Solved: FlexVPN and OSPF issue

wkamil123 · ‎09-12-2013

I have an issue with OSPF rountig on routers configured in hub and spoke topology.

An issue is on a routes which OSPF do not advertise from hub to spokes.

Subnets created on a hub router are not seen on spokes but new added subnet on spoke is seen in hub routing table.

Adding ip ospf network brodcast command on a hub virtual-template interface causes OSPF adjacency to down.

By the way, EIGRP works fine.

Has anyone encountered this issue with OSPF.

Please, look short config below;

-----------------------HUB-------------------------------

crypto ikev2 authorization policy default

route set interface

!

crypto ikev2 proposal ikev2_prop

encryption aes-cbc-256

integrity sha512

group 16

!

crypto ikev2 policy ikev2_policy

proposal ikev2_prop

!

crypto ikev2 keyring Flex_key

peer Spokes

address 192.168.50.197

pre-shared-key local 12345

pre-shared-key remote 12345

!

peer RTB

address 192.168.50.199

pre-shared-key local 12345

pre-shared-key remote 12345

!

crypto ikev2 profile Flex_IKEv2

match identity remote address 192.168.50.197 255.255.255.255

match identity remote address 192.168.50.199 255.255.255.255

authentication remote pre-share

authentication local pre-share

keyring local Flex_key

virtual-template 1

!

no crypto isakmp default policy

!

crypto ipsec transform-set ipsec_trans esp-aes 256 esp-sha512-hmac

mode tunnel

!

crypto ipsec profile default

set transform-set ipsec_trans

set ikev2-profile Flex_IKEv2

!

interface Loopback1

ip address 172.16.10.1 255.255.255.0

ip ospf 10 area 0

!

interface Loopback10

ip address 10.1.1.1 255.255.255.0

ip ospf 10 area 0

!

interface Loopback50

ip address 50.1.1.1 255.255.255.0

ip ospf 10 area 50

!

interface Embedded-Service-Engine0/0

no ip address

!

interface GigabitEthernet0/1

bandwidth 100000

ip address 192.168.50.198 255.255.255.0

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback1

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile default

!

router ospf 10

redistribute connected subnets

network 10.1.1.0 0.0.0.255 area 0

sh cryp ike sa

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status

1 192.168.50.198/500 192.168.50.197/500 none/none READY

Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/77565 sec

Tunnel-id Local Remote fvrf/ivrf Status

2 192.168.50.198/500 192.168.50.199/500 none/none READY

Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/77542 sec

IPv6 Crypto IKEv2 SA

sh ip rou

S* 0.0.0.0/0 [1/0] via 192.168.50.1

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.1.1.0/24 is directly connected, Loopback10

L 10.1.1.1/32 is directly connected, Loopback10

50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 50.1.1.0/24 is directly connected, Loopback50

L 50.1.1.1/32 is directly connected, Loopback50

100.0.0.0/32 is subnetted, 1 subnets

O IA 100.1.1.1 [110/2] via 172.16.10.254, 21:32:58, Virtual-Access1

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C 172.16.10.0/24 is directly connected, Loopback1

L 172.16.10.1/32 is directly connected, Loopback1

192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.50.0/24 is directly connected, GigabitEthernet0/1

L 192.168.50.198/32 is directly connected, GigabitEthernet0/1

200.1.1.0/32 is subnetted, 1 subnets

O IA 200.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Virtual-Access2

201.1.1.0/32 is subnetted, 1 subnets

O IA 201.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Virtual-Access2

220.1.1.0/32 is subnetted, 1 subnets

O IA 220.1.1.1 [110/2] via 172.16.10.253, 00:06:11, Virtual-Access2

---------------------------SPOKE---------------------------------------------

crypto ikev2 proposal ikev2_prop

encryption aes-cbc-256

integrity sha512

group 16

!

crypto ikev2 policy ikev2_policy

proposal ikev2_prop

!

crypto ikev2 keyring Flex_key

peer Spokes

address 192.168.50.198

pre-shared-key local 12345

pre-shared-key remote 12345

!

crypto ikev2 profile Flex_IKEv2

match identity remote address 192.168.50.198 255.255.255.0

authentication remote pre-share

authentication local pre-share

keyring local Flex_key

virtual-template 1

!

no crypto isakmp default policy

!

crypto ipsec transform-set ipsec_trans esp-aes 256 esp-sha512-hmac

mode tunnel

!

crypto ipsec profile default

set transform-set ipsec_trans

set ikev2-profile Flex_IKEv2

!

interface Loopback200

ip address 200.1.1.1 255.255.255.0

ip ospf 10 area 200

!

