DMVPN MTU Calculations

Hi,
Please can someone help me understand why I am able to transmit a 1472-byte packet without fragmentation across a DMVPN tunnel (IPsec protection mode)?
This is what I am expecting:
IPsec overhead (transport mode saving 20 bytes): 52 bytes
GRE overhead: 24 bytes
Total = 76 bytes
The tunnel runs over Ethernet (1500 bytes): 1500 – 76 = 1424 bytes. So how am I able to transmit 1472 bytes? I’ve checked the links and can see the ESP encapsulation etc. What have I got wrong?
Thanks
Grev 

You mean no fragmentation on the router, but what about reassembly on the remote end?
How was this confirmed? How was it tested? What platforms? What versions? What configurations? There are lots of small bits that could add into it. :-)
At a glance it looks like the DF bit was not copied over to the IPsec header. Again, it's just a shot in the dark :-)
I would really suggest opening a TAC case for this, this description tickled something in my memory, but I can't put my finger on it.
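
Added example, not part of the thread: Python code that computes the on-wire size of a GRE packet protected by ESP in transport mode, using the ESP field layout from RFC 4303. It assumes the esp-aes esp-sha-hmac transform set (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV), a 4-byte GRE header unless a tunnel key is set, and IPv4 without options; all function and constant names are illustrative.

```python
"""Added example: size of a GRE-over-ESP (transport mode) packet on the wire."""
from collections import namedtuple

IPV4_HEADER = 20   # delivery IPv4 header, no options (assumption)
GRE_HEADER = 4     # base GRE header; a tunnel key adds 4 more bytes
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP header added when NAT-T udp-encapsulation is in use

# iv_len, block and icv_len are properties of the chosen transform set.
Transform = namedtuple("Transform", "name iv_len block icv_len")
ESP_AES_SHA = Transform("esp-aes esp-sha-hmac", iv_len=16, block=16, icv_len=12)


def _fixed_bytes(t, nat_t):
    """Bytes that do not depend on the payload length."""
    return IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + t.iv_len + t.icv_len


def esp_transport_size(inner_ip_len, t=ESP_AES_SHA, gre_key=False, nat_t=False):
    """Return total size, padding and overhead for one inner IP packet.

    Transport mode keeps the GRE delivery header and encrypts
    GRE header + inner packet + padding + ESP trailer.
    """
    gre = GRE_HEADER + (4 if gre_key else 0)
    plaintext = gre + inner_ip_len + ESP_TRAILER
    padding = -plaintext % t.block          # pad up to the cipher block size
    total = _fixed_bytes(t, nat_t) + plaintext + padding
    return {"total": total, "padding": padding, "overhead": total - inner_ip_len}


def max_inner_packet(link_mtu, t=ESP_AES_SHA, gre_key=False, nat_t=False):
    """Largest inner IP packet whose encapsulated form still fits link_mtu."""
    room = (link_mtu - _fixed_bytes(t, nat_t)) // t.block * t.block
    return room - ESP_TRAILER - GRE_HEADER - (4 if gre_key else 0)


def ipv4_fragments(total_len, link_mtu):
    """Number of IPv4 fragments needed to carry total_len over link_mtu."""
    if total_len <= link_mtu:
        return 1
    payload = total_len - IPV4_HEADER
    per_fragment = (link_mtu - IPV4_HEADER) // 8 * 8   # fragment offsets are in 8-byte units
    return -(-payload // per_fragment)                 # ceiling division


if __name__ == "__main__":
    # Constructed sample sizes: values mentioned on this page plus the computed limit.
    print("inner  total  pad  overhead  fragments@1500")
    for size in (1400, 1424, 1434, 1436, 1472, 1500):
        r = esp_transport_size(size)
        print(f"{size:5d}  {r['total']:5d}  {r['padding']:3d}  {r['overhead']:8d}  "
              f"{ipv4_fragments(r['total'], 1500)}")
    print("largest inner packet on a 1500-byte link:", max_inner_packet(1500))
```

Under these assumptions the overhead is not a constant: it varies with the padding needed to reach the cipher block size, and a 1472-byte inner packet does not fit a 1500-byte link as a single unfragmented packet.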

Similar Messages

  • MTU calculation on CISCO routers

    Hello, just wanted to clarify my knowledge on MTU.
    interface commands -
    IP MTU: is calculating LAYER 3 HEADER + ITS PAYLOAD, which makes max MTU of 1500.
    MTU: ETHERNET HEADER + LAYER 3 HEADER + ITS PAYLOAD, which makes 1514 MTU if no MPLS, no tags are used. Am I right? Looking at some vendors other than Cisco (for example Alcatel-Lucent) this seems to be correct.
    But I saw on some Cisco routers MTU and IP MTU - 1500 bytes. Why is MTU only 1500, how does Cisco calculate MTU, doesn't it count the Ethernet header or what? So is my calculation above bad considering Cisco?
    Thanks!

    Hello,
    Sorry Giuseppe, but I have to disagree with your statement that ((IOS MTU is referred to layer 3 PDU only)) and with the ((MPLS MTU)) command.
    In fact, how Cisco treats MTU is what should be understood, at least from my point of view and experience.
    The IOS indeed calculates the (IP MTU, Layer-2 MTU and MPLS MTU); below is how it's calculated:
    1- The 1500 of (IP MTU) considers the layer-3 header and the payload.
    2- The Layer-2 MTU of (1500) considers the Ethernet header and CRC trailer of an additional 22 bytes as well. So the default of (MTU 1500) doesn't mean the header and FCS are not considered; in fact, the total layer-2 MTU is equal to 1522, but when you see it as 1500 on the IOS, it doesn't mean it's not considered: it's calculated as a sum and shown as 1500. So the 1500 considers the Ethernet header and CRC in its calculations.
    I have seen many implementations where MTU was a big issue resulting in performance degradation and frame/packet drops if not increased, especially when having MPLS and Dot1q tunneling.
    The Layer-2 MTU, from my point of view, MUST be increased when using Dot1q tunneling to consider the inner VLAN tag of 4 bytes. Likewise, the MPLS MTU on IOS platforms must be increased to accommodate the additional labels.
    I hope this gives an idea of how Cisco calculates its MTU.
    Regards,
    Mohamed

  • QinQ MTU

    Hello,
    we are using the following configuration to a QinQ link in the subinterface to our users:
    interface GigabitEthernet0/0/0/3.900 l2transport
    description To CUSTOMER - PSEUDOWIRE A
    encapsulation default
    l2protocol cpsv tunnel
    interface TenGigE0/1/0/3.900 l2transport
    description To BACKBONE - PSEUDOWIRE A
    encapsulation dot1q 900 second-dot1q any
    rewrite ingress tag pop 1 symmetric
    Everything is working fine and frames with a payload of 1500 bytes are being transported. The issue is that
    an Ethernet frame with a payload of 1500 has a total size of 1518 bytes. I know that the IOS XR MTU
    concept discards 4 bytes for the Ethernet trailer (FCS or CRC). So for Cisco and MTU the original frame size is 1514.
    However, the frame received on GigabitEthernet0/0/0/3.900 has a VLAN tag because we
    have a trunk to our customer with multiple VLANs. So the MTU size should be 1518. But if we get the
    output of the show interface command:
    sh interface GigabitEthernet0/0/0/3.900
    Wed Sep 12 12:56:32.130 CEST
    GigabitEthernet0/0/0/3.900 is up, line protocol is up
      Interface state transitions: 1
      Hardware is VLAN sub-interface(s), address is 6c9c.ed09.295f
      Description:To CUSTOMER - PSEUDOWIRE A
      Layer 2 Transport Mode
      MTU 1514 bytes, BW 1000000 Kbit (Max: 1000000 Kbit)
         reliability Unknown, txload Unknown, rxload Unknown
      Encapsulation Default,
        Default match
        Ethertype Any, MAC Match src any, dest any
      loopback not set,
      ARP type ARPA, ARP timeout 04:00:00
      Last input never, output never
      Last clearing of "show interface" counters never
         1924812905 packets input, 1293208601922 bytes
         3 input drops, 0 queue drops, 0 input errors
         778056641 packets output, 447390756224 bytes
         0 output drops, 0 queue drops, 0 output errors
    sh interface TenGigE0/1/0/3.900          
    Wed Sep 12 13:02:26.173 CEST
    TenGigE0/1/0/3.900 is up, line protocol is up
      Interface state transitions: 7
      Hardware is VLAN sub-interface(s), address is 4055.3968.7d2b
      Description: BACKBONE - PSEUDOWIRE UPCT-FTALMO
      Layer 2 Transport Mode
      MTU 1518 bytes, BW 10000000 Kbit (Max: 10000000 Kbit)
         reliability Unknown, txload Unknown, rxload Unknown
      Encapsulation 802.1Q Virtual LAN,
        Outer Match: Dot1Q VLAN 900
        Inner Match: Dot1Q VLAN any
        Ethertype Any, MAC Match src any, dest any
      loopback not set,
      ARP type ARPA, ARP timeout 04:00:00
      Last input never, output never
      Last clearing of "show interface" counters never
         778152164 packets input, 450515418508 bytes
         31813 input drops, 0 queue drops, 0 input errors
         1902517045 packets output, 1287687321444 bytes
         308359 output drops, 0 queue drops, 0 output errors
    We have a 1514-byte MTU instead of 1518 bytes on GigabitEthernet0/0/0/3.900, and 1518 bytes instead of
    1522 (there are two 4-byte tags). Why are frames working fine? The following document explains that
    by default the MTUs are:
    1514 bytes for normal frames
    1518 bytes for 802.1Q tagged frames
    1522 bytes for QinQ frames
    http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r3.9/lxvpn/configuration/guide/lesc39ethi.html#wp1200718
    How can we explain the 4-byte difference?
    Thanks.

    Hello Antonio,
    Here are the numbers which are used for L2 MTU calculation:
    "encapsulation untagged" and "encapsulation default" count 0 tags. >> 1514
    "encapsulation dot1q 900 second-dot1q any". The any keyword used as the innermost tag match does not increase the number of tags in the calculation. This is to ensure consistency with the old style XR VLAN Id semantics. >> 1518
    "encapsulation dot1q 900 second-dot1q 900". No any keyword >> 1522
    But for L2VPN we’d use payload MTU to properly transfer our data. The rationale behind the payload MTU calculation is to get the correct maximum payload size of frames that may be carried over an xconnected PW relative to the L2 MTU of the interface.
    Let’s take your example:
    interface TenGigE0/1/0/3.900 l2transport
    description To BACKBONE - PSEUDOWIRE A
    encapsulation dot1q 900 second-dot1q any
    rewrite ingress tag pop 1 symmetric
    sub-l2-mtu = parent-l2-mtu + (4 * encaps-tag-count)
    sub-l2-mtu = 1514 + ( 4 * 1 ) = 1518
    sub-l2-payload-mtu = sub-l2-mtu - (14 + (4 * (encaps-pop-tags-count - encaps-push-tags-count)))
    sub-l2-payload-mtu = 1518 - (14 + (4 * (1 - 0)))= 1500
    So we’d be still forwarding 1500b payload.
    You should be able to find your xconnect/BD MTU using “show l2vpn xconnect detail” or “show l2vpn bridge-domain detail”.
    Regards,
    /A
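
Added example, not part of the thread: Python code that applies the two formulas from the answer above to both attachment circuits posted in the question, reading the tag counts from the `encapsulation` and `rewrite ingress tag` lines. It handles only the `pop` and `push` rewrite forms and applies the answer's rule for the `any` keyword literally; the function names and the 1514-byte parent default are taken as assumptions.

```python
"""Added example: IOS XR sub-interface L2 MTU and payload MTU, per the formulas above."""
import re

ETH_HEADER = 14    # destination MAC + source MAC + EtherType (FCS not counted)
TAG_LEN = 4        # one VLAN tag
TAG_KEYWORDS = ("dot1q", "dot1ad", "second-dot1q")


def encaps_tag_count(line):
    """Tags counted for an 'encapsulation ...' line.

    'default' and 'untagged' count 0 tags; 'any' as the innermost match
    does not increase the count (rule quoted in the answer).
    """
    words = line.split()
    if words[1] in ("default", "untagged"):
        return 0
    matches = [words[i + 1] for i, w in enumerate(words[:-1]) if w in TAG_KEYWORDS]
    count = len(matches)
    if matches and matches[-1] == "any":
        count -= 1
    return count


def rewrite_pop_push(line):
    """Return (pop, push) tag counts for 'rewrite ingress tag pop N' / 'push ...'."""
    m = re.search(r"rewrite ingress tag (pop|push)\s+(.+)", line)
    if not m:
        return 0, 0
    if m.group(1) == "pop":
        return int(m.group(2).split()[0]), 0
    return 0, sum(word in TAG_KEYWORDS for word in m.group(2).split())


def ac_mtu(config, parent_l2_mtu=1514):
    """Compute sub-l2-mtu and sub-l2-payload-mtu for one l2transport sub-interface."""
    tags = pop = push = 0
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("encapsulation "):
            tags = encaps_tag_count(line)
        elif line.startswith("rewrite ingress tag "):
            pop, push = rewrite_pop_push(line)
    sub_l2_mtu = parent_l2_mtu + TAG_LEN * tags
    payload_mtu = sub_l2_mtu - (ETH_HEADER + TAG_LEN * (pop - push))
    return {"sub_l2_mtu": sub_l2_mtu, "payload_mtu": payload_mtu}


# The two sub-interfaces exactly as posted in the question.
CUSTOMER_AC = """\
interface GigabitEthernet0/0/0/3.900 l2transport
description To CUSTOMER - PSEUDOWIRE A
encapsulation default
l2protocol cpsv tunnel
"""
BACKBONE_AC = """\
interface TenGigE0/1/0/3.900 l2transport
description To BACKBONE - PSEUDOWIRE A
encapsulation dot1q 900 second-dot1q any
rewrite ingress tag pop 1 symmetric
"""

if __name__ == "__main__":
    for name, cfg in (("customer", CUSTOMER_AC), ("backbone", BACKBONE_AC)):
        print(name, ac_mtu(cfg))
```

Both circuits come out with a 1500-byte payload MTU even though their displayed L2 MTUs differ (1514 and 1518), which is the comparison the answer points to.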

  • Recommendation for IP MTU setting with DMVPN

    I have a dual DMVPN setup which works fine, apart from a performance issue. It's probable that this is a packet fragmentation issue as I'm seeing many reassembled fragments on my encryption routers. The IP MTU value on the tunnel is 1436, as recommended by R Deal in his VPN configuration guide. If I remove the IP MTU 1436 command and let IOS select its own value, that returns 1472 for IP MTU.
    Reading up on Cisco.com, various values are mentioned: 1400 and 1440. As this is a production network under change control, I'm after recommendations from other working networks to get this fixed.
    I'm also using MSS adjustment for TCP, setting a value of 1360, and have a route-map to clear the DF bit in TCP and UDP frames.
    I'm using IPSec transport mode, and there are no NAT boundaries for the IPSec to cross.

    Hello aacole,
    Although I don't have a problem with MTU as such, performance is an issue. I believe this can be improved by tuning MTU configuration even if it's a little bit. Did you manage to reach optimal working figures and settings for MTU on DMVPN?
    tia
    Ajaz

  • MTU over DMVPN and MPLS

    Hello All,
    I have a query regarding MTU over both DMVPN and MPLS.
    I have been running the following command from a Windows box:
    ping x.x.x.x -f -l yyyy     (yyyy being the buffer size and x.x.x.x being my remote host)
    I am using the same destination host and have two different paths to it. One over MPLS and one over a DMVPN.
    I would have expected to be able to send packets with a higher MTU over the MPLS, but for both MPLS and DMVPN the maximum packet size I can send with the DF bit set is the same (1372).
    Is this normal behaviour? I thought MPLS would have less overhead, so my maximum packet size would be higher in my tests.

    Generally, MPLS supports an increased MTU when adding MPLS labels, while VPN tunnels, like DMVPN, don't exceed the original MTU, and so reduce payload space. So, normally, you should see larger ping buffer DF support across MPLS than DMVPN. However, "normal" can be very much impacted by actual device configurations, including making the MTU for DF packets the same for either MPLS or DMVPN. (For example, you might want to make the two paths alike so flows that for any reason need to be redirected from one media path to the other see a consistent MTU.)

  • DMVPN With EIGRP - MTU adaptation

    Hi all,
    I am managing a Hub and Spoke network with more than 1000 Spokes. The initial MTU of the tunnel interface we've configured is 1400 (on both Hubs and Spokes).
    I am now facing an issue with customers that have a WAN line with a lower MTU: ping [tunnel_IP] size 1400 doesn't give any reply.
    The problem is this: two routers with an MTU of 1400, but in the path between them there is apparently a hop with a smaller MTU. Hellos and the neighborship are working (I assume that Hellos are smaller than 1400).
    Routes from the Spoke are received on the Hub (displayed in sh ip route ei) but the routes from the Hubs are not received by the Spoke. I assume that's due to the fact that there are not a lot of routes advertised by the Spoke (so the packet size is lower) and more advertised by the Hub, reaching the MTU size...
    I did some tests with these customer Spokes, connecting them to another hub router used for R&D and adapting the MTU on both sides to a lower value: working!
    I now have 2 solutions:
    - Ask all my concerned customers to contact their ISP to check if they can increase the MTU or find another gateway for my router... Most of my customers don't have any IT people and won't understand at all what I want...
    - Modify the MTU on my router: modify it on the Spoke... but do I need to reconfigure it on the Hub to avoid neighbor flapping... So I need to reconfigure all my 1000+ Spokes.
    So my question is: is there a way to adapt the MTU size of the tunnel interface depending on the destination?
    I tried to find a solution like a route map that will modify the MTU when matching an ACL that contains my impacted Spokes, but it's not possible to adapt the MTU with a set in a route-map...
    Any ideas on your side? A workaround?
    Best regards !

    Great! I got this working. Not sure what the issue was. The thing is, I was using GNS3 and I had a router with a switch card acting as both SP clouds. When I tried configuring the route tracking, it wasn't behaving. I since switched it from the router-switch to a router connected to 2 of the dumb switches and route tracking started behaving properly. The failover and everything works perfectly now.
    I also cleaned up some of the tunnel config so I don't know if that's actually what fixed it.
    One more question though. I just discovered that the customer has no data license so there's no clean automatic failover using floating static routes. Can I get this clean failover using VRFs without route tracking or will I still need it?

  • Why won't my DMVPN get past phase 1 ISAKMP?

    I’m trying to set up a DMVPN solution with the hub behind a firewall using a static 1 to 1 NAT.
    I can get the DMVPN to work fine, but once I add the IPsec policy it doesn’t go past ISAKMP phase 1.
    I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH, and I have also put in an allow any any rule just in case I missed something! I was getting a NAT-T issue but then put in the command line no crypto ipsec nat-transparency udp-encapsulation and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.
    I have tried crypto maps as I wasn’t sure if it was a UDP header issue due to the NAT’ing.
    My setup is as follows:
    Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382
    (HUB)                     (FIREWALL)         (SW 3750)        (SPOKE)
                                (STATIC 1 2 1 NAT)
    --------------HUB--------------------------
    Cisco 1941 - HUB
    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
    version 15.2
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key TTCP_KEY address 0.0.0.0
    crypto isakmp keepalive 10 3
    crypto isakmp nat keepalive 200
    crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
     mode transport
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec profile TTCP_PRO
     set transform-set TTCP_SET
    interface Tunnel12345
     description DMVPN TUNNEL
     ip address 10.10.10.1 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 12345
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile TTCP_PRO
    interface GigabitEthernet0/0
     description LINK TO FW ON VLAN 1960
     ip address 192.168.10.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.20.254 255.255.255.0
     duplex auto
     speed auto
    router ospf 1
     network 10.10.10.0 0.0.0.255 area 0
    ip route 0.0.0.0 0.0.0.0 192.168.10.254
    ----------------------Spoke--------------------------
    cisco 3825 - Spoke
    Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
    version 15.1
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 3
    crypto isakmp nat keepalive 200
    crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
     mode transport
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec profile TTCP_PRO
     set transform-set TTCP_SET
    interface Tunnel12345
     description DMVPN TUNNEL
     ip address 10.10.10.2 255.255.255.0
     no ip redirects
     ip nhrp map 10.10.10.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 12345
     ip nhrp nhs 10.10.10.1
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile TTCP_PRO
    interface GigabitEthernet0/0
     description LINK TO INTERNET
     ip address 2.2.2.2 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    interface GigabitEthernet0/1
     ip address 192.168.30.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    router ospf 1
     network 10.10.10.0 0.0.0.255 area 0
    ip route 0.0.0.0 0.0.0.0 2.2.2.3
    ------------------------FIREWALL---------------------------
    [edit]
    Admin@UK_FIREWALL# show
    ## Last changed: 2014-07-23 19:54:53 UTC
    version 10.4R6.5;
    system {
        host-name FIREWALL;
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                https {
                    system-generated-certificate;
                    interface vlan.0;
            dhcp {
                router {
                    192.168.20.254;
                pool 192.168.20.0/24 {
                    address-range low 192.168.20.20 high 192.168.20.250;
                    default-lease-time 3600;
                    propagate-settings vlan.1960;
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 1.1.1.1/24;
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan1960;
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
            unit 1960 {
                family inet {
                    address 192.168.10.254/24;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.2;
    protocols {
        stp;
    security {
        nat {
            static {
                rule-set STATIC_NAT_RS1 {
                    from zone untrust;
                    rule NAT_RULE {
                        match {
                            destination-address 1.1.1.1/32;
                        then {
                            static-nat prefix 192.168.10.10/32;
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                ip {
                    source-route-option;
                    tear-drop;
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    land;
        zones {
            security-zone trust {
                address-book {
                    address SERVER-1 192.168.10.10/32;
                host-inbound-traffic {
                    system-services {
                        all;
                    protocols {
                        all;
                interfaces {
                    vlan.1960 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                all;
                                ike;
                            protocols {
                                all;
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ike;
                            protocols {
                                all;
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                all;
                                ike;
                            protocols {
                                all;
        policies {
            from-zone trust to-zone untrust {
                policy PERMIT_ALL {
                    match {
                        source-address SERVER-1;
                        destination-address any;
                        application any;
                    then {
                        permit;
                policy ALLOW_ESP {
                    match {
                        source-address any;
                        destination-address any;
                        application ESP;
                    then {
                        permit;
                policy ALLOW_IKE_500 {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike;
                    then {
                        permit;
                policy ALLOW_PING {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-icmp-ping;
                    then {
                        permit;
                policy ALLOW_NAT-T {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike-nat;
                    then {
                        permit;
                policy ALLOW_GRE {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-gre;
                    then {
                        permit;
                policy AH_51 {
                    match {
                        source-address any;
                        destination-address any;
                        application AH_PO_51;
                    then {
                        permit;
                policy ANY_ANY {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    then {
                        permit;
            from-zone untrust to-zone trust {
                policy ACCESS {
                    match {
                        source-address any;
                        destination-address SERVER-1;
                        application any;
                    then {
                        permit;
                policy ALLOW_ESP {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    then {
                        permit;
                policy ALLOW_IKE_500 {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike;
                    then {
                        permit;
                policy ALLOW_PING {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    then {
                        permit;
                policy ALLOW_GRE {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-gre;
                    then {
                        permit;
                policy ALLOW_NAT-T {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ike-nat;
                    then {
                        permit;
                policy AH_51 {
                    match {
                        source-address any;
                        destination-address any;
                        application AH_PO_51;
                    then {
                        permit;
                policy ANY_ANY {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    then {
                        permit;
    applications {
        application ESP protocol esp;
        application AH_PO_51 protocol ah;
    vlans {
        vlan-trust {
            vlan-id 3;
        vlan1960 {
            vlan-id 1960;
            interface {
                ge-0/0/7.0;
            l3-interface vlan.1960;
    ------------------------------DEBUG------------------------------
    -----------Cisco 1941-----------------
    HUB#sh cry is sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    192.168.10.1  2.2.2.2   QM_IDLE           1006 ACTIVE
    IPv6 Crypto ISAKMP SA
    UK_HUB#sh dm
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    UK_HUB# debug dm al al
    *Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
    *Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
    *Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
    *Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
    *Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
    *Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
    *Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
    *Jul 25 12:23:14.708: ISAKMP:   attributes in transform:
    *Jul 25 12:23:14.708: ISAKMP:      encaps is 2 (Transport)
    *Jul 25 12:23:14.708: ISAKMP:      SA life type in seconds
    *Jul 25 12:23:14.708: ISAKMP:      SA life duration (basic) of 3600
    *Jul 25 12:23:14.708: ISAKMP:      SA life type in kilobytes
    *Jul 25 12:23:14.708: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Jul 25 12:23:14.708: ISAKMP:      authenticator is HMAC-SHA
    *Jul 25 12:23:14.708: ISAKMP:      key length is 128
    *Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
    *Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
    *Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
        local_proxy= 1.1.1.1/255.255.255.255/47/0,
        remote_proxy= 2.2.2.2/255.255.255.255/47/0,
        protocol= ESP, transform= NONE  (Transport),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:23:14.708: map_db_find_best did not find matching map
    *Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
    *Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
    *Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
    *Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 838208952, message ID = 2125889339
    *Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
    *Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
    *Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
    *Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY
    *Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
    *Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
    *Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
    *Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
    *Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
    *Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
    *Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
    *Jul 25 12:23:44.704: ISAKMP:   attributes in transform:
    *Jul 25 12:23:44.704: ISAKMP:      encaps is 2 (Transport)
    *Jul 25 12:23:44.704: ISAKMP:      SA life type in seconds
    *Jul 25 12:23:44.704: ISAKMP:      SA life duration (basic) of 3600
    *Jul 25 12:23:44.704: ISAKMP:      SA life type in kilobytes
    *Jul 25 12:23:44.704: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Jul 25 12:23:44.708: ISAKMP:      authenticator is HMAC-SHA
    *Jul 25 12:23:44.708: ISAKMP:      key length is 128
    *Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
    *Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
    *Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
        local_proxy= 1.1.1.1/255.255.255.255/47/0,
        remote_proxy= 2.2.2.2/255.255.255.255/47/0,
        protocol= ESP, transform= NONE  (Transport),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:23:44.708: map_db_find_best did not find matching map
    *Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
    *Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
    *Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
    *Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
    *Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 838208952, message ID = 1569673109
    *Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
    *Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
    *Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
    *Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_READY
    ---------Cisco 3825------------------
    SPOKE_1#sh dm
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface: Tunnel12345, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1   1.1.1.1      10.10.10.1 IPSEC    1d22h     S
    SPOKE_1#sh cry is sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    1.1.1.1   2.2.2.2   QM_IDLE           1006 ACTIVE
    IPv6 Crypto ISAKMP SA
    SPOKE_1#debug dm all all
    *Jul 25 12:50:23.520: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
        local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
        remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
        protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
    *Jul 25 12:50:23.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
    *Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
    *Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
    *Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
    *Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
    *Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
    *Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
    *Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 484617190, message ID = 2612648468, sa = 0x70B05F14
    *Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
    *Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
    *Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
    *Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    *Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs  dst 10.10.10.1
    *Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
    *Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
    *Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
    *Jul 25 12:50:34.972: NHRP: Encapsulation succeeded.  Tunnel IP addr 1.1.1.1
    *Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
    *Jul 25 12:50:34.972:  src: 10.12.34.1, dst: 10.10.10.1
    *Jul 25 12:50:34.972:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    *Jul 25 12:50:34.972:      shtl: 4(NSAP), sstl: 0(NSAP)
    *Jul 25 12:50:34.972:      pktsz: 92 extoff: 52
    *Jul 25 12:50:34.972:  (M) flags: "unique nat ", reqid: 65537
    *Jul 25 12:50:34.972:      src NBMA: 2.2.2.2
    *Jul 25 12:50:34.972:      src protocol: 10.12.34.1, dst protocol: 10.10.10.1
    *Jul 25 12:50:34.972:  (C-1) code: no error(0)
    *Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 7200
    *Jul 25 12:50:34.972:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Jul 25 12:50:34.972: Responder Address Extension(3):
    *Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
    *Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
    *Jul 25 12:50:34.972: NAT address Extension(9):
    *Jul 25 12:50:34.972:  (C-1) code: no error(0)
    *Jul 25 12:50:34.972:        prefix: 32, mtu: 17916, hd_time: 0
    *Jul 25 12:50:34.972:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
    *Jul 25 12:50:34.972:        client NBMA: 1.1.1.1
    *Jul 25 12:50:34.972:        client protocol: 10.10.10.1
    *Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
    *Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
    *Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
    *Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
    *Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
        local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
        remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
    *Jul 25 12:50:53.520: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
        local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
        remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
        protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
    *Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
    *Jul 25 12:50:53.520: SA has outstanding requests  (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
    *Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE      )
    *Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
    *Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
    *Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
    *Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
    *Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
    *Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
    *Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
    *Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
    *Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
    *Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
    *Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
    *Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    Some time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.
    Some comments:
    You shouldn't disable NAT transparency. It should work with the default setting, which is "enabled".
    The firewall only has to allow UDP/500 and UDP/4500. It will never see any other traffic between the hub and spoke.
    The firewall shouldn't do any inspections etc. on the traffic to the hub.
    You shouldn't use wildcard PSKs. The better solution is to use digital certificates.
    You probably need some MTU/MSS settings like "ip mtu 1400" and "ip tcp adjust-mss 1360".
    For running OSPF through DMVPN, make sure the hub is the DR and set the network type to broadcast.
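
The hub and spoke debugs in this thread show the same phase 2 failure from both ends. The following triage script is an added example, not code from any poster in the thread: it reads IOS `debug crypto` style output and summarises Quick Mode rejections per ISAKMP conn-id. The sample lines are constructed in the format of the output above, with documentation addresses substituted, and the function names are hypothetical.

```python
import re

# Conn-id tag, in both the "ISAKMP:(1006):" and "ISAKMP (1006):" spellings IOS prints.
SA_TAG = re.compile(r"ISAKMP\s*:?\s*\((\d+)\)\s*:?\s*(.*)")
TRANSFORM = re.compile(r"transform=\s*(.+?)\s*\((Transport|Tunnel)\)")
SPI = re.compile(r"^\s*spi (\d+), message ID")
# IPsec-engine lines carry no conn-id; they explain the ISAKMP verdict that follows.
IPSEC_REASONS = ("did not find matching map", "proxy identities not supported")

# Constructed sample, responder (hub) side.
SAMPLE_HUB = """\
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.0.2.1:0, remote= 198.51.100.2:0,
    protocol= ESP, transform= NONE  (Transport),
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.0.2.1 remote 198.51.100.2)
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
"""

# Constructed sample, initiator (spoke) side: two Quick Mode attempts, both refused.
SAMPLE_SPOKE = """\
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 198.51.100.2:500, remote= 192.0.2.1:500,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
"""


def new_summary():
    return {"qm_started": 0, "rejected_locally": 0, "rejected_by_peer": 0,
            "reasons": [], "transforms": [], "spis": []}


def triage(log_text):
    """Summarise Quick Mode (phase 2) failures per ISAKMP conn-id."""
    sas, reasons, transforms = {}, [], []
    want_spi = None                 # SA whose NOTIFY continues on the next line
    for line in log_text.splitlines():
        if want_spi is not None:
            m = SPI.match(line)
            if m:
                want_spi["spis"].append(int(m.group(1)))
            want_spi = None
        t = TRANSFORM.search(line)
        if t:
            transforms.append((t.group(1), t.group(2)))
        reasons += [r for r in IPSEC_REASONS if r in line]
        m = SA_TAG.search(line)
        if not m:
            continue
        sa = sas.setdefault(m.group(1), new_summary())
        msg = m.group(2)
        # IPsec-engine output seen since the last tagged line belongs to this SA.
        sa["transforms"] += transforms
        sa["reasons"] += reasons
        transforms, reasons = [], []
        if "beginning Quick Mode exchange" in msg:
            sa["qm_started"] += 1
        elif "phase 2 SA policy not acceptable" in msg:
            sa["rejected_locally"] += 1
        elif "Sending NOTIFY PROPOSAL_NOT_CHOSEN" in msg:
            want_spi = sa
        elif "processing NOTIFY PROPOSAL_NOT_CHOSEN" in msg:
            sa["rejected_by_peer"] += 1
            want_spi = sa
    return sas


def verdict(conn_id, s):
    """One-line reading of a triage() summary, for the operator."""
    offered = ", ".join(f"{t} ({mode})"
                        for t, mode in dict.fromkeys(s["transforms"])) or "not logged"
    if s["rejected_locally"]:
        why = "; ".join(dict.fromkeys(s["reasons"])) or "no IPsec reason logged"
        return (f"SA {conn_id}: refused {s['rejected_locally']} phase 2 proposal(s) "
                f"from the peer ({why}); proposal seen: {offered}")
    if s["rejected_by_peer"]:
        return (f"SA {conn_id}: peer answered PROPOSAL_NOT_CHOSEN to "
                f"{s['rejected_by_peer']} of {s['qm_started']} Quick Mode attempt(s); "
                f"proposal sent: {offered}")
    return f"SA {conn_id}: no phase 2 rejection in this capture"


if __name__ == "__main__":
    for sample in (SAMPLE_HUB, SAMPLE_SPOKE):
        for conn_id, summary in triage(sample).items():
            print(verdict(conn_id, summary))
```

The side that logs the IPsec-engine reason is the one whose policy refused the proposal, so its configuration is the place to start; the other side only ever sees the NOTIFY.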

  • Multiple DMVPN Instances on Same WAN Interface

    Hi Folks,
    Is it possible to run multiple DMVPN instances on a single WAN interface? Can we, for example, configure 3 tunnels on a router using the same WAN interface but running separate EIGRP instances for each tunnel? Kindly let me know. Alioune

    Hi Alioune,
    Yes, you can create DMVPN as you said with one WAN interface; that is possible. You can have multiple tunnel interfaces pointing to a WAN interface as the source interface, which resides in the public zone, with different public IPs as the tunnel destinations.
    ! GigabitEthernet0/0 is the WAN interface used as the source of both tunnels
    interface Tunnel1
     description ** A-VPN Tunnel **
     bandwidth 100000
     ip vrf forwarding red
     ip address 10.0.252.2 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1500
     load-interval 60
     tunnel source GigabitEthernet0/0
     tunnel destination 1.1.1.1
     tunnel protection ipsec profile dmvpn
    !
    ! Second tunnel needs its own interface number
    interface Tunnel2
     description ** B-VPN Tunnel **
     bandwidth 100000
     ip vrf forwarding red
     ip address 10.0.252.5 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1500
     load-interval 60
     tunnel source GigabitEthernet0/0
     tunnel destination 2.1.1.1
     tunnel protection ipsec profile dmvpn
    Like the sample shown above.
    Please rate if the given information helps!!!

  • DMVPN phase I fails when migrating from PSK to RSIG

    I am currently in the process of migrating my DMVPN network from pre-shared key to certificates. Most of the spokes have come up and are working without any issues, but there are several that are not making it past phase I. I have included the ISAKMP debugging from the hub and one of the spokes that are failing. I see that the hub is going QM_IDLE after receiving the certificate from the spoke, but it does not look like the spoke ever receives the cert from the hub. I suspect an issue with the ISP, but it's not as simple as filtering 500, as all the messages except the cert seem to make it. If I move the spoke back to PSK it works fine. Has anyone seen this issue before, and what was the resolution?
    DMVPN Hub
    Oct  7 19:38:36.213: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.213: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F1AA7CC5920
    Oct  7 19:38:36.213: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.213: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):found peer pre-shared key matching 2.8.51.58
    Oct  7 19:38:36.214: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.214: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.214: ISAKMP:      hash MD5
    Oct  7 19:38:36.214: ISAKMP:      default group 1
    Oct  7 19:38:36.214: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.214: ISAKMP:      life type in seconds
    Oct  7 19:38:36.214: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.214: ISAKMP:(0):atts are acceptable. Next payload is 3
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.214: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.214: ISAKMP:(0): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_SA_SETUP
    Oct  7 19:38:36.214: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    Oct  7 19:38:36.240: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_SA_SETUP
    Oct  7 19:38:36.240: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.240: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
    Oct  7 19:38:36.240: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants cert issued by cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is DPD
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): speaking to another IOS box!
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID seems Unity/DPD but major 209 mismatch
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is XAUTH
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): His hash no match - this node outside NAT
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): No NAT Found for self or peer
    Oct  7 19:38:36.242: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.242: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM3
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP (38618): constructing CERT_REQ for issuer cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.243: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.243: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.243: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM4
    Oct  7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Old State = IKE_R_MM4  New State = IKE_R_MM5
    Oct  7 19:38:36.484: ISAKMP:(38618): processing ID payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.484: ISAKMP:(38618): processing CERT payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP:(38618): processing a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.484: ISAKMP:(38618): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): peer's pubkey is cached
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): Unable to get DN from certificate!
    Oct  7 19:38:36.485: ISAKMP:(38618): processing SIG payload. message ID = 0
    Oct  7 19:38:36.486: ISAKMP:received payload type 17
    Oct  7 19:38:36.486: ISAKMP:(38618): processing NOTIFY INITIAL_CONTACT protocol 1
            spi 0, message ID = 0, sa = 0x7F1AA7CC5920
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618):SA has been authenticated with 2.8.51.58
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 15.18.1.1 remote 2.8.51.58 remote port 500
    Oct  7 19:38:36.486: ISAKMP:(38617):received initial contact, deleting SA
    Oct  7 19:38:36.486: ISAKMP:(38617):peer does not do paranoid keepalives.
    Oct  7 19:38:36.486: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.486: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.486: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_R_MM5
    Oct  7 19:38:36.487: ISAKMP: set new node 2177251913 to QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.487: ISAKMP:(38617):purging node 2177251913
    Oct  7 19:38:36.487: ISAKMP:(38617):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Oct  7 19:38:36.487: ISAKMP:(38617):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.487: ISAKMP:(38618):Using FQDN as My ID
    Oct  7 19:38:36.487: ISAKMP:(38618):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.487: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : selurt-dmvpn-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 44
    Oct  7 19:38:36.487: ISAKMP:(38618):Total payload length: 44
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.488: ISAKMP:(38618): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=selurt-dmvpn-01.nvv.net.company.com,serialNumber=4279180096
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.489: ISAKMP:(38618): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38617):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38617):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Oct  7 19:38:36.494: ISAKMP:(38618):IKE_DPD is enabled, initializing timers
    Oct  7 19:38:36.494: ISAKMP:(38618): IKE->PKI End PKI Session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618): PKI->IKE Ended PKI session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:46.492: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:46.492: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:46.492: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:46.992: ISAKMP (38618): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:46.992: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:46.992: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:38:56.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:56.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:56.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:56.981: ISAKMP (38618): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:56.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:56.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:06.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:06.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:06.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:06.981: ISAKMP (38618): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:06.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:06.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:09.880: ISAKMP:(38616):purging SA., sa=7F1AA7721158, delme=7F1AA7721158
    selurt-dmvpn-01#
    Oct  7 19:39:16.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:16.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:16.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:16.980: ISAKMP (38618): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:16.980: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:16.980: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:26.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:26.482: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:26.482: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:26.981: ISAKMP (38618): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:26.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:26.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:36.493: ISAKMP:(38617):purging SA., sa=7F1AA79AD9E0, delme=7F1AA79AD9E0
    DMVPN Spoke
    Oct  7 19:38:36.181: ISAKMP:(0): SA request profile is (NULL)
    Oct  7 19:38:36.181: ISAKMP: Created a peer struct for 15.18.1.1, peer port 500
    Oct  7 19:38:36.181: ISAKMP: New peer created peer = 0x2B1F480C peer_handle = 0x80001DF4
    Oct  7 19:38:36.181: ISAKMP: Locking peer struct 0x2B1F480C, refcount 1 for isakmp_initiator
    Oct  7 19:38:36.181: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:38:36.181: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B16C9FC
    Oct  7 19:38:36.181: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Oct  7 19:38:36.181: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.181: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Oct  7 19:38:36.181: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Oct  7 19:38:36.181: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Oct  7 19:38:36.181: ISAKMP:(0): beginning Main Mode exchange
    Oct  7 19:38:36.181: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    Oct  7 19:38:36.181: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.205: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Oct  7 19:38:36.205: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.205: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.205: ISAKMP : Scanning profiles for xauth ...
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.205: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.205: ISAKMP:      hash MD5
    Oct  7 19:38:36.205: ISAKMP:      default group 1
    Oct  7 19:38:36.205: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.205: ISAKMP:      life type in seconds
    Oct  7 19:38:36.205: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.205: ISAKMP:(0):atts are acceptable. Next payload is 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.205: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP (0): constructing CERT_REQ for issuer cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.209: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Oct  7 19:38:36.209: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.209: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.209: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Oct  7 19:38:36.233: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
    Oct  7 19:38:36.233: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.233: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Oct  7 19:38:36.233: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants cert issued by cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.249:  Choosing trustpoint TP_NAD_CA as issuer
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is Unity
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is DPD
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): speaking to another IOS box!
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): His hash no match - this node outside NAT
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): No NAT Found for self or peer
    Oct  7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct  7 19:38:36.249: ISAKMP:(8329):Send initial contact
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
    Oct  7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.249: ISAKMP (8329): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP:(8329): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=lvrirt-s2s-01.nvv.net.company.com,serialNumber=FCZ163860KW
    Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
    Oct  7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct  7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node -57107868
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
    Oct  7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
    Oct  7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct  7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)

    Mike,
    Hub sends its cert but spoke never receives that, this is typically a problem with fragmentation handling in transit networks.
    Sniff both ends you control and check whether you're not missing any fragments on spoke end.
    Could be as simple as an MTU problem on your end or could be something in the path attempting reassembly.
    Multiple ways to go, check your end, if fragments are missing in transit - start investigating with ISP(s).
    M.
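
The failure signature discussed in this reply, as an added example that is not part of the original thread: a Python script that groups ISAKMP debug lines per SA and separates a Phase 1 that dies after its certificate-bearing message went unanswered from one that never got any reply at all. The message patterns come from the debug output quoted above; the sample log, the result labels and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the debug output above. Addresses are
# RFC 5737 documentation ranges; the hostname is a placeholder.
SAMPLE_LOG = """\
Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=spoke.example.net
Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
Oct  7 19:38:36.481: ISAKMP (8328): received packet from 192.0.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 192.0.2.1)
Oct  7 19:40:01.100: ISAKMP (8330): constructing CERT payload for hostname=spoke.example.net
Oct  7 19:40:01.100: ISKAMP: growing send buffer from 1024 to 3072
Oct  7 19:40:01.300: ISAKMP:(8330):Old State = IKE_I_MM4  New State = IKE_I_MM5
Oct  7 19:40:01.350: ISAKMP (8330): received packet from 192.0.2.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct  7 19:40:01.360: ISAKMP:(8330):Old State = IKE_I_MM5  New State = IKE_I_MM6
Oct  7 19:40:01.360: ISAKMP:(8330):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Oct  7 19:41:00.000: ISAKMP:(0): sending packet to 198.51.100.7 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 19:41:10.000: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 19:41:50.000: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.7)
"""

# The SA id appears as "ISAKMP:(8329)" or "ISAKMP (8329)" in the debug output.
SA_ID = re.compile(r"ISAKMP:?\s?\((\d+)\)")
TRANSITION = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
BUFFER = re.compile(r"growing send buffer from (\d+) to (\d+)")
RETRANSMIT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETED = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)\s+\(peer ([\d.]+)\)')
RECEIVED = re.compile(r"received packet from ([\d.]+)")


@dataclass
class PhaseOne:
    sa_id: int
    states: list = field(default_factory=list)
    sent_cert: bool = False   # a CERT payload was built for this SA
    send_buffer: int = 0      # largest send buffer size logged, in bytes
    rx_after_cert: int = 0    # packets received on this SA after the CERT was built
    retransmits: int = 0
    delete_reason: str = ""
    delete_state: str = ""
    peer: str = ""


def parse(log_text):
    """Group debug lines by SA id. Id 0 is shared by SAs in early states, so that bucket is coarse."""
    sas = {}
    last_id = None
    for line in log_text.splitlines():
        grown = BUFFER.search(line)
        if grown and last_id is not None:
            # This line carries no SA id: attribute it to the SA logged just before (heuristic).
            sas[last_id].send_buffer = max(sas[last_id].send_buffer, int(grown.group(2)))
            continue
        found = SA_ID.search(line)
        if not found:
            continue  # continuation lines such as the ID payload dump
        last_id = int(found.group(1))
        sa = sas.setdefault(last_id, PhaseOne(last_id))
        if "constructing CERT payload" in line:
            sa.sent_cert = True
        elif (m := TRANSITION.search(line)):
            sa.states.append(m.group(2))
        elif (m := RECEIVED.search(line)):
            sa.peer = m.group(1)
            if sa.sent_cert:
                sa.rx_after_cert += 1
        elif (m := RETRANSMIT.search(line)):
            sa.retransmits = max(sa.retransmits, int(m.group(1)))
        elif (m := DELETED.search(line)):
            sa.delete_reason, sa.delete_state, sa.peer = m.groups()
    return sas


def classify(sa):
    if "IKE_P1_COMPLETE" in sa.states:
        return "established"
    if sa.delete_reason != "Death by retransmission P1":
        return "other"
    if not sa.sent_cert:
        # Small packets went unanswered too, so large-packet loss is not indicated.
        return "no-reply-before-cert"
    if sa.delete_state == "MM_KEY_EXCH" and sa.rx_after_cert == 0:
        # Exchange stalled exactly where the large, certificate-bearing messages are sent.
        return "cert-exchange-unanswered"
    return "other"


def report(log_text):
    return {sa_id: classify(sa) for sa_id, sa in parse(log_text).items()}


if __name__ == "__main__":
    for sa_id, verdict in sorted(report(SAMPLE_LOG).items()):
        print(sa_id, verdict)
```

A `cert-exchange-unanswered` result only points toward fragment loss; the captures on both ends that the reply recommends are what confirm it.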

  • DMVPN w/ Multicasting setup/questions

    Hello
    I have a lot of questions, so bear with me as I puke them out of my head.
    I have been doing some testing with DMVPN in conjunction with multicasting video (Hub and spoke, w/ no spoke to spoke). The test setup is using 2 cisco 2811 w/out the vpn module.  I understand the performance hit with not having the module. With that being said here are my questions.
    1. With encryption on both the HUB and spoke routers are using 90-97% cpu (8Mb multicast stream).  With encryption off, the Hub is around 60%, and spoke around 75%.  Here is where I'm confused.  If I send that same stream as a unicast stream, w/ encryption on, both the Hub and spoke are only using around 30-35% cpu.  Why is there so much more cpu needed when it's a multicast stream?
    2. In the current config I'm seeing input, throttles, and ignore errors on the Hub and spoke.  The Hub has these errors on the LAN interface, and the spoke has these errors on the WAN interface. All other interfaces are totally clean.  I have checked and there are no duplex or speed mismatches.  Any ideas?
    HUB:
    Current configuration : 1837 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Hub
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable password
    no aaa new-model
    clock timezone Central -6
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip name-server 8.8.8.8
    ip multicast-routing
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
      hidekeys
    interface Tunnel1
    bandwidth 100000
    ip address 192.168.11.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 1
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 450
    no ip route-cache cef
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel bandwidth transmit 100000
    tunnel bandwidth receive 100000
    interface FastEthernet0/0 (WAN)
    ip address 216.x.x.x 255.255.255.192
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    interface FastEthernet0/1 (LAN)
    ip address 128.112.64.5 255.255.248.0
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    router eigrp 1
    network 128.112.0.0
    network 192.168.11.0
    auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.x.x.x
    ip http server
    ip http authentication local
    ip http secure-server
    ip pim rp-address 128.112.64.5 10
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO
    Spoke:
    Current configuration : 1857 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Spoke
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable password
    no aaa new-model
    clock timezone central -6
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip multicast-routing
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
      hidekeys
    interface Tunnel1
    bandwidth 100000
    ip address 192.168.11.2 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip pim sparse-mode
    ip nhrp map 192.168.11.1 216.x.x.x
    ip nhrp map multicast 216.x.x.x
    ip nhrp network-id 1
    ip nhrp holdtime 450
    ip nhrp nhs 192.168.11.1
    no ip route-cache cef
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 216.x.x.x
    tunnel key 100000
    tunnel bandwidth transmit 100000
    tunnel bandwidth receive 100000
    interface FastEthernet0/0 (WAN)
    ip address 65.x.x.x 255.255.255.192
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    interface FastEthernet0/1  (LAN)
    ip address 128.124.64.1 255.255.248.0
    ip pim sparse-mode
    ip igmp join-group 239.10.10.10
    load-interval 30
    duplex auto
    speed auto
    router eigrp 1
    network 128.124.0.0
    network 192.168.11.0
    auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 65.x.x.x
    no ip http server
    no ip http secure-server
    ip pim rp-address 128.112.64.5 10
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO

    Joe,
    You ask the right question.
    CPU utilization = CPU consumed by processes + IO operations (in a huge simplification - CEF)
    Typically when a packet is processed by router we expect it to be processed by CEF, i.e. very fast.
    Packet is not processed by CEF:
    - when there is something missing to route the packet properly (think missing ARP/CAM entry) i.e. additional lookup needs to be done.
    - a feature requests the packet for processing/mangling
    - Packet is destined to the router
    (And several others, but those are the major ones).
    When a packet is received, but cannot be processed by CEF, we "punt the packet to CPU"; this in turn will cause the CPU for processes to go up.
    Now on the spoke this seems to be the problem:
    Spoke#show ip cef switching stati
           Reason                          Drop       Punt  Punt2Host
    RP LES Packet destined for us             0       1723          0
    RP LES Encapsulation resource             0    1068275          0
    There were also some failures on one of the buffer outputs you've attached.
    Typically at this stage I would suggest:
    1) "Upgrade" the device to 15.0(1)M6 or 12.4(15)T (latest image in this branch) and check if the problem persists there.
    2) If it does, swing it by TAC. I don't see any obvious mistakes, but I'm just a guy in a chair same as you ;-)
    Marcin

  • Failover DMVPN hub-spoke setup

    This is the current setup:
    crypto keyring LAN-to-LAN
      pre-shared-key address A key 1
      pre-shared-key address B key 2
      pre-shared-key address C key 3
      pre-shared-key address D key 4
      pre-shared-key address E key 5
      pre-shared-key address F key 6
      pre-shared-key address G key 7
      pre-shared-key address H key 8
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp profile DMVPN
       keyring LAN-to-LAN
       match identity address A 255.255.255.255
       match identity address B 255.255.255.255
       match identity address C 255.255.255.255
       match identity address D 255.255.255.255
       match identity address E 255.255.255.255
       match identity address F 255.255.255.255
       match identity address G 255.255.255.255
       match identity address H 255.255.255.255
    crypto ipsec transform-set AES256_SHA-transport esp-aes 256 esp-sha-hmac
    mode transport
    crypto ipsec profile DMVPN
    set transform-set AES256_SHA-transport
    set isakmp-profile DMVPN
    interface Tunnel0
    bandwidth 50000
    ip address 192.168.192.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication Dyn4m1c
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 90
    load-interval 30
    tunnel source Vlan10
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile DMVPN
    interface GigabitEthernet0/1
    description Verizon Ethernet Internet [10Mbps]
    ip address 157.130.x.x 255.255.255.252
    ip accounting output-packets
    ip nat outside
    ip virtual-reassembly
    load-interval 30
    duplex auto
    speed auto
    no cdp enable
    interface FastEthernet0/0/3
    description Optimum Lightpath Internet [50Mbps]
    switchport access vlan 10
    load-interval 30
    duplex full
    speed 100
    interface Vlan10
    description Optimum Lightpath Internet [50Mbps]
    ip address 173.251.x.x 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    load-interval 30
    router eigrp 90
    network 10.192.28.0 0.0.0.255
    network 10.192.29.0 0.0.0.255
    network 192.168.44.0
    network 192.168.192.0
    ip route 0.0.0.0 0.0.0.0 157.130.x.x
    ip route 10.192.29.0 255.255.255.0 10.192.28.2
    ip route A 255.255.255.255 173.251.x.x
    ip route B 255.255.255.255 173.251.x.x
    ip route C 255.255.255.255 173.251.x.x
    ip route D 255.255.255.255 173.251.x.x
    ip route E 255.255.255.255 173.251.x.x
    ip route F 255.255.255.255 173.251.x.x
    ip route G 255.255.255.255 173.251.x.x
    ip route H 255.255.255.255 173.251.x.x
    Can I just double it and use IP SLA route tracking for redundancy? So I would add the following to the above:
    interface Tunnel1
    bandwidth 50000
    ip address 192.168.192.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication Dyn4m1c
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 90
    load-interval 30
    tunnel source GigabitEthernet0/1
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile DMVPN
    track 1 ip sla 1
    delay down 15 up 15
    ip sla 1
    icmp-echo 64.106.227.1 source-interface VLAN10
    frequency 5
    ip sla schedule 1 life forever start-time now
    ip route 10.192.29.0 255.255.255.0 10.192.28.2
    ip route A 255.255.255.255 173.251.x.x track 1
    ip route A 255.255.255.255 157.130.x.x 200
    ip route B 255.255.255.255 173.251.x.x track 1
    ip route B 255.255.255.255 157.130.x.x 200
    ip route C 255.255.255.255 173.251.x.x track 1
    ip route C 255.255.255.255 157.130.x.x 200
    ip route D 255.255.255.255 173.251.x.x track 1
    ip route D 255.255.255.255 157.130.x.x 200
    ip route E 255.255.255.255 173.251.x.x track 1
    ip route E 255.255.255.255 157.130.x.x 200
    ip route F 255.255.255.255 173.251.x.x track 1
    ip route F 255.255.255.255 157.130.x.x 200
    ip route G 255.255.255.255 173.251.x.x track 1
    ip route G 255.255.255.255 157.130.x.x 200
    ip route H 255.255.255.255 173.251.x.x track 1
    ip route H 255.255.255.255 157.130.x.x 200

    1) You can't use same ip address on both tunnels.
    2) I can't see any "ip nhrp nhs" or static mappings configuration on your tunnels. Configuration is not operational.
    3) It is preferred to use tunnel VRFs for redundancy with two uplinks.
    Please refer to
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    Please let me know if you need additional assistance with configuration.
    HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."

  • Problem when applying IPSEC to DMVPN

    Hi, I have some trouble with DMVPN.
    I configured NHRP between a HUB and a SPOKE:
                   HUB
                 tu0  tu1
                   |     |
                    ISP
                      |
                  tu0,tu1
                 SPOKE
    the HUB has two physical interfaces and two logical interfaces.
    The SPOKE has one physical interface and two logical interfaces.
    I configured NHRP correctly, the tunnels are detected in the HUB and the SPOKE.
    When I add the IPSEC profile to the interfaces I lose tunnel1.
    SPOKE1#sh ip nhrp
    10.1.1.4/32 via 10.1.1.4, Tunnel0 created 02:22:01, never expire
      Type: static, Flags: authoritative used
      NBMA address: 190.1.1.1
    10.2.2.4/32 via 10.2.2.4, Tunnel1 created 02:18:21, never expire
      Type: static, Flags: authoritative used
      NBMA address: 190.1.2.1
    SPOKE1#debug ip nhrp
    tunnel0
    *Mar  1 03:50:09.399: NHRP: Attempting to send packet via DEST 10.1.1.4
    *Mar  1 03:50:09.399: NHRP: Encapsulation succeeded.  Tunnel IP addr 190.1.1.1
    *Mar  1 03:50:09.399: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 82
    *Mar  1 03:50:09.403:       src: 10.1.1.1, dst: 10.1.1.4
    *Mar  1 03:50:09.403: NHRP: 82 bytes out Tunnel0
    *Mar  1 03:50:09.519: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 102
    *Mar  1 03:50:09.519: NHRP: netid_in = 0, to_us = 1
    tunnel 1
    *Mar  1 03:50:30.575: NHRP: Attempting to send packet via DEST 10.2.2.4
    *Mar  1 03:50:30.575: NHRP: Encapsulation succeeded.  Tunnel IP addr 190.1.2.1
    *Mar  1 03:50:30.575: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
    *Mar  1 03:50:30.579:       src: 10.2.2.1, dst: 10.2.2.4
    *Mar  1 03:50:30.579: NHRP: 82 bytes out Tunnel1
    *Mar  1 03:50:30.579: NHRP: Resetting retransmit due to hold-timer for 10.2.2.4
    no reply from the HUB.
    HUB#sh ip nhrp
    10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:05:05, expire 00:08:29
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 191.1.1.11
    Just tunnel0 is there!
    I also have this on the HUB:
    *Mar  1 03:58:54.519: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 191.1.1.11 (physical address of SPOKE1)
    configs :
    HUB :
    crypto isakmp policy 10
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key techservices address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    crypto ipsec profile DMVPN
    set transform-set AES_MD5
    interface Tunnel0
    bandwidth 10000
    ip address 10.1.1.4 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 123
    ip nhrp authentication dmvpn1
    ip nhrp map multicast dynamic
    ip nhrp network-id 123
    no ip split-horizon eigrp 123
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 123
    tunnel protection ipsec profile DMVPN
    interface Tunnel1
    bandwidth 10000
    ip address 10.2.2.4 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 124
    ip nhrp authentication dmvpn2
    ip nhrp map multicast dynamic
    ip nhrp network-id 124
    no ip split-horizon eigrp 124
    tunnel source FastEthernet1/0
    tunnel mode gre multipoint
    tunnel key 124
    tunnel protection ipsec profile DMVPN
    router eigrp 123
    network 10.1.1.0 0.0.0.255
    network 172.16.4.0 0.0.0.255
    no auto-summary
    router eigrp 124
    network 10.2.2.0 0.0.0.255
    network 172.16.4.0 0.0.0.255
    no auto-summary
    SPOKE1:
    crypto isakmp policy 10
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key techservices address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    crypto ipsec profile DMVPN
    set transform-set AES_MD5
    interface Tunnel0
    bandwidth 10000
    ip address 10.1.1.1 255.255.255.0
    ip mtu 1400
    ip nhrp authentication dmvpn1
    ip nhrp map multicast 190.1.1.1
    ip nhrp map 10.1.1.4 190.1.1.1
    ip nhrp network-id 123
    ip nhrp holdtime 600
    ip nhrp nhs 10.1.1.4
    ip nhrp registration timeout 300
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 123
    tunnel protection ipsec profile DMVPN
    interface Tunnel1
    bandwidth 10000
    ip address 10.2.2.1 255.255.255.0
    ip mtu 1400
    ip nhrp authentication dmvpn2
    ip nhrp map multicast 190.1.2.1
    ip nhrp map 10.2.2.4 190.1.2.1
    ip nhrp network-id 124
    ip nhrp holdtime 600
    ip nhrp nhs 10.2.2.4
    ip nhrp registration timeout 300
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 124
    tunnel protection ipsec profile DMVPN
    router eigrp 123
    network 10.1.1.0 0.0.0.255
    network 172.16.1.0 0.0.0.255
    no auto-summary
    router eigrp 124
    network 10.2.2.0 0.0.0.255
    network 172.16.1.0 0.0.0.255
    no auto-summary
    regards

    But when I add another SPOKE there is a problem:
                              HUB
                              |    |
    SPOKE1___ ISP__SPOKE2
    HUB:
    crypto isakmp policy 10
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    crypto ipsec profile DMVPN
    set transform-set AES_MD5
    interface Tunnel0
    bandwidth 1000
    ip address 10.1.1.4 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 123
    ip nhrp authentication dmvpn1
    ip nhrp map multicast dynamic
    ip nhrp network-id 123
    no ip split-horizon eigrp 123
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 123
    tunnel protection ipsec profile DMVPN
    interface Tunnel1
    bandwidth 1000
    ip address 10.2.2.4 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 124
    ip nhrp authentication dmvpn2
    ip nhrp map multicast dynamic
    ip nhrp network-id 124
    no ip split-horizon eigrp 124
    tunnel source FastEthernet1/0
    tunnel mode gre multipoint
    tunnel key 124
    tunnel protection ipsec profile DMVPN
    router eigrp 123
    network 10.1.1.0 0.0.0.255
    network 172.16.4.0 0.0.0.255
    no auto-summary
    router eigrp 124
    network 10.2.2.0 0.0.0.255
    network 172.16.4.0 0.0.0.255
    no auto-summary
    SPOKE1 :
    crypto isakmp policy 10
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    crypto ipsec profile DMVPN
    set transform-set AES_MD5
    interface Tunnel0
    bandwidth 1000
    ip address 10.1.1.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication dmvpn1
    ip nhrp map multicast 190.1.1.1
    ip nhrp map 10.1.1.4 190.1.1.1
    ip nhrp network-id 123
    ip nhrp holdtime 600
    ip nhrp nhs 10.1.1.4
    ip nhrp registration timeout 300
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 123
    tunnel protection ipsec profile DMVPN shared
    interface Tunnel1
    bandwidth 1000
    ip address 10.2.2.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication dmvpn2
    ip nhrp map multicast 190.1.2.1
    ip nhrp map 10.2.2.4 190.1.2.1
    ip nhrp network-id 124
    ip nhrp holdtime 600
    ip nhrp nhs 10.2.2.4
    ip nhrp registration timeout 300
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 124
    tunnel protection ipsec profile DMVPN shared
    router eigrp 123
    network 10.1.1.0 0.0.0.255
    network 172.16.1.0 0.0.0.255
    no auto-summary
    router eigrp 124
    network 10.2.2.0 0.0.0.255
    network 172.16.1.0 0.0.0.255
    no auto-summary
    SPOKE2 :
    crypto isakmp policy 10
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
    crypto ipsec profile DMVPN
    set transform-set AES_MD5
    interface Tunnel0
    bandwidth 1000
    ip address 10.1.1.2 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication dmvpn1
    ip nhrp map multicast 190.1.1.1
    ip nhrp map 10.1.1.4 190.1.1.1
    ip nhrp network-id 123
    ip nhrp holdtime 600
    ip nhrp nhs 10.1.1.4
    ip nhrp registration timeout 300
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 123
    tunnel protection ipsec profile DMVPN shared
    interface Tunnel1
    bandwidth 1000
    ip address 10.2.2.2 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication dmvpn2
    ip nhrp map multicast 190.1.2.1
    ip nhrp map 10.2.2.4 190.1.2.1
    ip nhrp network-id 124
    ip nhrp holdtime 600
    ip nhrp nhs 10.2.2.4
    ip nhrp registration timeout 300
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 124
    tunnel protection ipsec profile DMVPN shared
    router eigrp 123
    network 10.1.1.0 0.0.0.255
    network 172.16.2.0 0.0.0.255
    no auto-summary
    router eigrp 124
    network 10.2.2.0 0.0.0.255
    network 172.16.2.0 0.0.0.255
    no auto-summary
    HUB:
    HUB#sh ip nhrp
    10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:15:17, expire 00:09:21
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 191.1.1.11
    10.1.1.2/32 via 10.1.1.2, Tunnel0 created 00:12:09, expire 00:07:50
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 191.1.1.12
    10.2.2.1/32, Tunnel1 created 00:02:57, expire 00:00:07
      Type: incomplete, Flags: negative
      Cache hits: 7
    10.2.2.2/32 via 10.2.2.2, Tunnel1 created 00:12:00, expire 00:07:58
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 191.1.1.12
    HUB can't have the NBMA address for 10.2.2.1 for SPOKE1
    HUB#ping 10.2.2.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    *Mar  1 00:45:18.431: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 124
    *Mar  1 00:45:18.435: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
    *Mar  1 00:45:18.435: NHRP: No node found..
    *Mar  1 00:45:07.131: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 124
    *Mar  1 00:45:07.131: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
    *Mar  1 00:48:30.759: NHRP: Checking for delayed event 0.0.0.0/10.2.2.1 on list (Tunnel1).
    *Mar  1 00:48:30.763: NHRP: No node found.
    *Mar  1 00:48:30.763: NHRP: Attempting to send packet via DEST 10.2.2.1
    *Mar  1 00:48:30.767: NHRP: Send Resolution Request via Tunnel1 vrf 0, packet size: 82
    *Mar  1 00:48:30.771:       src: 10.2.2.4, dst: 10.2.2.1
    *Mar  1 00:48:30.771: NHRP: Encapsulation failed for destination 10.2.2.1 out Tunnel1
    SPOKE1#
    *Mar  1 00:53:38.695: NHRP: Setting retrans delay to 64 for nhs  dst 10.2.2.4
    *Mar  1 00:53:38.699: NHRP: Attempting to send packet via DEST 10.2.2.4
    *Mar  1 00:53:38.699: NHRP: Encapsulation succeeded.  Tunnel IP addr 190.1.2.1
    *Mar  1 00:53:38.703: NHRP: Send Registration Request via Tunnel1 vrf 0, packet size: 82
    *Mar  1 00:53:38.711:       src: 10.2.2.1, dst: 10.2.2.4
    *Mar  1 00:53:38.715: NHRP: 82 bytes out Tunnel1
    no reply from the HUB
    SPOKE1#ping 10.2.2.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.2.2.4, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    the SPOKE can't reach 10.2.2.4
    After some time:
    HUB#sh ip nhrp
    10.1.1.1/32 via 10.1.1.1, Tunnel0 created 00:25:03, expire 00:09:35
      Type: dynamic, Flags: authoritative unique registered used
      NBMA address: 191.1.1.11
    10.1.1.2/32 via 10.1.1.2, Tunnel0 created 00:21:55, expire 00:08:03
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 191.1.1.12
    10.2.2.2/32 via 10.2.2.2, Tunnel1 created 00:21:47, expire 00:08:12
      Type: dynamic, Flags: authoritative unique registered
      NBMA address: 191.1.1.12
    only 3 tunnels

  • DMVPN GRE over IPSEC Packet loss

    I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
    %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
    %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
    The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
    Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
    When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
    You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is exactly the same as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
    interface Tunnel111
    description **DPN VPN**
    bandwidth 1000
    ip address 172.31.111.107 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1300
    ip pim sparse-dense-mode
    ip nhrp authentication XXXX
    ip nhrp map multicast dynamic
    ip nhrp map multicast X.X.X.X
    ip nhrp map X.X.X.X X.X.X.X
    ip nhrp network-id 100002
    ip nhrp holdtime 360
    ip nhrp nhs 172.31.111.254
    ip route-cache flow
    ip tcp adjust-mss 1260
    ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
    qos pre-classify
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key XXXX
    tunnel protection ipsec profile X.X.X.X
    interface GigabitEthernet0/0
    description **TO DPNVPN**
    ip address 10.X.X.X 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip pim sparse-dense-mode
    ip virtual-reassembly
    duplex full
    speed 100
    no snmp trap link-status
    no mop enabled
    Is there anything that you can think of that may be causing this? Do you think this can be a layer one or two issue? Thanks
    Brenden

    Have you tried turning off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU% will run much higher, but you only have 10 spoke sites, so it won't be at 100%.
    It's better to start troubleshooting at layer 1, then layer 2, when possible. Have you asked the site's ISP about packet loss on their side?

  • DMVPN Performance vs Latency best practice

    I am currently investigating an issue which I find rather difficult to "catch" and find information about.
    We are running a DMVPN environment based on 2951 HUB routers & 1941 Spoke routers all over the globe (20 locations).
    HUB routers are connected on 200Mbit Internet lines, the spokes are connected on lots of different speeds most of them 10Mbit / 20Mbit, and 95% are performing well (getting 80 to 90% of the offered internet line over the VPN)
    Recently we added a new location which is having performance issues. From my perspective it's a problem with the local ISP. But it also made me a bit more aware of having a quite high latency of 220 ms, which might call for tweaking the TCP window size.
    I did find some info about setting the ip tcp window-size on the routers, but this made absolutely no change in performance whatsoever. (And I tried lots of different calculations / values.)
    So this gives me the impression there is already a mechanism active which optimizes the TCP window size.
    I am trying to find more information on optimizing DMVPN connections vs latency, as our new location is connected via a 30Mbit line but via the VPN we do not even get 5 to 7 Mbit.
    We did some serious testing with the ISP and from my perspective it is still an issue on their side / the routing / peering we are getting from these guys. But the ISP keeps pointing out the latency vs. performance and advises adjusting the TCP window size.
    As performance has never been an issue and has worked to our expectations, I am new to debugging our VPN networks with regard to performance.
    I would love to share some thoughts here, or be pointed in the right direction / to the right place to find documentation. I want to be able to give an educated answer to my ISP that it is an issue on their / the internet side.

    Anything you push to the DB (SQL) will be faster than processing outside.

  • Dual ISP Hub and Spoke DMVPN

    Hello All,
    I am trying to build a DMVPN solution for two sites each with secondary ISPs.
    The solution works "sort of", but doesn't seem very robust (sometimes a router reload is required if VPN doesn't come up after ISP failover)
    I was wondering if anyone had any suggestions to my config below?
    Thanks!
    !!!!HUB!!!!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    !
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    !
    crypto ipsec profile dmvpn
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    crypto ipsec profile dmvpn2
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    !
    interface Tunnel0
     ip address 10.255.255.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 6
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 545
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel1
     ip address 10.255.254.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 7
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 546
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface Tunnel2
     ip address 10.255.253.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 8
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 547
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel3
     ip address 10.255.252.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 9
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 548
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface FastEthernet0/0/0
     description Secondary ISP
     ip address 199.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface VLAN1
     description LAN
     ip address 192.168.1.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Primary ISP
     ip address 200.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 53
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.1.0
     eigrp stub connected
     no auto-summary
    !
    !
    ip route 0.0.0.0 0.0.0.0 199.1.1.2 5
    ip route 0.0.0.0 0.0.0.0 200.1.1.2
    !
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end
    !!!SPOKE!!!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    !
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    !
    crypto ipsec profile dmvpn
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    crypto ipsec profile dmvpn2
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    !
    !
    interface VLAN1
     ip address 192.168.0.1 255.255.255.0
     no ip redirects
    !
    interface Tunnel0
     ip address 10.255.255.5 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication secret1
     ip nhrp map 10.255.255.1 200.1.1.1
     ip nhrp map multicast 200.1.1.1
     ip nhrp network-id 6
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.255.1
     ip nhrp registration timeout 30
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 545
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel1
     ip address 10.255.254.5 255.255.255.0
     no ip redirects
     ip mtu 1440
     ip nhrp authentication secret1
     ip nhrp map 10.255.254.1 199.1.1.1
     ip nhrp map multicast 199.1.1.1
     ip nhrp network-id 7
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.254.1
     delay 1500
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 546
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel2
     ip address 10.255.253.5 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication secret1
     ip nhrp map multicast 200.1.1.1
     ip nhrp map 10.255.253.1 200.1.1.1
     ip nhrp network-id 8
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.253.1
     ip nhrp registration timeout 30
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 547
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface Tunnel3
     ip address 10.255.252.5 255.255.255.0
     no ip redirects
     ip mtu 1440
     ip nhrp authentication secret1
     ip nhrp map multicast 199.1.1.1
     ip nhrp map 10.255.252.1 199.1.1.1
     ip nhrp network-id 9
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.252.1
     delay 1500
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 548
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface FastEthernet0/0/0
     description Secondary Internet
     ip address 201.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description Primary Internet
     ip address 201.2.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 53
     distribute-list 1 out
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.0.0
     offset-list 1 out 12800 Tunnel1
     eigrp stub connected
     no auto-summary
    !
    !
    ip route 0.0.0.0 0.0.0.0 201.2.2.2
    ip route 0.0.0.0 0.0.0.0 201.1.1.2 5
    !
    !
    access-list 1 permit 192.168.0.0
    access-list 1 permit 10.255.255.0 0.0.0.255
    access-list 1 permit 10.255.254.0 0.0.0.255
    access-list 1 permit 10.255.253.0 0.0.0.255
    access-list 1 permit 10.255.252.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end

    Hello,
    Thanks for the response!
    I left the stub on the hub while troubleshooting, it has since been removed.
    By DPD, do you mean "crypto isakmp keepalive 10 periodic"? 
    I've since added that (spoke and hub) and while the tunnels work great (they fail over, can ping 10.255.25x.x) the routes do not update, which leads me to believe it's an EIGRP problem. Is there something else I should do for DPD?
    Thanks again
    Will
    Can't edit the original post, so:
    !Hub
    crypto isakmp keepalive 10 periodic
    router eigrp 53
    network 10.255.252.0 0.0.0.255
    network 10.255.253.0 0.0.0.255
    network 10.255.254.0 0.0.0.255
    network 10.255.255.0 0.0.0.255
    network 192.168.1.0
    no auto-summary
    !Spoke
    crypto isakmp keepalive 10 periodic
    router eigrp 53
    network 10.255.252.0 0.0.0.255
    network 10.255.253.0 0.0.0.255
    network 10.255.254.0 0.0.0.255
    network 10.255.255.0 0.0.0.255
    network 192.168.0.0
    eigrp stub connected
    no auto-summary
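
An offline pre-deployment check for DMVPN configs like the ones posted in this thread, added here as an example and not written by any of the posters. It assumes sub-commands are indented as in `show running-config` output; the `audit` function, the `WEAK` policy list and the rule that `ip tcp adjust-mss` should not exceed `ip mtu` minus 40 (20 bytes IP plus 20 bytes TCP header) are choices of this example.

```python
# Constructed sample: a shortened excerpt modelled on the spoke config posted above.
SAMPLE = """\
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile dmvpn
 set transform-set aes256
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
interface Tunnel1
 ip mtu 1440
"""

WEAK = {"md5", "esp-md5-hmac", "esp-des", "esp-3des"}  # assumed local policy list

def audit(config):
    """Return sorted findings for an IOS-style config (sub-commands indented)."""
    findings, defined, referenced, tunnels = set(), set(), set(), {}
    section = ""
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():
            section = raw.strip()  # a top-level command opens a new section
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
            defined.add(words[3])
        elif words[:2] == ["set", "transform-set"]:
            referenced.update(words[2:])
        if words[:3] == ["crypto", "isakmp", "key"] and words[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.add("wildcard pre-shared key")
        if words[0] in ("hash", "crypto"):
            findings.update(f"weak algorithm: {w}" for w in words if w in WEAK)
        if section.startswith("interface Tunnel"):
            t = tunnels.setdefault(section.split()[1], {})
            if words[:2] == ["ip", "mtu"]:
                t["mtu"] = int(words[2])
            elif words[:3] == ["ip", "tcp", "adjust-mss"]:
                t["mss"] = int(words[3])
    findings.update(f"undefined transform-set: {n}" for n in referenced - defined)
    for name, t in tunnels.items():
        if "mtu" in t and "mss" not in t:
            findings.add(f"{name}: ip mtu {t['mtu']} without ip tcp adjust-mss")
        elif "mtu" in t and t["mss"] > t["mtu"] - 40:
            findings.add(f"{name}: adjust-mss {t['mss']} exceeds ip mtu minus 40")
    return sorted(findings)
```

Calling `audit(SAMPLE)` reports the MD5 and 3DES algorithms, the pre-shared key bound to `0.0.0.0 0.0.0.0`, the profile that references a transform-set name never defined, and the tunnel that sets `ip mtu` with no MSS clamp.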
