DMVPN Issues:
Hello All
I have a strange occurence where a Router 2800 series had to be rebooted as the DMVPN session through it went down and the Router had to be rebooted in order to restore the VPN session. Initially, I thought this was due to an IOS issue.
Then another Router this time 2900 series router had the same problem and again needed a reboot to restore the DMVPN tunnel.
Anybody has faced this before and can provide some insight / advice on this.
Please let me know if you need any information on this
Many Thanks in advance.
Hi,
Were you able to capture the syslogs?
Was this on a spoke or hub router?
Sent from Cisco Technical Support iPhone App
Similar Messages
-
Hi All,
I am currently trying to configure DMVPN for the first time. I have been following the cisco config guide and googling a few other bits however I seem to have hit a brick wall.
The setup is in a lab environment so i can post up as much info as required but here are the important bits:
I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "wan" ports together. the routing is working fine, I can ping each router from each other router.
A few snippets from the hub router config:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac!crypto ipsec profile DMVPN_PRJ set transform-set DMVPN_SET!interface Tunnel0 bandwidth 10000 ip address 172.17.100.1 255.255.255.0 no ip redirects ip mtu 1500 ip nhrp authentication secretid ip nhrp map multicast dynamic ip nhrp network-id 101 ip nhrp holdtime 450 ip tcp adjust-mss 1460 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 10101 tunnel protection ipsec profile DMVPN_PRJ!interface GigabitEthernet0/0 description HQ WAN ip address 1.1.1.1 255.255.255.248 ip nat outside ip virtual-reassembly duplex auto speed auto!
and heres the config on the first spoke router:
crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac!crypto ipsec profile DMVPN_PRJ set transform-set DMVPN_SET!interface Tunnel0 bandwidth 3000 ip address 172.17.100.10 255.255.255.0 no ip redirects ip mtu 1500 ip nhrp authentication secretid ip nhrp map 172.17.100.1 1.1.1.1 ip nhrp map multicast 1.1.1.1 ip nhrp network-id 101 ip nhrp holdtime 450 ip nhrp nhs 172.17.100.1 ip tcp adjust-mss 1460 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 10101 tunnel protection ipsec profile DMVPN_PRJ!interface GigabitEthernet0/0 description Site 1 WAN ip address 11.11.11.1 255.255.255.248 ip nat outside ip virtual-reassembly duplex auto speed auto!
if I shut/no shut the tunnel0 interface on spoke 1, I get the following error on the hub router:
Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
so I feel im missing some config on the spoke side to encrypt the traffic but im not sure what.
the following are outputs from the spoke router:
RTR_SITE1#sh dmvpn detailLegend: Attrb --> S - Static, D - Dynamic, I - Incompletea N - NATed, L - Local, X - No Socket # Ent --> Number of NHRP entries with same NBMA peer -------------- Interface Tunnel0 info: --------------Intf. is up, Line Protocol is up, Addr. is 172.17.100.10 Source addr: 11.11.11.1, Dest addr: MGRE Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",Tunnel VRF "", ip vrf forwarding ""NHRP Details: NHS: 172.17.100.1 EType:Spoke, NBMA Peers:1# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network----- --------------- --------------- ----- -------- ----- ----------------- 1 1.1.1.1 172.17.100.1 IKE never S 172.17.100.1/32 Interface: Tunnel0Session: [0x48E31B98] Crypto Session Status: DOWN fvrf: (none), IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1 Active SAs: 0, origin: crypto map Outbound SPI : 0x 0, transform : Socket State: ClosedPending DMVPN Sessions:
RTR_SITE1#sh ip nhrp detail172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire Type: static, Flags: used NBMA address: 1.1.1.1
RTR_SITE1#sh crypto ipsec sainterface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1 protected vrf: (none) local ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0) current_peer 1.1.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 46, #recv errors 0 local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1 path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0 current outbound spi: 0x0(0) inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas:
All of these commands show up as blank when i run them on the hub router.
Any help appreciated.
ThanksThanks for the help
I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
I am using NAT, g0/1 on the routers in the LAN interface with a difference 10.x.x.x/24 on each router.
isakmp policy solved my issue, fixed the MTU as well.
What do i need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers but not the LAN interfaces.
Thanks -
Hi all,
We have configured a DMVPN from our headquarter to our branch offices (let's say BR1-BR3) .
We have noticed that sometime we cannot access some of our branch office, the scenario is like this:
- sometime, BR1 and BR2 are down but BR3 is working fine
- sometime, BR2 and BR3 are down but BR1 is working fine
- sometime, BR1 and BR3 are down but BR2 is working fine
- sometime, only one branch office is down and others are working fine
the hub is a cisco 3845, the IOS is c3845-advipservicesk9-mz.124-5c.bin
from the log, we have
*Sep 7 11:28:59.260: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor x.x.x.x (Tunnel100) is down: stuck in active
*Sep 7 11:29:01.052: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 7: Neighbor x.x.x.x (Tunnel100) is up: new adjacency
we do not know why it is down, there is no problem on the connection between the headquarter and branche offices.
Any suggestion are appreciated.Hi Portu,
please, find below the answer:
Are you able to ping from tunnel interface to tunnel interface?
yes, we are able to ping tunnel interface to tunnel interface
Does the IPsec tunnel come down (show crypto isakmp sa)?
no, we see the status is ACTIVE
Does the tunnel interface come down (show interface tunnel x or show ip interface brief)?
the tunnel is UP
Any ISAKMP / IPsec related logs during the failure?
How often does it happen?
sometimes, many times in one day
sometimes, every 1 or 2 days
Does it recover by itself?
yes, it does
but after rebooting devices, it works fine again
Please, let us know if you need more information. -
Hello,
I am getting packet loss if I ping of tunnel interface IP address & when I remove the IPSEC profile, I don't get packet loss. Tunnel is configured as DMVPN SPOKE.
==============
sh run int tu2
Building configuration...
