Naman