Failover DMVPN hub-spoke setup

This is the current setup:
crypto keyring LAN-to-LAN
  pre-shared-key address A key 1
  pre-shared-key address B key 2
  pre-shared-key address C key 3
  pre-shared-key address D key 4
  pre-shared-key address E key 5
  pre-shared-key address F key 6
  pre-shared-key address G key 7
  pre-shared-key address H key 8
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile DMVPN
   keyring LAN-to-LAN
   match identity address A 255.255.255.255
   match identity address B 255.255.255.255
   match identity address C 255.255.255.255
   match identity address D 255.255.255.255
   match identity address E 255.255.255.255
   match identity address F 255.255.255.255
   match identity address G 255.255.255.255
   match identity address H 255.255.255.255
crypto ipsec transform-set AES256_SHA-transport esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set AES256_SHA-transport
set isakmp-profile DMVPN
interface Tunnel0
bandwidth 50000
ip address 192.168.192.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Dyn4m1c
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
no ip split-horizon eigrp 90
load-interval 30
tunnel source Vlan10
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
interface GigabitEthernet0/1
description Verizon Ethernet Internet [10Mbps]
ip address 157.130.x.x 255.255.255.252
ip accounting output-packets
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
interface FastEthernet0/0/3
description Optimum Lightpath Internet [50Mbps]
switchport access vlan 10
load-interval 30
duplex full
speed 100
interface Vlan10
description Optimum Lightpath Internet [50Mbps]
ip address 173.251.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
load-interval 30
router eigrp 90
network 10.192.28.0 0.0.0.255
network 10.192.29.0 0.0.0.255
network 192.168.44.0
network 192.168.192.0
ip route 0.0.0.0 0.0.0.0 157.130.x.x
ip route 10.192.29.0 255.255.255.0 10.192.28.2
ip route A 255.255.255.255 173.251.x.x
ip route B 255.255.255.255 173.251.x.x
ip route C 255.255.255.255 173.251.x.x
ip route D 255.255.255.255 173.251.x.x
ip route E 255.255.255.255 173.251.x.x
ip route F 255.255.255.255 173.251.x.x
ip route G 255.255.255.255 173.251.x.x
ip route H 255.255.255.255 173.251.x.x
Can I just double it and use IP SLA route tracking for redundancy? So I would add the following to the above:
interface Tunnel1
bandwidth 50000
ip address 192.168.192.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Dyn4m1c
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
no ip split-horizon eigrp 90
load-interval 30
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile DMVPN
track 1 ip sla 1
delay down 15 up 15
ip sla 1
icmp-echo 64.106.227.1 source-interface VLAN10
frequency 5
ip sla schedule 1 life forever start-time now
ip route 10.192.29.0 255.255.255.0 10.192.28.2
ip route A 255.255.255.255 173.251.x.x track 1
ip route A 255.255.255.255 157.130.x.x 200
ip route B 255.255.255.255 173.251.x.x track 1
ip route B 255.255.255.255 157.130.x.x 200
ip route C 255.255.255.255 173.251.x.x track 1
ip route C 255.255.255.255 157.130.x.x 200
ip route D 255.255.255.255 173.251.x.x track 1
ip route D 255.255.255.255 157.130.x.x 200
ip route E 255.255.255.255 173.251.x.x track 1
ip route E 255.255.255.255 157.130.x.x 200
ip route F 255.255.255.255 173.251.x.x track 1
ip route F 255.255.255.255 157.130.x.x 200
ip route G 255.255.255.255 173.251.x.x track 1
ip route G 255.255.255.255 157.130.x.x 200
ip route H 255.255.255.255 173.251.x.x track 1
ip route H 255.255.255.255 157.130.x.x 200

1) You can't use the same IP address on both tunnels.
2) I can't see any "ip nhrp nhs" or static mapping configuration on your tunnels. The configuration is not operational.
3) It is preferred to use tunnel VRFs for redundancy with two uplinks.
Please refer to
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
Please let me know if you need additional assistance with configuration.
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
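A quick way to catch the first two points in the reply (a duplicate tunnel address, and an mGRE tunnel with neither "ip nhrp nhs" nor a static "ip nhrp map") before pasting a config onto a router is to lint the text. The Python below is an added example, not code from this thread or from Cisco; the IOS-style sample it checks is constructed from the configuration above, and the TOP_LEVEL keyword list, the WEAK_ISAKMP set and the function names are my own choices. It goes one step beyond the reply by also flagging the legacy "encr 3des" / "group 2" ISAKMP settings shown above.

```python
"""Static checks for the DMVPN problems raised in the thread.

Added example (not the poster's or Cisco's code). Parses an IOS-style
configuration into blocks and reports:
  * the same address configured on more than one tunnel interface
  * an mGRE tunnel with neither 'ip nhrp nhs' nor a static 'ip nhrp map'
  * ISAKMP policies that still use legacy cipher / hash / DH settings
"""
import re

# Constructed sample, abbreviated from the thread: both tunnels carry the
# same address, neither names an NHS, and the ISAKMP policy is 3DES / group 2.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
interface Tunnel0
 ip address 192.168.192.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source Vlan10
 tunnel mode gre multipoint
interface Tunnel1
 ip address 192.168.192.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
"""

# Lines starting with these keywords open a new block; everything else is
# attached to the block that precedes it. Keyword list is my own assumption,
# chosen so that forum pastes without indentation still parse.
TOP_LEVEL = re.compile(r"^(interface|crypto|router|ip route|ip sla|track|vrf definition)\b")

# Settings Cisco's own crypto guidance treats as legacy (assumption: this set).
WEAK_ISAKMP = {"encr des", "encr 3des", "hash md5", "group 1", "group 2", "group 5"}


def parse_blocks(config):
    """Split a config into (header, [child lines]) pairs, ignoring blanks and '!'."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if TOP_LEVEL.match(line):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
    return blocks


def tunnel_interfaces(blocks):
    """Yield (name, body) for every 'interface TunnelN' block."""
    return [(h.split(None, 1)[1], body) for h, body in blocks if h.startswith("interface Tunnel")]


def duplicate_tunnel_addresses(blocks):
    """Map each tunnel IP address to the tunnels using it; keep only the collisions."""
    seen = {}
    for name, body in tunnel_interfaces(blocks):
        for line in body:
            m = re.match(r"ip address (\S+) \S+$", line)
            if m:
                seen.setdefault(m.group(1), []).append(name)
    return {addr: names for addr, names in seen.items() if len(names) > 1}


def tunnels_without_nhs(blocks):
    """mGRE tunnels that have no 'ip nhrp nhs' and no static unicast 'ip nhrp map'."""
    flagged = []
    for name, body in tunnel_interfaces(blocks):
        if "tunnel mode gre multipoint" not in body:
            continue
        has_nhs = any(l.startswith("ip nhrp nhs ") for l in body)
        has_static_map = any(re.match(r"ip nhrp map \d", l) for l in body)  # not 'map multicast'
        if not (has_nhs or has_static_map):
            flagged.append(name)
    return flagged


def weak_isakmp_policies(blocks):
    """(policy number, [legacy lines]) for each ISAKMP policy using a WEAK_ISAKMP setting."""
    out = []
    for header, body in blocks:
        if header.startswith("crypto isakmp policy"):
            weak = [l for l in body if l in WEAK_ISAKMP]
            if weak:
                out.append((header.split()[-1], weak))
    return out


def lint(config):
    """Run all three checks and return human-readable findings."""
    blocks = parse_blocks(config)
    findings = []
    for addr, names in duplicate_tunnel_addresses(blocks).items():
        findings.append(f"address {addr} is configured on {', '.join(names)}")
    for name in tunnels_without_nhs(blocks):
        findings.append(f"{name}: mGRE tunnel with no 'ip nhrp nhs' and no static 'ip nhrp map'")
    for policy, weak in weak_isakmp_policies(blocks):
        findings.append(f"isakmp policy {policy}: legacy settings {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On a hub the NHS finding is expected, since only spokes point at a next-hop server; the check just surfaces the condition the reply asked about so you can confirm which role the box plays before deciding whether it is a problem.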

Similar Messages

  • DMVPN w/ Multicasting setup/questions

    Hello
    I have a lot of questions, so bear with me as I puke them out of my head.
    I have been doing some testing with DMVPN in conjunction with multicasting video (hub and spoke, with no spoke to spoke). The test setup is using 2 Cisco 2811s without the VPN module. I understand the performance hit with not having the module. With that being said, here are my questions.
    1. With encryption on, both the hub and spoke routers are using 90-97% CPU (8Mb multicast stream). With encryption off, the hub is around 60% and the spoke around 75%. Here is where I'm confused. If I send that same stream as a unicast stream, with encryption on, both the hub and spoke are only using around 30-35% CPU. Why is there so much more CPU needed when it's a multicast stream?
    2. In the current config I'm seeing input, throttles, and ignore errors on the hub and spoke. The hub has these errors on the LAN interface, and the spoke has these errors on the WAN interface. All other interfaces are totally clean. I have checked and there are no duplex or speed mismatches. Any ideas?
    HUB:
    Current configuration : 1837 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Hub
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable password
    no aaa new-model
    clock timezone Central -6
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip name-server 8.8.8.8
    ip multicast-routing
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
      hidekeys
    interface Tunnel1
    bandwidth 100000
    ip address 192.168.11.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    no ip next-hop-self eigrp 1
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 450
    no ip route-cache cef
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 100000
    tunnel bandwidth transmit 100000
    tunnel bandwidth receive 100000
    interface FastEthernet0/0 (WAN)
    ip address 216.x.x.x 255.255.255.192
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    interface FastEthernet0/1 (LAN)
    ip address 128.112.64.5 255.255.248.0
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    router eigrp 1
    network 128.112.0.0
    network 192.168.11.0
    auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.x.x.x
    ip http server
    ip http authentication local
    ip http secure-server
    ip pim rp-address 128.112.64.5 10
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO
    Spoke:
    Current configuration : 1857 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Spoke
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable password
    no aaa new-model
    clock timezone central -6
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip multicast-routing
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
      hidekeys
    interface Tunnel1
    bandwidth 100000
    ip address 192.168.11.2 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip pim sparse-mode
    ip nhrp map 192.168.11.1 216.x.x.x
    ip nhrp map multicast 216.x.x.x
    ip nhrp network-id 1
    ip nhrp holdtime 450
    ip nhrp nhs 192.168.11.1
    no ip route-cache cef
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 216.x.x.x
    tunnel key 100000
    tunnel bandwidth transmit 100000
    tunnel bandwidth receive 100000
    interface FastEthernet0/0 (WAN)
    ip address 65.x.x.x 255.255.255.192
    ip pim sparse-mode
    load-interval 30
    duplex auto
    speed auto
    interface FastEthernet0/1  (LAN)
    ip address 128.124.64.1 255.255.248.0
    ip pim sparse-mode
    ip igmp join-group 239.10.10.10
    load-interval 30
    duplex auto
    speed auto
    router eigrp 1
    network 128.124.0.0
    network 192.168.11.0
    auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 65.x.x.x
    no ip http server
    no ip http secure-server
    ip pim rp-address 128.112.64.5 10
    access-list 10 permit 239.10.0.0 0.0.255.255
    snmp-server community public RO

    Joe,
    You ask the right question.
    CPU utilization = CPU consumed by processes + IO operations (in a huge simplification, CEF).
    Typically when a packet is processed by a router we expect it to be processed by CEF, i.e. very fast.
    A packet is not processed by CEF:
    - when there is something missing to route the packet properly (think missing ARP/CAM entry), i.e. an additional lookup needs to be done.
    - when a feature requests the packet for processing/mangling
    - when the packet is destined to the router
    (And several others, but those are the major ones.)
    When a packet is received but cannot be processed by CEF, we "punt the packet to CPU"; this in turn will cause the CPU for processes to go up.
    Now on the spoke this seems to be the problem:
    Spoke#show ip cef switching stati
           Reason                          Drop       Punt  Punt2Host
    RP LES Packet destined for us             0       1723          0
    RP LES Encapsulation resource             0    1068275          0
    There were also some failures on one of the buffer outputs you've attached.
    Typically at this stage I would suggest:
    1) "Upgrade" the device to 15.0(1)M6 or 12.4(15)T (latest image in this branch) and check if the problem persists there.
    2) If it does, swing it by TAC. I don't see any obvious mistakes, but I'm just a guy in a chair same as you ;-)
    Marcin

  • DMVPN - One Spoke VPN tunnel flap - deleting SA reason "IKMP_ERR_NO_RETRANS"

    Dear All,
    Please help to find the reason for below DMVPN IP sec tunnel flap.
    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    x.x.x.x   y.y.y.y   MM_NO_STATE       4983 ACTIVE (deleted)
    IPv6 Crypto ISAKMP SA
    #sh log | i 4984
     04:58:47.155: ISAKMP:(4984): OU = DE_FRA_ASR1001_R2
    Feb 12 04:58:47.155: ISAKMP:(4984): processing SIG payload. message ID = 0
    Feb 12 04:58:47.159: ISAKMP:(4984):SA authentication status:
    Feb 12 04:58:47.159: ISAKMP:(4984):SA has been authenticated with x.x.x.x
    Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Feb 12 04:58:47.163: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 12 04:58:47.163: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Feb 12 04:58:47.163: ISAKMP:(4984):Need XAUTH
    Feb 12 04:58:47.163: ISAKMP:(4984): initiating peer config to x.x.x.x 0. ID = -847734916
    Feb 12 04:58:47.163: ISAKMP:(4984): sending packet to x.x.x.x  my_port 500 peer_port 500 (I) CONF_XAUTH
    Feb 12 04:58:47.163: ISAKMP:(4984):Sending an IKE IPv4 Packet.
    Feb 12 04:58:47.167: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Feb 12 04:58:47.167: ISAKMP:(4984):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
    Feb 12 04:58:47.203: ISAKMP (4984): received packet from x.x.x.x dport 500 sport 500 Global (I) CONF_XAUTH
    Feb 12 04:58:47.207: ISAKMP:(4984): processing HASH payload. message ID = -1617704027
    Feb 12 04:58:47.207: ISAKMP:(4984):Processing delete with reason payload
    Feb 12 04:58:47.207: ISAKMP:(4984):delete doi = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete protocol id = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete spi_size =  16
    Feb 12 04:58:47.207: ISAKMP:(4984):delete num spis = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete_reason = 28
    Feb 12 04:58:47.207: ISAKMP:(4984): processing DELETE_WITH_REASON payload, message ID = -1617704027, reason: Unknown delete reason!
    Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
    Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
    Feb 12 04:58:47.207: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
    Feb 12 04:58:47.207: ISAKMP:(4984):deleting node -1617704027 error FALSE reason "Informational (in) state 1"
    Feb 12 04:58:47.211: ISAKMP:(4984): sending packet to x.x.x.x  my_port 500 peer_port 500 (I) CONF_XAUTH
    Feb 12 04:58:47.211: ISAKMP:(4984):Sending an IKE IPv4 Packet.
    Feb 12 04:58:47.211: ISAKMP:(4984):purging node 20363770
    Feb 12 04:58:47.211: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Feb 12 04:58:47.211: ISAKMP:(4984):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA
    Feb 12 04:58:47.211: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
    Feb 12 04:58:47.215: ISAKMP:(4984):deleting node 1519432799 error FALSE reason "IKE deleted"
    Feb 12 04:58:47.215: ISAKMP:(4984):deleting node -847734916 error FALSE reason "IKE deleted"
    Feb 12 04:58:47.215: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 12 04:58:47.215: ISAKMP:(4984):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Thanks for your kind response
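    When an IKE SA flaps like this, the facts that matter are buried among hundreds of debug lines: which connection id, the sequence of state transitions, the delete reason and the ports in use. The Python below is an added example, not code from this thread or from Cisco. It groups ISAKMP debug lines by connection id, records state transitions, delete reasons and my_port/peer_port pairs, and reports SAs that were torn down before ever entering a quick-mode state. The sample lines are excerpts from this thread and from the NAT-T thread further down this list; the regexes and the died_before_phase2 rule are my own.

```python
"""Summarise Cisco IOS 'debug crypto isakmp' output per connection id.

Added example (not the poster's or Cisco's code). Extracts, for each ISAKMP
conn id: Old State -> New State transitions, numeric delete_reason codes,
'deleting SA reason "..."' strings, my_port/peer_port pairs and whether a
NAT-T detection line was seen.
"""
import re

# Excerpted log lines from the two threads on this page (conn ids 4984 and 2746).
SAMPLE_LOG = """\
Feb 12 04:58:47.163: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Feb 12 04:58:47.163: ISAKMP:(4984): sending packet to x.x.x.x  my_port 500 peer_port 500 (I) CONF_XAUTH
Feb 12 04:58:47.167: ISAKMP:(4984):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
Feb 12 04:58:47.207: ISAKMP:(4984):delete_reason = 28
Feb 12 04:58:47.207: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
Feb 12 04:58:47.211: ISAKMP:(4984):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA
*Sep 10 08:56:02 UTC: ISAKMP : Scanning profiles for xauth ...
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

# Both 'ISAKMP:(4984):' and 'ISAKMP (2746):' forms occur in IOS output.
CONN = re.compile(r"ISAKMP:?\s?\((\d+)\)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
REASON_CODE = re.compile(r"delete_reason = (\d+)")
DELETING = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+)')
PORTS = re.compile(r"my_port (\d+) peer_port (\d+)")
NAT = re.compile(r"NAT found|this node inside NAT")


def new_record():
    return {"states": [], "ports": set(), "reason_codes": [], "delete_reasons": [], "nat": False}


def parse_isakmp_debug(text):
    """Return {conn_id: record} built from the debug lines that carry a conn id."""
    sas = {}
    for line in text.splitlines():
        m = CONN.search(line)
        if not m:
            continue  # e.g. 'ISAKMP : Scanning profiles ...' has no conn id
        rec = sas.setdefault(int(m.group(1)), new_record())
        if s := STATE.search(line):
            rec["states"].append((s.group(1), s.group(2)))
        if r := REASON_CODE.search(line):
            rec["reason_codes"].append(int(r.group(1)))
        if d := DELETING.search(line):
            rec["delete_reasons"].append((d.group(1), d.group(3)))  # reason, state at deletion
        if p := PORTS.search(line):
            rec["ports"].add((int(p.group(1)), int(p.group(2))))
        if NAT.search(line):
            rec["nat"] = True
    return sas


def died_before_phase2(sas):
    """Conn ids that reached IKE_DEST_SA without ever visiting a quick-mode (QM) state."""
    out = []
    for cid, rec in sas.items():
        visited = {st for pair in rec["states"] for st in pair}
        if "IKE_DEST_SA" in visited and not any("QM" in st for st in visited):
            out.append(cid)
    return sorted(out)


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_LOG)
    for cid in died_before_phase2(summary):
        rec = summary[cid]
        print(f"conn {cid}: torn down before phase 2; codes={rec['reason_codes']} "
              f"reasons={rec['delete_reasons']} ports={sorted(rec['ports'])} nat={rec['nat']}")
```

    Feed it the output of "sh log | i <conn-id>" as in the post, or a full debug capture; the per-connection view shows at a glance that 4984 completed phase 1, was asked for XAUTH and was then deleted by the peer, which is the part of the sequence worth bringing to the hub's administrator.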

    I gave up on fixing what was there and rebuilt from scratch, including regenerating the key with the same modulus. And now it works. I don't know what fixed it; it could even have been corruption of the startup-config, since I replaced that, but it's working and right now that's all I care about.

  • DMVPN Per Spoke QOS ServicePolicy Limit

    I want to implement per-spoke QoS using ISAKMP profiles and service policy.
    My problem is that I have more than 64 tunnels and I understand that service policy configurations are limited to one level of nesting and only 64 classifications.
    Does anyone have experience of per spoke QOS greater than 64 flows?

    Only if you show me yours for > 64 flows
    LOL

  • Can we setup FILESTREAM on Failover Cluster

    I saw following point on Technet article about RBS.
    The local FILESTREAM provider is supported only when it is used on local hard disk drives or an attached Internet Small Computer System Interface (iSCSI) device. You cannot use the local RBS FILESTREAM provider on remote storage devices such as network attached storage (NAS).
    It looks like we cannot use FILESTREAM on a Failover Cluster, because to set up a Failover Cluster we need to have NAS. But then the NAS is made available locally for the Failover Cluster, so FILESTREAM should work, right?
    Found another article which talks about setting up FILESTREAM on Failover Cluster so I am a bit confused.
    https://msdn.microsoft.com/en-us/library/cc645886.aspx

    Hi Frank,
    As in the other post, we can set up FILESTREAM on a Failover Cluster.
    However, FILESTREAM can't live on a network addressable storage (NAS) device unless the NAS device is presented as a local NFS volume via iSCSI. With iSCSI, it is supported by the Microsoft FILESTREAM provider.
    Reference:
    Description of support for network database files in SQL Server
    Programming with FileStreams in SQL Server 2008
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • DMVPN spoke to spoke not established

    In the topology attached I am advertising the tunnel IP and loopbacks for the specific hub and spokes in their EIGRP. There is connectivity between all, but still EIGRP routes are not coming and it's flapping. ISAKMP is on, and the tunnel is also up. I am also attaching hub and spoke configs and topology for your reference.
    This is the error message:
    7:09.791: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:57:11.351: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.12.1, prot=50, spi=0x77DF7896(2011134102), srcaddr
            in use settings ={Transport, }
            conn id: 29, flow_id: SW:29, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4405256/3495)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    *Mar  1 00:57:21.895: YPTO-6-PRINTABORT: deletion caused early termination of show output for identity
    R1#
    *Mar  1 00:09:49.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:09:50.051: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency
    *Mar  1 00:11:00.311: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:11:00.775: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.5 (Tunnel0) is up: new adjacency
    *Mar  1 00:11:09.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is down: retry limit exceeded
    *Mar  1 00:11:11.551: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 145: Neighbor 172.16.145.4 (Tunnel0) is up: new adjacency

    For some reason, my spoke to spoke tunnel doesn't stay up when my hub goes down. Not sure what I am missing. Please help!!
    Hub:
    interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 10
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     no ip split-horizon
     ip summary-address eigrp 10 10.1.0.0 255.255.0.0
     tunnel source 1.1.1.1
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    spoke 1: 
    interface Tunnel0
     ip address 172.16.1.7 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.7.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end
    Spoke 2:
    interface Tunnel0
     ip address 172.16.1.6 255.255.255.0
     no ip redirects
     no ip split-horizon eigrp 10
     ip nhrp authentication _GW_
     ip nhrp map multicast dynamic
     ip nhrp map 172.16.1.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     ip summary-address eigrp 10 10.6.0.0 255.255.0.0
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel protection ipsec profile dmvpn
    end

  • DMVPN - Spoke to spoke direct tunnel

  • DMVPN - Spoke to Spoke tunnel

    Hi,
    Once a Spoke to Spoke tunnel is established, what happens if the Hub goes down? Does the Spoke to Spoke tunnel remain active? 

  • DMVPN + MPLS best-path selection

    Dear Community
    We're in the process of deploying DMVPN as a backup solution to MPLS. All of that is working great!
    The DMVPN WAN is dual-cloud, with 2 hub routers in each cloud. Phase 3 (NHRP shortcut) is enabled on all the spokes.
    For routing, all the customer subnets are advertised in MPLS, whereas for DMVPN the hub advertises only a summary to 10.0.0.0/8. The protocol for both is BGP. For DMVPN, the hub routers reside in one AS (65002) and all the spokes in another common AS, 65102. DMVPN is therefore peered eBGP hub > spoke.
    For customers connected to MPLS, DMVPN serves as a backup-only solution. Best-path selection is by longest prefix match.
    We have other customers coming on board who wish to join the same WAN but don't have the $$$ for MPLS, so they are opting for DMVPN only.
    Now I have a requirement to enable spoke-to-spoke for a DMVPN-only site (spokeA) to an MPLS site (spokeB). The problem is it doesn't seem to work properly, as the hub router sees the best path to the spokeB site via MPLS, not via DMVPN. The spoke-to-spoke is never formed, and it remains spokeA > hub > MPLS > spokeB. The return path is better: spokeB > DMVPN > hub > spokeA (this is because spokeB sees no route from MPLS for spokeA, so it follows the 10.0.0.0/8 route).
    I'm looking for any feedback that can help meet this requirement.
    And if any advice on the general design would be really appreciated.
    Thanks a lot!
    Phil

    Phil, 
    I did a short lab around this... wanted to make sure I'm not saying something stupid.
    While I can't claim it's the _optimal_ solution for your setup, it seems to work in my lab.
    Spoke1 LAN 192.168.101.0/24 (AS 65001)
    Spoke2 LAN 192.168.102.0/24 (AS 65002)
    HUB LAN 192.168.111.0/24 (AS 65000)
    192.168.1.0/24 DMVPN subnet. 
    A single (i)VRF, DMVPN, exists on the hub only and is assigned only to the DMVPN tunnel interface.
    Excuse a few hacks I had to use... default routed via default-originate, for example :-)
    Hub
    R10-P#sh run int tu0
    Building configuration...
    Current configuration : 281 bytes
    interface Tunnel0
    vrf forwarding DMVPN
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp shortcut
    ip nhrp redirect
    tunnel source Loopback0
    tunnel mode gre multipoint
    tunnel protection ipsec profile PRO
    end
    R10-P#sh run | s r b
    router bgp 65000
    bgp log-neighbor-changes
    network 192.168.111.0
    redistribute static
    neighbor 10.112.112.1 remote-as 65001
    neighbor 10.112.112.1 route-map SPOKES_MPLS in
    default-information originate
    address-family ipv4 vrf DMVPN
    neighbor 192.168.1.101 remote-as 65001
    neighbor 192.168.1.101 activate
    neighbor 192.168.1.102 remote-as 65002
    neighbor 192.168.1.102 activate
    exit-address-family
    R10-P#sh run | s vrf defini
    vrf definition DMVPN
    rd 1:1
    route-target export 100:1
    route-target import 100:1
    address-family ipv4
      import ipv4 unicast map DEFAULT
      export ipv4 unicast map SPOKE_SUBNETS
    route-target export 100:1
    route-target import 100:1
    exit-address-family
    address-family ipv6
    route-target export 100:1
    route-target import 100:1
    exit-address-family
    Result on spoke
    R1-PE#traceroute 192.168.102.1 source e2/0
    Type escape sequence to abort.
    Tracing the route to 192.168.102.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.1.1 [AS 65000] 5 msec 10 msec 2 msec
    2 192.168.1.102 [AS 65000] 4 msec * 5 msec
    R1-PE#traceroute 192.168.102.1 source e2/0
    Type escape sequence to abort.
    Tracing the route to 192.168.102.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.1.102 [AS 65000] 6 msec * 6 msec
    routing on hub 
    (sanitized)
    R10-P# sho ip route
    Gateway of last resort is 10.100.100.2 to network 0.0.0.0
    S* 0.0.0.0/0 [1/0] via 10.100.100.2
    10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
    B 192.168.101.0/24 [20/0] via 10.112.112.1, 00:06:40
    B 192.168.102.0/24 [20/0] via 192.168.1.102 (DMVPN), 00:00:03
    192.168.111.0/24 is variably subnetted, 2 subnets, 2 masks
    R10-P# sho ip route vrf DMVPN
    Routing Table: DMVPN
    Gateway of last resort is 10.100.100.2 to network 0.0.0.0
    B* 0.0.0.0/0 [20/0] via 10.100.100.2, 00:06:40
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, Tunnel0
    L 192.168.1.1/32 is directly connected, Tunnel0
    B 192.168.101.0/24 [20/0] via 192.168.1.101, 00:06:40
    B 192.168.102.0/24 [20/0] via 192.168.1.102, 00:06:25

  • DMVPN-Why received packet doesn't use UDP port 4500 but 500?

    Hello everyone
    I got a problem with my DMVPN. The spoke is behind a NAT device. x.x.x.x is a public IP address which the hub uses. I don't know why it discovered that the hub is also inside a NAT device. And after it sends a packet using port 4500, the received packet from the hub was not using port 4500 but 500. I'm confused now. Any advice would be much appreciated.
    *Sep 10 08:56:02 UTC: ISAKMP:(0): beginning Main Mode exchange
    *Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing SA payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): local preshared key found
    *Sep 10 08:56:02 UTC: ISAKMP : Scanning profiles for xauth ...
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Sep 10 08:56:02 UTC: ISAKMP:      encryption 3DES-CBC
    *Sep 10 08:56:02 UTC: ISAKMP:      hash MD5
    *Sep 10 08:56:02 UTC: ISAKMP:      default group 1
    *Sep 10 08:56:02 UTC: ISAKMP:      auth pre-share
    *Sep 10 08:56:02 UTC: ISAKMP:      life type in seconds
    *Sep 10 08:56:02 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
    *Sep 10 08:56:02 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:life: 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
    *Sep 10 08:56:02 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 
    *Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing KE payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is Unity
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is DPD
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): speaking to another IOS box!
    *Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
    *Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
    *Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
    *Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match -  this node inside NAT
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM4 
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Send initial contact
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Sep 10 08:56:02 UTC: ISAKMP (2746): ID payload 
    next-payload : 8
    type         : 1 
    address      : 192.168.1.101 
    protocol     : 17 
    port         : 0 
    length       : 12
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Total payload length: 12
    *Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM5 
    *Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
    *Sep 10 08:56:03 UTC: ISAKMP:(2746): retransmitting due to retransmit phase 1
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
    *Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
    *Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
    *Sep 10 08:56:04 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.

    This could be because the port 4500 packet that is being sent is not being received by the peer side, or the peer is ignoring that packet. 
    Since the port 500 packet that you are receiving is a duplicate of the previous packet, it is definitely not a reply to the port 4500 packet. 
    If you can get the debugs from the other end, then you could see whether the peer side is receiving the UDP port 4500 packets.
    If not, then this could be a UDP port 4500 block at the ISP.
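The failure pattern the reply describes (NAT detected, initiator moves to UDP/4500 for MM5, and only retransmitted UDP/500 packets ever come back) can be checked mechanically rather than by eye. The script below is an added example, not part of the original post: it walks `debug crypto isakmp` output, records which ports each phase-1 packet was sent and received on, and returns a verdict. SAMPLE is trimmed from the debug above (peer printed as x.x.x.x, SA id 2746, as there); the verdict strings are my own naming.

```python
"""Triage an IOS 'debug crypto isakmp' capture for the NAT-T failure pattern:
NAT detected, initiator switches to UDP/4500, peer only ever answers on UDP/500.

Added example, not part of the original post. SAMPLE is trimmed from the debug
output above; nothing is sent on the network.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SENT_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(I\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \(I\) (\w+)")
NAT_RE = re.compile(r"NAT found|this node inside NAT")
DUP_RE = re.compile(r"is a duplicate of a previous packet")
RETX_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")

SAMPLE = """\
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match -  this node inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""


@dataclass
class Ike1Triage:
    peer: Optional[str] = None
    nat_detected: bool = False
    sent: List[Tuple[int, str]] = field(default_factory=list)  # (my_port, MM state)
    recv: List[Tuple[int, str]] = field(default_factory=list)  # (dport, MM state)
    duplicates: int = 0
    retransmits: int = 0
    max_retransmits: int = 0


def triage(lines: List[str]) -> Ike1Triage:
    """Collect the phase-1 port usage and retransmit counters from debug lines."""
    t = Ike1Triage()
    for line in lines:
        if m := SENT_RE.search(line):
            t.peer = m.group(1)
            t.sent.append((int(m.group(2)), m.group(4)))
        elif m := RECV_RE.search(line):
            t.recv.append((int(m.group(2)), m.group(4)))
        elif NAT_RE.search(line):
            t.nat_detected = True
        elif DUP_RE.search(line):
            t.duplicates += 1
        elif m := RETX_RE.search(line):
            t.retransmits = max(t.retransmits, int(m.group(1)))
            t.max_retransmits = int(m.group(2))
    return t


def verdict(t: Ike1Triage) -> str:
    """'udp4500-unanswered' when we moved to 4500 but nothing ever arrived on 4500."""
    switched = any(port == 4500 for port, _ in t.sent)
    answered = any(port == 4500 for port, _ in t.recv)
    if not t.nat_detected:
        return "no-nat"
    if switched and answered:
        return "nat-t-ok"
    if switched and (t.duplicates or t.retransmits):
        return "udp4500-unanswered"
    return "inconclusive"


if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    print(result.peer, verdict(result),
          f"retransmit {result.retransmits}/{result.max_retransmits}")
```

A `udp4500-unanswered` verdict only says the 4500 traffic is not being answered; whether it is an ISP filter or an inbound ACL on the peer has to be confirmed there. The check on the responder is that its inbound list permits UDP/4500 (IOS calls it `non500-isakmp`) as well as UDP/500 and ESP, as the WORLD-IN list posted further down this page does.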

  • N+1 5508 WLC failover test

    Good day all,
    I have a question about the N+1 5508 failover test:
    Should I shutdown one of the primary WLC to test failover?
    I just set up the N+1 backup WLC (5508).
    Based on: http://www.cisco.com/en/US/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide.pdf
    We have two production WLCs both 5508 and one 4405.
    We just purchased another HA-SKU WLC 5508.
    All our four WLCs had been setup into one mobility group in version 7.4.100.6.
    Their neighbors are all up.
    But our test AP could not register to the Backup N+1 WLC. ( We are using option 43 in our DHCP server for all the AP boot.)
    Here are the log screens:
    ================ From test Access Point============
    *Mar  1 00:00:53.099: %CDP_PD-4-POWER_OK: Full power - INJECTOR_CONFIGURED_ON_SOURCE inline power source
    *Mar  1 00:00:53.842: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.255.1.3, mask 255.255.255.0, hostname wo11-test-ap1
    *Mar  1 00:00:54.188: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:55.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:55.279: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:56.280: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar  1 00:01:03.820: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.254.240.5 obtained through DHCP
    *Mar  1 00:01:03.820: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Mar  1 00:01:13.823: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.5 peer_port: 5246
    *Aug  2 02:31:25.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!
    *Aug  2 02:31:55.001: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.254.240.5:5246
    *Aug  2 02:31:55.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.23 peer_port: 5246
    *Aug  2 02:30:55.490: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.254.240.23 peer_port: 5246
    *Aug  2 02:30:55.493: %CAPWAP-5-SENDJOIN: sending Join Request to 10.254.240.23
    *Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Aug  2 02:30:55.493: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.254.240.23
    *Aug  2 02:30:55.874: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Aug  2 02:30:55.931: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug  2 02:30:55.987: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WG-WLC1
    *Aug  2 02:30:56.041: ac_first_hop_mac - IP:10.255.1.1 Hop IP:10.255.1.1 IDB:BVI1
    *Aug  2 02:30:56.041: Setting AC first hop MAC: ccef.481f.14bf
    -test-ap1#sh int bvI 1
    BVI1 is up, line protocol is up
      Hardware is BVI, address is e8b7.489e.4645 (bia e8b7.489e.4645)
      Internet address is 10.255.1.3/24
    ===================From backup N+1 WLC===
    *spamApTask4: Aug 02 11:41:09.842: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).
    *spamApTask4: Aug 02 11:41:01.889: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).
    *spamApTask4: Aug 02 11:40:57.912: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).
    *spamApTask4: Aug 02 11:40:55.924: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).
    *spamApTask4: Aug 02 11:18:50.553: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).
    *spamApTask4: Aug 02 11:18:42.600: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).
    *spamApTask4: Aug 02 11:18:38.623: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).
    *spamApTask4: Aug 02 11:18:36.636: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58469).
    *mmListen: Aug 02 10:43:38.637: #LOG-3-Q_IND: spam_lrad.c:1676 Ignoring discovery request from AP e8:b7:48:9e:46:45 - maximum number of downloads (0) exceeded
    *spamApTask0: Aug 02 10:43:38.500: #LWAPP-3-DISC_MAX_DOWNLOAD: spam_lrad.c:1676 Ignoring discovery request from AP e8:b7:48:9e:46:45 - maximum number of downloads (0) exceeded
    ==================== From one of our Primary WLC=====================
    (WLC-5500) >show advanced backup-controller
    AP primary Backup Controller .................... ODC-WLC1 10.254.240.5
    AP secondary Backup Controller ..................  0.0.0.0
    (WLC-5500) >show redundancy summary
    Redundancy Mode = SSO DISABLED
         Local State = ACTIVE
          Peer State = N/A
                Unit = Primary
             Unit ID = 54:75:D0:DE:DE:40
    Redundancy State = N/A
        Mobility MAC = 54:75:D0:DE:DE:40
    Redundancy Management IP Address................. 0.0.0.0
    Peer Redundancy Management IP Address............ 0.0.0.0  
    Redundancy Port IP Address....................... 0.0.0.0
    Peer Redundancy Port IP Address.................. 169.254.0.0
    (WLC-5500) >show license capacity
    Licensed Feature    Max Count         Current Count     Remaining Count
    AP Count            250               203               47
    ==============From the Backup N+1 WLC in DR =====================
    (Cisco Controller) >show redundancy summary
    Redundancy Mode = SSO DISABLED
         Local State = ACTIVE
          Peer State = N/A
                Unit = Secondary - HA SKU
             Unit ID = 6C:41:6A:5F:4C:80
    Redundancy State = N/A
        Mobility MAC = 6C:41:6A:5F:4C:80
    Redundancy Management IP Address................. 10.254.240.3
    Peer Redundancy Management IP Address............ 0.0.0.0
    Redundancy Port IP Address....................... 169.254.240.3
    Peer Redundancy Port IP Address.................. 169.254.0.0
    (Cisco Controller) >show license capacity
    Licensed Feature    Max Count         Current Count     Remaining Count
    AP Count            500               0                 500

    Current AP High Availability Configuration:
    2nd Step, shutdown the LAN Switch ports on which the Primary WLC is connected so I force the AP going to HA SKU WLC.
    DC-WiFi-SVC1-LAB(config)#inter
    DC-WiFi-SVC1-LAB(config)#interface por
    DC-WiFi-SVC1-LAB(config)#interface port-
    DC-WiFi-SVC1-LAB(config)#interface port-channel 3
    DC-WiFi-SVC1-LAB(config-if)#shut
    DC-WiFi-SVC1-LAB(config-if)#
    Log in the AP after shutdown:
    Jan 15 15:52:15.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 2)
    *Jan 15 15:52:15.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:18.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 2)
    *Jan 15 15:52:18.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:21.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 3)
    *Jan 15 15:52:21.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:24.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 4)
    *Jan 15 15:52:24.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:27.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 4)
    *Jan 15 15:52:27.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:30.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 4)
    *Jan 15 15:52:30.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:33.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 4)
    *Jan 15 15:52:33.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:36.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 4)
    *Jan 15 15:52:36.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:39.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 4)
    *Jan 15 15:52:39.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:42.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 7)
    *Jan 15 15:52:42.307: %CAPWAP-3-ERRORLOG: Retransmission count exceeded max, ignoring as the ethernet is overloaded
    *Jan 15 15:52:45.307: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 8)
    *Jan 15 15:52:45.307: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Jan 15 15:52:45.307: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.23.111.23:5246
    *Jan 15 15:52:45.371: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
    *Jan 15 15:52:45.371: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Jan 15 15:52:45.383: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Jan 15 15:52:45.383: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Jan 15 15:52:45.395: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jan 15 15:52:46.015: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Jan 15 15:52:46.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jan 15 15:52:46.423: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Jan 15 15:52:46.431: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Jan 15 15:52:47.167: %CLEANAIR-6-STATE: Slot 0 down
    *Jan 15 15:52:47.167: %CLEANAIR-6-STATE: Slot 1 down
    *Jan 15 15:52:47.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Jan 15 15:52:47.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Jan 15 15:52:47.451: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Jan 15 15:52:47.459: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Jan 15 15:52:47.467: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jan 15 15:52:48.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Jan 15 15:52:48.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jan 15 15:52:48.487: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jan 15 15:52:49.487: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Jan 15 15:52:56.011: %CAPWAP-3-ERRORLOG: Selected MWAR 'DC-WiFi-WLC1-0'(index 1).
    *Jan 15 15:52:56.011: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Jan 15 15:52:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.23.111.20 peer_port: 5246
    *Jan 15 15:52:44.467: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.23.111.20 peer_port: 5246
    *Jan 15 15:52:44.471: %CAPWAP-5-SENDJOIN: sending Join Request to 172.23.111.20
    *Jan 15 15:52:44.471: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Jan 15 15:52:44.471: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Jan 15 15:52:44.471: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Jan 15 15:52:44.471: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 172.23.111.20
    *Jan 15 15:52:44.927: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Jan 15 15:52:44.995: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jan 15 15:52:45.003: ac_first_hop_mac - IP:10.219.96.1 Hop IP:10.219.96.1 IDB:BVI1
    *Jan 15 15:52:45.007: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jan 15 15:52:45.075: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller DC-WiFi-WLC1-0
    *Jan 15 15:52:45.223: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
    *Jan 15 15:52:45.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jan 15 15:52:45.971: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Jan 15 15:52:45.979: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Jan 15 15:52:46.007: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Jan 15 15:52:46.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Jan 15 15:52:46.999: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5520 MHz for 60 seconds.
    *Jan 15 15:52:47.003: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Jan 15 15:52:47.015: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Jan 15 15:52:47.023: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jan 15 15:52:48.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Jan 15 15:52:48.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jan 15 15:52:48.047: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jan 15 15:52:49.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    APe4d3.f11e.a8e1#         
    3rd Step, verifying the LOG on the AP and check if it can connect to the HA SKU WLC
    *Jan 15 15:52:45.075: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller DC-WiFi-WLC1-0
    *Jan 15 15:52:45.223: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
    CONCLUSION:
    I needed to activate the EVALUATION LICENSE in the HA SKU WLC, which had status = EULA NOT ACCEPTED. I will test the SSIDs in order to confirm that redundancy using the HA SKU WLC works fine.
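When reading a failover test like the one above, the useful facts are which controller the AP tried, how far each attempt got (DTLS handshake, join), and what the controller logged against that AP's MAC, which the WLC prints colon-separated while the AP prints it Cisco-dotted. The script below is an added example, not from the original post: it rebuilds that per-controller timeline from AP console lines and matches WLC msglog lines to an AP by MAC in either notation. AP_LOG and WLC_LOG are trimmed from the logs above; the outcome labels (`dtls-timeout`, `joined:<name>`) are my own.

```python
"""Rebuild an AP's CAPWAP join attempts and pull the matching WLC log lines.

Added example, not from the original post. AP_LOG / WLC_LOG are trimmed from
the console and msglog output posted above.
"""
import re
from typing import List, Tuple

DTLS_REQ = re.compile(r"DTLSREQSEND: DTLS connection request sent peer_ip: (\S+)")
# IOS really spells it "sucessfully"; match the log, not the dictionary.
DTLS_OK = re.compile(r"DTLSREQSUCC: DTLS connection created sucessfully peer_ip: (\S+)")
DTLS_TIMEOUT = re.compile(r"DTLS_CLIENT_ERROR: .*Max retransmission count reached")
JOINED = re.compile(r"JOINEDCONTROLLER: AP has joined controller (\S+)")
MSGID = re.compile(r"#([A-Z0-9_]+-\d-[A-Z0-9_]+):")
MAC = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
                 re.IGNORECASE)

AP_LOG = """\
*Mar  1 00:01:03.820: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.254.240.5 obtained through DHCP
*Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.5 peer_port: 5246
*Aug  2 02:31:25.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!
*Aug  2 02:31:55.001: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.254.240.5:5246
*Aug  2 02:30:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.254.240.23 peer_port: 5246
*Aug  2 02:30:55.490: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.254.240.23 peer_port: 5246
*Aug  2 02:30:55.493: %CAPWAP-5-SENDJOIN: sending Join Request to 10.254.240.23
*Aug  2 02:30:55.987: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WG-WLC1
"""

WLC_LOG = """\
*spamApTask4: Aug 02 11:41:09.842: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 64:a0:e7:40:eb:42: Failed to create DTLS connection for AP  10:255:1:3 (58470).
*mmListen: Aug 02 10:43:38.637: #LOG-3-Q_IND: spam_lrad.c:1676 Ignoring discovery request from AP e8:b7:48:9e:46:45 - maximum number of downloads (0) exceeded
*spamApTask0: Aug 02 10:43:38.500: #LWAPP-3-DISC_MAX_DOWNLOAD: spam_lrad.c:1676 Ignoring discovery request from AP e8:b7:48:9e:46:45 - maximum number of downloads (0) exceeded
"""


def normalize_mac(text: str) -> str:
    """'e8b7.489e.4645' and 'E8:B7:48:9E:46:45' both become 'e8:b7:48:9e:46:45'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ap_join_timeline(lines: List[str]) -> List[Tuple[str, str]]:
    """One (controller_ip, outcome) per DTLS request, in the order the AP tried them."""
    attempts: List[List[str]] = []
    for line in lines:
        if m := DTLS_REQ.search(line):
            attempts.append([m.group(1), "dtls-pending"])
        elif not attempts:
            continue  # nothing to attribute later lines to yet
        elif (m := DTLS_OK.search(line)) and m.group(1) == attempts[-1][0]:
            attempts[-1][1] = "dtls-ok"
        elif DTLS_TIMEOUT.search(line):
            attempts[-1][1] = "dtls-timeout"
        elif m := JOINED.search(line):
            attempts[-1][1] = "joined:" + m.group(1)
    return [(ip, outcome) for ip, outcome in attempts]


def wlc_events_for_ap(lines: List[str], ap_mac: str) -> List[str]:
    """Message IDs of WLC log lines that name this AP's MAC, in log order."""
    want = normalize_mac(ap_mac)
    found = []
    for line in lines:
        macs = {normalize_mac(m) for m in MAC.findall(line)}
        if want in macs and (m := MSGID.search(line)):
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for ip, outcome in ap_join_timeline(AP_LOG.splitlines()):
        print(f"{ip:16} {outcome}")
    print(wlc_events_for_ap(WLC_LOG.splitlines(), "e8b7.489e.4645"))  # AP's BVI1 MAC
```

Run it on a full `show logging` from the AP and `show msglog` from each controller in the mobility group, then compare the timeline against the primary/secondary/tertiary order you expect from `show ap config general`; a controller that is reached (DTLS completes) but still refuses the join is a different problem from one whose DTLS port is unreachable.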

  • [rspan in 'hub+spoke' topology]

    Hi,
    I have the topology depicted in the attached drawing.
    What we want to achieve is to enable rspan to replicate monitored traffic from access switches (3550 spokes) to a core switch (6500 hub).
    The configuration in general is working and looks like this:
    HUB:
    monitor session 1 destination interface Gix/y
    monitor session 1 source remote vlan z
    SPOKES:
    monitor session 1 source interface Gix/y
    monitor session 1 destination remote vlan z
    As stated previously, the environment is working, but we're having one problem. The uplinks from the spokes to the hub are almost full. After doing some troubleshooting, we found that SPAN traffic is being replicated by the hub to the spokes. The reason I say this is that when I remove the RSPAN VLAN (on the core switch) from the uplink to the hubs, the output traffic from core to access (or input on the access switches) goes down by the same amount being received by the network analyzer. When I add the VLAN on the uplink trunk again, the traffic going out of the core to the access switches goes up by the same amount being sent to the network analyzer.
    Like I said, the RSPAN part seems to be working fine, but the uplinks to the access switches are getting full because the hub switch is copying the SPAN traffic to all uplinks, which is not what we want.
    Two questions here:
    1.- Is this the way RSPAN is supposed to work in this environment?
    2.- If not, is there a way to turn off this behavior, or does it sound like a bug to you?
    Thanks in advance!
    c.

    Hello,
    in Hub and Spoke - as in any other L3VPN - traffic will flow in the opposite direction of IP routing updates. In a Hub and Spoke setup the spoke sites should get routing updates from the hub site. Thus one faces a split horizon problem: updates learned at the hub CE from a neighbor (PE) will not be sent back over the same interface to that neighbor. Hence the simple solution is: one VRF and interface to announce spoke routes from the PE to the hub CE and another interface terminating in a second VRF to announce the routes from the hub CE back into the MPLS VPN environment.
    Just as a side note: this results in an unusual load pattern on the two hub CE interfaces. Both interfaces will have nearly only load in one direction.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • IPSEC Only starting from one side (Spoke side)

    Hi,
    I have a hub and spoke setup with IPSEC.
    If interesting traffic comes from the spoke, the IPSEC SA starts and works perfectly. However, once the link idles out and there is no more traffic, the hub shows this with the sh crypto isa sa command
    196.47.133.38   185.20.242.61   QM_IDLE           1017 ACTIVE
    sh cryp ips sa peer 196.47.133.38 shows nothing at all.
    I have checked my routing and NAT deny's to make sure that is not the issue.
    I then checked the crypto ACLs. When I send traffic, I see the crypto ACLs are incrementing correctly, but still the SA won't activate. If I look at the ipsec debug I also see nothing.
    I am using a dynamic map with each spoke end on its own ACL, as follows:
    crypto dynamic-map dynmap 5
    set peer 111.116.206.92
    set transform-set des-transform
    match address 171
    crypto dynamic-map dynmap 10
    set peer 111.47.132.38
    set transform-set des-transform
    match address 172
    crypto dynamic-map dynmap 15
    set peer 111.174.150.47
    set transform-set des-transform
    match address 173
    crypto dynamic-map dynmap 20
    set peer 111.166.108.250
    set transform-set des-transform
    match address 174
    crypto dynamic-map dynmap 100
    set transform-set des-transform
    match address 170
    c2800nm-adventerprisek9_ivs_li-mz.151-4.m6.bin on a 2811
    Any ideas?
    Thanks
    Alan

    Here you go Sachin
    Edge routers are 1801's
    Hub is a 2811
    Edge ACLs are a mirror of what is in the ACLs associated to each map line.
    As far as I can see the default route is correct and all the crypto traffic should not be NAT'd or go elsewhere, but hit po1.100 on the way out.
    Symptoms are that a person pinging from, say, 10.192.112.5 (spoke) to the dest 10.192.40.10 (hub) will work perfectly, but the same user 10.192.112.5 won't be able to ping 10.192.73.10 (spoke) or 10.192.113.5 (spoke).
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname c2811-test
    boot-start-marker
    boot system flash:/c2800nm-adventerprisek9_ivs_li-mz.151-4.m6.bin
    boot-end-marker
    no logging console
    aaa session-id common
    dot11 syslog
    no ip source-route
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1226746475
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1226746475
    revocation-check none
    rsakeypair TP-self-signed-1226746475
    crypto pki certificate chain TP-self-signed-1226746475
    certificate self-signed 01
            quit
    license udi pid CISCO2811 sn FCZ1047729M
    archive
    log config
      hidekeys
    redundancy
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key address 196.47.132.38
    crypto isakmp key address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10 10
    crypto isakmp nat keepalive 360
    crypto ipsec transform-set des-transform esp-des esp-md5-hmac
    crypto dynamic-map dynmap 100
    set transform-set des-transform
    match address 170
    crypto map dyntrans 10 ipsec-isakmp
    set peer 81.174.150.47
    set transform-set des-transform
    match address 173
    crypto map dyntrans 20 ipsec-isakmp
    set peer 196.47.132.38
    set transform-set des-transform
    set reverse-route tag 1
    match address 172
    crypto map dyntrans 30 ipsec-isakmp
    set peer 62.116.206.92
    set transform-set des-transform
    match address 171
    crypto map dyntrans 40 ipsec-isakmp
    set peer 95.166.108.250
    set transform-set des-transform
    match address 174
    crypto map dyntrans 50 ipsec-isakmp
    set peer 78.193.137.76
    set transform-set des-transform
    match address 175
    crypto map dyntrans 100 ipsec-isakmp dynamic dynmap
    interface Port-channel1
    no ip address
    hold-queue 150 in
    interface Port-channel1.8
    encapsulation dot1Q 8
    ip address 10.192.8.1 255.255.255.0
    interface Port-channel1.16
    encapsulation dot1Q 16
    ip address 10.192.16.1 255.255.255.0
    ip information-reply
    ip nat inside
    ip virtual-reassembly in
    interface Port-channel1.32
    encapsulation dot1Q 32
    ip address 10.192.32.1 255.255.255.0
    ip information-reply
    interface Port-channel1.40
    encapsulation dot1Q 40
    ip address 10.192.40.1 255.255.255.0
    ip information-reply
    ip nat inside
    ip virtual-reassembly in
    interface Port-channel1.100
    encapsulation dot1Q 100
    ip address 185.20.242.61 255.255.255.248
    ip access-group WORLD-IN in
    ip nat outside
    ip virtual-reassembly in
    crypto map dyntrans
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    channel-group 1
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    channel-group 1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 115 interface Loopback2 overload
    ip nat inside source list 116 interface Loopback0 overload
    ip nat inside source list 161 interface Port-channel1.100 overload
    ip nat inside source static tcp 10.192.16.11 25 185.20.242.50 25 extendable
    ip nat inside source static tcp 10.192.16.11 143 185.20.242.50 143 extendable
    ip nat inside source static tcp 10.192.16.11 993 185.20.242.50 993 extendable
    ip nat inside source static tcp 10.192.16.11 25 185.20.242.50 1025 extendable
    ip nat inside source static tcp 10.192.16.11 80 185.20.242.51 80 extendable
    ip nat inside source static tcp 10.192.16.11 443 185.20.242.51 443 extendable
    ip nat inside source static udp 10.192.16.2 5060 185.20.242.52 5060 extendable
    ip nat inside source static tcp 10.192.16.32 80 185.20.242.53 80 extendable
    ip nat inside source static tcp 10.192.16.31 8081 185.20.242.54 8081 extendable
    ip route 0.0.0.0 0.0.0.0 185.20.242.57
    ip route 185.20.242.32 255.255.255.240 185.20.242.58
    ip access-list standard OAM-IN
    permit 10.209.2.0 0.0.0.255 log
    permit 10.29.32.0 0.0.3.255
    permit 10.192.0.0 0.0.255.255 log
    ip access-list extended WORLD-IN
    remark General Stuff
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any ttl-exceeded
    permit icmp any any packet-too-big
    permit icmp any any traceroute
    permit icmp any any administratively-prohibited
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 255.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    remark Drop SMB/Netbios noise
    deny   tcp any any eq 445
    deny   tcp any any eq 137
    permit tcp any any established
    remark Nianet/TDC NTP servers
    permit udp host 83.136.89.6 any eq ntp
    permit udp host 83.136.89.4 any eq ntp
    permit udp host 193.162.159.194 any eq ntp
    remark Nianet DNS
    permit udp host 83.136.89.6 eq domain any
    permit udp host 83.136.89.4 eq domain any
    remark Any DNS to infon
    permit udp any eq domain host 185.20.242.61
    remark Services
    permit tcp any host 185.20.242.50 eq smtp
    permit tcp any host 185.20.242.50 eq 143
    permit tcp any host 185.20.242.50 eq 993
    permit tcp any host 185.20.242.51 eq www
    permit tcp any host 185.20.242.51 eq 443
    permit tcp any host 185.20.242.54 eq 8081
    permit esp host 62.116.206.92 host 185.20.242.61
    permit ip host 62.116.206.92 host 185.20.242.61
    permit esp host 81.174.150.47 host 185.20.242.61
    permit ip host 81.174.150.47 host 185.20.242.61
    permit ip host 92.26.172.37 host 185.20.242.61
    permit esp host 92.26.172.37 host 185.20.242.61
    permit ip 78.147.0.0 0.0.255.255 host 185.20.242.61
    permit ip host 78.193.137.76 host 185.20.242.61
    permit esp 78.147.0.0 0.0.255.255 host 185.20.242.61
    permit ip host 95.166.108.250 host 185.20.242.61
    permit esp host 95.166.108.250 host 185.20.242.61
    permit ip host 78.147.99.41 host 185.20.242.61
    permit tcp any host 185.20.242.61 eq 443
    permit udp any host 185.20.242.61 eq netbios-ns
    permit ip host 79.170.187.234 host 185.20.242.55
    permit tcp any host 185.20.242.61 eq 1723
    permit gre any host 185.20.242.61
    permit udp host 194.247.61.32 host 185.20.242.52
    permit udp host 194.247.61.31 host 185.20.242.52
    permit udp 62.41.83.0 0.0.0.255 host 185.20.242.52
    permit udp 77.72.168.0 0.0.0.255 host 185.20.242.52
    permit udp 77.192.32.0 0.0.0.255 host 185.20.242.52
    permit udp 80.239.235.0 0.0.0.255 host 185.20.242.52
    permit udp 194.120.0.0 0.0.0.255 host 185.20.242.52
    permit udp 195.219.64.0 0.0.0.255 host 185.20.242.52
    permit udp 203.192.180.224 0.0.0.15 host 185.20.242.52
    permit udp 208.176.230.112 0.0.0.15 host 185.20.242.52
    permit tcp any host 185.20.242.50 eq 1025
    permit tcp any host 185.20.242.53 eq www
    permit udp any eq non500-isakmp host 185.20.242.61 eq non500-isakmp
    permit udp any eq isakmp host 185.20.242.61 eq isakmp
    permit esp any host 185.20.242.61
    deny   ip any any log
    access-list 1 permit 196.47.132.38
    access-list 15 permit 10.192.16.2
    access-list 80 permit 10.192.69.0 0.0.0.255
    access-list 115 deny   ip host 10.192.16.2 10.192.0.0 0.0.255.255
    access-list 115 permit ip host 10.192.16.2 any
    access-list 116 permit tcp 10.192.0.0 0.0.255.255 any eq smtp
    access-list 161 deny   ip any 10.0.0.0 0.255.255.255
    access-list 161 permit ip 10.192.40.0 0.0.0.255 any
    access-list 161 permit ip 10.192.16.0 0.0.0.255 any
    access-list 170 permit ip 10.209.0.0 0.0.255.255 10.192.72.0 0.0.3.255
    access-list 170 permit ip 10.209.0.0 0.0.255.255 10.192.112.0 0.0.15.255
    access-list 170 permit ip 10.192.0.0 0.0.63.255 10.192.72.0 0.0.3.255
    access-list 170 permit ip 10.192.0.0 0.0.63.255 10.192.112.0 0.0.15.255
    access-list 170 permit ip 10.192.72.0 0.0.7.255 10.192.112.0 0.0.15.255
    access-list 170 permit ip 10.192.112.0 0.0.15.255 10.192.72.0 0.0.3.255
    access-list 171 permit ip 10.209.0.0 0.0.255.255 10.192.72.0 0.0.3.255
    access-list 171 permit ip 10.192.0.0 0.0.63.255 10.192.72.0 0.0.3.255
    access-list 171 permit ip 10.192.64.0 0.0.31.255 10.192.72.0 0.0.3.255
    access-list 171 permit ip 10.192.112.0 0.0.15.255 10.192.72.0 0.0.3.255
    access-list 171 permit ip 10.192.128.0 0.0.15.255 10.192.72.0 0.0.3.255
    access-list 172 permit ip 10.192.0.0 0.0.63.255 10.192.128.0 0.0.0.63
    access-list 172 permit ip 10.192.112.0 0.0.15.255 10.192.128.0 0.0.0.63
    access-list 172 permit ip 10.192.72.0 0.0.7.255 10.192.128.0 0.0.0.63
    access-list 172 permit ip 10.209.2.0 0.0.0.255 10.192.128.0 0.0.0.63
    access-list 173 permit ip 10.192.0.0 0.0.63.255 10.192.112.64 0.0.0.63
    access-list 173 permit ip 10.192.64.0 0.0.31.255 10.192.112.64 0.0.0.63
    access-list 173 permit ip 10.192.112.0 0.0.15.255 10.192.112.64 0.0.0.63
    access-list 173 permit ip 10.192.128.0 0.0.15.255 10.192.112.64 0.0.0.63
    access-list 173 permit ip 10.209.0.0 0.0.255.255 10.192.112.64 0.0.0.63
    access-list 174 permit ip 10.192.0.0 0.0.63.255 10.192.112.0 0.0.0.63
    access-list 174 permit ip 10.192.64.0 0.0.31.255 10.192.112.0 0.0.0.63
    access-list 174 permit ip 10.192.112.0 0.0.15.255 10.192.112.0 0.0.0.63
    access-list 174 permit ip 10.192.128.0 0.0.15.255 10.192.112.0 0.0.0.63
    access-list 174 permit ip 10.209.0.0 0.0.255.255 10.192.112.0 0.0.0.63
    access-list 175 permit ip 10.192.0.0 0.0.63.255 10.192.113.64 0.0.0.63
    access-list 175 permit ip 10.192.64.0 0.0.31.255 10.192.113.64 0.0.0.63
    access-list 175 permit ip 10.192.112.0 0.0.15.255 10.192.113.64 0.0.0.63
    access-list 175 permit ip 10.192.128.0 0.0.15.255 10.192.113.64 0.0.0.63
    access-list 175 permit ip 10.209.0.0 0.0.255.255 10.192.113.64 0.0.0.63
    access-list 185 permit udp any any eq 1813
    access-list 185 permit udp any any eq 1646
    nls resp-timeout 1
    cpd cr-id 1
    control-plane
    bridge 1 protocol ieee
    mgcp profile default
    gatekeeper
    shutdown
    line con 0
    line aux 0
    line vty 0 4
    access-class OAM-IN in
    password hasldfhohdsah
    transport input all
    scheduler allocate 20000 1000
    ntp master
    ntp server 193.162.159.194
    c2811-test#

  • DMVPN without NHRP

    Hi all,
    The scenario I'm trying to solve is for a managed internet access product we are building whereby we want to roll out the 867VAE on a mass scale to smaller sites.
    For every one of our customers at present we have them all on a full DMVPN with spoke to spoke firewalled except from internal networks (so we can see our customers from multiple sites, but customers can't see each other).
    The 867VAE does not support DMVPN though, but we still need a simple remote access/management solution.
    My thinking is:
    Head End
    1. Create mGRE interface with NO NHRP but still enable encryption
    2. Enable RIP (only choice on 867VAE)
    867VAE CPE:
    1. Create PtP GRE interface with encryption and RIP.
    Before I spend hours testing this - can anyone see a reason why it wouldn't work?
    Our requirement here is that we want full visibility of the customer's network (PCs/servers) so it needs encryption, but we are not running voice over this or anything that would need the full DMVPN features.
    Thanks,
    Scott

    Scott,
    Probably not the only options but here goes.
    NHRP registration is the way hub learns how to get to spoke, i.e. this tunnel address is hidden behind this public ip.
    The alternative is to use static mappings on hub or p2p interfaces on hub sides (provided there is no dynamic IP address).
    And if different solutions are an option:
    1) if 867 supports IKEv2/FlexVPN you should be able to push routing information via IKE/IPsec and not have registration problem.
    2) similar to 1) but in IKEv1 world - SVTI-DVTI solution.
    HTH,
    Marcin
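Marcin's static-mapping alternative spelled out as an added example (not from the thread, nor a Cisco reference config), assuming constructed addresses 203.0.113.1 (hub public), 198.51.100.10 (spoke public, which must be static as Marcin notes), tunnel subnet 10.255.0.0/24 and a 192.168.100.0/24 customer LAN: the hub keeps one mGRE interface but learns the spoke's public IP from a static ip nhrp map instead of NHRP registration, and the 867VAE runs a p2p GRE tunnel with no NHRP commands at all.

```cisco
! Head end: mGRE with static NHRP maps, no registration (added example,
! constructed addresses: hub public 203.0.113.1, spoke public 198.51.100.10)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key SPOKE1-KEY address 198.51.100.10
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set AES256_SHA
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ! static map does the job of NHRP registration: tunnel IP -> public IP
 ip nhrp map 10.255.0.10 198.51.100.10
 ! needed so RIPv2 (224.0.0.9) reaches the spoke over the mGRE interface
 ip nhrp map multicast 198.51.100.10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile GRE-PROT
!
! split horizon left on (default): the hub does not re-advertise one
! customer's routes to another, matching the spoke-to-spoke isolation
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
! 867VAE spoke: plain p2p GRE, no NHRP commands at all
! (same isakmp policy, transform-set and ipsec profile as the hub, with
!  crypto isakmp key SPOKE1-KEY address 203.0.113.1)
interface Tunnel0
 ip address 10.255.0.10 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.100.0
 no auto-summary
```

Each additional spoke needs its own pair of ip nhrp map lines and its own pre-shared key on the hub, which is the trade-off against registration-based DMVPN.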

  • Help! My 2691xm router is deaf to ISAKMP

    Hello.
    I am trying to set up a DMVPN.
    The setup is the following:
    1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin
    2691xm is a hub - c2691-advsecurityk9-mz.124-15.T14.bin
    As I stated in the title, my clients' 2691xm router is deaf to ISAKMP. It is configured as a hub for DMVPN, and doesn't show that it is receiving anything VPN-related. The 1751-V on the other hand is very noisy, sending out a lot of IKE requests to the 2691xm.
    I made the 1751-V talk to my home's 1751-V with a slightly modified version of the 2691xm's config without any problems. I didn't get access through the VPN quite yet, but they at least got through ISAKMP.
    I turned on "debug dmvpn all all" and "term mon", and I get NO output from the 2691xm.
    I also get nothing from "show crypto isakmp sa".
    I thought the traffic might be blocked by the ISP. I called and asked, and it isn't.
    I thought the traffic might be stopped at the firewall, so I set the relevant ports to log traffic as evident in the next paste.
    router-1#show access-list INTERNET_IN
    Extended IP access list INTERNET_IN
        70 permit udp any any eq isakmp log (2576 matches)
        80 permit gre any any log
        90 permit esp any any log
    So I AM getting traffic through to the router, but my router isn't reacting to it?
    Below are snippets of relevant configs.
    HUB:
    Internet: int fa0/1 - T1 w/ static IP through ethernet
    LAN : int fa0/0 - lan 192.168.20.1
    ip multicast-routing
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key ABCD address 0.0.0.0 no-xauth
    crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile PROFILE_1
    set security-association lifetime seconds 600
    set transform-set TRANSFORM_1
    set pfs group2
    interface Tunnel0
    ip pim sparse-mode
    bandwidth 1536
    ip address 10.0.20.20 255.255.255.0
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source fa0/1
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp authentication ABCD
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    no ip split-horizon eigrp 1
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.20.0 0.0.0.255
    no auto-summary
    ip access-list extended NAT_TRAFFIC
    deny  ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
    permit ip 192.168.20.0 0.0.0.255 any
    route-map NONAT permit 10
    match ip address NAT_TRAFFIC
    ip nat inside source route-map NONAT interface fa0/1 overload
    SPOKE:
    Internet: int dialer0 - DSL, PPPoE, DHCP
    LAN : int vlan0 - 192.168.22.1
    ip multicast-routing
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key ABCD address 0.0.0.0 no-xauth
    crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile PROFILE_1
    set security-association lifetime seconds 600
    set transform-set TRANSFORM_1
    set pfs group2
    interface Tunnel0
    ip pim sparse-mode
    bandwidth 1536
    ip address 10.0.20.22 255.255.255.0
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source d0
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    ip nhrp map 10.0.20.20 2691_WAN_IP
    ip nhrp map multicast 2691_WAN_IP
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp nhs 10.0.20.20
    ip nhrp authentication ABCD
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    no ip split-horizon eigrp 1
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.22.0 0.0.0.255
    no auto-summary
    eigrp stub connected
    ip access-list extended NAT_TRAFFIC
    deny  ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
    permit ip 192.168.22.0 0.0.0.255 any
    route-map NONAT permit 10
    match ip address NAT_TRAFFIC
    ip nat inside source route-map NONAT interface Dialer0 overload
    As I previously said, 2691xm DOES NOT REACT. Only thing I have been able to determine is the router DOES NOT block traffic on port 500 UDP.
    Here is some output from 1751-v (spoke router).
    ISAKMP: set new node 0 to QM_IDLE
    ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
    ISAKMP: Error while processing SA request: Failed to initialize SA
    ISAKMP: Error while processing KMI message 0, error 2.
    ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    router-1#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst            src            state          conn-id slot status
    2691_WAN_IP    1751_WAN_IP MM_NO_STATE          0    0 ACTIVE
    2691_WAN_IP    1751_WAN_IP MM_NO_STATE          0    0 ACTIVE (deleted)
    The 1751-v works with another 1751-v (to an extent), just not the 2691xm I need it to work with.
    Please help as this is driving me CRAZY!!!!
    I would appreciate ANY suggestions/comments/criticisms/hypotheses/requests/ANYTHING!!!!
    -Vittorio

    Here is the requested information:
    interface Tunnel0
    bandwidth 1536
    ip address 10.0.20.20 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    ip pim sparse-mode
    ip nhrp authentication ABADCADS
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    tunnel source FastEthernet0/1
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    interface FastEthernet0/1
    ip address INTERNET_ADDRESS 255.255.255.248
    ip access-group INTERNET_IN in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.20.0
    no auto-summary
    ip access-list extended INTERNET_IN
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit tcp any any established
    permit udp any eq domain any
    permit udp any any eq ntp
    permit udp any any eq isakmp log
    permit gre any any log
    permit esp any any log
    permit udp any eq ntp any
    permit tcp any any eq 22
    deny   ip any any log-input
    ip access-list extended NAT_TRAFFIC
    deny   ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny   ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
    permit ip 192.168.20.0 0.0.0.255 any
    ip nat inside source route-map NONAT interface FastEthernet0/1 overload
    Thank you, please tell me if you need anything else
    -Vittorio