Current configuration : 561 bytes
interface Tunnel2
bandwidth 6000
ip address 11.242.81.94 255.255.240.0 >>>>>>>>>>>>>>>>>> get packet loss if I ping this IP
no ip redirects
ip mtu 1400
ip flow egress
ip nhrp authentication silver
ip nhrp map multicast dynamic
ip nhrp map multicast X.X.X.X
ip nhrp map 11.242.X.X X.X.X.X
ip nhrp map multicast X.X.X.X
ip nhrp map 11.242.X.X X.X.X.X
ip nhrp network-id 60436
ip nhrp holdtime 600
ip nhrp nhs 11.242.X.X
ip nhrp nhs 11.242.X.X
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN shared >>>>>>>>>>>>>>>>>>>>>>> IPSEC Profile
endHello,
See below similar thread.
https://supportforums.cisco.com/discussion/11192611/packet-loss-dmvpn-tunnel-not-across-wan
HTH.
Please rate helpful post. -
I have a phase 2 DMVPN network with approx 40 spoke routers and dual hub routers. 90% of this is working very well. However I have 3 or 4 spoke routers that are unable to communicate with each other directly (traffic goes via the hub router between these specific sites) however they are able to coomunicate directly with the other 35 or so routers. I think this is an NHRP issue as when I do show ip nhrp detail on one of these 4 routers, the other 3 routers display a (no socket) entry. I am able to clear this "sometimes" by clear ip nhrp. Whenever the (no scoket) entry is there spoke to spoke communication does not work. Any help would be greatly appreciated.
pradeepde,
Thank you very much for your response. I think you may be right, I have upgraded the IOS to a maintenance release 12.4.15T9 and this does appear to have fixed the problem.
Thanks again -
dear all,
am trying to connect a dynamic vpn between hq with public static ip 82.114.179.120 and branch with dynamic ip 46.35.80.59.
state is varying between CONF_XAUTH and MM_NO_STATE.
please can you go through the debug files to help solving the issue. Tunnel interface is 10. show run is after the debug.
thanks for your support.
regards,Hi Mr. Freak again,
below is the latest config with MM_NO_STATE state.
HQ which is configured to accecpt remote vpn client using crypto map is configured for dynamic vpn with branch.
HQ static public ip is 82.114.179.120, tunnel 10 ip 172.16.10.1 and local lan is 192.168.1.0
Branch has dynamic public ip ,tunnel 10 ip 172.16.10.32 and local lan is 192.168.32.0. It is also configured using tunnel 0 with another Hq which works fine.
Branch Lan(192.168.32.0) is needed to access HQ lan(192.168.1.0)....
HQ:
aaa authentication login acs local
aaa authorization network acs local
aaa session-id common
ip cef
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
redundancy
controller VDSL 0/1/0
crypto keyring ccp-dmvpn-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 3600 5
crypto isakmp nat keepalive 3600
crypto isakmp xauth timeout 60
crypto isakmp client configuration group NAMA
key namanama
pool mypool
acl 101
save-password
crypto isakmp profile ccp-dmvpn-isakmprofile
keyring ccp-dmvpn-keyring
match identity address 0.0.0.0
crypto ipsec transform-set test esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
mode transport
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-AES-MD5
set isakmp-profile ccp-dmvpn-isakmprofile
crypto dynamic-map map 10
set transform-set test
reverse-route
crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map
interface Tunnel10
bandwidth 1000
ip address 172.16.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
delay 1000
shutdown
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface ATM0/1/0
description DSL Interface
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface Dialer0
no ip address
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname nama20004
ppp chap password 0 220004
ppp pap sent-username nama20004 password 0 220004
crypto map i-map
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.32.0 255.255.255.0 172.16.10.32
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
82.114.179.120 78.137.84.92 CONF_XAUTH 1486 ACTIVE
82.114.179.120 78.137.84.92 MM_NO_STATE 1483 ACTIVE (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 1482 ACTIVE (deleted)
Branch show run:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key users@NAMA address 82.114.179.105
crypto isakmp key users@NAMA address 82.114.179.120
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
mode transport
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
mode transport
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-AES-MD5
crypto ipsec profile To-Taiz-Profile
set transform-set To-Taiz
interface Tunnel0
bandwidth 1000
ip address 172.16.0.32 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 172.16.0.1 82.114.179.105
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination 82.114.179.105
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
interface Tunnel10
bandwidth 1000
ip address 172.16.10.32 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 172.16.10.1 82.114.179.120
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.16.10.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination 82.114.179.120
tunnel key 22334455
tunnel protection ipsec profile To-Taiz-Profile
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
description ## CONNECT TO LAN ##
no ip address
interface FastEthernet1
description ## CONNECT TO LAN ##
no ip address
interface FastEthernet2
description ## CONNECT TO LAN ##
no ip address
interface FastEthernet3
description ## CONNECT TO LAN ##
no ip address
interface Vlan1
description ## LAN INTERFACE ##
ip dhcp client hostname none
ip address 192.168.32.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname mohammadaa
ppp chap password 0 123456
ppp pap sent-username mohammadaa password 0 123456
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 172.16.0.1
ip route 192.168.1.0 255.255.255.0 172.16.10.1
ip sla auto discovery
dialer-list 1 protocol ip permit
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
Branch#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
82.114.179.120 78.137.84.92 MM_NO_STATE 2061 ACTIVE (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 2060 ACTIVE (deleted) -
DMVPN split tunnling issue, not able to by pass http traffic at spoke end.
Dear all,
I would appreciate please help me out to resolve following issue.
I have been using DMVPN setup (Routing protocol EIGRP) for 20 site no issue at all and everything is perfectly working.
Now I received one request that I would need to split corporate legitimate traffic and internet traffic at spoke end, so all internet traffic has to forward via local ADSL connection , but I tried to resolve it but spoke router is continuously forwarding all traffic to tunnel.
Moreover I found on internet that DMVPN has limitation that split tunneling is not possible.
Please can you suggest me how can I forward internet traffic (HTTP) via local ADSL connection
thanks and regards,I agree with Marcin.