interface Loopback201

ip address 201.1.1.1 255.255.255.0

ip ospf 10 area 201

!

interface Loopback220

ip address 220.1.1.1 255.255.255.0

ip ospf 10 area 220

!

interface Tunnel1

ip address 172.16.10.253 255.255.255.0

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel destination 192.168.50.198

tunnel path-mtu-discovery

tunnel protection ipsec profile default shared

!

interface GigabitEthernet0/1

ip address 192.168.50.199 255.255.255.0

duplex auto

speed auto

!

router ospf 10

network 172.16.10.0 0.0.0.255 area 0

sh cryp ike sa

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status

1 192.168.50.199/500 192.168.50.198/500 none/none READY

Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/77852 sec

IPv6 Crypto IKEv2 SA

sh ip route

S* 0.0.0.0/0 [1/0] via 192.168.50.1

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C 172.16.10.0/24 is directly connected, Tunnel1

L 172.16.10.253/32 is directly connected, Tunnel1

192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.50.0/24 is directly connected, GigabitEthernet0/1

L 192.168.50.199/32 is directly connected, GigabitEthernet0/1

200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 200.1.1.0/24 is directly connected, Loopback200

L 200.1.1.1/32 is directly connected, Loopback200

201.1.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 201.1.1.0/24 is directly connected, Loopback201

L 201.1.1.1/32 is directly connected, Loopback201

220.1.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 220.1.1.0/24 is directly connected, Loopback220

L 220.1.1.1/32 is directly connected, Loopback220

sh ip ospf database ro 172.16.10.1

OSPF Router with ID (200.1.1.1) (Process ID 10)

Router Link States (Area 0)

Adv Router is not-reachable in topology Base with MTID 0

LS age: 336

Options: (No TOS-capability, DC)

LS Type: Router Links

Link State ID: 172.16.10.1

Advertising Router: 172.16.10.1

LS Seq Number: 80000065

Checksum: 0x4B6E

Length: 60

Area Border Router

AS Boundary Router

Number of Links: 3

Link connected to: a Stub Network

(Link ID) Network/subnet number: 10.1.1.1

(Link Data) Network Mask: 255.255.255.255

Number of MTID metrics: 0

TOS 0 Metrics: 1

Link connected to: another Router (point-to-point)

(Link ID) Neighboring Router ID: 100.1.1.1

(Link Data) Router Interface address: 0.0.0.18

Number of MTID metrics: 0

TOS 0 Metrics: 1

Link connected to: another Router (point-to-point)

(Link ID) Neighboring Router ID: 200.1.1.1

(Link Data) Router Interface address: 0.0.0.17

Number of MTID metrics: 0

TOS 0 Metrics: 1

Marcin Latosiewicz · ‎09-13-2013

Kamil,

A tunnel interface in this deployment (and VT/VAs for that matter) is a point to point interface, there's really no good reason to keep anything other than /32 (I might not be aware of some intricacies in more complex deployment).

"set route interface" is your biggest friend ;-)

M.

View solution in original post

Marcin Latosiewicz · ‎09-12-2013

I checked it out in the lab, at least the generic OSPF setup.

A few comments - do not "redistribute connected" not all of them - you can introduce recursive routing (i.e. introduce tunnel endpoint through the tunnel).

Spoke2#show ip ospf interface tu1

Tunnel1 is up, line protocol is up

Internet Address 10.1.1.177/32, Area 0, Attached via Network Statement

Process ID 65001, Router ID 192.168.102.1, Network Type POINT_TO_POINT, Cost: 1000

Topology-MTID Cost Disabled Shutdown Topology Name

0 1000 no no Base

Transmit Delay is 1 sec, State POINT_TO_POINT

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

oob-resync timeout 40

Hello due in 00:00:03

Supports Link-local Signaling (LLS)

Cisco NSF helper support enabled

IETF NSF helper support enabled

Index 1/1, flood queue length 0

Next 0x0(0)/0x0(0)

Last flood scan length is 1, maximum is 1

Last flood scan time is 0 msec, maximum is 0 msec

Neighbor Count is 1, Adjacent neighbor count is 1

Adjacent with neighbor 172.25.1.1

Suppress hello for 0 neighbor(s)

Spoke2#show ip route ospf

(...)

