cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2042
Views
9
Helpful
10
Replies
wkamil123
Beginner

FlexVPN and OSPF issue

I have an issue with OSPF rountig on routers configured in hub and spoke topology.

An issue is on a routes which OSPF do not advertise from hub to spokes.

Subnets created on a hub router are not seen on spokes but new added subnet on spoke is seen in hub routing table.

Adding ip ospf network brodcast command on a hub virtual-template interface causes OSPF adjacency to down.

By the way, EIGRP works fine.

Has anyone encountered this issue with OSPF.

Please, look short config below;

-----------------------HUB-------------------------------

crypto ikev2 authorization policy default

route set interface

!

crypto ikev2 proposal ikev2_prop

encryption aes-cbc-256

integrity sha512

group 16

!

crypto ikev2 policy ikev2_policy

proposal ikev2_prop

!

crypto ikev2 keyring Flex_key

peer Spokes

  address 192.168.50.197

  pre-shared-key local 12345

  pre-shared-key remote 12345

!

peer RTB

  address 192.168.50.199

  pre-shared-key local 12345

  pre-shared-key remote 12345

!

crypto ikev2 profile Flex_IKEv2

match identity remote address 192.168.50.197 255.255.255.255

match identity remote address 192.168.50.199 255.255.255.255

authentication remote pre-share

authentication local pre-share

keyring local Flex_key

virtual-template 1

!

no crypto isakmp default policy

!

crypto ipsec transform-set ipsec_trans esp-aes 256 esp-sha512-hmac

mode tunnel

!

crypto ipsec profile default

set transform-set ipsec_trans

set ikev2-profile Flex_IKEv2

!

interface Loopback1

ip address 172.16.10.1 255.255.255.0

ip ospf 10 area 0

!

interface Loopback10

ip address 10.1.1.1 255.255.255.0

ip ospf 10 area 0

!

interface Loopback50

ip address 50.1.1.1 255.255.255.0

ip ospf 10 area 50

!

interface Embedded-Service-Engine0/0

no ip address

!

interface GigabitEthernet0/1

bandwidth 100000

ip address 192.168.50.198 255.255.255.0

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback1

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile default

!

router ospf 10

redistribute connected subnets

network 10.1.1.0 0.0.0.255 area 0

sh cryp ike sa

IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status

1         192.168.50.198/500    192.168.50.197/500    none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/77565 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status

2         192.168.50.198/500    192.168.50.199/500    none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/77542 sec

IPv6 Crypto IKEv2  SA

sh ip rou

S*    0.0.0.0/0 [1/0] via 192.168.50.1

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.1.1.0/24 is directly connected, Loopback10

L        10.1.1.1/32 is directly connected, Loopback10

      50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        50.1.1.0/24 is directly connected, Loopback50

L        50.1.1.1/32 is directly connected, Loopback50

      100.0.0.0/32 is subnetted, 1 subnets

O IA     100.1.1.1 [110/2] via 172.16.10.254, 21:32:58, Virtual-Access1

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.16.10.0/24 is directly connected, Loopback1

L        172.16.10.1/32 is directly connected, Loopback1

      192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.50.0/24 is directly connected, GigabitEthernet0/1

L        192.168.50.198/32 is directly connected, GigabitEthernet0/1

      200.1.1.0/32 is subnetted, 1 subnets

O IA     200.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Virtual-Access2

      201.1.1.0/32 is subnetted, 1 subnets

O IA     201.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Virtual-Access2

      220.1.1.0/32 is subnetted, 1 subnets

O IA     220.1.1.1 [110/2] via 172.16.10.253, 00:06:11, Virtual-Access2

---------------------------SPOKE---------------------------------------------


crypto ikev2 proposal ikev2_prop

encryption aes-cbc-256

integrity sha512

group 16

!

crypto ikev2 policy ikev2_policy

proposal ikev2_prop

!

crypto ikev2 keyring Flex_key

peer Spokes

  address 192.168.50.198

  pre-shared-key local 12345

  pre-shared-key remote 12345

!

crypto ikev2 profile Flex_IKEv2

match identity remote address 192.168.50.198 255.255.255.0

authentication remote pre-share

authentication local pre-share

keyring local Flex_key

virtual-template 1

!

no crypto isakmp default policy

!