At the spoke you would need to add a static default route for the internet traffic. You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric. Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN you could leave the EIGRP default route and use it as a backup incase the ADSL goes down. But if they are both located off the same interface then there is no point in keeping the injected default route.
Please remember to rate and select a correct answer -
I have over 250 sites in a hub-and-spoke desing, each remote site has a frame-relay and an IPSec tunnel to the office, we are running Eigrp but ever since we deployed DMVPN we've been getting many SIA messages...is this a normal behavior for a DMVPN design? should I just decrease how often EIGRP queries are sent or increase EIGRP timers, or should I just leave it alone...has anyone seen DMVPN in over 200 sites working flawlessly using eigrp? just curious...
GTS = Generic Traffic Shaping.
We just use the easier to use, traffic-shape rate command, but the likely cisco answer would be to create policy-map/class-maps for the tunnel interfaces.
Our Tunnel interfaces have the following additional commands. cut-edited-paste.
Site with a T1
interface Tunnel111
description VPN sitea to siteb
bandwidth 1536
ip unnumbered Loopback0
ip access-group whattoblockin in
ip access-group whattoblockout out
ip mtu 1600
ip hello-interval eigrp 111 2
ip hold-time eigrp 111 8
ip pim sparse-mode
ip route-cache flow
ip tcp adjust-mss 1280
load-interval 30
delay 1001
traffic-shape rate 1536000 8192 8192 2048
cdp enable
tunnel source a.a.a.a
tunnel destination b.b.b.b
end
The traffic-shape command is just there to keep the outside interface from being over run and dropping packets after encryption. This isn't "QOS" by Cisco's book, but when we implemented this, Cisco didn't have a pre-qualify that worked properly with DMVPN.
If we start having problems with a site having heavy utilization, we'll change the traffic-shape statement to smooth out the traffic and control the heavy users. (refer to effects of WFQ).
Do a search for WFQ and GTS on Cisco.com
(oh, and if anyone tells you that the ip mtu command is a bad idea, tell 'em to stick it in their ear...)
Rob -
Hi,
I may be a million miles off but i'm trying to route all traffic at our spoke sites through to our hub site and subsequently through a firewall etc. so I obviously need the gateway to change when a dmvpn is established. I am considering using policy based routing to pickup internal traffic and change the next hop to the hub site. However how will this affect the spoke to spoke routing of the dmvpn? will nhrp take precedence over the PBR to ensure that spoke to spoke communication happens directly?
thanksJust to follow up, here's a sample configuration of what I'm talking about for the spoke.
ip vrf VRF_LAN
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key {pre-shared-key} address 0.0.0.0 0.0.0.0 no-xauth
crypto ipsec transform-set IPSec_TS_AES256SHA1ESP_T esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile IPSec_Profile_VPN
set transform-set IPSec_TS_AES256SHA1ESP_T
interface Tunnel0
ip vrf forwarding VRF_LAN
ip address 172.31.255.10 255.255.255.0
ip nhrp authentication 31240
ip nhrp map 172.31.255.1 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 31240
ip nhrp holdtime 600
ip nhrp nhs 172.31.255.1
ip nhrp shortcut
ip nhrp redirect
cdp enable
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile IPSec_Profile_VPN
interface FastEthernet0/0
ip vrf forwarding VRF_LAN
ip address 172.31.128.1 255.255.255.0
interface FastEthernet0/1
ip address dhcp
router eigrp 1
passive-interface default
no passive-interface Tunnel0
no auto-summary
address-family ipv4 vrf VRF_LAN
network 172.31.128.1.0 0.0.0.0.0
network 172.31.255.10.0 0.0.0.0.0
no auto-summary
autonomous-system 1
eigrp router-id 172.31.255.10
eigrp stub connected summary
exit-address-family
As you can see, this works almost identically to a standard DMVPN setup, except that the tunnel interface, the LAN (FastEthernet0/0) interface and EIGRP processes all run in the VRF_LAN virtual routing and forwarding instance.
The primary routing table gets its default route from DHCP in this case, though it could just as easily be static. The VRF, on the other hand, gets a default route from the DMVPN hub and shortcut switches for spoke-to-spoke communications. At no point does the default route in the global routing table factor into the DMVPN network's routing table or vice versa, eliminating the need for PBR entirely. -
Why wont my DMVPN get phased 1 isakmp?
I’m trying to setup a DMVPN solution with the hub behind a firewall using a static 1 to 1 NAT.
I can get the DMVPN to work fine, but once I add the ipsec policy it doesn’t go passed ISAKMP phase 1.
I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH, I have also put in a allow any any rule just in case I missed something! I was getting a NAT-T issue but then put in the command line no crypto ipsec nat-transparency udp-encapsulation and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.
