DMVPN & GRE over IPsec on the same physical interface

Dear All,
I'm configuring two WAN routers; each WAN router has one physical interface connecting to the branches and the regional office using the same provider.
We'll be using GRE over IPsec to connect to the regional office and DMVPN + EIGRP to the branches.
I would like to know if it's possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.
Kindly reply; it's an urgent request and your response is highly appreciated.
Regards,

Hi Savio,
It should work. We can configure DMVPN and GRE over IPsec on the ASA using the same physical interface.
Regards,
Naresh
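As an added example (not part of the thread above), here is an IOS router configuration for the setup the question describes: a point-to-point GRE over IPsec tunnel to the regional office and a multipoint GRE (DMVPN hub) tunnel to the branches, both sourced from the same physical WAN interface. All interface names, addresses, keys and peer addresses are placeholders. The two details that make the shared source work are distinct `tunnel key` values, so GRE packets are demultiplexed to the right tunnel, and the `shared` keyword on `tunnel protection`, which IOS requires when more than one tunnel interface uses the same tunnel source with an IPsec profile.

```cisco
! Added example, not from the original thread. All names, addresses and keys are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Static key for the regional office, wildcard key for the branch spokes.
! A wildcard PSK is the weakest option; prefer certificates (PKI) in production.
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.10
crypto isakmp key REPLACE_WITH_STRONG_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile PROF-WAN
 set transform-set TS-AES
!
! Physical WAN interface, used as the tunnel source by both tunnels
interface GigabitEthernet0/0
 description WAN - same provider reaches branches and regional office
 ip address 198.51.100.1 255.255.255.252
!
! Point-to-point GRE over IPsec to the regional office
interface Tunnel0
 description GRE over IPsec to regional office
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel key 1
 ! "shared" lets several tunnel interfaces use the same tunnel source
 ! (and the same IPsec SA database) under tunnel protection
 tunnel protection ipsec profile PROF-WAN shared
!
! DMVPN hub (mGRE + NHRP) towards the branches, same source interface
interface Tunnel1
 description DMVPN hub to branches
 ip address 10.255.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication REPLACE_NHRP
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile PROF-WAN shared
!
router eigrp 100
 network 10.255.0.0 0.0.1.255
 network 10.0.0.0 0.255.255.255
```

Because both tunnels share one IPsec profile and one source address, the IPsec peer (the regional office router or a branch spoke) sees a single ISAKMP/IPsec session; the GRE key is what separates regional-office traffic from DMVPN traffic after decryption, so the keys must differ on the two tunnel interfaces.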

Similar Messages

  • DMVPN GRE over IPSEC Packet loss

I have a hub-and-spoke DMVPN GRE over IPsec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the router and I get the same exact errors. By monitoring the terminal, I regularly get these messages:
    %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
    %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a spoke router. The routing protocol being used is EIGRP. When I do a
"show crypto isakmp sa", it shows the state as "QM_IDLE", which means it is up.
When I use "show crypto engine accelerator stat" this is what I get (attached file).
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to misconfiguration because the config is the exact same as at other sites I have which never have any problems. Here are the tunnel interface and the tunnel source interface on the spoke router:
    interface Tunnel111
    description **DPN VPN**
    bandwidth 1000
    ip address 172.31.111.107 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1300
    ip pim sparse-dense-mode
    ip nhrp authentication XXXX
    ip nhrp map multicast dynamic
    ip nhrp map multicast X.X.X.X
    ip nhrp map X.X.X.X X.X.X.X
    ip nhrp network-id 100002
    ip nhrp holdtime 360
    ip nhrp nhs 172.31.111.254
    ip route-cache flow
    ip tcp adjust-mss 1260
    ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
    qos pre-classify
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key XXXX
    tunnel protection ipsec profile X.X.X.X
    interface GigabitEthernet0/0
    description **TO DPNVPN**
    ip address 10.X.X.X 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip pim sparse-dense-mode
    ip virtual-reassembly
    duplex full
    speed 100
    no snmp trap link-status
    no mop enabled
Is there anything you can think of that may be causing this? Do you think this could be a layer one or two issue? Thanks
    Brenden

Have you tried turning off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU % will run much higher; but you only have 10 spoke sites, so it won't be at 100%.
It's better to start troubleshooting at layer 1, then layer 2, when possible. Have you asked the site's ISP about packet loss on their side?

  • Two contexts sharing the same physical interface

    Hi,
    I have been looking for a configuration guide on how to set up one physical trunked interface to be shared between two contexts.  I am sure I am just using the wrong search words but have as of yet been unable to find anything on this. Anyone able to provide a link please?
Thanks

    Hi,
    I have not linked (or have the need to) 3 Security Contexts before but I would imagine you could modify the above configuration a bit to achieve that also
    interface GigabitEthernet0/0
    description TRUNK
    interface GigabitEthernet0/0.100
    description SC1 - OUTSIDE
    vlan 100
    interface GigabitEthernet0/0.200
    description SC2 - OUTSIDE
    vlan 200
    interface GigabitEthernet0/0.10
    description SC1 - INSIDE
    vlan 10
    interface GigabitEthernet0/0.20
    description SC2 - INSIDE
    vlan 20
    interface GigabitEthernet0/0.12
    description SC1 - TRANSIT
    vlan 12
    interface GigabitEthernet0/0.21
    description SC2 - TRANSIT
    vlan 21
    context TRANSIT
      description SC1 to SC2 TRANSIT SC
      allocate-interface GigabitEthernet0/0.12
      allocate-interface GigabitEthernet0/0.21
      config-url disk0:/TRANSIT.cfg
    context SC1
      description SC1
      allocate-interface GigabitEthernet0/0.100
      allocate-interface GigabitEthernet0/0.10
      allocate-interface GigabitEthernet0/0.12
      config-url disk0:/SC1.cfg
    context SC2
      description SC2
      allocate-interface GigabitEthernet0/0.200
      allocate-interface GigabitEthernet0/0.20
      allocate-interface GigabitEthernet0/0.21
      config-url disk0:/SC2.cfg
    I am not sure if this would be the way but that is how I imagined at the moment.
    The setup should look something like this
    Totally different matter would there be a better way to achieve the same as above
    - Jouni

  • How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

    Hi,
    I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
    interface GigabitEthernet0/0/0/5.21 l2transport
    description CUSTOMER A WAN
    encapsulation dot1q 21
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/0/0/10.3122 l2transport
    description CUSTOMER A CORE
    encapsulation dot1q 3122
    rewrite ingress tag pop 1 symmetric
    l2vpn
    bridge group WANLINKS
      bridge-domain CUSTOMERA
       interface GigabitEthernet0/0/0/5.21
       interface GigabitEthernet0/0/0/10.3122
    When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
    interface GigabitEthernet0/0/0/5.21 l2transport
    description CUSTOMER A WAN
    encapsulation dot1q 21
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/0/0/5.22 l2transport
    description CUSTOMER A WAN2
    encapsulation dot1q 22
    rewrite ingress tag pop 1 symmetric
    l2vpn
    bridge group WANLINKS
      bridge-domain CUSTOMERA
       interface GigabitEthernet0/0/0/5.21
       interface GigabitEthernet0/0/0/5.22
    If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
    Is this because tag rewrites are not happening since packets don't leave the physical interface?
    How can I work around this and establish a L2 connection between the two subinterfaces?
    Thank you

A VLAN is usually the equivalent of an L3 subnet, so linking 2 VLANs together in the same bridge domain likely needs to come with some sort of routing (e.g. a BVI interface).
If these 2 VLANs are still in the same subnet, then there is still ARP going on, from one host to the other, that traverses the BD.
You will need to verify the state of the AC and the forwarding in the BD, see if something gets dropped somewhere, and follow the generic packet troubleshooting guides (see the support forums for that also).
That might give a hint as to what the precise issue in your forwarding is.
    regards
    xander

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and a site-to-site VPN I need a GRE tunnel

I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know when I have to use a GRE tunnel over IPsec.

    Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic than just IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels, whereas VTIs are point-to-point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank
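To make the VTI side of Frank's comparison concrete, here is an added example (not from the thread) of an IPsec VTI configuration on an IOS router, with the points where it differs from a GRE over IPsec tunnel called out in comments. Interface names, addresses and the OSPF process are placeholders.

```cisco
! Added example, not from the original thread. Names and addresses are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.10
!
! A VTI needs tunnel-mode IPsec (transport mode is for GRE over IPsec, where
! the GRE header already supplies the outer delivery header)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PROF-VTI
 set transform-set TS-AES
!
interface Tunnel0
 description IPsec VTI to peer - IP unicast and multicast only, no GRE header
 ip address 10.255.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 ! The tunnel interface itself is the IPsec endpoint: no crypto map, no crypto ACL.
 ! What a VTI cannot do, compared with "tunnel mode gre ip":
 !   - no "tunnel key", so only one tunnel per peer pair on this source/destination
 !   - no "tunnel mode gre multipoint", so no NHRP/DMVPN over it
 !   - no non-IP payloads (GRE can carry them, a VTI only carries IP)
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-VTI
!
! OSPF multicast hellos (224.0.0.5) are carried because the VTI is a routed
! interface, which is why the poster's OSPF works without GRE
router ospf 1
 network 10.255.10.0 0.0.0.3 area 0
```

The practical decision rule this illustrates: if all you need is routed IP unicast and multicast between two routers, a VTI is the simpler and leaner choice (no GRE overhead, no crypto ACL to maintain); as soon as you need tunnel keys, multipoint tunnels or NHRP, you are back to GRE over IPsec.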

  • GRE OVER IPSec vpn

    ACC
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml#diag
This is a lab I did today, and of course I am able to understand this lab, but the confusions are:
1. Why do we use a crypto map on both interfaces (physical interface and tunnel interface)?
2. When I remove the crypto map from the tunnel interface I receive this message
( R2691#*Mar  1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )
   Please tell me what the meaning of this message is.
3. But I can see the VPN is working fine. This is the crypto ipsec sa and crypto isakmp sa:
    R2691#sh crypto ipsec sa
    interface: Serial0/0
        Crypto map tag: vpn, local addr 30.1.1.21
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
       current_peer 10.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
        #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 30.1.1.21, remote crypto endpt.: 10.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
         current outbound spi: 0xDBF65B0E(3690355470)
         inbound esp sas:
          spi: 0x44FF512B(1157583147)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 5, flow_id: SW:5, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDBF65B0E(3690355470)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 6, flow_id: SW:6, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    R2691#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    30.1.1.21       10.1.1.1        QM_IDLE           1002    0 ACTIVE
    IPv6 Crypto ISAKMP SA.
4. How do I know it is using GRE over IPsec?
I am also attaching my topology on which I did the lab.

Mr. Anuj, here is my config
    R7200#sh ip int b
    Interface                  IP-Address      OK? Method Status                Protocol
    Serial1/0                  10.1.1.1        YES NVRAM  up                    up
    Loopback1                  50.1.1.1        YES NVRAM  up                    up
    Loopback2                  50.1.2.1        YES NVRAM  up                    up
    Tunnel0                    40.1.1.2        YES NVRAM  up                    up
    Tunnel1                    40.1.2.2        YES NVRAM  up                    up
    Tunnel2                    40.1.3.2        YES NVRAM  up                    up
    =========================================================
    R7200#sh int tunnel 0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 40.1.1.2/24
      MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 10.1.1.1 (Serial1/0), destination 30.1.1.1
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:00:04, output 00:00:04, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         2229 packets input, 213651 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         2292 packets output, 220520 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ===============================================================
My crypto ACL is
    access-list 101 permit gre host 10.1.1.1 host 30.1.1.1
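An added example (not the poster's configuration) that ties the poster's questions 1 and 4 to the output shown above. The crypto ACL matches IP protocol 47 (GRE) between the two tunnel endpoints, which is exactly why the "show crypto ipsec sa" output reports local and remote idents of ".../255.255.255.255/47/0": only GRE packets between those two hosts are encrypted, and everything the tunnel carries rides inside them. The local and peer addresses (30.1.1.21, 10.1.1.1) are taken from the output in the thread; the tunnel addressing, key and transform set are placeholders, and the transform set uses AES/SHA rather than the 3DES/MD5 seen in the output. Since IOS 12.2(13)T the crypto map only needs to be applied to the physical interface, not to the tunnel interface as well, which is why removing it from the tunnel does not break the VPN.

```cisco
! Added example, not the poster's config. Peer addresses follow the thread's
! "show crypto ipsec sa" output; the rest are placeholders.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 10.1.1.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: protect only GRE (IP protocol 47) between the two tunnel endpoints.
! This is what produces "(30.1.1.21/255.255.255.255/47/0)" in "show crypto ipsec sa".
access-list 101 permit gre host 30.1.1.21 host 10.1.1.1
!
crypto map vpn 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TS
 match address 101
!
interface Tunnel0
 description GRE tunnel; its packets are encrypted by the map on Serial0/0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 10.1.1.1
 ! No crypto map here: since IOS 12.2(13)T the map on the physical interface
 ! is applied after GRE encapsulation and is sufficient
!
interface Serial0/0
 ip address 30.1.1.21 255.255.255.0
 crypto map vpn
```

Two quick checks confirm that traffic is really GRE over IPsec and not plain GRE: the encaps/decaps counters under "show crypto ipsec sa" should increase together with the tunnel interface's packet counters, and a capture on the physical link should show only ESP (protocol 50) between the two endpoints, never bare GRE (protocol 47).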

  • High cpu consumption with GRE over IPSEC

    Hi all,
After applying a GRE over IPsec tunnel at one of our branch offices, we get high CPU consumption (average 90%).
The tunnel is between a Cisco 2851 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T2, (fc2) and
a Cisco CISCO2921/K9 Version 15.0(1)M3.
Config of the tunnel is as follows:
    - authentication pre-share
    - encryption aes 256
    - hash : sha
    - transform set : esp-aes esp-sha-hmac mode transport
    Routing process is eigrp.
    Could anyone please help me on solving this issue?

    Cool, good start.
    Check "show ip traffic" on both sides, it would be interesting to see what's going on.
    BTW the CPU usage of top process doesn't add up to 90%, there's a possibility it's traffic rate/pattern + features (IP input and pool manager would suggest that).

  • I am unable to connect my iPad to the internet via WiFi; when asked for my password I get the message "unable to join network", however my laptop is able to access the internet using similar procedures and in the same physical location.

I am unable to connect my iPad to the internet via WiFi; when asked for a password and then attempting to join I get the message "unable to join the network", however if I use my laptop in the same physical location and using similar procedures I am able to connect.

    What router are you using? make/model/version
    What security type are you using? If it is WEP then symbolic (non hex) keys may be converted to hex in different ways by different operating systems. Is your laptop a Windows PC?
    If you are using WEP then drop it and move to WPA2. WEP has been deprecated by the WiFi alliance since 2004 as insecure (it can be hacked in seconds).

  • Duplicate entries in iTunes display, but both entries point to the same physical location.

    I've seen lots of discussion about how to remove duplicate copies of the same song, but my issue is different.
    iTunes has duplicate entries in its database, but if I do show in finder, then both entries point to the same physical location.
    If I delete one entry, then the other entry becomes unusable.
Any idea how I could clean this up? It's annoying because if I select an album to play, then each song gets played twice.

    @zoo_bink I too have exactly the same issue however it's not affecting all my files.
    One solution, which I'm contemplating, is to backup the iTunes Media folder, delete files, uninstall/reinstall iTunes then re-import the files. The issue may have arisen during initial import. (I'm not sure at this stage if Apple allow iTunes to be uninstalled.)
    iTunes music collection is showing 58.95GB versus 57.11GB in Finder so it's not a massive deal but annoying nonetheless as deleting entries isn't an option.
    Any suggestions welcome.
    MacBook Pro, OS X 10.9.1, iTunes 11.1.3 (8)

  • Since Apple already has a SMS/MMS app for the iPhone, which can be used over WiFi, can the same app be installed on the iPad 2?

    I have an iPhone 3GS, and realized I do most of my SMS/MMS messaging at home, when connected to my WiFi. Then I began to think, if I'm using the messaging app over WiFi, can the SAME app (which, personally I like much better than the third party apps) be installed on the iPad 2 (which I'm still waiting from back order)?

    Incorrect.
    SMS/MMS is exchanged over the same network as calls.
    "Dumb" phones or phones not in the smart category that don't have internet access in any shape, form, or fashion can exchange SMS/MMS.
    Since SMS/MMS (a poor man's email with cell phones since it is very limited) is a cash cow for carriers and very profitable, why wouldn't cell phone carriers be interested in including SMS/MMS as an additional option (and of course at an additional expense) with a data plan only for the iPad? They certainly are interested in it but they can't since SMS/MMS is exchanged over the same network as calls.
    Get me the IPAD SMS app
    Take your whining someplace else. The self-entitlement displayed here by some is laughable.

  • It is possible to charge an iPad3 over USB and transmit data over USB at the same time?

    Hello,
    it is possible to charge an iPad3 over USB and transmit data over USB at the same time?
    If yes, how?
    Thanks
    Best regards

    OK!?
That is right that the USB data pins are not connected to the +5V pin.
But I found a description for a self-built power supply for the iPad.
    http://timothyb.net/DIY_iPad_2_USB_Charger.html
    and
    https://www.mikrocontroller.net/topic/262610?goto=2726627#2726627
The description says: data pin D- needs a voltage level of 2V and D+ 2.857V.
Only when the data pins have these special voltage levels and VCC has +5V is the iPad charging.
The "D+/D- coding" voltage is the key for the iPad to charge.
OK, now back to my problem.
The regular USB data pin voltage level is 0.3 - 3.0 V. When the iPad is charging the data pins have this special voltage level. Now I try to transmit data over the USB data pins with the. Normally the USB port transmits the data with a voltage level of max. 3V.
And here is my problem. The higher voltage level at the data pins causes the iPad to stop charging.
Is that correct?

  • Can one installation of SSIS be shared by multiple instances on the same physical box?

Hello everyone,
I hope I'm posting this question on the correct forum.
We are short on money this year and we decided to purchase one physical system to represent Development and QA.
I am designing an architecture around my systems where I would have two SQL Server instances (2014, Enterprise Ed), one for each environment:
DVSV-ODS01\DEV
DVSV-ODS01\QA
The only possible problem is SSIS, as I cannot have multiple installations of SSIS on the same box.
Is it possible to have the SSIS service serving the two SQL Server instances installed on the same physical box?
Thanks for your help.

    Not on the same physical box, but you can go with running say the QA environment on a Virtual Machine.
    E.g. the very free VirtualBox should do it. And then you can install two SSIS instances.
    You can even access them simultaneously this way.
    Arthur
    MyBlog
    Twitter

  • Oracle XE on multiple virtual machines on the same physical machine?

    hi,
Does Oracle's licensing for 11g Express Edition prohibit running XE databases on multiple virtual machines on the same physical machine? If not, does the machine have to be "hard partitioned" per Oracle specifications (link below) to make it legal?
    http://www.oracle.com/us/corporate/pricing/partitioning-070609.pdf
I found a similar question regarding 10g Express Edition in the forum (link below), but it doesn't seem like the question was ever definitively answered.
    Oracle XE on multiple virtual machines on the same physical machine?
    thanks

I thought until I just checked that this was a clear-cut no in that it specifies 'a single server'. Now I'm not sure, as 'server' is an ambiguous term. I at least know that as soon as you start giving developers access to their own XE instance for dev/testing there are many VM environments where you can't really know what physical machine your VM is running on, to actually be able to tell if you had multiple XE instances running on a single 'physical' server. I'm not sure the question has been answered by Oracle though.

  • Two environments to the same physical location

May I open two environments (one read-only and one with write access) to the same physical location on the disk?
I intend to use the one with read-only access as a consumer of data, and the second as manager and provider of data.
Both environments will be established by different processes (applications) or VMs.
Is there any special order (sequence) in which to open them, or is there none?
    Thanks.

    Hi,
    First, please see this documentation about read-only processes:
    http://www.oracle.com/technology/documentation/berkeley-db/je/GettingStartedGuide/multiprocess.html
    Read-only processes are very limited because changes made by the writer process are not automatically seen by the reader process, as described in the 3rd bullet of the documentation. To get around this limitation, replication can be used. Replica processes do see changes made by the writer process. For information on replication see:
    http://www.oracle.com/technology/documentation/berkeley-db/je/ReplicationGuide/index.html
--mark

  • Vrf lite and PBR on the same sub interface

    Hi,
I have a point-to-point connection on a subinterface between PE and CE and use eBGP as the routing protocol. The CE is a Cisco 7609 router, and on the subinterface I apply "ip vrf forwarding WAP". Inside this VPN / VRF that I defined before I want to do PBR, i.e. route the traffic based on the source IP address. I cannot use "vrf select" because it is not supported on this platform. So I would like to know if I can do PBR on this subinterface and how I can do it: just by configuring "ip policy route-map WAP" under the same subinterface where I configure ip vrf forwarding?
    Thanks
    Ira

Use the route map as a normal thing.
To match all IP addresses there should not be any match statement in the route map.
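As an added example (not from the thread), here is what the reply's advice looks like as a configuration: the route map is applied with "ip policy route-map" directly on the VRF subinterface, one sequence steers traffic from a chosen source range to an alternate next hop, and a second sequence with no match statement catches everything else, as the reply describes. The VRF name WAP comes from the question; the interface, addresses and ACL are placeholders, and it is assumed that the platform and IOS release support PBR on VRF interfaces, with "set ip next-hop" resolved in the interface's VRF.

```cisco
! Added example, not from the original thread. Names and addresses are placeholders;
! assumes the platform supports PBR on VRF interfaces.
ip vrf WAP
 rd 65000:100
!
! Sources whose traffic should be steered to the alternate next hop
ip access-list extended PBR-SRC-A
 permit ip 10.10.1.0 0.0.0.255 any
!
route-map WAP permit 10
 match ip address PBR-SRC-A
 ! next hop is resolved in the VRF of the incoming interface (WAP), not the global table
 set ip next-hop 10.20.0.2
!
! A sequence with no "match" matches all remaining traffic; with no "set" it is
! forwarded normally in the VRF. Drop it entirely and the result is the same, the
! implicit deny at the end of a route map used for PBR also means "route normally".
route-map WAP permit 20
!
interface GigabitEthernet1/1.100
 encapsulation dot1Q 100
 ! "ip vrf forwarding" must come before "ip address": applying it removes any
 ! address already configured on the interface
 ip vrf forwarding WAP
 ip address 10.20.0.1 255.255.255.0
 ip policy route-map WAP
```

To verify the behaviour, "show route-map WAP" shows per-sequence policy-routing match counters, and "show ip policy" lists which interfaces have the route map applied.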