!

crypto ipsec transform-set ipsec_trans esp-aes 256 esp-sha512-hmac

mode tunnel

!

crypto ipsec profile default

set transform-set ipsec_trans

set ikev2-profile Flex_IKEv2

!

interface Loopback200

ip address 200.1.1.1 255.255.255.0

ip ospf 10 area 200

!

interface Loopback201

ip address 201.1.1.1 255.255.255.0

ip ospf 10 area 201

!

interface Loopback220

ip address 220.1.1.1 255.255.255.0

ip ospf 10 area 220

!

interface Tunnel1

ip address 172.16.10.253 255.255.255.0

ip mtu 1400

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel destination 192.168.50.198

tunnel path-mtu-discovery

tunnel protection ipsec profile default shared

!

interface GigabitEthernet0/1

ip address 192.168.50.199 255.255.255.0

duplex auto

speed auto

!

router ospf 10

network 172.16.10.0 0.0.0.255 area 0

sh cryp ike sa

IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status

1         192.168.50.199/500    192.168.50.198/500    none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/77852 sec

IPv6 Crypto IKEv2  SA

sh ip route

S*    0.0.0.0/0 [1/0] via 192.168.50.1

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.16.10.0/24 is directly connected, Tunnel1

L        172.16.10.253/32 is directly connected, Tunnel1

      192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.50.0/24 is directly connected, GigabitEthernet0/1

L        192.168.50.199/32 is directly connected, GigabitEthernet0/1

      200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        200.1.1.0/24 is directly connected, Loopback200

L        200.1.1.1/32 is directly connected, Loopback200

      201.1.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        201.1.1.0/24 is directly connected, Loopback201

L        201.1.1.1/32 is directly connected, Loopback201

      220.1.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        220.1.1.0/24 is directly connected, Loopback220

L        220.1.1.1/32 is directly connected, Loopback220

sh ip ospf database ro  172.16.10.1

            OSPF Router with ID (200.1.1.1) (Process ID 10)

                Router Link States (Area 0)

  Adv Router is not-reachable in topology Base with MTID 0

  LS age: 336

  Options: (No TOS-capability, DC)

  LS Type: Router Links

  Link State ID: 172.16.10.1

  Advertising Router: 172.16.10.1

  LS Seq Number: 80000065

  Checksum: 0x4B6E

  Length: 60

  Area Border Router

  AS Boundary Router

  Number of Links: 3

    Link connected to: a Stub Network

     (Link ID) Network/subnet number: 10.1.1.1

     (Link Data) Network Mask: 255.255.255.255

      Number of MTID metrics: 0

       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)

     (Link ID) Neighboring Router ID: 100.1.1.1

     (Link Data) Router Interface address: 0.0.0.18

      Number of MTID metrics: 0

       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)

     (Link ID) Neighboring Router ID: 200.1.1.1

     (Link Data) Router Interface address: 0.0.0.17

      Number of MTID metrics: 0

       TOS 0 Metrics: 1


1 ACCEPTED SOLUTION

Accepted Solutions

Kamil,

A tunnel interface in this deployment (and VT/VAs for that matter) is a point to point interface, there's really no good reason to keep anything other than /32 (I might not be aware of some intricacies in more complex deployment).

"set route interface" is your biggest friend ;-)

M.

View solution in original post

10 REPLIES 10
Marcin Latosiewicz
Cisco Employee

I checked it out in the lab, at least the generic OSPF setup.

A few comments - do not "redistribute connected" not all of them - you can introduce recursive routing (i.e. introduce tunnel endpoint through the tunnel).

Spoke2#show ip ospf interface tu1

Tunnel1 is up, line protocol is up

  Internet Address 10.1.1.177/32, Area 0, Attached via Network Statement

  Process ID 65001, Router ID 192.168.102.1, Network Type POINT_TO_POINT, Cost: 1000

  Topology-MTID    Cost    Disabled    Shutdown      Topology Name

        0           1000      no          no            Base

  Transmit Delay is 1 sec, State POINT_TO_POINT

  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

    oob-resync timeout 40

    Hello due in 00:00:03

  Supports Link-local Signaling (LLS)

  Cisco NSF helper support enabled

  IETF NSF helper support enabled

  Index 1/1, flood queue length 0

  Next 0x0(0)/0x0(0)

  Last flood scan length is 1, maximum is 1

  Last flood scan time is 0 msec, maximum is 0 msec

  Neighbor Count is 1, Adjacent neighbor count is 1

    Adjacent with neighbor 172.25.1.1

  Suppress hello for 0 neighbor(s)

Spoke2#show ip route ospf

(...)