I have tried crypto maps as I wasn’t sure if it was a UDP header issue due to the NAT’ing
My setup is as follows:
Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382
(HUB) (FIREWALL) (SW 3750) (SPOKE)
(STATIC 1 2 1 NAT)
--------------HUB--------------------------
Cisco 1941 - HUB
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
version 15.2
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 12345
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO FW ON VLAN 1960
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.20.254 255.255.255.0
duplex auto
speed auto
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.10.254
----------------------Spoke--------------------------
cisco 3825 - Spoke
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
version 15.1
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.2 255.255.255.0
no ip redirects
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 12345
ip nhrp nhs 10.10.10.1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO INTERNET
ip address 2.2.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
ip address 192.168.30.1 255.255.255.0
duplex auto
speed auto
media-type rj45
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 2.2.2.3
------------------------FIREWALL---------------------------
[edit]
Admin@UK_FIREWALL# show
## Last changed: 2014-07-23 19:54:53 UTC
version 10.4R6.5;
system {
host-name FIREWALL;
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
https {
system-generated-certificate;
interface vlan.0;
dhcp {
router {
192.168.20.254;
pool 192.168.20.0/24 {
address-range low 192.168.20.20 high 192.168.20.250;
default-lease-time 3600;
propagate-settings vlan.1960;
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24;
ge-0/0/7 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan1960;
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
unit 1960 {
family inet {
address 192.168.10.254/24;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2;
protocols {
stp;
security {
nat {
static {
rule-set STATIC_NAT_RS1 {
from zone untrust;
rule NAT_RULE {
match {
destination-address 1.1.1.1/32;
then {
static-nat prefix 192.168.10.10/32;
screen {
ids-option untrust-screen {
icmp {
ping-death;
ip {
source-route-option;
tear-drop;
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
land;
zones {
security-zone trust {
address-book {
address SERVER-1 192.168.10.10/32;
host-inbound-traffic {
system-services {
all;
protocols {
all;
interfaces {
vlan.1960 {
host-inbound-traffic {
system-services {
dhcp;
all;
ike;
protocols {
all;
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
all;
ike;
protocols {
all;
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
all;
ike;
protocols {
all;
policies {
from-zone trust to-zone untrust {
policy PERMIT_ALL {
match {
source-address SERVER-1;
destination-address any;
application any;
then {
permit;
policy ALLOW_ESP {
match {
source-address any;
destination-address any;
application ESP;
then {
permit;
policy ALLOW_IKE_500 {
match {
source-address any;
destination-address any;
application junos-ike;
then {
permit;
policy ALLOW_PING {
match {
source-address any;
destination-address any;
application junos-icmp-ping;
then {
permit;
policy ALLOW_NAT-T {
match {
source-address any;
destination-address any;
application junos-ike-nat;
then {
permit;
policy ALLOW_GRE {
match {
source-address any;
destination-address any;
application junos-gre;
then {
permit;
policy AH_51 {
match {
source-address any;
destination-address any;
application AH_PO_51;
then {
permit;
policy ANY_ANY {
match {
source-address any;
destination-address any;
application any;
then {
permit;
from-zone untrust to-zone trust {
policy ACCESS {
match {
source-address any;
destination-address SERVER-1;
application any;
then {
permit;
policy ALLOW_ESP {
match {
source-address any;
destination-address any;
application any;
then {
permit;
policy ALLOW_IKE_500 {
match {
source-address any;
destination-address any;
application junos-ike;
then {
permit;
policy ALLOW_PING {
match {
source-address any;
destination-address any;
application any;
then {
permit;
policy ALLOW_GRE {
match {
source-address any;
destination-address any;
application junos-gre;
then {
permit;
policy ALLOW_NAT-T {
match {
source-address any;
destination-address any;
application junos-ike-nat;
then {
permit;
policy AH_51 {
match {
source-address any;
destination-address any;
application AH_PO_51;
then {
permit;
policy ANY_ANY {
match {
source-address any;
destination-address any;
application any;
then {
permit;
applications {
application ESP protocol esp;
application AH_PO_51 protocol ah;
vlans {
vlan-trust {
vlan-id 3;
vlan1960 {
vlan-id 1960;
interface {
ge-0/0/7.0;
l3-interface vlan.1960;
------------------------------DEBUG------------------------------
-----------Cisco 1941-----------------
HUB#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.10.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
UK_HUB#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
UK_HUB# debug dm al al
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
*Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
*Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:14.708: ISAKMP: attributes in transform:
*Jul 25 12:23:14.708: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:14.708: ISAKMP: SA life type in seconds
*Jul 25 12:23:14.708: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:14.708: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:14.708: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:14.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:14.708: ISAKMP: key length is 128
*Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
*Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
*Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
*Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:44.704: ISAKMP: attributes in transform:
*Jul 25 12:23:44.704: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:44.704: ISAKMP: SA life type in seconds
*Jul 25 12:23:44.704: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:44.704: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:44.704: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:44.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:44.708: ISAKMP: key length is 128
*Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
*Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
---------Cisco 3825------------------
SPOKE_1#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel12345, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 1.1.1.1 10.10.10.1 IPSEC 1d22h S
SPOKE_1#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
SPOKE_1#debug dm all all
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:23.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
*Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs dst 10.10.10.1
*Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
*Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
*Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Encapsulation succeeded. Tunnel IP addr 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
*Jul 25 12:50:34.972: src: 10.12.34.1, dst: 10.10.10.1
*Jul 25 12:50:34.972: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Jul 25 12:50:34.972: shtl: 4(NSAP), sstl: 0(NSAP)
*Jul 25 12:50:34.972: pktsz: 92 extoff: 52
*Jul 25 12:50:34.972: (M) flags: "unique nat ", reqid: 65537
*Jul 25 12:50:34.972: src NBMA: 2.2.2.2
*Jul 25 12:50:34.972: src protocol: 10.12.34.1, dst protocol: 10.10.10.1
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 7200
*Jul 25 12:50:34.972: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Jul 25 12:50:34.972: Responder Address Extension(3):
*Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
*Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
*Jul 25 12:50:34.972: NAT address Extension(9):
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 0
*Jul 25 12:50:34.972: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Jul 25 12:50:34.972: client NBMA: 1.1.1.1
*Jul 25 12:50:34.972: client protocol: 10.10.10.1
*Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
*Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
*Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:53.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
*Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
*Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETESome time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.
Some comments:
You shouldn't disable NAT-transparence. It should work with the default-setting which is "enabled"
The firewall only has to allow UDP/500 and UDP4500. It will never see any other traffic between the hub and spoke.
The firewall shouldn't do any inspections etc. on the traffic to the hub.
You shouldn't use wildcard-PSKs. The better solution is to use digital certificates.
You probably need some MTU/MSS-settings like "ip mtu 1400" and "ip tcp adjust mss 1360".
For running ospf through DMVPN make sure the Hub is the DR and set the network-type to broadcast. -
Dual-DMVPN Design with Dual Hubs on a single router ??
Hi All,
In DMVPN, in Dual-DMVPN Design with Dual Hubs , can a single router perform the role of dual hubs.
