Solved: FlexVPN does not work between spokes

Maksym Ozerov · ‎05-13-2020

There is a hub router and a few spokes routers in my network. The spokes work well with the hub but cannot set up tunnel between them from virtual-template.

HUB:

aaa new-model

aaa authorization network default local

aaa session-id common

crypto isakmp invalid-spi-recovery

crypto ikev2 fragmentation

crypto ikev2 authorization policy default

pool Spokes

route set interface

crypto ikev2 keyring My_key

peer Spokes

address 0.0.0.0 0.0.0.0

pre-shared-key local my_key

pre-shared-key remote my_key

crypto ikev2 profile My_IKEv2

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local My_key

aaa authorization group psk list default default

virtual-template 1

crypto ikev2 dpd 30 5 on-demand

crypto ipsec transform-set My_IKEv2 esp-gcm 256

mode tunnel

crypto ipsec profile default

set ikev2-profile My_IKEv2

set transform-set My_IKEv2

crypto ikev2 proposal default

no integrity

encryption aes-gcm-256

prf sha256

group 20

interface Loopback1

ip address 10.67.0.1 255.255.255.255

interface Virtual-Template1 type tunnel

ip mtu 1400

ip unnumbered lo1

ip nhrp network-id 10

ip nhrp redirect

ip tcp adjust-mss 1352

tunnel protection ipsec profile default

ip local pool Spokes 10.67.4.1 10.67.7.254

router eigrp 1

network 10.67.0.0 0.0.255.255

no passive-interface Loopback1

no passive-interface Virtual-Template1

Spoke1:

aaa new-model

aaa authorization network default local

aaa session-id common

crypto isakmp invalid-spi-recovery

crypto ikev2 fragmentation

crypto ikev2 keyring My_key

peer Spokes

address 0.0.0.0 0.0.0.0

pre-shared-key local my_key

pre-shared-key remote my_key

crypto ikev2 profile My_IKEv2

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local My_key

aaa authorization group psk list default default

virtual-template 1

crypto ikev2 dpd 30 5 on-demand

crypto ipsec transform-set My_IKEv2 esp-gcm 256

mode tunnel

crypto ipsec profile default

set ikev2-profile My_IKEv2

set transform-set My_IKEv2

crypto ikev2 proposal default

no integrity

encryption aes-gcm-256

prf sha256

group 20

interface Tunnel20

ip address negotiated

ip access-group TUNIN in

ip access-group TUNOUT out

ip mtu 1400

ip nhrp network-id 10

ip nhrp shortcut virtual-template 1

ip nhrp redirect

ip tcp adjust-mss 1352

tunnel source di0

tunnel destination my_hub_ip_address

tunnel protection ipsec profile default

interface Virtual-Template1 type tunnel

ip unnumbered di0

ip access-group TUNIN in

ip access-group TUNOUT out

ip mtu 1400

ip nhrp network-id 10

ip nhrp shortcut virtual-template 1

ip nhrp redirect

ip tcp adjust-mss 1352

tunnel protection ipsec profile default ikev2-profile My_IKEv2

router eigrp 1

network 10.67.0.0 0.0.255.255

passive-interface default

no passive-interface Tunnel20

no passive-interface Virtual-Template1

Spoke2:

aaa new-model

aaa authorization network default local

aaa session-id common

crypto isakmp invalid-spi-recovery

crypto ikev2 fragmentation

crypto ikev2 keyring My_key

peer Spokes

address 0.0.0.0 0.0.0.0

pre-shared-key local my_key

pre-shared-key remote my_key

crypto ikev2 profile My_IKEv2

match identity remote address 0.0.0.0

authentication remote pre-share

authentication local pre-share

keyring local My_key

aaa authorization group psk list default default

virtual-template 1

crypto ikev2 dpd 30 5 on-demand

crypto ipsec transform-set My_IKEv2 esp-gcm 256

mode tunnel

crypto ipsec profile default

set ikev2-profile My_IKEv2

set transform-set My_IKEv2

crypto ikev2 proposal default

no integrity

encryption aes-gcm-256

prf sha256

group 20

interface Tunnel20

ip address negotiated

ip access-group TUNIN in

ip access-group TUNOUT out

ip mtu 1400

ip nhrp network-id 10

ip nhrp shortcut virtual-template 1

ip nhrp redirect

ip tcp adjust-mss 1352

tunnel source fa8

tunnel destination my_hub_ip_address

tunnel protection ipsec profile default

interface Virtual-Template1 type tunnel

ip unnumbered fa8

ip access-group TUNIN in

ip access-group TUNOUT out

ip mtu 1400

ip nhrp network-id 10

ip nhrp shortcut virtual-template 1

ip nhrp redirect

ip tcp adjust-mss 1352

tunnel protection ipsec profile default ikev2-profile My_IKEv2

router eigrp 1

network 10.67.0.0 0.0.255.255

passive-interface default

no passive-interface Tunnel20

no passive-interface Virtual-Template1

spoke1#show crypto ikev2 sa

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status

1 spoke1_ip/500 hub_ip/500 none/none READY

Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/395 sec

Tunnel-id Local Remote fvrf/ivrf Status

2 spoke1_ip/500 spoke2_ip/500 none/none READY

Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/8 sec

spoke2#sh crypto ikev2 sa

IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status

3 spoke2_ip/500 spoke1_ip/500 none/none DELETE

Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 300/117 sec

Tunnel-id Local Remote fvrf/ivrf Status

1 spoke2_ip/500 hub_ip/500 none/none READY

Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/323 sec

IPv6 Crypto IKEv2 SA

debug spoke1:

000070: May 14 03:25:03.862 EET: IKEv2:(SESSION ID = 8,SA ID = 2):Building packet for encryption.

000071: May 14 03:25:03 EET: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down

000072: May 14 03:25:30 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down

000073: May 14 03:25:30.609 EET: IKEv2-ERROR:%Invalid msg context handle

000074: May 14 03:25:30.613 EET: IPSEC(crypto_ipsec_kmi_send_message): Invalid KMI msg id: 13

000075: May 14 03:25:30.613 EET: IPSEC(crypto_ipsec_send_ready): Couldn't send KMI message

000076: May 14 03:25:30.613 EET: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb

000077: May 14 03:25:30.613 EET: IPSEC: Expand action denied, discard or forward packet.

000078: May 14 03:25:30.613 EET: IPSEC: Expand action denied, notify RP

000079: May 14 03:25:30.613 EET: IPSEC: Expand action denied, discard or forward packet.

000080: May 14 03:25:30.613 EET: IPSEC: Expand action denied, discard or forward packet.

000081: May 14 03:25:32.597 EET: IKEv2:(SESSION ID = 9,SA ID = 2):Retransmitting packet

000082: May 14 03:25:32.597 EET: IKEv2:(SESSION ID = 9,SA ID = 2):Sending Packet [To spoke2_ip:500/From spoke1_ip:500/VRF i0:f0]

Initiator SPI : 9228A8F046534DA5 - Responder SPI : 38DBC6DE3E92DD9B Message id: 2

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

000083: May 14 03:25:36.213 EET: IKEv2:(SESSION ID = 9,SA ID = 2):Retransmitting packet

000084: May 14 03:25:36.213 EET: IKEv2:(SESSION ID = 9,SA ID = 2):Sending Packet [To spoke2_ip:500/From spoke1_ip:500/VRF i0:f0]

Initiator SPI : 9228A8F046534DA5 - Responder SPI : 38DBC6DE3E92DD9B Message id: 2

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

debug spoke2:

000063: May 14 03:19:20 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

000064: May 14 03:19:21 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

000065: May 14 03:19:21 EET: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Virtual-Access1 (incomplete) - looped chain attempting to stack

000066: May 14 03:19:30 EET: %TUN-5-RECURDOWN: Virtual-Access1 temporarily disabled due to recursive routing

000067: May 14 03:19:30 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

000068: May 14 03:19:30 EET: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

000069: May 14 03:23:20 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

000070: May 14 03:23:20 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

000071: May 14 03:23:20 EET: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Virtual-Access1 (incomplete) - looped chain attempting to stack

000072: May 14 03:23:30 EET: %TUN-5-RECURDOWN: Virtual-Access1 temporarily disabled due to recursive routing

000073: May 14 03:23:30 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

000074: May 14 03:23:30 EET: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

000075: May 14 03:24:51 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

000076: May 14 03:24:51.938 EET: IKEv2-ERROR:%Invalid msg context handle

000077: May 14 03:24:51.938 EET: IPSEC(crypto_ipsec_kmi_send_message): Invalid KMI msg id: 13

000078: May 14 03:24:51.938 EET: IPSEC(crypto_ipsec_send_ready): Couldn't send KMI message

000079: May 14 03:24:51.942 EET: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb

000080: May 14 03:24:51.942 EET: IPSEC: Expand action denied, discard or forward packet.

