IPSEC DMVPN

cunhalg
Community Member

Hello,

I have implemented an IPSEC DMVPN with 15 ADSL sites.

The network was built using c836 as CPE and two redundant 7206 VXR as PE, where the IPSEC+GRE tunnels from the CPE are terminated. Today I am using an access list to process all the packets to and from these tunnels on the PEs. When I unconfigure the process switching on the tunnel interface and activate CEF on the PE, the customer applications stop working (e.g. Outlook at each site is unable to synchronize with the server).

As soon as I insert the process access-list again, the traffic normalizes.

To have the solution working, I have CEF active on the CPEs and a process access-list on the tunnel interface at the PE.

Doesn't CEF work with DMVPN? Is there a known problem?

Thank you

Luis

2 Replies

ehirsel
Level 11

What version of IOS software is running on the C836 and 7206 routers? Are you explicitly setting the path MTU? Are you implementing the DF override function?

If you are not explicitly setting the MTU, it may be that fragmentation is needed again after IPSec processing, and this may cause your problem. There may be newer IOS code that will pre-fragment prior to IPSec, which will allow CEF to work.
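
The fragmentation point raised in the reply above, worked through as an added example (not part of the thread and not Cisco code): it computes the on-wire size of a packet after GRE and ESP and the largest inner packet that avoids fragmentation after encryption. The 3DES/HMAC-SHA1-96 transform, ESP tunnel mode, 4-byte GRE header and 1500-byte path MTU are assumptions; the thread does not state them.

```python
# Added example: post-encapsulation size for GRE over IPsec ESP.
# All defaults are assumptions, not values from the thread:
#   3DES-CBC (8-byte block, 8-byte IV), HMAC-SHA1-96 (12-byte ICV),
#   ESP tunnel mode, 4-byte GRE header (use gre_hdr=8 if a tunnel key is set).

OUTER_IP = 20     # IPv4 header without options
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes, encrypted with the payload


def esp_gre_size(inner_len, gre_hdr=4, block=8, iv=8, icv=12, tunnel_mode=True):
    """Return the on-wire size of an inner IP packet after GRE, then ESP."""
    gre_packet = OUTER_IP + gre_hdr + inner_len   # GRE delivery header + GRE + payload
    # Tunnel mode encrypts the whole GRE packet and adds a new IP header;
    # transport mode reuses the GRE delivery header as the outer header.
    plaintext = gre_packet if tunnel_mode else gre_packet - OUTER_IP
    to_pad = plaintext + ESP_TRAILER
    padded = -(-to_pad // block) * block          # round up to the cipher block size
    return OUTER_IP + ESP_HEADER + iv + padded + icv


def needs_post_encryption_fragmentation(inner_len, path_mtu=1500, **kw):
    """True if the encrypted packet no longer fits the physical path MTU."""
    return esp_gre_size(inner_len, **kw) > path_mtu


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner packet that still fits path_mtu after GRE + ESP."""
    size = path_mtu
    while size > 0 and esp_gre_size(size, **kw) > path_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for inner in (1500, 1422, 1400):
        print(inner, "->", esp_gre_size(inner),
              "fragment after encryption:", needs_post_encryption_fragmentation(inner))
    print("max inner MTU, 1500-byte path:", max_inner_mtu(1500))
    print("max inner MTU, 1492-byte path:", max_inner_mtu(1492))
```

Under these assumptions a full-size 1500-byte packet grows past the path MTU and has to be fragmented after encryption, while a tunnel IP MTU at or below the computed maximum keeps fragmentation ahead of IPsec.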

cunhalg
Community Member

What version of IOS software is running on the C836 and 7206 routers?

I am using 12.3(2)XC2 on the c836 and 12.3(9) on the 7206.

I have path-mtu-discovery on the tunnel interfaces on both the 7206 and the c836.

I have the DF override on both the 7206 and the c836.

Why is it that when I have the process switch on the 7206 tunnel the customer has no problem, and when I take it out (CEF activated) things stop working?