DMVPN Phase 3 ip nhrp short / ip nhrp redirect missing

Dear All, we are trying to set up DMVPN Phase 3 and need to enter the commands ip nhrp shortcut and ip nhrp redirect, which is not possible on Cisco 1841 routers - IOS version advipservicesk9-mz.124-25f.bin
On a Cisco 1812 c181x-advipservicesk9-mz.124-24.T4.bin we can enter the commands.
Output commands 1841:
Router 1(config-if)#ip nhrp ?
  authentication  Authentication string
  holdtime        Advertised holdtime
  interest        Specify an access list
  map             Map dest IP addresses to NBMA addresses
  max-send        Rate limit NHRP traffic
  network-id      NBMA network identifier
  nhs             Specify a next hop server
  record          Allow NHRP record option
  registration    Settings for registration packets.
  responder       Responder interface
  server-only     Disable NHRP requests
  trigger-svc     Create NHRP cut-through based on traffic load
  use             Specify usage count for sending requests
Output commands 1812:
Router 2(config-if)#ip nhrp ?
  authentication  Authentication string
  cache           NHRP Cache related commands.
  group           NHRP group name
  holdtime        Advertised holdtime
  interest        Specify an access list
  map             Map dest IP addresses to NBMA addresses
  max-send        Rate limit NHRP traffic
  network-id      NBMA network identifier
  nhs             Specify a next hop server
  record          Allow NHRP record option
  redirect        Enable NHRP redirect traffic indication
  registration    Settings for registration packets.
  responder       Responder interface
  server-only     Disable NHRP requests
  shortcut        Enable shortcut switching
  trigger-svc     Create NHRP cut-through based on traffic load
  use             Specify usage count for sending requests
This is the information I found on the Cisco web page: "In Cisco IOS Software Release 12.4(6)T, DMVPN Phase 3 was introduced". Now I am wondering which software I shall use for the Cisco 1841 as we already use a higher version: advipservicesk9-mz.124-25f.bin
I appreciate your help
Thank you
Nikola

Nikola,
Let's start with this:
http://en.wikipedia.org/wiki/Cisco_IOS#Versioning
Then what you need to understand is that T train is where we put all the new features. Mainline is one we rebuild with usually no big changes, i.e. main focus is stability with less features.
That being said 12.4(25) might have a higher number than 12.4(24)T, but it will not contain some features.
Marcin
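
An added example, not part of the original posts and not Cisco tooling: a small Python check that parses the image names quoted in this thread and reports whether `ip nhrp shortcut` / `ip nhrp redirect` should be expected, using only the two facts stated above (Phase 3 arrived in 12.4(6)T; 12.4 mainline does not carry T-train features). The function names and the filename pattern are assumptions made for illustration; releases newer than 12.4 are reported as undetermined because the thread does not cover them.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed layout of the version part of an IOS image name:
#   ...-mz.<RRr>-<maint>[letter][.<TRAIN><rebuild>].bin
# e.g. "mz.124-25f.bin" (mainline) or "mz.124-24.T4.bin" (T train).
_IMAGE_RE = re.compile(
    r"\.(?P<rel>\d{3})-(?P<maint>\d+)(?P<mrebuild>[a-z]*)"
    r"(?:\.(?P<train>[A-Z]+)(?P<trebuild>\d*))?\.bin$"
)


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    maint_rebuild: str   # letter inside the parentheses, e.g. "f" in 12.4(25f)
    train: str           # "" means mainline
    train_rebuild: str   # digits after the train letter, e.g. "4" in T4

    def __str__(self) -> str:
        return (f"{self.major}.{self.minor}({self.maint}{self.maint_rebuild})"
                f"{self.train}{self.train_rebuild}")


def parse_image(name: str) -> IosVersion:
    """Extract release, maintenance number and train from an image file name."""
    m = _IMAGE_RE.search(name.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS image name: {name!r}")
    rel = m["rel"]                      # "124" -> 12.4, "150" -> 15.0
    return IosVersion(int(rel[:2]), int(rel[2:]), int(m["maint"]),
                      m["mrebuild"], m["train"] or "", m["trebuild"] or "")


def phase3_expected(v: IosVersion) -> Optional[bool]:
    """True/False when the thread's facts decide it, None when they do not."""
    release = (v.major, v.minor)
    if release < (12, 4):
        return False                    # older than the release that introduced it
    if release > (12, 4):
        return None                     # not covered by this thread
    if v.train == "":
        return False                    # 12.4 mainline: stability rebuilds only
    if v.train == "T":
        return v.maint >= 6             # introduced in 12.4(6)T
    return None                         # some other 12.4 special train


def audit(images: List[str]) -> List[Tuple[str, Optional[bool]]]:
    """Return (version string, phase3_expected) for each image name."""
    return [(str(v), phase3_expected(v)) for v in map(parse_image, images)]


if __name__ == "__main__":
    # Image names exactly as quoted by the posters on this page.
    quoted = [
        "advipservicesk9-mz.124-25f.bin",
        "c181x-advipservicesk9-mz.124-24.T4.bin",
        "c7200p-advipservicesk9-mz.150-1.M7.bin",
    ]
    for version, verdict in audit(quoted):
        label = {True: "expected", False: "not expected", None: "undetermined"}[verdict]
        print(f"{version:<12} ip nhrp shortcut/redirect: {label}")
```

The 1841 image parses as 12.4(25f) mainline, which sorts numerically above 12.4(24)T4 yet is the one without the Phase 3 commands, matching the two `ip nhrp ?` outputs in the question.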

Similar Messages

  • DMVPN phase 3 - scalability - nhrp generates high cpu load

    Hey all.
    Been running into scalability issues with DMVPN. Mainly caused (as I see it) by NHRP.
    Scenario:
    IOS-SLB-based DMVPN solution in a dual-cloud setup. Practically it's 2 separate solutions with spokes having 2 tunnels (one in each cloud). See attachment sketch. We're running a phase 3 hierarchy design (trying at least)
    Spoke routers:
    - 2500 routers in a mixture of c871, c881, c2800, c2900. Need to scale to at least twice that.
    - Spoke-to-spoke is heavily used
    Farm routers:
    - Cisco 7201 with VAM2+. Around 1 router per 350 spokes (+1 for secondary tunnel)
    Superhub:
    - ASR 1004 (one for primary and one for secondary dmvpn-cloud).
    We're not running any IPSEC between the farms and the superhubs. Just regular unencrypted DMVPN (mGRE).
    Problem:
    - NHRP is causing high CPU load on the ASRs. With around 2000 spokes up and running on DMVPN the CPU is overloaded with NHRP traffic. We're talking like 60-70% load caused by the NHRP process alone!
    We're using 'ip nhrp interest' on all the spokes - and farms. We're in need of the spoke-to-spoke functionality so we're allowing LAN-segments of our customers but denying everything else.
    Solutions?
    1. Turning off all NHRP resolutions? Basically remove any directly spoke-spoke communications (denying everything on the interest list). We can't go there since a lot of our customers are in dire need for directly spoke-spoke connectivity (due to latency). Haven't tested that it will actually give the much needed scalable solution either (we're facing around 5000 spokes in the next 2-3 years).
    2. Chopping the DMVPN solution up in lesser VPN-blocks. This will administratively be a nightmare.
    3. ?
    Will really appreciate if anyone has any input here. It's really hard finding anything about a LARGE scale phase3 design on the web. Everything I find seems to mix stuff from small-scale phase 2 and 3 - making it a rather messy cooking recipe for a small breakfast while I need a 7 course perfect dinner
    When will Cisco come with an updated design guide btw?
    Thanks in advance!

    Thank you for your quick reply.
    Our ASRs (rp1) are acting as BGP RR while the farm routers are setup as RR clients.
    We haven't tried connecting spokes directly to the ASRs but we have seen the same symptoms on the 7613s (sup720) and the 7200-platform.
    Earlier the 7600 had the same role the ASRs have today. We were expecting that the ASRs should be doing "a better job" in terms of CPU load but we were wrong (NHRP generated around 10% more cpu load on the ASRs in comparison).
    We concluded that the ASRs have a less optimized OS (coding) being rather new and all. Further we're not all happy about the stability of the platform (clear ip nhrp or taking a shutdown on the tunnel in the current situation will crash the router. 15.1(2)S1 and 15.1(3)S0a adv ip services). Haven't made a TAC case of it yet but will (has to be a bug as I see it since the 7200/7600 is handling this just fine).
    Due to what I mentioned above I don't dare to debug the problem in production time and have to wait until the next scheduled maintenance window for some decent debug output (24. Oct).
    We've contacted Cisco AS for assistance since it's hard to find local consultants (Norway) with enough knowledge of such scenario.
    I just hope it's a config-issue and not a design issue, but we're willing to do whatever for this to scale to the thousands.

  • DMVPN and %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel0: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) Error

      %DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel0: NHRP Encap Error for  Resolution Request , Reason:  protocol generic error (7)
    I had pre-allocated tunnel IPs to remote spokes; some of them were implemented and put into production. Some of them got the config but the tunnel interfaces were left at shut.
    It's because of this reason that the DMVPN HUB keeps getting NHRP requests from one of the inactive spokes. Following is the sh ip nhrp extract:
    10.x.x22/32
       Tunnel0 created 00:02:58, expire 00:00:06
       Type: incomplete, Flags: negative
       Cache hits: 7
    I just can't seem to find the spoke WAN IP to identify it. I tried debugs but just can't get it.
    From HUB:-
    Nov 30 10:36:31: %DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel0: NHRP Encap Error for  Resolution Request , Reason:  protocol generic error (7) on (Tunnel: 10.x.x.1 NBMA: 20.x.x.x)
    Nov 30 10:36:32: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 86
    Nov 30 10:36:32:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
    Nov 30 10:36:32:      shtl: 4(NSAP), sstl: 0(NSAP)
    Nov 30 10:36:32:      pktsz: 86 extoff: 52
    Nov 30 10:36:32:  (M) flags: "router auth src-stable nat ", reqid: 46113
    Nov 30 10:36:32:      src NBMA: 20.x.x.x.
    Nov 30 10:36:32:      src protocol: 10.x.x.1, dst protocol: 10.x.x.22
    Nov 30 10:36:32:  (C-1) code: no error(0)
    Nov 30 10:36:32:        prefix: 32, mtu: 17912, hd_time: 360
    Nov 30 10:36:32:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    Nov 30 10:36:31: %DMVPN-3-DMVPN_NHRP_ERROR:  Tunnel0: NHRP Encap Error for  Resolution Request , Reason:  protocol generic error (7) on (Tunnel: 10.x.x.1 NBMA: 20.x.x.x)
    So my question is: how do I find out the spoke WAN IP, so I can do something about it? For now, it's just filling up my logs on the hub router...not good ;-))

    Hello Marcin,
    If tunnel interface is shut no NHRP activity should be going, on top, in debugs you point the hub is sending resolution request, not receiving it.
    Agree, I expected the same, but unfortunately this is not the case. Spoke does send out NHRP requests even with Tunnel status as admin shut.
    If your hub does not have NHS, it will not know where to send its resolution request.
    I am still on DMVPN Phase 1, so spokes don't talk to other spokes yet.
    Are you positive that there is nothing that is sending packets towards 10.x.x.22 on hub side (sniffer trace of classifying ACL on "LAN")?
    Other than a spoke, it can't be anything, as the subnet is dedicated for tunnel interfaces.
    If you know it's not a misconfig and there is no traffic on hub side initiated to 10.x.x.22, try removing and adding full tunnel configuration. i.e. we want to make sure that crypto socket gets closed and restarted.
    I can do this over the weekend, but I am sure this is not going to fix the problem, reason being that the HUB was set up before anything else and then we started migrating spokes from primary legacy GRE tunnels to DMVPN tunnel as primary and legacy as a backup.
    Guess I am still looking for the answer... Is there a WAN ACL that I can use to filter the successfully migrated spokes and log the deny message as in to know what remote WAN IP carries along the tunnel IP of .22, or any other debug?

  • Does 7206VXR (NPE-G2) with c7200p-advipservicesk9-mz.150-1.M7 support DMVPN phase 3?

    Hello,
    We have a cisco 7206VXR (NPE-G2) with IOS c7200p-advipservicesk9-mz.150-1.M7.bin.
    We want to implement DMVPN phase 3 but the command "show ip nhrp shortcut" is not included.
    Does 7206VXR (NPE-G2) with c7200p-advipservicesk9-mz.150-1.M7 support DMVPN phase 3?
    Is there any other command to verify the DMVPN phase 3 implementation?
    Thank you in advance!

    Hi Inayath,
    We are applying policy-map on user virtual-interface via radius attributes.
    Cisco-Avpair+="lcp:interface-config#1=service-policy input 256k"
    Cisco-Avpair+="lcp:interface-config#2=service-policy output 256k"
    Below is the relevant configuration for cisco router.
    aggri03#sh policy-map 256k
      Policy Map 256k
        Class 256k
         police cir 520000 bc 32000
           conform-action transmit
           exceed-action drop
    aggri03#sh run int virtual-te1
    Building configuration...
    Current configuration : 398 bytes
    interface Virtual-Template1
     mtu 1492
     ip unnumbered Loopback100
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no logging event link-status
     peer default ip address pool poolname
     no snmp trap link-status
     keepalive 60
     ppp authentication pap callin
     ppp ipcp dns 203.187.x.y 203.187.x.y
     ppp timeout ncp 30
     ppp timeout authentication 20
     ppp timeout idle 480
    end
    Below is the complete log line on router.
    Sep  3 16:41:31: %SW_MGR-3-CM_ERROR_FEATURE_CLASS: Connection Manager Feature Error: Class SSS: (QoS) - install error, ignore.
    -Traceback= 4A9C88 4AAC20 4AB350 12B6040 12C8B38 2C2F24C 2C2F2FC 12C8E0C 12C9000 12C94D0 12B4788 12B4D40 12B4E84 12AFEB0 12B02FC
    Please let me know if you want further information & thanks for your inputs.
    Thanks,
    Nilesh.

  • 12.4(11) or 12.4(15) for DMVPN Phase 3

    Hi
    We are to plan a migration from DMVPN Phase 2 12.3(11) to a DMVPN Phase 3 architecture (about 300 spokes).
    Has someone experienced any issues with the following IOS versions in a DMVPN Phase 3 architecture?
    12.4 (11) or
    12.4 (15).
    Thank you very much for your help

    Are you referring to 12.4 Mainline code or 12.4T code? The reason I ask is, I have not seen a 12.4(11) or 12.4(15) on cisco.com.
    If you are referring to 12.4(11)T or 12.4(15)T, you may want to look at CSCsj34699 which is resolved in 12.4(15)T1. Also, take a look at the 12.4T release notes for additional information.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124relnt/xprn124t/124tcavs.htm
    Regards,
    Arul

  • DMVPN Phase 3 dual cloud Spoke-to-Spoke communication

    Hello,
    I'd like to confirm/verify if Phase 3 allows Spokes in different DMVPN domains to communicate directly or is traffic from Spoke-DMVPN-A routed across the Hubs to Spoke-DMVPN-B? Any authoritative documentation on CCO on this specific scenario is greatly appreciated.
    Thanks.
    -Mike

    Mike, 
    I might be off, not working with VPNs for a year now, but here goes. 
    It really depends on what is a domain for you. Remember that NHRP network ID is locally significant.
    Ultimately same network ID allows NHRP resolution requests to jump between different tunnels. 
    If network ID is different then the "domain" is different and NHRP should not flow between. 
    For the rest it's all based on routing, it's just a question of making conscious design choices before deploying and a bit of testing. 
    M.

  • DMVPN phase 3 migration with Central hub

    I am looking at migrating my phase 2 DMVPN network to phase 3. The current network contains 3 regional hubs each serving approx 100 spokes. The end goal is to be able to build spoke to spoke tunnels between sites that are homed to hubs in different regions. I understand from reading the document "Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3" that phase 3 regional hubs can be linked in a hierarchy via a central hub but there is no detail in the doc and I have not been able to find a white paper that deals with this specifically. Does anyone have experience with this topology or have documentation that deals with central hub configuration and deployment?
    Regards,
    Mike

    Mike,
    Might be a good idea to run this by your SE.
    In general phase 3 design with phase 3 images you need to remember you will follow routing for NHRP, i.e. if you summarize properly you will scale pretty decently (with or without regional hub).
    What are the benefits of phase 3 design compared to phase 2 design that you're trying to achieve?
    Marcin.
    P.S. If we're talking about the same migration document
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
    it's an un-maintained marketing document, all our efforts to correct some of the problems there (ip ospf network point-to-multipoint for example) so far have not come to fruition.

  • DMVPN phase I fails when migrating from PSK to RSIG

    I am currently in the process of migrating my DMVPN network from pre-shared key to certificates. Most of the spokes have come up and are working without any issues but there are several that are not making it past phase I. I have included the isakmp debugging from the hub and one of the spokes that are failing. I see that the hub is going QM_IDLE after receiving the certificate from the spoke but it does not look like the spoke ever receives the cert from the hub. I suspect an issue with the ISP but it's not as simple as filtering 500 as all the messages except the cert seem to make it. If I move the spoke back to PSK it works fine. Has anyone seen this issue before and what was the resolution?
    DMVPN Hub
    Oct  7 19:38:36.213: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.213: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F1AA7CC5920
    Oct  7 19:38:36.213: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.213: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):found peer pre-shared key matching 2.8.51.58
    Oct  7 19:38:36.214: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.214: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.214: ISAKMP:      hash MD5
    Oct  7 19:38:36.214: ISAKMP:      default group 1
    Oct  7 19:38:36.214: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.214: ISAKMP:      life type in seconds
    Oct  7 19:38:36.214: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.214: ISAKMP:(0):atts are acceptable. Next payload is 3
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.214: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.214: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 2.8.51.58)
    Oct  7 19:38:36.214: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.214: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Oct  7 19:38:36.214: ISAKMP (0): vendor ID is NAT-T v7
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v3
    Oct  7 19:38:36.214: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct  7 19:38:36.214: ISAKMP:(0): vendor ID is NAT-T v2
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    Oct  7 19:38:36.214: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.214: ISAKMP:(0): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_SA_SETUP
    Oct  7 19:38:36.214: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.214: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.214: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    Oct  7 19:38:36.240: ISAKMP (0): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_SA_SETUP
    Oct  7 19:38:36.240: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.240: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
    Oct  7 19:38:36.240: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.242: ISAKMP:(38618): peer wants cert issued by cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is DPD
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): speaking to another IOS box!
    Oct  7 19:38:36.242: ISAKMP:(38618): processing vendor id payload
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID seems Unity/DPD but major 209 mismatch
    Oct  7 19:38:36.242: ISAKMP:(38618): vendor ID is XAUTH
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): His hash no match - this node outside NAT
    Oct  7 19:38:36.242: ISAKMP:received payload type 20
    Oct  7 19:38:36.242: ISAKMP (38618): No NAT Found for self or peer
    Oct  7 19:38:36.242: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.242: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM3
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP:(38618): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.243: ISAKMP (38618): constructing CERT_REQ for issuer cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.243: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.243: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.243: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.243: ISAKMP:(38618):Old State = IKE_R_MM3  New State = IKE_R_MM4
    Oct  7 19:38:36.484: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) MM_KEY_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.484: ISAKMP:(38618):Old State = IKE_R_MM4  New State = IKE_R_MM5
    Oct  7 19:38:36.484: ISAKMP:(38618): processing ID payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.484: ISAKMP:(38618): processing CERT payload. message ID = 0
    Oct  7 19:38:36.484: ISAKMP:(38618): processing a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.484: ISAKMP:(38618): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): peer's pubkey is cached
    Oct  7 19:38:36.485: ISAKMP:(38618): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.485: ISAKMP:(38618): Unable to get DN from certificate!
    Oct  7 19:38:36.485: ISAKMP:(38618): processing SIG payload. message ID = 0
    Oct  7 19:38:36.486: ISAKMP:received payload type 17
    Oct  7 19:38:36.486: ISAKMP:(38618): processing NOTIFY INITIAL_CONTACT protocol 1
            spi 0, message ID = 0, sa = 0x7F1AA7CC5920
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618):SA has been authenticated with 2.8.51.58
    Oct  7 19:38:36.486: ISAKMP:(38618):SA authentication status:
            authenticated
    Oct  7 19:38:36.486: ISAKMP:(38618): Process initial contact,
    bring down existing phase 1 and 2 SA's with local 15.18.1.1 remote 2.8.51.58 remote port 500
    Oct  7 19:38:36.486: ISAKMP:(38617):received initial contact, deleting SA
    Oct  7 19:38:36.486: ISAKMP:(38617):peer does not do paranoid keepalives.
    Oct  7 19:38:36.486: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.486: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.486: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_R_MM5
    Oct  7 19:38:36.487: ISAKMP: set new node 2177251913 to QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    Oct  7 19:38:36.487: ISAKMP:(38617):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.487: ISAKMP:(38617):purging node 2177251913
    Oct  7 19:38:36.487: ISAKMP:(38617):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Oct  7 19:38:36.487: ISAKMP:(38617):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.487: ISAKMP:(38618):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.487: ISAKMP:(38618):Using FQDN as My ID
    Oct  7 19:38:36.487: ISAKMP:(38618):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.487: ISAKMP (38618): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : selurt-dmvpn-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 44
    Oct  7 19:38:36.487: ISAKMP:(38618):Total payload length: 44
    Oct  7 19:38:36.487: ISAKMP:(38618): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.488: ISAKMP:(38618): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 2.8.51.58)
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for hostname=selurt-dmvpn-01.nvv.net.company.com,serialNumber=4279180096
    Oct  7 19:38:36.489: ISAKMP (38618): constructing CERT payload for cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.489: ISAKMP:(38618): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.494: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
    Oct  7 19:38:36.494: ISAKMP:(38617):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38617):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.494: ISAKMP:(38617):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Oct  7 19:38:36.494: ISAKMP:(38618):IKE_DPD is enabled, initializing timers
    Oct  7 19:38:36.494: ISAKMP:(38618): IKE->PKI End PKI Session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618): PKI->IKE Ended PKI session state (R) QM_IDLE       (peer 2.8.51.58)
    Oct  7 19:38:36.494: ISAKMP:(38618):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:36.494: ISAKMP:(38618):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    selurt-dmvpn-01#
    Oct  7 19:38:46.492: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:46.492: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:46.492: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:46.992: ISAKMP (38618): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.992: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:46.992: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:46.992: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:38:56.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:38:56.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:38:56.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:38:56.981: ISAKMP (38618): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:38:56.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:38:56.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:06.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:06.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:06.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:06.981: ISAKMP (38618): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:06.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:06.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:09.880: ISAKMP:(38616):purging SA., sa=7F1AA7721158, delme=7F1AA7721158
    selurt-dmvpn-01#
    Oct  7 19:39:16.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:16.481: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:16.481: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:16.980: ISAKMP (38618): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.980: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:16.980: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:16.980: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:26.481: ISAKMP (38618): received packet from 2.8.51.58 dport 500 sport 500 Global (R) QM_IDLE
    Oct  7 19:39:26.482: ISAKMP:(38618): phase 1 packet is a duplicate of a previous packet.
    Oct  7 19:39:26.482: ISAKMP:(38618): retransmitting due to retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE      ...
    Oct  7 19:39:26.981: ISAKMP (38618): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.981: ISAKMP:(38618): retransmitting phase 1 QM_IDLE
    Oct  7 19:39:26.981: ISAKMP:(38618): sending packet to 2.8.51.58 my_port 500 peer_port 500 (R) QM_IDLE
    selurt-dmvpn-01#
    Oct  7 19:39:26.981: ISAKMP:(38618):Sending an IKE IPv4 Packet.
    selurt-dmvpn-01#
    Oct  7 19:39:36.493: ISAKMP:(38617):purging SA., sa=7F1AA79AD9E0, delme=7F1AA79AD9E0
    DMVPN Spoke
    Oct  7 19:38:36.181: ISAKMP:(0): SA request profile is (NULL)
    Oct  7 19:38:36.181: ISAKMP: Created a peer struct for 15.18.1.1, peer port 500
    Oct  7 19:38:36.181: ISAKMP: New peer created peer = 0x2B1F480C peer_handle = 0x80001DF4
    Oct  7 19:38:36.181: ISAKMP: Locking peer struct 0x2B1F480C, refcount 1 for isakmp_initiator
    Oct  7 19:38:36.181: ISAKMP: local port 500, remote port 500
    Oct  7 19:38:36.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:38:36.181: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B16C9FC
    Oct  7 19:38:36.181: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Oct  7 19:38:36.181: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.181: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Oct  7 19:38:36.181: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Oct  7 19:38:36.181: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Oct  7 19:38:36.181: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Oct  7 19:38:36.181: ISAKMP:(0): beginning Main Mode exchange
    Oct  7 19:38:36.181: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    Oct  7 19:38:36.181: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.205: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Oct  7 19:38:36.205: ISAKMP:(0): processing SA payload. message ID = 0
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):found peer pre-shared key matching 15.18.1.1
    Oct  7 19:38:36.205: ISAKMP:(0): local preshared key found
    Oct  7 19:38:36.205: ISAKMP : Scanning profiles for xauth ...
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    Oct  7 19:38:36.205: ISAKMP:      encryption 3DES-CBC
    Oct  7 19:38:36.205: ISAKMP:      hash MD5
    Oct  7 19:38:36.205: ISAKMP:      default group 1
    Oct  7 19:38:36.205: ISAKMP:      auth RSA sig
    Oct  7 19:38:36.205: ISAKMP:      life type in seconds
    Oct  7 19:38:36.205: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct  7 19:38:36.205: ISAKMP:(0):atts are acceptable. Next payload is 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Acceptable atts:life: 0
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct  7 19:38:36.205: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct  7 19:38:36.205: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 15.18.1.1)
    Oct  7 19:38:36.205: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct  7 19:38:36.205: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct  7 19:38:36.205: ISAKMP:(0): processing vendor id payload
    Oct  7 19:38:36.205: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Oct  7 19:38:36.205: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Oct  7 19:38:36.205: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.205: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 15.18.1.1)
    Oct  7 19:38:36.209: ISAKMP (0): constructing CERT_REQ for issuer cn=Tetra Pak Root CA - G1
    Oct  7 19:38:36.209: ISAKMP:(0): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Oct  7 19:38:36.209: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.209: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.209: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Oct  7 19:38:36.233: ISAKMP (0): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
    Oct  7 19:38:36.233: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct  7 19:38:36.233: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Oct  7 19:38:36.233: ISAKMP:(0): processing KE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): processing CERT_REQ payload. message ID = 0
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants a CT_X509_SIGNATURE cert
    Oct  7 19:38:36.245: ISAKMP:(8329): peer wants cert issued by cn=Tetra Pak Issuing NAD CA 01 - G1,dc=tp1,dc=ad1,dc=tetrapak,dc=com
    Oct  7 19:38:36.249:  Choosing trustpoint TP_NAD_CA as issuer
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is Unity
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): vendor ID is DPD
    Oct  7 19:38:36.249: ISAKMP:(8329): processing vendor id payload
    Oct  7 19:38:36.249: ISAKMP:(8329): speaking to another IOS box!
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): His hash no match - this node outside NAT
    Oct  7 19:38:36.249: ISAKMP:received payload type 20
    Oct  7 19:38:36.249: ISAKMP (8329): No NAT Found for self or peer
    Oct  7 19:38:36.249: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct  7 19:38:36.249: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct  7 19:38:36.249: ISAKMP:(8329):Send initial contact
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.249: ISAKMP:(8329):My ID configured as IPv4 Addr, but Addr not in Cert!
    Oct  7 19:38:36.249: ISAKMP:(8329):Using FQDN as My ID
    Oct  7 19:38:36.249: ISAKMP:(8329):SA is doing RSA signature authentication using id type ID_FQDN
    Oct  7 19:38:36.249: ISAKMP (8329): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : lvrirt-s2s-01.nvv.net.company.com
            protocol     : 17
            port         : 500
            length       : 42
    Oct  7 19:38:36.249: ISAKMP:(8329):Total payload length: 42
    Oct  7 19:38:36.249: ISAKMP:(8329): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP:(8329): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:38:36.253: ISAKMP (8329): constructing CERT payload for hostname=lvrirt-s2s-01.nvv.net.company.com,serialNumber=FCZ163860KW
    Oct  7 19:38:36.253: ISKAMP: growing send buffer from 1024 to 3072
    Oct  7 19:38:36.253: ISAKMP:(8329): using the TP_NAD_CA trustpoint's keypair to sign
    Oct  7 19:38:36.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:36.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:36.449: ISAKMP:(8329):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct  7 19:38:36.449: ISAKMP:(8329):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct  7 19:38:36.481: ISAKMP (8328): received packet from 15.18.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:46.449: ISAKMP (8329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct  7 19:38:46.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:46.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node 1841056658
    Oct  7 19:38:54.709: ISAKMP:(8327):purging node -57107868
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:38:56.449: ISAKMP (8329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct  7 19:38:56.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:38:56.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:04.709: ISAKMP:(8327):purging SA., sa=3169E824, delme=3169E824
    Oct  7 19:39:06.181: ISAKMP: set new node 0 to QM_IDLE
    Oct  7 19:39:06.181: ISAKMP:(8329):SA is still budding. Attached new ipsec request to it. (local 2.8.51.58, remote 15.18.1.1)
    Oct  7 19:39:06.181: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct  7 19:39:06.181: ISAKMP: Error while processing KMI message 0, error 2.
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:06.449: ISAKMP (8329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    Oct  7 19:39:06.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:06.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:10.261: ISAKMP:(8328):purging node -1445247076
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:16.449: ISAKMP (8329): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct  7 19:39:16.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:16.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:20.261: ISAKMP:(8328):purging SA., sa=2AD85BD0, delme=2AD85BD0
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:26.449: ISAKMP (8329): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct  7 19:39:26.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329): sending packet to 15.18.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct  7 19:39:26.449: ISAKMP:(8329):Sending an IKE IPv4 Packet.
    Oct  7 19:39:36.449: ISAKMP:(8329): retransmitting phase 1 MM_KEY_EXCH...
    Oct  7 19:39:36.449: ISAKMP:(8329):peer does not do paranoid keepalives.
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)
    Oct  7 19:39:36.449: ISAKMP:(8329):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 15.18.1.1)

    Mike,
    Hub sends its cert but spoke never receives that, this is typically a problem with fragmentation handling in transit networks.
    Sniff both ends you control and check whether you're not missing any fragments on spoke end.
    Could be as simple as an MTU problem on your end or could be something in the path attempting reassembly.
    Multiple ways to go, check your end, if fragments are missing in transit - start investigating with ISP(s).
    M.
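The pattern discussed in this reply (an SA that sends its certificate, gets no answer and dies by retransmission) can be picked out of a long `debug crypto isakmp` capture automatically. The script below is an added example, not part of the original thread; the sample log is constructed, and the verdict names and function names are assumptions of this sketch.

```python
import re

# Constructed sample in the style of IOS "debug crypto isakmp" output.
# SA ids, hostnames and addresses are made up (192.0.2.0/24 is documentation space).
SAMPLE = """\
Oct  7 10:00:00.249: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
Oct  7 10:00:00.253: ISAKMP (1001): constructing CERT payload for hostname=spoke1.example.test
Oct  7 10:00:00.253: ISKAMP: growing send buffer from 1024 to 3072
Oct  7 10:00:00.449: ISAKMP:(1001): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct  7 10:00:00.449: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
Oct  7 10:00:05.100: ISAKMP (1002): constructing CERT payload for hostname=spoke1.example.test
Oct  7 10:00:05.300: ISAKMP (1002): received packet from 192.0.2.9 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct  7 10:00:05.310: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Oct  7 10:00:10.449: ISAKMP (1001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 10:00:20.449: ISAKMP (1001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct  7 10:00:50.449: ISAKMP (1001): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 10:01:00.449: ISAKMP:(1001):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 192.0.2.1)
"""

# IOS prints the SA id as "ISAKMP:(n)" or "ISAKMP (n)"; some lines carry no id at all.
SA_RE = re.compile(r"IS(?:AK|KA)MP\s*:?\s*\((\d+)\)")
STATE_RE = re.compile(r"New State = (\S+)")
RETX_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEATH_RE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)')
BUF_RE = re.compile(r"growing send buffer from (\d+) to (\d+)")


class SaTrace:
    """What the debug output tells us about one IKE phase 1 SA."""

    def __init__(self, sa_id):
        self.sa_id = sa_id
        self.last_state = ""
        self.retransmits = 0      # highest "attempt N of M" seen
        self.cert_sent = False    # a CERT payload was built for this SA
        self.send_buffer = 0      # size the send buffer grew to, in bytes
        self.rx_after_cert = 0    # packets received after the CERT was built
        self.death_reason = ""
        self.death_state = ""


def parse_isakmp_debug(text):
    """Group debug lines by SA id and record the events that matter here."""
    traces, current = {}, None
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            if m.group(1) == "0":          # placeholder id used before keying
                current = None
                continue
            current = traces.setdefault(m.group(1), SaTrace(m.group(1)))
        if current is None:
            continue
        # Lines without an id (the buffer line) are credited to the last SA seen.
        if "constructing CERT payload" in line:
            current.cert_sent = True
        if "received packet from" in line and current.cert_sent:
            current.rx_after_cert += 1
        for regex, handler in (
            (BUF_RE, lambda g: setattr(current, "send_buffer", int(g[1]))),
            (STATE_RE, lambda g: setattr(current, "last_state", g[0])),
            (RETX_RE, lambda g: setattr(
                current, "retransmits", max(current.retransmits, int(g[0])))),
        ):
            found = regex.search(line)
            if found:
                handler(found.groups())
        dead = DEATH_RE.search(line)
        if dead:
            current.death_reason, _, current.death_state = dead.groups()
    return traces


def diagnose(trace):
    """Return a short verdict for one SA."""
    if "retransmission" in trace.death_reason.lower():
        if trace.cert_sent and trace.rx_after_cert == 0:
            # Large certificate-bearing messages were exchanged and nothing
            # came back: check for lost IP fragments on the path.
            return "no-reply-after-cert"
        return "retransmit-death"
    if trace.last_state == "IKE_P1_COMPLETE":
        return "completed"
    return "in-progress"


def report(text):
    return {sa: diagnose(t) for sa, t in parse_isakmp_debug(text).items()}


if __name__ == "__main__":
    for sa, verdict in report(SAMPLE).items():
        print(sa, verdict)
```

A `no-reply-after-cert` verdict is only a pointer to where to capture; the packet traces on both ends decide whether fragments are actually being dropped.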

  • IOS version to do DMVPN Phase 2 on 831

    What version of IOS is needed to do phase 2 DMVPN on a Cisco 831?

    We are currently running 12.4 (11) T4 for 1 year with about 300 spokes on phase 2 and everything works perfectly

  • Urgent: Data Loading error(Load failed with Short Dump) caller 70 missing

    Hi please go through the error occurred.
    "Request is still running.
    Diagnosis:
    No error could be found. The current process has probably not finished yet.
    System Response:
    The ALE Inbox of the SAP BW is identical to ALE Outbox of the source System and /or the maximum wait time for this request has not yet run out and/or the batch job in the source system has not ended.
    current status
    in the source system."
    Update mode: Full, processing Online.
    I think we processed the infopackage in the online. If we process it in the background then we won't face any problem. Signal turns to Red.
    Please guide us. We need to load it immediately.
    Thanks in advance.
    Regards,
    Nagesh.
    Message was edited by: Nagesh Ganisetti

    Hi Friends,
       At last the load has terminated with Short Dump. Can anyone guide me how can I resolve this. We could see the data in PSA.
    I'm sending the part of the short dump.
    Too many parameters specified with PERFORM.                                                                               
    What happened?                                                                               
    In a subroutine call, there were more parameters than in the  routinedefinition.                                                                         
    Error in ABAP application program.                          
    The current ABAP program "GP3KGSUXARXPB2F9YCR4B3MFPT6 " had to be terminated because one of statements could not be executed.                    
    This is probably due to an error in the ABAP program.                       
    What can you do?                                                                               
    Print out the error message (using the "Print" function)                                    
    and make a note of the actions and input that caused the                                    
    error.                                                                               
    To resolve the problem, contact your SAP system administrator.                              
    You can use transaction ST22 (ABAP Dump Analysis) to view and administer                    
    termination messages, especially those beyond their normal deletion                        
    date.                           
    is especially useful if you want to keep a particular message.                              
    Error analysis                                                                               
    A PERFORM was used to call the routine "VALUE_TO_SID_CONVERT_DB" of the program             
    "GP3KGSUXARXPB2F9YCR4B3MFPT6 ".                                                            
    This routine contains exactly 7 formal parameters, but the current                       
    call contains 8 actual parameters.                                                          
    parameters.                                                     
    How to correct the error                                         
    Correct the PERFORM call. You can find out where the call occurs in the section "Active calls / events".
    You may able to find an interim solution to the problem                                     
    in the SAP note system. If you have access to the note system yourself,                     
    use the following search criteria:     
    Please guide me.
    Regards,
    Nagesh.
    Message was edited by: Nagesh Ganisetti

  • Adobe App short cut for Android missing

    I have an HTC evo design and I have the adobe reader installed and I cannot find that apps short cut in any of the settings nor in the app settings. I have never had an app do this and I am an advanced user. I would like to know if anyone else had this issue or if there is a fix I can download or what might have happened to make the short cut disappear. I am having to launch it through the app play store, Android market, and I want to have a short cut to put on my home screen. Please help, thank you.

    hello Raj,
              After you are done with your SAP WAS installation, go to programs there you can find the related tools.
    if not there's some problem with your installation.
    Hope it solves your Qn
    Reward with suitable points*
    Regards,
    C

  • SPAM short dumps in CHECK_REQUIREMENTS phase

    Hi All,
    I am importing support packages SAPKE60028 - 35 (SAP_HR) and SAPKGPHD28 - 35 (EA-HR) into my ECC 6.00 DEV system.  When the process moves to the CHECK_REQUIREMENTS phase, I get a short dump as shown:
    The current ABAP program "SAPLSPAM" had to be terminated because it has 
    come across a statement that unfortunately cannot be executed.                                                                               
    The following syntax error occurred in program                          
    "CL_HRPAY00_CLC_UTILITIES======CP " in include                         
    "CL_HRPAY00_CLC_UTILITIES======CO " in                                 
    line 5:                                                                 
    "The type "ABAP_BOOL" is unknown."                                      
    I have reviewed all SP notes and Basis 7.00 issues and applied the suggested notes prior to beginning.  SPAM level is version 7.00/0030, which I upgraded before starting.  SAP_BASIS and SAP_ABA are at level 14.
    I checked the application and found the offending line.  I compared with our sandbox system and found that the problem does not exist there. 
    Has anyone encountered this problem?  I have logged with OSS as well, but couldn't find any related notes.
    Thanks in advance!
    Mike

    Hi,
    According to note 1270841 you have to deimplement note 1258824 and reimplement it again in SNOTE.
    We had the same problem and solved it this way.

  • DMVPN + MPLS best-path selection

    Dear Community
    We're in the process of deploying DMVPN as a backup solution to MPLS. All that is working great!
    The DMVPN wan is dual-cloud, with 2 hub routers in each cloud. Phase 3 (nhrp shortcut) is enabled on all the spokes.
    For routing, all the customer subnets are advertised in MPLS, whereas for DMVPN hub advertises only a summary to 10.0.0.0/8. The protocol for both is BGP. For DMVPN, the hub routers resides in one AS (65002) and all the spokes another common AS 65102. DMVPN is therefore peered eBGP hub > spoke.
    For customers connected to MPLS, the DMVPN serves as backup only solution. Best-path selection by longest prefix match.
    We have other customers coming on board who wish to join the same WAN but don't have the $$$ for MPLS so are opting for DMVPN only.
    Now, I have a requirement to enable spoke-to-spoke for a DMVPN only site (spokeA) to an MPLS site (spokeB). The problem is it doesn't seem to work properly as the hub router sees the best path to spokeB site via MPLS, not via DMVPN. The spoke-to-spoke is never formed, and remains spokeA > hub > mpls > spokeB. The return path is better = spokeB > DMVPN > hub > spokeA (this is because spokeB sees no route from MPLS for spokeA, so follows 10.0.0.0/8) route.
    I look for any feedback that can help to meet this requirement?
    And if any advice on the general design would be really appreciated.
    Thanks a lot!
    Phil

    Phil, 
    I did a short lab around this ... wanted to make sure I'm not saying something stupid. 
    While I can't claim it's the _optimal_ solution for your setup it seems to work in my lab.
    Spoke1 LAN 192.168.101.0/24 (AS 65001)
    Spoke2 LAN 192.168.102.0/24 (AS 65002)
    HUB LAN 192.168.111.0/24 (AS 65000)
    192.168.1.0/24 DMVPN subnet. 
    A single (i)VRF - DMVPN exists on hub, only and is assigned only to DMVPN tunnel interface. 
    Excuse a few hacks I had to use... default routed via default-originate for example :-)
    Hub
    R10-P#sh run int tu0
    Building configuration...
    Current configuration : 281 bytes
    interface Tunnel0
     vrf forwarding DMVPN
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp shortcut
     ip nhrp redirect
     tunnel source Loopback0
     tunnel mode gre multipoint
     tunnel protection ipsec profile PRO
    end
    R10-P#sh run | s r b
    router bgp 65000
     bgp log-neighbor-changes
     network 192.168.111.0
     redistribute static
     neighbor 10.112.112.1 remote-as 65001
     neighbor 10.112.112.1 route-map SPOKES_MPLS in
     default-information originate
     address-family ipv4 vrf DMVPN
      neighbor 192.168.1.101 remote-as 65001
      neighbor 192.168.1.101 activate
      neighbor 192.168.1.102 remote-as 65002
      neighbor 192.168.1.102 activate
     exit-address-family
    R10-P#sh run | s vrf defini
    vrf definition DMVPN
     rd 1:1
     route-target export 100:1
     route-target import 100:1
     address-family ipv4
      import ipv4 unicast map DEFAULT
      export ipv4 unicast map SPOKE_SUBNETS
      route-target export 100:1
      route-target import 100:1
     exit-address-family
     address-family ipv6
      route-target export 100:1
      route-target import 100:1
     exit-address-family
    Result on spoke
    R1-PE#traceroute 192.168.102.1 source e2/0
    Type escape sequence to abort.
    Tracing the route to 192.168.102.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.1.1 [AS 65000] 5 msec 10 msec 2 msec
    2 192.168.1.102 [AS 65000] 4 msec * 5 msec
    R1-PE#traceroute 192.168.102.1 source e2/0
    Type escape sequence to abort.
    Tracing the route to 192.168.102.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.1.102 [AS 65000] 6 msec * 6 msec
    routing on hub 
    (sanitized)
    R10-P# sho ip route
    Gateway of last resort is 10.100.100.2 to network 0.0.0.0
    S* 0.0.0.0/0 [1/0] via 10.100.100.2
    10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
    B 192.168.101.0/24 [20/0] via 10.112.112.1, 00:06:40
    B 192.168.102.0/24 [20/0] via 192.168.1.102 (DMVPN), 00:00:03
    192.168.111.0/24 is variably subnetted, 2 subnets, 2 masks
    R10-P# sho ip route vrf DMVPN
    Routing Table: DMVPN
    Gateway of last resort is 10.100.100.2 to network 0.0.0.0
    B* 0.0.0.0/0 [20/0] via 10.100.100.2, 00:06:40
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, Tunnel0
    L 192.168.1.1/32 is directly connected, Tunnel0
    B 192.168.101.0/24 [20/0] via 192.168.1.101, 00:06:40
    B 192.168.102.0/24 [20/0] via 192.168.1.102, 00:06:25

  • DMVPN shortcut and redirect

    Hello,
    I'm trying to understand the DMVPN Phase 3 and I'm trying to get some clarification on the two commands:
    ip nhrp redirect
    ip nhrp shortcut
    Based on what I have read (Shortcut Switching Enhancements for NHRP in DMVPN Networks) there is one thing I don't understand from this article:
    "When using this feature, we recommend configuring the ip nhrp redirect command on all the DMVPN nodes. This configuration would be useful in the event the data traffic takes a spoke-to-spoke-hub-spoke path."
    Why would you need redirect on all dmvpn nodes? How would you have a situation where traffic comes and leaves from the same interfaces on a spoke if the NHS and the summary route is pointing to the Hub router?
    Is there some configuration I'm missing?
    thank you in advance for your help.

    Hi
    for a simple structured topology (See Diagram 1 below) I agree with your observation. Namely configure all hubs with ip nhrp redirect only and all spoke sites with ip nhrp shortcut.
    (Diagram 1 - Simple Topology)
    Hub 1 ------- Hub 2
    S1 S2 S3 S4 S5 S6
    Hub 1 and 2 configured with ip nhrp redirect only
    Spoke S1 to S6 configured with ip nhrp shortcut only
    However to cater for more complex topologies such as where the spoke may also be acting as a hub to other spokes, then I would imagine both ip nhrp redirect and ip nhrp shortcut would be required on these spoke/hub.
    (Diagram 2 - Complex topology)
    Hub 1---------Hub 2
    S1 S2 S3 S4
    S5 S6
    S1 is a spoke to Hub 1
    S1 is a hub to S5 and S6
    Hence S1 would have ip nhrp redirect as well as ip nhrp shortcut enabled.
    cheers
    george
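The placement rule described in this reply (redirect on hubs, shortcut on spokes, both on a node that is a spoke and a hub at once) can be checked against saved configurations. The script below is an added example, not part of the original thread; the sample configurations are constructed, the function names are hypothetical, and inferring the role from `ip nhrp map multicast dynamic` (accepts registrations) and `ip nhrp nhs` (registers with a hub) is an assumption of this sketch. It expects the indentation that `show running-config` prints.

```python
# Constructed configurations in "show running-config" layout (addresses are made up).
HUB_OK = """\
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel mode gre multipoint
"""
SPOKE_MISSING_SHORTCUT = """\
interface Tunnel0
 ip address 192.168.1.101 255.255.255.0
 ip nhrp map 192.168.1.1 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel mode gre multipoint
"""
SPOKE_AND_HUB = """\
interface GigabitEthernet0/0
 ip address 198.51.100.5 255.255.255.0
interface Tunnel0
 ip address 192.168.1.11 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp shortcut
 tunnel mode gre multipoint
"""

# Phase 3 commands expected per role, following the reply above.
REQUIRED = {
    "hub": ["ip nhrp redirect"],
    "spoke": ["ip nhrp shortcut"],
    "hub+spoke": ["ip nhrp redirect", "ip nhrp shortcut"],
    "unknown": [],
}


def tunnel_stanzas(config):
    """Return {interface name: [normalized sub-commands]} for Tunnel interfaces."""
    stanzas, name = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].strip()
            if name.lower().startswith("tunnel"):
                stanzas[name] = []
            else:
                name = None                      # not a tunnel: skip its body
        elif raw[:1] in (" ", "\t") and name:
            stanzas[name].append(" ".join(raw.split()))
        else:
            name = None                          # stanza ended
    return stanzas


def has_command(lines, command):
    """True if the command is present, with or without trailing arguments."""
    return any(l == command or l.startswith(command + " ") for l in lines)


def role_of(lines):
    """Infer the NHRP role of a tunnel interface (assumption, see lead-in)."""
    registers_with_hub = has_command(lines, "ip nhrp nhs")
    accepts_spokes = has_command(lines, "ip nhrp map multicast dynamic")
    if registers_with_hub and accepts_spokes:
        return "hub+spoke"
    if registers_with_hub:
        return "spoke"
    if accepts_spokes:
        return "hub"
    return "unknown"


def audit(config):
    """Return {tunnel: (role, [missing Phase 3 commands])}."""
    result = {}
    for name, lines in tunnel_stanzas(config).items():
        role = role_of(lines)
        missing = [c for c in REQUIRED[role] if not has_command(lines, c)]
        result[name] = (role, missing)
    return result


if __name__ == "__main__":
    for label, cfg in (("hub", HUB_OK), ("spoke", SPOKE_MISSING_SHORTCUT),
                       ("S1", SPOKE_AND_HUB)):
        print(label, audit(cfg))
```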

  • DMVPN tunnel uptime

    Hi guys,
    I've configured a DMVPN (phase 2) with IPSec network and ran the 'show dmvpn' command and got the following output..
    R1# show dmvpn
    Tunnel0, Type:Hub, NHRP Peers:3, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     1     172.16.25.2     192.168.0.2    UP 00:35:28 D    
     1     172.16.35.2     192.168.0.3    UP 00:32:26 D    
    My question is, how long will a tunnel stay 'up' assuming the physical link & remote site is stable and we do not manually force the tunnel to drop.
    Does the tunnel automatically time-out after a 'certain' time interval? If yes, what conditions will cause it to time-out?
    Thanks for your time.

    I don't think they do timeout once they have formed and everything is stable, I have seen them up for weeks when I check that command. If you're unsure you could create a simple ip sla icmp-echo to keep traffic going across the tunnel to the far end, once the other factors it relies on are stable it would never drop