000081: May 14 03:24:51.942 EET: IPSEC: Expand action denied, notify RP

000082: May 14 03:24:51.942 EET: IPSEC: Expand action denied, discard or forward packet.

000083: May 14 03:24:51.942 EET: IPSEC: Expand action denied, discard or forward packet.

000084: May 14 03:24:53.982 EET: IKEv2:(SESSION ID = 7,SA ID = 2):Retransmitting packet

000085: May 14 03:24:53.982 EET: IKEv2:(SESSION ID = 7,SA ID = 2):Sending Packet [To spoke1_ip:500/From spoke2_ip:500/VRF i0:f0]

Initiator SPI : F99EEE1B05876B31 - Responder SPI : E5DA75C2842D003C Message id: 2

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

000086: May 14 03:24:57.726 EET: IKEv2:(SESSION ID = 7,SA ID = 2):Retransmitting packet

000087: May 14 03:24:57.726 EET: IKEv2:(SESSION ID = 7,SA ID = 2):Sending Packet [To spoke1_ip:500/From spoke2_ip:500/VRF i0:f0]

Initiator SPI : F99EEE1B05876B31 - Responder SPI : E5DA75C2842D003C Message id: 2

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

000088: May 14 03:25:01 EET: %TUN-5-RECURDOWN: Virtual-Access1 temporarily disabled due to recursive routing

000089: May 14 03:25:01 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

000090: May 14 03:25:01.922 EET: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= spoke2_ip, sa_proto= 50,

sa_spi= 0xDD0E58B0(3708704944),

sa_trans= esp-gcm 256 , sa_conn_id= 1014

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= spoke2_ip:0, remote= spoke1_ip:0,

local_proxy= spoke2_ip/255.255.255.255/47/0,

remote_proxy= spoke1_ip/255.255.255.255/47/0

000091: May 14 03:25:01.922 EET: IPSEC(delete_sa): SA found saving DEL kmi

000092: May 14 03:25:01.922 EET: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= spoke1_ip, sa_proto= 50,

sa_spi= 0xFAC73C11(4207361041),

sa_trans= esp-gcm 256 , sa_conn_id= 1013

sa_lifetime(k/sec)= (4608000/3600)

000093: May 14 03:25:01 EET: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

000094: May 14 03:25:03.887 EET: IKEv2:(SESSION ID = 7,SA ID = 2):Retransmitting packet

000095: May 14 03:25:03.887 EET: IKEv2:(SESSION ID = 7,SA ID = 2):Sending Packet [To spoke1_ip:500/From spoke2_ip:500/VRF i0:f0]

Initiator SPI : F99EEE1B05876B31 - Responder SPI : E5DA75C2842D003C Message id: 3

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

000096: May 14 03:25:30.656 EET: IKEv2:Received Packet [From spoke1_ip:500/To spoke2_ip:500/VRF i0:f0]

Initiator SPI : 9228A8F046534DA5 - Responder SPI : 0000000000000000 Message id: 0

IKEv2 IKE_SA_INIT Exchange REQUEST

Payload contents:

SA KE N VID

000097: May 14 03:25:42.517 EET: IKEv2:(SESSION ID = 8,SA ID = 2):Received Packet [From spoke1_ip:500/To spoke2_ip:500/VRF i0:f0]

Initiator SPI : 9228A8F046534DA5 - Responder SPI : 38DBC6DE3E92DD9B Message id: 4

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

DELETE NOTIFY(DELETE_REASON)

000098: May 14 03:25:42.517 EET: IKEv2:(SESSION ID = 8,SA ID = 2):

000099: May 14 03:25:42 EET: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

Maksym Ozerov · ‎05-14-2020

This trouble has resolved! I changed in my spokes in unnumbered interface:

interface Virtual-Template1 type tunnel

ip unnumbered Tunnel10

View solution in original post

Rob Ingram · ‎05-14-2020

Hi,

You've got a routing loop %TUN-5-RECURDOWN: Virtual-Access1 temporarily disabled due to recursive routing

You'll learn the routes via the hub, so remove "no passive-interface Virtual-Template1" and try again.