The router has two different internet links. It is intended that when one link goes down, spokes shud connect to the same router onto the other active internet connection. Is this possible ?Since no one has answered yet, I'll give you the practical answer.
You'll have issues with IPSec and static routing. "DMVPN" itself probably wouldn't have an issue, but it would depend on IPSec and routing to work.
It is easier, by far, to put in a second router. And when you factor in your time to try to make it work (and it may not work), the second router is less expensive.
Rob -
DMVPN phase I fails when migrating from PSK to RSIG
I am currently is the process of migrating my DMVPN network from pre-share key to certificates. Most of the spokes have come up and are working without any issues but there are several that are not making it past phase I. I have included the isakmp debugging from the hub and one of the spokes that are failing. I see that the hub is going QM_IDLE after receiving the certificate from the spoke but it does not look like the spoke ever receives the cert from the hub. I suspect an issue with the ISP but it's not as simple as filtering 500 as all the messages except the cert seem to make it. If I move the spoke back to PSK it works fine. Has anyone seen this issue before and what was the resolution?
DMVPN Hub
Oct 7 19:38:36.213: ISAKMP: local port 500, remote port 500
Oct 7 19:38:36.213: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F1AA7CC5920
Oct 7 19:38:36.213: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.213: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Oct 7 19:38:36.214: ISAKMP:(0): processing SA payload. message ID = 0
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
Oct 7 19:38:36.214: ISAKMP:(0):found peer pre-shared key matching 2.8.51.58
Oct 7 19:38:36.214: ISAKMP:(0): local preshared key found
Oct 7 19:38:36.214: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
Oct 7 19:38:36.214: ISAKMP: encryption 3DES-CBC
Oct 7 19:38:36.214: ISAKMP: hash MD5
Oct 7 19:38:36.214: ISAKMP: default group 1
Oct 7 19:38:36.214: ISAKMP: auth RSA sig
Oct 7 19:38:36.214: ISAKMP: life type in seconds
Oct 7 19:38:36.214: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 7 19:38:36.214: ISAKMP:(0):atts are acceptable. Next payload is 3
Oct 7 19:38:36.214: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 7 19:38:36.214: ISAKMP:(0):Acceptable atts:life: 0
Oct 7 19:38:36.214: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 7 19:38:36.214: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 7 19:38:36.214: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
Oct 7 19:38:36.214: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 7 19:38:36.214: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Oct 7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
Oct 7 19:38:36.214: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
Oct 7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Oct 7 19:38:36.214: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 7 19:38:36.214: ISAKMP:(0): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 7 19:38:36.214: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Oct 7 19:38:36.240: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 7 19:38:36.240: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.240: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Oct 7 19:38:36.240: ISAKMP:(0): processing KE payload. message ID = 0
Oct 7 19:38:36.242: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 7 19:38:36.242: ISAKMP:(38618): processing CERT_REQ payload. message ID = 0
Oct 7 19:38:36.242: ISAKMP:(38618): peer wants a CT_X509_SIGNATURE cert
Oct 7 19:38:36.242: ISAKMP:(38618): peer wants cert issued by cn=Tetra Pak Root CA - G1
Oct 7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
Oct 7 19:38:36.242: ISAKMP:(38618): vendor ID is DPD
Oct 7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
Oct 7 19:38:36.242: ISAKMP:(38618): speaking to another IOS box!
Oct 7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
Oct 7 19:38:36.242: ISAKMP:(38618): vendor ID seems Unity/DPD but major 209 mismatch
Oct 7 19:38:36.242: ISAKMP:(38618): vendor ID is XAUTH
Oct 7 19:38:36.242: ISAKMP:received payload type 20
Oct 7 19:38:36.242: ISAKMP (38618): His hash no match - this node outside NAT
Oct 7 19:38:36.242: ISAKMP:received payload type 20
Oct 7 19:38:36.242: ISAKMP (38618): No NAT Found for self or peer
Oct 7 19:38:36.242: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.242: ISAKMP:(38618):Old State = IKE_R_MM3 New State = IKE_R_MM3
Oct 7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.243: ISAKMP (38618): constructing CERT_REQ for issuer cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
Oct 7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 7 19:38:36.243: ISAKMP:(38618):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.243: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.243: ISAKMP:(38618):Old State = IKE_R_MM3 New State = IKE_R_MM4
Oct 7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct 7 19:38:36.484: ISAKMP:(38618):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.484: ISAKMP:(38618):Old State = IKE_R_MM4 New State = IKE_R_MM5
Oct 7 19:38:36.484: ISAKMP:(38618): processing ID payload. message ID = 0
Oct 7 19:38:36.484: ISAKMP (38618): ID payload
next-payload : 6
type : 2
FQDN name : lvrirt-s2s-01.nvv.net.company.com
protocol : 17
port : 500
length : 42
Oct 7 19:38:36.484: ISAKMP:(38618): processing CERT payload. message ID = 0
Oct 7 19:38:36.484: ISAKMP:(38618): processing a CT_X509_SIGNATURE cert
Oct 7 19:38:36.484: ISAKMP:(38618): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): peer's pubkey is cached
Oct 7 19:38:36.485: ISAKMP:(38618): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.485: ISAKMP:(38618): Unable to get DN from certificate!
Oct 7 19:38:36.485: ISAKMP:(38618): processing SIG payload. message ID = 0
Oct 7 19:38:36.486: ISAKMP:received payload type 17
Oct 7 19:38:36.486: ISAKMP:(38618): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x7F1AA7CC5920
Oct 7 19:38:36.486: ISAKMP:(38618):SA authentication status:
authenticated
Oct 7 19:38:36.486: ISAKMP:(38618):SA has been authenticated with 2.8.51.58
Oct 7 19:38:36.486: ISAKMP:(38618):SA authentication status:
authenticated
Oct 7 19:38:36.486: ISAKMP:(38618): Process initial contact,
bring down existing phase 1 and 2 SA's with local 15.18.1.1 remote 2.8.51.58 remote port 500
Oct 7 19:38:36.486: ISAKMP:(38617):received initial contact, deleting SA
Oct 7 19:38:36.486: ISAKMP:(38617):peer does not do paranoid keepalives.