Gateway of last resort is 172.16.2.1 to network 0.0.0.0

      10.0.0.0/32 is subnetted, 3 subnets

O        10.1.1.176 [110/3000] via 10.1.1.1, 00:01:38, Tunnel1

O IA  192.168.0.0/24 [110/1010] via 10.1.1.1, 00:01:21, Tunnel1

Hub#sh run | s r o

router ospf 65001

network 10.1.1.0 0.0.0.255 area 0

network 192.168.0.0 0.0.0.255 area 10

then I added

route-map CONNECTED_TO_OSPF, permit, sequence 10

  Match clauses:

    interface Loopback999

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

Hub#sh run | s r o

router ospf 65001

redistribute connected subnets route-map CONNECTED_TO_OSPF

network 10.1.1.0 0.0.0.255 area 0

network 192.168.0.0 0.0.0.255 area 10

And checked on Spoke

Spoke1#show ip route ospf

(...)

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

O        10.1.1.177/32 [110/3000] via 10.1.1.1, 00:05:06, Tunnel1

O E2     10.255.255.0/24 [110/20] via 10.1.1.1, 00:00:04, Tunnel1

O IA  192.168.0.0/24 [110/1010] via 10.1.1.1, 00:04:49, Tunnel1

Final note "shared" is not needed on point to point interfaces.

Hi Marcin,

Thanks for quick response.

Unfortunately this solution with a route-map did not work.

Please provide listing from command "sh ip ospf dat rou 10.1.1.1" on your Spoke.

I'm looking solution why Adv Router is not-reachable on spoke - 'Adv Router is not-reachable in topology Base with MTID 0'

Regards Kamil

Kamil,

That was not meant to be THE solution, it was a solution to the problem I listed above ;-)

The setup is gone, I had to move one to do some testing for document I'm writing, I'll try to restore it back, but can't promise the timeline.

M.

Spoke1#sh ip ospf database topology

            OSPF Router with ID (192.168.101.1) (Process ID 1)

                Base Topology (MTID 0)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count

172.25.1.1      172.25.1.1      11          0x80000008 0x004B78 3

192.168.101.1   192.168.101.1   17          0x80000003 0x00C69D 2

192.168.102.1   192.168.102.1   19          0x80000003 0x0090D3 2

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag

192.168.0.0     172.25.1.1      6           0x80000003 0x004A23 0

and

Spoke1#sh ip ospf database route 172.25.1.1

            OSPF Router with ID (192.168.101.1) (Process ID 1)

                Router Link States (Area 0)

  Routing Bit Set on this LSA in topology Base with MTID 0

  LS age: 42

  Options: (No TOS-capability, DC)

  LS Type: Router Links

  Link State ID: 172.25.1.1

  Advertising Router: 172.25.1.1

  LS Seq Number: 80000008

  Checksum: 0x4B78

  Length: 60

  AS Boundary Router

  Number of Links: 3

    Link connected to: a Stub Network

     (Link ID) Network/subnet number: 10.1.1.1

     (Link Data) Network Mask: 255.255.255.255

      Number of MTID metrics: 0

       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)

     (Link ID) Neighboring Router ID: 192.168.102.1

     (Link Data) Router Interface address: 0.0.0.27

      Number of MTID metrics: 0

       TOS 0 Metrics: 1000

    Link connected to: another Router (point-to-point)

     (Link ID) Neighboring Router ID: 192.168.101.1

     (Link Data) Router Interface address: 0.0.0.25

      Number of MTID metrics: 0

       TOS 0 Metrics: 1000

I'm looking further what is wrong.

Thank's for your help.

K.

One thing that I noticed is that you're using /24 assignment on your interfaces (tun and VT) since those are point to point, I'm relying on /32 addressing assigned from same pool.

I'm using /24 addressing because I have 14 sites (spokes) and two hub routers and I deceided to use one subnet for tunnel connection.

Kamil,

A tunnel interface in this deployment (and VT/VAs for that matter) is a point to point interface, there's really no good reason to keep anything other than /32 (I might not be aware of some intricacies in more complex deployment).

"set route interface" is your biggest friend ;-)

M.

View solution in original post

Marcin, you are right, ospf works with a /32 addressing.

Hi Marcin, I have just run into the exact same issue. I was using a /27 mask and didn't receive the OSPF routes on my spoke router. Once I changed the interface mask to /32 on the hub and spoke tunnel interfaces it fixed the issue.

 

Do you know why the /32 mask resolves the issue?

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (40%)

Content for Community-Ad