HTH

Maksym Ozerov · ‎05-14-2020

I disabled eigrp on passive-interface Virtual-Template1 in my hub. The trouble still exist.

router eigrp 1

network 10.67.0.0 0.0.255.255

passive-interface default

no passive-interface Loopback1

There aren’t log messages on my hub when I am trying to ping one spoke from other

hub#show debugging

EIGRP:

Route Event debugging is on

EIGRP-IPv4: Address-Family:

Route Event debugging is on

IKEV2:

IKEv2 error debugging is on

IKEv2 default debugging is on

Spoke1:

Spoke1#show debugging

EIGRP:

Packet debugging is on

Route Event debugging is on

EIGRP-IPv4: Address-Family:

Route Event debugging is on

IKEV2:

IKEv2 error debugging is on

IKEv2 default debugging is on

Cryptographic Subsystem:

Crypto IPSEC debugging is on

Crypto IPSEC Error debugging is on

Spoke2:

Spoke2#show debugging

EIGRP:

Packet debugging is on

Route Event debugging is on

EIGRP-IPv4: Address-Family:

Route Event debugging is on

IKEV2:

IKEv2 error debugging is on

IKEv2 default debugging is on

Cryptographic Subsystem:

Crypto IPSEC debugging is on

Crypto IPSEC Error debugging is on

Spoke1 log:

012701: May 14 16:32:13.953 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012702: May 14 16:32:15.005 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012703: May 14 16:32:15.005 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012704: May 14 16:32:18.829 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012705: May 14 16:32:18.829 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012706: May 14 16:32:19.709 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012707: May 14 16:32:19.709 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012708: May 14 16:32:21 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down

012709: May 14 16:32:21.973 EET: IKEv2-ERROR:%Invalid msg context handle

012710: May 14 16:32:21.977 EET: IPSEC(crypto_ipsec_kmi_send_message): Invalid KMI msg id: 13

012711: May 14 16:32:21.977 EET: IPSEC(crypto_ipsec_send_ready): Couldn't send KMI message

012712: May 14 16:32:21.977 EET: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb

012713: May 14 16:32:21.977 EET: IPSEC: Expand action denied, discard or forward packet.

012714: May 14 16:32:21.977 EET: IPSEC: Expand action denied, notify RP

012715: May 14 16:32:21.977 EET: IPSEC: Expand action denied, discard or forward packet.

012716: May 14 16:32:21.977 EET: IPSEC: Expand action denied, discard or forward packet.

012717: May 14 16:32:23.425 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012718: May 14 16:32:23.425 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012719: May 14 16:32:24.013 EET: IKEv2:(SESSION ID = 191,SA ID = 2):Retransmitting packet

012720: May 14 16:32:24.013 EET: IKEv2:(SESSION ID = 191,SA ID = 2):Sending Packet [To spoke2_ip:500/From spoke1_ip:500/VRF i0:f0]

Initiator SPI : 584162B685FD3660 - Responder SPI : 5F758222BB7B3F31 Message id: 2

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

012721: May 14 16:32:27.853 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012722: May 14 16:32:27.853 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012723: May 14 16:32:27.953 EET: IKEv2:(SESSION ID = 191,SA ID = 2):Retransmitting packet

012724: May 14 16:32:27.953 EET: IKEv2:(SESSION ID = 191,SA ID = 2):Sending Packet [To spoke2_ip:500/From spoke1_ip:500/VRF i0:f0]

012725: May 14 16:32:28.685 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012726: May 14 16:32:28.685 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012727: May 14 16:32:31 EET: %TUN-5-RECURDOWN: Virtual-Access3 temporarily disabled due to recursive routing

012728: May 14 16:32:31 EET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down