Oct 7 19:38:36.486: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.486: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.486: ISAKMP:(38618):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 7 19:38:36.487: ISAKMP: set new node 2177251913 to QM_IDLE
Oct 7 19:38:36.487: ISAKMP:(38617): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
Oct 7 19:38:36.487: ISAKMP:(38617):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.487: ISAKMP:(38617):purging node 2177251913
Oct 7 19:38:36.487: ISAKMP:(38617):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 7 19:38:36.487: ISAKMP:(38617):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Oct 7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.487: ISAKMP:(38618):My ID configured as IPv4 Addr, but Addr not in Cert!
Oct 7 19:38:36.487: ISAKMP:(38618):Using FQDN as My ID
Oct 7 19:38:36.487: ISAKMP:(38618):SA is doing RSA signature authentication using id type ID_FQDN
Oct 7 19:38:36.487: ISAKMP (38618): ID payload
next-payload : 6
type : 2
FQDN name : selurt-dmvpn-01.nvv.net.company.com
protocol : 17
port : 500
length : 44
Oct 7 19:38:36.487: ISAKMP:(38618):Total payload length: 44
Oct 7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.488: ISAKMP:(38618): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
Oct 7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=selurt-dmvpn-01.nvv.net.company.com,serialNumber=4279180096
Oct 7 19:38:36.489: ISAKMP (38618): constructing CERT payload for cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
Oct 7 19:38:36.489: ISAKMP:(38618): using the TP_NAD_CA trustpoint's keypair to sign
Oct 7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 7 19:38:36.494: ISAKMP:(38618):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.494: ISAKMP:(38618):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Oct 7 19:38:36.494: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.494: ISAKMP:(38617):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.494: ISAKMP:(38617):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Oct 7 19:38:36.494: ISAKMP:(38618):IKE_DPD is enabled, initializing timers
Oct 7 19:38:36.494: ISAKMP:(38618): IKE->PKI End PKI Session state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.494: ISAKMP:(38618): PKI->IKE Ended PKI session state (R) QM_IDLE (peer 2.8.51.58)
Oct 7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
selurt-dmvpn-01#
Oct 7 19:38:36.494: ISAKMP:(38618):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
selurt-dmvpn-01#
Oct 7 19:38:46.492: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:38:46.492: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:38:46.492: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:38:46.992: ISAKMP (38618): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:38:46.992: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:38:46.992: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:38:56.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:38:56.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:38:56.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:38:56.981: ISAKMP (38618): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:38:56.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:38:56.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:06.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:39:06.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:39:06.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:39:06.981: ISAKMP (38618): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct 7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:39:06.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:39:06.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:09.880: ISAKMP:(38616):purging SA., sa=7F1AA7721158, delme=7F1AA7721158
selurt-dmvpn-01#
Oct 7 19:39:16.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:39:16.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:39:16.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:39:16.980: ISAKMP (38618): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:39:16.980: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:39:16.980: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:26.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
Oct 7 19:39:26.482: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
Oct 7 19:39:26.482: ISAKMP:(38618): retransmitting due to retransmit phase 1
Oct 7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE ...
Oct 7 19:39:26.981: ISAKMP (38618): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
Oct 7 19:39:26.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
selurt-dmvpn-01#
Oct 7 19:39:26.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
selurt-dmvpn-01#
Oct 7 19:39:36.493: ISAKMP:(38617):purging SA., sa=7F1AA79AD9E0, delme=7F1AA79AD9E0
DMVPN Spoke
Oct 7 19:38:36.181: ISAKMP:(0): SA request profile is (NULL)
Oct 7 19:38:36.181: ISAKMP: Created a peer struct for 15.18.1.1, peer port 500
Oct 7 19:38:36.181: ISAKMP: New peer created peer = 0x2B1F480C peer_handle = 0x80001DF4
Oct 7 19:38:36.181: ISAKMP: Locking peer struct 0x2B1F480C, refcount 1 for isakmp_initiator
Oct 7 19:38:36.181: ISAKMP: local port 500, remote port 500
Oct 7 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
Oct 7 19:38:36.181: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B16C9FC
Oct 7 19:38:36.181: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 7 19:38:36.181: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
Oct 7 19:38:36.181: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.181: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 7 19:38:36.181: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 7 19:38:36.181: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 7 19:38:36.181: ISAKMP:(0): beginning Main Mode exchange
Oct 7 19:38:36.181: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 7 19:38:36.181: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.205: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 7 19:38:36.205: ISAKMP:(0): processing SA payload. message ID = 0
Oct 7 19:38:36.205: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.205: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
Oct 7 19:38:36.205: ISAKMP:(0): local preshared key found
Oct 7 19:38:36.205: ISAKMP : Scanning profiles for xauth ...
Oct 7 19:38:36.205: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
Oct 7 19:38:36.205: ISAKMP: encryption 3DES-CBC
Oct 7 19:38:36.205: ISAKMP: hash MD5
Oct 7 19:38:36.205: ISAKMP: default group 1
Oct 7 19:38:36.205: ISAKMP: auth RSA sig
Oct 7 19:38:36.205: ISAKMP: life type in seconds
Oct 7 19:38:36.205: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 7 19:38:36.205: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 7 19:38:36.205: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 7 19:38:36.205: ISAKMP:(0):Acceptable atts:life: 0
Oct 7 19:38:36.205: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 7 19:38:36.205: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 7 19:38:36.205: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
Oct 7 19:38:36.205: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 7 19:38:36.205: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 7 19:38:36.205: ISAKMP:(0): processing vendor id payload
Oct 7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 7 19:38:36.209: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
Oct 7 19:38:36.209: ISAKMP (0): constructing CERT_REQ for issuer cn=Tetra Pak Root CA - G1
Oct 7 19:38:36.209: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 7 19:38:36.209: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.209: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.209: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 7 19:38:36.233: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 7 19:38:36.233: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 7 19:38:36.233: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 7 19:38:36.233: ISAKMP:(0): processing KE payload. message ID = 0
Oct 7 19:38:36.245: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 7 19:38:36.245: ISAKMP:(8329): processing CERT_REQ payload. message ID = 0
Oct 7 19:38:36.245: ISAKMP:(8329): peer wants a CT_X509_SIGNATURE cert
Oct 7 19:38:36.245: ISAKMP:(8329): peer wants cert issued by cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
Oct 7 19:38:36.249: Choosing trustpoint TP_NAD_CA as issuer
Oct 7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
Oct 7 19:38:36.249: ISAKMP:(8329): vendor ID is Unity
Oct 7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
Oct 7 19:38:36.249: ISAKMP:(8329): vendor ID is DPD
Oct 7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
Oct 7 19:38:36.249: ISAKMP:(8329): speaking to another IOS box!
