FlexVPN Spoke to Spoke issues

John McNumara
Level 1

Config:

Hub:

interface Virtual-Template1 type tunnel
 description FlexVPN hub-to-spokes
 ip unnumbered Loopback100
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default

Spokes:

interface Tunnel0
 description FlexVPN tunnel
 ip address negotiated
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Vlan1
 tunnel destination x.x.x.x
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default

interface Virtual-Template1 type tunnel
 description FlexVPN spoke-to-spoke
 ip unnumbered Loopback101
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile default

--

Hub-Spoke works perfectly. 

When pinging from a spoke to another spoke's LAN IP, the router misses one ping, returns one or two, then misses all other pings until the next reload (clear crypto session does not reset fully). The spoke used to ping will bring up a Virtual-Access interface, and then immediately bring up a second Virtual-Access interface, after which an invalid SPI error is shown (authentication is identical).

Unfortunately, the issue is not always consistent.  Sometimes, after a reload on all routers, one router will retain the ability to ping, other times no routers can ping.  Here is an example:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
!!
Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xE4981ED6(3835174614), srcaddr=x.x.x.x, input interface=Dialer0...
Success rate is 40 percent (2/5), round-trip min/avg/max = 96/100/104 ms

Thanks for any help

5 Replies

Marcin Latosiewicz
Cisco Employee

John,

Since the input interface (Dialer0) is not referenced in any of the listings you provided, I think it might make sense to open a TAC case to do a deep dive.

_COULD_ be a programming issue.

M.

Both spoke router interfaces:

Virtual-Template1

Loopback 101

Tunnel0

Dialer0

FastEthernet4

--

As we are using NHRP, what should exactly be happening?  My goal is to have direct spoke-to-spoke connectivity, so shouldn't it use Dialer0 on both spokes to bring up a new tunnel?

John,

The error means that no matching SPI was found for inbound encrypted traffic on that ingress interface.

Is that your interface towards the ISP? If so, then the SPI actually exists in your SADB but somehow is not associated properly.

When/if opening a case please attach:

- show crypto ipsec sa

- show crypto map

(ideally taken before and after trying to bring up the spoke-to-spoke tunnel)

I found a reference to a similar problem in our archive, but the customer became unresponsive after a while and no resolution was provided.

One thing you CAN try is to go to 15.2.4M-latest and see if the problem persists.

M.
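Marcin's point that the rejected SPI may already be in the SADB but not matched to the packet can be checked mechanically against the two outputs he asks for. As an added example (not code from the thread or from Cisco), the Python helper below parses a constructed, trimmed "show crypto ipsec sa" sample and a constructed %CRYPTO-4-RECVD_PKT_INV_SPI line in the format quoted in the question, and reports which SAs, if any, already hold the SPI that was rejected on the ingress interface; it assumes the standard IOS layout of that show command and uses documentation addresses.

```python
import re
from collections import defaultdict
# Constructed, trimmed "show crypto ipsec sa" sample (documentation addresses, not from the thread).
SHOW_SA = """\
interface: Tunnel0
   current_peer 198.51.100.1 port 500
     current outbound spi: 0x1A2B3C4D(439041101)

     inbound esp sas:
      spi: 0xE4981ED6(3835174614)

     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""

# Constructed log line in the same format as the one quoted in the question.
LOG_LINE = ("Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
            "has invalid spi for destaddr=203.0.113.10, prot=50, spi=0xE4981ED6(3835174614), "
            "srcaddr=198.51.100.1, input interface=Dialer0...")

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+),\s*prot=(?P<prot>\d+),"
    r"\s*spi=(?P<spi>0x[0-9A-Fa-f]+).*?srcaddr=(?P<src>[\d.]+).*?input interface=(?P<ifc>[\w/]+)",
    re.DOTALL)

def parse_sadb(text):
    """Map (interface, peer, direction) -> set of SPIs found in show crypto ipsec sa output."""
    sadb = defaultdict(set)
    ifc = peer = direction = None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface:"):
            ifc, direction = s.split(":", 1)[1].strip(), None
        elif s.startswith("current_peer"):
            peer, direction = s.split()[1], None
        elif s.startswith(("inbound", "outbound")) and s.endswith("sas:"):
            direction = s.split()[0]
        elif s.startswith("spi:") and direction:  # "current outbound spi:" is deliberately skipped
            sadb[(ifc, peer, direction)].add(int(s.split()[1].split("(")[0], 16))
    return dict(sadb)

def check_inv_spi(line, sadb_text):
    """Rejected SPI, peer and ingress interface, plus every SA already holding that SPI (empty = SA really missing)."""
    m = INV_SPI_RE.search(line)
    if m is None:
        return None
    spi = int(m.group("spi"), 16)
    hits = sorted(k for k, spis in parse_sadb(sadb_text).items() if spi in spis)
    return {"spi": spi, "peer": m.group("src"), "ingress": m.group("ifc"), "known_sas": hits}
```

Run it on the real outputs taken before and after the spoke-to-spoke attempt: a non-empty known_sas for an SPI that the router still rejects is the symptom Marcin describes, an inbound SA that exists but is not matched on the ingress interface.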

Marcin,

I upgraded to 12.2.4M5(MD).  Unfortunately it made no difference.  I've also tried removing MTU/MSS restrictions.

Any other ideas besides calling TAC (I don't have SMARTnet for these devices)?

Thanks

John,

12.2? :O   Tell me it's the boot image.

I can't promise much but I can have a look at your full config, maybe I can spot something.

M.