012729: May 14 16:32:31.969 EET: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= spoke1_ip, sa_proto= 50,

sa_spi= 0x31A70158(833028440),

sa_trans= esp-gcm 256 , sa_conn_id= 1406

sa_lifetime(k/sec)= (4608000/3600),

(identity) local= spoke1_ip:0, remote= spoke2_ip:0,

local_proxy= spoke1_ip/255.255.255.255/47/0,

remote_proxy= spoke2_ip/255.255.255.255/47/0

012730: May 14 16:32:31.969 EET: IPSEC(delete_sa): SA found saving DEL kmi

012731: May 14 16:32:31.969 EET: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= spoke2_ip, sa_proto= 50,

sa_spi= 0x557FBC1B(1434434587),

sa_trans= esp-gcm 256 , sa_conn_id= 1405

sa_lifetime(k/sec)= (4608000/3600)

012732: May 14 16:32:31 EET: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down

012733: May 14 16:32:33.349 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012734: May 14 16:32:33.349 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012735: May 14 16:32:33.805 EET: IKEv2:(SESSION ID = 191,SA ID = 2):Retransmitting packet

012736: May 14 16:32:33.805 EET: IKEv2:(SESSION ID = 191,SA ID = 2):Sending Packet [To spoke2_ip:500/From spoke1_ip:500/VRF i0:f0]

Initiator SPI : 584162B685FD3660 - Responder SPI : 5F758222BB7B3F31 Message id: 3

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

ENCR

012737: May 14 16:32:37.126 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012738: May 14 16:32:37.126 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012739: May 14 16:32:37.902 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012740: May 14 16:32:37.902 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012741: May 14 16:32:42.002 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012742: May 14 16:32:42.002 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012743: May 14 16:32:42.350 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012744: May 14 16:32:42.350 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012745: May 14 16:32:46.858 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012746: May 14 16:32:46.858 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012747: May 14 16:32:46.982 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

Spoke2 log:

012703: May 14 16:32:12.105 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012704: May 14 16:32:12.105 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012705: May 14 16:32:12.769 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012706: May 14 16:32:12.769 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012707: May 14 16:32:16.982 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012708: May 14 16:32:16.982 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012709: May 14 16:32:17.326 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012710: May 14 16:32:17.326 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012711: May 14 16:32:21.714 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012712: May 14 16:32:21.714 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012713: May 14 16:32:21.986 EET: IKEv2:Received Packet [From spoke1_ip:500/To spoke2_ip:500/VRF i0:f0]

Initiator SPI : 584162B685FD3660 - Responder SPI : 0000000000000000 Message id: 0

IKEv2 IKE_SA_INIT Exchange REQUEST

012714: May 14 16:32:26.038 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012715: May 14 16:32:26.038 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012716: May 14 16:32:27.086 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012717: May 14 16:32:27.086 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012718: May 14 16:32:30.822 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012719: May 14 16:32:30.822 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012720: May 14 16:32:31.662 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012721: May 14 16:32:31.662 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012722: May 14 16:32:33.810 EET: IKEv2:(SESSION ID = 190,SA ID = 2):Received Packet [From spoke1_ip:500/To spoke2_ip:500/VRF i0:f0]

Initiator SPI : 584162B685FD3660 - Responder SPI : 5F758222BB7B3F31 Message id: 3

IKEv2 INFORMATIONAL Exchange REQUEST

Payload contents:

DELETE

012723: May 14 16:32:33.810 EET: IKEv2:(SESSION ID = 190,SA ID = 2):Building packet for encryption.

012724: May 14 16:32:35.666 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012725: May 14 16:32:35.666 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012726: May 14 16:32:36.558 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012727: May 14 16:32:36.558 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012728: May 14 16:32:40.447 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012729: May 14 16:32:40.451 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012730: May 14 16:32:41.547 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012731: May 14 16:32:41.547 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012732: May 14 16:32:44.883 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

012733: May 14 16:32:44.883 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

012734: May 14 16:32:45.839 EET: EIGRP: Sending HELLO on Tu20 - paklen 20

012735: May 14 16:32:45.839 EET: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

012736: May 14 16:32:49.427 EET: EIGRP: Received HELLO on Tu20 - paklen 20 nbr 10.67.0.2

If you require any further information, feel free to contact me.

Maksym Ozerov · ‎05-14-2020

This trouble has resolved! I changed in my spokes in unnumbered interface:

interface Virtual-Template1 type tunnel

ip unnumbered Tunnel10