Oct 7 19:38:36.249: ISAKMP:received payload type 20
Oct 7 19:38:36.249: ISAKMP (8329): His hash no match - this node outside NAT
Oct 7 19:38:36.249: ISAKMP:received payload type 20
Oct 7 19:38:36.249: ISAKMP (8329): No NAT Found for self or peer
Oct 7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 7 19:38:36.249: ISAKMP:(8329):Send initial contact
Oct 7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
Oct 7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
Oct 7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
Oct 7 19:38:36.249: ISAKMP (8329): ID payload
next-payload : 6
type : 2
FQDN name : lvrirt-s2s-01.nvv.net.company.com
protocol : 17
port : 500
length : 42
Oct 7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
Oct 7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.253: ISAKMP:(8329): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=lvrirt-s2s-01.nvv.net.company.com,serialNumber=FCZ163860KW
Oct 7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
Oct 7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
Oct 7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
Oct 7 19:38:54.709: ISAKMP:(8327):purging node -57107868
Oct 7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
Oct 7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
Oct 7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
Oct 7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
Oct 7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct 7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
Oct 7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
Oct 7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
Oct 7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
Oct 7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
Oct 7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
Oct 7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
Oct 7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)Mike,
Hub sends its cert but spoke never recives that, this is typically a problem with fragmentation handling in transit networks.
Sniff both end you control and check whether you're not missing any fragments on spoke end.
Could be as simple as an MTU problem on your end or could be something in the path attempting reassambly.
Multiple ways to go, check your end, if fragments are missing in transit - start investigating with ISP(s).
M. -
Config certificate and log issues
I config certificate and use it to connect ipsec vpn , I just config
jinan-neusoft(config)#ip domain-name neusoft.com
jinan-neusoft(config)#crypto key generate rsa general-keys
The name for the keys will be: jinan-neusoft.neusoft.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
jinan-neusoft(config)#
Nov 16 01:05:44.435: RSA key size needs to be atleast 768 bits for ssh version 2
jinan-neusoft(config)#
Nov 16 01:05:44.435: %SSH-5-ENABLED: SSH 1.5 has been enabled
jinan-neusoft(config)#crypto pki trustpoint CA1
jinan-neusoft(ca-trustpoint)# enrollment url http://59.44.43.217:80
jinan-neusoft(ca-trustpoint)# revocation-check crl
jinan-neusoft(ca-trustpoint)# rsakeypair DMVPN-SY-KEY
jinan-neusoft(ca-trustpoint)# auto-enrol
jinan-neusoft(config)#crypto pki authenticate CA1
Certificate has the following attributes:
Fingerprint MD5: D5F9D56B 4D9A4260 43F21D39 811D7AD5
Fingerprint SHA1: 1E49B228 DD57F4DB 43DD2C2F 03870C18 840DA12A
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
then I have log issues like below ,even I config auto-enroll , I don t get certificate pending information from my certificate server ,
my device is C3925 and ios is c3900-universalk9-mz.SPA.151-4.M4.bin ,how to deal with it ,top players , THX~~~~
Nov 16 01:07:54.871: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
Nov 16 01:07:54.951: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Nov 16 01:07:55.115: CRYPTO_PKI: Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
Nov 16 01:07:55.115: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6
jinan-neusoft(config)#D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
Nov 16 01:07:55.119: %SYS-2-MALLOCFAIL: Memory allocation of 40 bytes failed from 0x6D05DEC, alignment 0
Pool: Processor Free: 731143916 Cause: Interrupt level allocation
Alternate Pool: None Free: 0 Cause: Interrupt level allocation
-Process= "<interrupt level>", ipl= 3
-Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z
Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
jinan-neusoft(config)#
Nov 16 01:08:09.719: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
Nov 16 01:08:09.879: CRYPTO_PKI: Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
Nov 16 01:08:09.879: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
jinan-neusoft(config)#
Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
jinan-neusoft(config)# Nov 16 01:07:54.871: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
Nov 16 01:07:54.951: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Nov 16 01:07:55.115: CRYPTO_PKI: Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
Nov 16 01:07:55.115: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6
jinan-neusoft(config)#D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
Nov 16 01:07:55.119: %SYS-2-MALLOCFAIL: Memory allocation of 40 bytes failed from 0x6D05DEC, alignment 0
Pool: Processor Free: 731143916 Cause: Interrupt level allocation
Alternate Pool: None Free: 0 Cause: Interrupt level allocation
-Process= "<interrupt level>", ipl= 3
-Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z
Nov 16 01:07:55.119: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
jinan-neusoft(config)#
Nov 16 01:08:09.719: %PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint CA1
Nov 16 01:08:09.879: CRYPTO_PKI: Certificate Request Fingerprint MD5: 939AF8C1 854DDA90 8FE03058 5635468F
Nov 16 01:08:09.879: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 50F869D2 C0814317 7EB2ECC9 90461F3A 353E7089
jinan-neusoft(config)#
Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D43018z 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
Nov 16 01:08:09.883: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 4127784z
jinan-neusoft(config)#I do not have the answer but have exactly the same issue, looks as if it is a bug of some kind :
Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 980992K/67584K bytes of memory.