Gateway of last resort is 172.16.2.1 to network 0.0.0.0

10.0.0.0/32 is subnetted, 3 subnets

O 10.1.1.176 [110/3000] via 10.1.1.1, 00:01:38, Tunnel1

O IA 192.168.0.0/24 [110/1010] via 10.1.1.1, 00:01:21, Tunnel1

Hub#sh run | s r o

router ospf 65001

network 10.1.1.0 0.0.0.255 area 0

network 192.168.0.0 0.0.0.255 area 10

then I added

route-map CONNECTED_TO_OSPF, permit, sequence 10

Match clauses:

interface Loopback999

Set clauses:

Policy routing matches: 0 packets, 0 bytes

Hub#sh run | s r o

router ospf 65001

redistribute connected subnets route-map CONNECTED_TO_OSPF

network 10.1.1.0 0.0.0.255 area 0

network 192.168.0.0 0.0.0.255 area 10

And checked on Spoke

Spoke1#show ip route ospf

(...)

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

O 10.1.1.177/32 [110/3000] via 10.1.1.1, 00:05:06, Tunnel1

O E2 10.255.255.0/24 [110/20] via 10.1.1.1, 00:00:04, Tunnel1

O IA 192.168.0.0/24 [110/1010] via 10.1.1.1, 00:04:49, Tunnel1

Final note "shared" is not needed on point to point interfaces.

wkamil123 · ‎09-13-2013

Hi Marcin,

Thanks for quick response.

Unfortunately this solution with a route-map did not work.

Please provide listing from command "sh ip ospf dat rou 10.1.1.1" on your Spoke.

I'm looking solution why Adv Router is not-reachable on spoke - 'Adv Router is not-reachable in topology Base with MTID 0'

Regards Kamil

Marcin Latosiewicz · ‎09-13-2013

Kamil,

That was not meant to be THE solution, it was a solution to the problem I listed above ;-)

The setup is gone, I had to move one to do some testing for document I'm writing, I'll try to restore it back, but can't promise the timeline.

M.

Marcin Latosiewicz · ‎09-13-2013

Spoke1#sh ip ospf database topology

OSPF Router with ID (192.168.101.1) (Process ID 1)

Base Topology (MTID 0)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count

172.25.1.1 172.25.1.1 11 0x80000008 0x004B78 3

192.168.101.1 192.168.101.1 17 0x80000003 0x00C69D 2

192.168.102.1 192.168.102.1 19 0x80000003 0x0090D3 2

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag

192.168.0.0 172.25.1.1 6 0x80000003 0x004A23 0

and

Spoke1#sh ip ospf database route 172.25.1.1

OSPF Router with ID (192.168.101.1) (Process ID 1)

Router Link States (Area 0)

Routing Bit Set on this LSA in topology Base with MTID 0

LS age: 42

Options: (No TOS-capability, DC)

LS Type: Router Links

Link State ID: 172.25.1.1

Advertising Router: 172.25.1.1

LS Seq Number: 80000008

Checksum: 0x4B78

Length: 60

AS Boundary Router

Number of Links: 3

Link connected to: a Stub Network

(Link ID) Network/subnet number: 10.1.1.1

(Link Data) Network Mask: 255.255.255.255

Number of MTID metrics: 0

TOS 0 Metrics: 1

Link connected to: another Router (point-to-point)

(Link ID) Neighboring Router ID: 192.168.102.1

(Link Data) Router Interface address: 0.0.0.27

Number of MTID metrics: 0

TOS 0 Metrics: 1000

Link connected to: another Router (point-to-point)

(Link ID) Neighboring Router ID: 192.168.101.1

(Link Data) Router Interface address: 0.0.0.25

Number of MTID metrics: 0

TOS 0 Metrics: 1000

wkamil123 · ‎09-13-2013

I'm looking further what is wrong.

Thank's for your help.

K.

Marcin Latosiewicz · ‎09-13-2013

One thing that I noticed is that you're using /24 assignment on your interfaces (tun and VT) since those are point to point, I'm relying on /32 addressing assigned from same pool.

wkamil123 · ‎09-13-2013

I'm using /24 addressing because I have 14 sites (spokes) and two hub routers and I deceided to use one subnet for tunnel connection.

Marcin Latosiewicz · ‎09-13-2013

Kamil,

A tunnel interface in this deployment (and VT/VAs for that matter) is a point to point interface, there's really no good reason to keep anything other than /32 (I might not be aware of some intricacies in more complex deployment).

"set route interface" is your biggest friend ;-)

M.

wkamil123 · ‎09-23-2013

Marcin, you are right, ospf works with a /32 addressing.

CB90021204 · ‎05-24-2015

Hi Marcin, I have just run into the exact same issue. I was using a /27 mask and didn't receive the OSPF routes on my spoke router. Once I changed the interface mask to /32 on the hub and spoke tunnel interfaces it fixed the issue.

Do you know why the /32 mask resolves the issue?