Processor board ID FCZ163371P3
6 FastEthernet interfaces
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
System image file is "flash0:c3900-universalk9-mz.SPA.151-4.M4.bin"
Nov 16 07:37:16.611: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 358FF778 7C2E66AE 895BF088 BF022442
.Nov 16 07:37:16.615: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 5F7A4300 20B62132 83D08C6E 2D315DF4 51EFE94D
.Nov 16 07:37:16.623: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 412
7784z
.Nov 16 07:37:16.623: %SYS-2-MALLOCFAIL: Memory allocation of 72 bytes failed from 0x6D05DEC, alignment 0
Pool: Processor Free: 704933204 Cause: Interrupt level allocation
Alternate Pool: None Free: 0 Cause: Interrupt level allocation
-Process= "", ipl= 3
-Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4AC
B9F4z Nov 16 07:37:16.611: CRYPTO_PKI: Signature Certificate Request Fingerprint MD5: 358FF778 7C2E66AE 895BF088 BF022442
.Nov 16 07:37:16.615: CRYPTO_PKI: Signature Certificate Request Fingerprint SHA1: 5F7A4300 20B62132 83D08C6E 2D315DF4 51EFE94D
.Nov 16 07:37:16.623: %SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 5564384z 68B3034z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4ACB9F4z 412
7784z
.Nov 16 07:37:16.623: %SYS-2-MALLOCFAIL: Memory allocation of 72 bytes failed from 0x6D05DEC, alignment 0
Pool: Processor Free: 704933204 Cause: Interrupt level allocation
Alternate Pool: None Free: 0 Cause: Interrupt level allocation
-Process= "", ipl= 3
-Traceback= 5564384z 6892328z 68B3064z 945A8D0z 6D05DF0z 6D05F70z 6D06B50z 6D07268z 6D4308Cz 6D25044z 6D1988Cz 6D4CCE0z 91F0154z 91F0CC4z 91F0DA4z 4AC
B9F4z -
Hello,
We've running into an issue where a DMVPN spoke is not setting up an NHRP session with the HUB.
The situation: our spoke router (R1) get its internet connection from an average DSL router. This router has a common 192.168.1.0/24 subnet with DHCP on it. So our Spoke router gets 192.168.1.2 from the DHCP server. Next it sets up ISAKMP and a NHRP session with the hub and all is working well.
Next up is the second spoke (R2). Different location but same DSL router with the same 192.168.1.0/24 with DHCP on the inside. The spoke router connects to the LAN, gets 192.168.1.2, sets up an ISAKMP tunnel and next it wants to set up the NHRP session. Then we hit the following error:
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:7,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
2 UNKNOWN 10.255.11.2 NHRP never IX
0 UNKNOWN 10.255.11.7 NHRP never IX
1 192.168.1.2 10.255.11.4 UP 1d06h D
1 192.168.2.100 10.255.11.5 UP 2d22h D
The session will not establish because the hub already has an association with a peer that has 192.168.1.2 as its NBMA address. A workaround is to set a different fixed IP or use a different MAC to get another IP.
This is a different problem than the one that "ip nhrp registration no-unique" fixes. That happens when the same spoke connects to the hub but with a different IP address than before. In this case we have two spokes with identical NBMA addresses (allthough they are behind different public IP's).I may not be completely up to date on this. But NHRP should make a differentiation based on NBMA address even if claimed IP address is the same (didn't test it).
So a couple of questions:
- What version on spoke/hub
- Is transport mode configured and operational.
- Show us "show ip nhrp" from hub. -
DMVPN GRE over IPSEC Packet loss
I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
interface Tunnel111
description **DPN VPN**
bandwidth 1000
ip address 172.31.111.107 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1300
ip pim sparse-dense-mode
ip nhrp authentication XXXX
ip nhrp map multicast dynamic
ip nhrp map multicast X.X.X.X
ip nhrp map X.X.X.X X.X.X.X
ip nhrp network-id 100002
ip nhrp holdtime 360
ip nhrp nhs 172.31.111.254
ip route-cache flow
ip tcp adjust-mss 1260
ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XXXX
tunnel protection ipsec profile X.X.X.X
interface GigabitEthernet0/0
description **TO DPNVPN**
ip address 10.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip pim sparse-dense-mode
ip virtual-reassembly
duplex full
speed 100
no snmp trap link-status
no mop enabled
Is there anything that you can think of that may becausing this, do you think this can be a layer one or two issue? Thanks
BrendenHave you try to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better. But be careful, cause your CPU% will run much higher, but you only have 10 spokes sites, so it wont be at 100%.
It's better to start troubleshooting by layer 1 then layer 2 when it's possible. Have you ask the site's ISP for packet lost on their side ?
Maybe you are looking for
-
Update for Nokia 5530? Read this please.
Hi all! I bought my (first) Nokia smartphone in January this year: Nokia 5530. Since then, no updates was released for my device. Nokia forget 5530 as like 5800. Now only C / E series, N8, N9, and low-price like 52xx. Recently new update was released
-
Why do I always get redirected with customer support?
So today I went on the phone with Verizon just to figure out why my internet speed has been slow because I finally got the time too. I used to get around a 2.5 - 3 Mbps speed connection and now I only get a 1.5 Mbps or so connection. This originally
-
How to setup catalog database for backup
In order to use RMAN, catalog can be put in a controlfile, one of the database if we have many database, or in a special catalog database, is that right? So, I am wondering about the special catalog database, should we setup a totally new oracle data
-
Is there is any licensing issue on number of message in/our from PI
Hi Experts, There is one query from our client. Is there any license implications on number of messages that PI receives or sends out. Appreciate your help on this. Thanks, Shriram.
-
I use hierarchical keywords a lot. For example, World/Europe/Austria/Tirol/specific location. I sometimes assign only an upper level keyword (example: Austria) to an image when I don't know more specifics. How can I then view only those images tha