FlexVPN Spoke to Spoke issues
Config:
Hub:
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
Spokes:
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
Hub-Spoke works perfectly.
When pinging from a spoke to another spoke's LAN IP, the router misses one ping, returns one or two, then misses all other pings until the next reload (clear crypto session does not reset it fully). The spoke used to ping will bring up a Virtual-Access interface, then immediately bring up a second Virtual-Access interface, and then an invalid SPI is shown (authentication is identical).
Unfortunately, the issue is not always consistent. Sometimes, after a reload on all routers, one router will retain the ability to ping, other times no routers can ping. Here is an example:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x,
prot=50, spi=0xE4981ED6(3835174614), srcaddr=x.x.x.x, input interface=Dialer0...
Success rate is 40 percent (2/5), round-trip min/avg/max = 96/100/104 ms
Thanks for any help
John,
The error means that no matching SPI was found for inbound encrypted traffic on that ingress interface.
Is that your interface towards the ISP? If so, and the SPI actually exists in your SADB, then somehow it is not associated properly.
When/if opening a case please attach:
- show crypto ipsec sa
- show crypto map
(taken ideally before and after trying to do spoke-to-spoke tunnel)
I found a reference to a similar problem in our archive, but the customer became unresponsive after a while and no resolution was provided.
One thing you CAN try is to go to 15.2.4M-latest and see if the problem persists.
M.
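As an added example (not code from the thread or from Cisco), a small Python triage script that does the cross-check M. describes: it parses %CRYPTO-4-RECVD_PKT_INV_SPI messages, pulls the inbound ESP SPIs out of "show crypto ipsec sa" output, and reports whether each rejected SPI is absent from the SADB, present but bound to a different peer, or present for that very peer (the "not associated properly" case). The log lines, addresses and SA output below are constructed samples.

```python
import re

# Pattern for the %CRYPTO-4-RECVD_PKT_INV_SPI message quoted in the thread.
# IOS wraps it after "destaddr=...," on a narrow console, so records are
# re-joined before matching.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
    r"for destaddr=(?P<dst>[0-9.]+),\s*prot=(?P<prot>\d+),\s*"
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\),\s*srcaddr=(?P<src>[0-9.]+),\s*"
    r"input interface=(?P<ifname>[A-Za-z0-9/.-]+)"
)
# A record starts with an IOS timestamp such as "Dec 21 19:38:20.793:".
TS_RE = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")


def join_wrapped(lines):
    """Glue console-wrapped continuation lines back onto their syslog record."""
    records = []
    for line in lines:
        if TS_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_inv_spi_events(log_text):
    """One dict per invalid-SPI event: src, dst, spi (upper-case hex), ifname."""
    events = []
    for rec in join_wrapped(log_text.splitlines()):
        m = INV_SPI_RE.search(rec)
        if m:
            events.append({"src": m["src"], "dst": m["dst"],
                           "spi": m["spi"].upper(), "ifname": m["ifname"]})
    return events


def parse_inbound_esp_sas(show_text):
    """Map every inbound ESP SPI in 'show crypto ipsec sa' to (interface, peer)."""
    sadb, iface, peer, in_inbound_esp = {}, None, None, False
    for line in show_text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface = s.split(":", 1)[1].strip()
        elif s.startswith("current_peer"):
            peer = s.split()[1]
        elif s.endswith("sas:"):  # inbound/outbound esp/ah/pcp section headers
            in_inbound_esp = s.startswith("inbound esp")
        elif in_inbound_esp and s.startswith("spi:"):
            sadb[re.match(r"spi: 0x([0-9A-Fa-f]+)", s)[1].upper()] = (iface, peer)
    return sadb


def classify(event, sadb):
    """'missing'   : no inbound SA carries that SPI (peer still sends on an SA this
                     side no longer has, e.g. after a clear/rekey that did not line up)
       'wrong-peer': the SPI exists but belongs to another peer
       'present'   : the SPI exists for that very peer, yet ingress lookup failed"""
    hit = sadb.get(event["spi"])
    if hit is None:
        return "missing"
    return "present" if hit[1] == event["src"] else "wrong-peer"


def triage(log_text, show_text):
    sadb = parse_inbound_esp_sas(show_text)
    return [(e["spi"], e["src"], e["ifname"], classify(e, sadb))
            for e in parse_inv_spi_events(log_text)]


# Constructed sample input (RFC 5737 addresses; hub is 203.0.113.10 on Dialer0).
SAMPLE_LOG = """\
Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10,
prot=50, spi=0xE4981ED6(3835174614), srcaddr=198.51.100.5, input interface=Dialer0
Dec 21 19:38:22.801: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10,
prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7, input interface=Dialer0
Dec 21 19:38:24.805: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10,
prot=50, spi=0x0BADF00D(195948557), srcaddr=198.51.100.9, input interface=Dialer0
"""

SAMPLE_SA = """\
interface: Virtual-Access2
   current_peer 198.51.100.7 port 500
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-gcm ,
     inbound ah sas:
     outbound esp sas:
      spi: 0x5E6F7081(1584361601)
interface: Tunnel0
   current_peer 198.51.100.1 port 500
     inbound esp sas:
      spi: 0x0BADF00D(195948557)
     outbound esp sas:
      spi: 0x7777AAAA(2004331178)
"""

if __name__ == "__main__":
    for spi, src, ifname, verdict in triage(SAMPLE_LOG, SAMPLE_SA):
        print(f"spi 0x{spi} from {src} on {ifname}: {verdict}")
```

Feed it the syslog and the "show crypto ipsec sa" captured before and after the spoke-to-spoke attempt, as the reply asks for; a SPI that flips from "present" to "missing" between the two captures points at the SA being torn down on this side only.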
Similar Messages
-
FlexVPN Spoke-to-Spoke Routing Override Loop
I have a Spoke Router; this Router has a route to inside 192.168.1.0 255.255.255.0 with next hop 10.1.1.1 (10.1.1.0/29 is the transfer network):
ip route 192.168.1.0 255.255.255.0 10.1.1.1
After activating FlexVPN I get the routing override; the route then becomes 192.168.1.0 255.255.255.0 Tunnel0 in the Spoke Router. I lose the right route, and I get a loop from the Center to 192.168.1.0.
How can I make the Spoke Router ignore the route to itself that it receives from the Center?
One way would be to increase the distance of routes received from the hub.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r2.html#wp1846954161
-
Info Spoke - Issue with Data increasing by factor (X) for selection
We have created an Info Spoke for our Special Ledger Cube which is extracting from a summary 'Z' table. We are doing full loads and re-loads and not utilizing a delta. The spoke is used to create a flat file containing beginning balance and ending balance(s) to be fed to a third party Tax System. When we enter the selection criteria to run the spoke for Posting period (0FISCPER3) we are entering a value from 0 to 9. The beginning balance comes in fine, but the ending balance is the beginning balance multiplied by a factor of 10.
If I just enter one criteria for date say period 12, it will bring in the ending balance increase by a similar factor.
This is a full reload every time. What is the obvious thing I am missing here?
Anyone ?
Thanx,
JMM
That is the way a spoke works, in selection parameters.
-
FlexVPN Cannot Ping From Spoke LAN only
Topology:
Hub:
(hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP
Spoke:
(hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP
I have full reachability from both routers.
Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0
Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1
Partial reachability from lan hosts
Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)
Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24
Any help would be appreciated
We've been working with these confs for a while, so they aren't as clean as they could be, but here they are
---HUB---
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname HUB
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
server-private 10.0.1.15 key xxxxx
aaa authentication login default local
aaa authentication login xxxxxVPN_VPN_XAUTH local
aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
aaa authorization exec default local
aaa authorization network default local
aaa authorization network xxxxxVPN_VPN_GROUP local
aaa authorization network FLEXVPN_AUTH-Z_LIST local
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
ip cef
no ip bootp server
ip domain name xxxxx.net
ip name-server 166.102.165.13
ip name-server 166.102.165.11
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group VPN_GROUP
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
crypto pki trustpoint FLEXVPN_RA_TP
enrollment terminal
serial-number none
fqdn vpn.xxxxx.net
ip-address none
subject-name cn=vpn.xxxxx.net
revocation-check crl
eckeypair FLEXVPN_RA_TP-Key
crypto pki certificate chain FLEXVPN_RA_TP
certificate 460000.. nvram:xxxxx#2.cer
certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
license udi pid CISCO1921/K9 sn xxxxx
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
redundancy
crypto ikev2 authorization policy default
pool FLEX_SPOKES_POOL
route set interface
crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
pool FLEXVPN_RA_POOL
dns 10.0.1.15
netmask 255.255.255.0
def-domain xxxxx.net
route set access-list FLEXVPN_RA_ACL
crypto ikev2 proposal SHA1-only
encryption aes-cbc-256
integrity sha1
group 5
crypto ikev2 policy SHA1-only
match fvrf any
proposal SHA1-only
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
match identity remote key-id xxxxx.net
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint FLEXVPN_RA_TP
dpd 60 2 on-demand
aaa authentication eap FLEXVPN_AUTH-C_LIST
aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
virtual-template 10
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto logging session
crypto isakmp client configuration group xxxxxVPN
key xxxxx
pool xxxxxVPN_POOL
acl xxxxxVPN_ACL
netmask 255.255.255.0
crypto isakmp profile xxxxxVPN_IKE_PROFILE
match identity group xxxxxVPN
client authentication list xxxxxVPN_VPN_XAUTH
isakmp authorization list xxxxxVPN_VPN_GROUP
client configuration address respond
virtual-template 100
crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
set transform-set xxxxxVPN_SET
set isakmp-profile xxxxxVPN_IKE_PROFILE
crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback100
ip address 172.31.100.1 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface Virtual-Template10 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
interface Dialer0
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password xxxxx
ppp pap sent-username [email protected] password xxxxx
no cdp enable
router eigrp 1
distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
network 10.0.1.0 0.0.0.255
network 172.30.200.0 0.0.0.255
network 172.31.100.1 0.0.0.0
passive-interface GigabitEthernet0/0
ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.30.200.0 255.255.255.0 Null0
ip access-list standard FLEXVPN_RA_ACL
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 10.0.4.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.200.0 0.0.0.255
permit 172.31.254.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
ip access-list extended xxxxxVPN_ACL
permit ip 172.30.255.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any
permit ip 172.31.254.0 0.0.0.255 any
ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
access-list 1 permit 10.0.1.0 0.0.0.255
route-map EIGRP_SUMMARY_RMAP permit 10
match ip address prefix-list EIGRP_SUMMARY_PFLIST
control-plane
banner motd Cxxxxx
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
line vty 5 15
transport input all
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org prefer
end
---SPOKE---
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SPOKE
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
no ip bootp server
ip domain name xxxxx.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
license udi pid CISCO881-SEC-K9 sn FTX1740854N
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
crypto ikev2 authorization policy default
route set interface
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback101
ip address 172.31.101.3 255.255.255.255
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address dhcp
no ip unreachables
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
interface Vlan1
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.1.15
no ip unreachables
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip access-list standard INTERNET_BOUND_ACL
permit 10.0.3.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.255.0 0.0.0.255
permit 172.31.100.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 172.30.200.0 0.0.0.255
access-list 99 permit 10.0.3.0
control-plane
banner motd xxxxx
line con 0
no modem enable
line aux 0
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
ntp update-calendar
ntp server 0.pool.ntp.org prefer
ntp server 1.pool.ntp.org
end
-
Authorization issue in Info spoke
Hi all,
I am facing some authorization issue when executing info spoke in process chain.
Info spoke is working fine in direct Scheduling (both background and Dialog).
Am getting this error after execution of process chain
"System error: RSDRC / FORM AUTHORITY_CHECK RSDRC / FORM AUTHORITY_CHECK R"
"System error: RSDRC / FUNC RSDRC_BASIC_CUBE_DATA_GET RSDRC / FUNC RSDRC_B"
"System error: RSDRC / FORM DATA_GET RSDRC / FORM DATA_GET RSDRC / FORM DA"
"Extraction Cube : Error in DataManager API".
I don't know why this problem comes.
Can anyone tell me what went wrong and how to solve it?
Thanks in advance.
Kind regards,
Shanbagavalli.S
Hi All,
The above issue occurs due to a # character at the end of the text (e.g. ljdfsaa##). After removing the # characters from the text, the issue got resolved.
Thanks,
Manjunatha
-
DMVPN split tunneling issue, not able to bypass http traffic at spoke end.
Dear all,
I would appreciate please help me out to resolve following issue.
I have been using a DMVPN setup (routing protocol EIGRP) for 20 sites with no issues at all; everything is working perfectly.
Now I have received a request to split corporate legitimate traffic and internet traffic at the spoke end, so all internet traffic has to be forwarded via the local ADSL connection. I tried to resolve it, but the spoke router keeps forwarding all traffic to the tunnel.
Moreover, I found on the internet that DMVPN has a limitation that split tunneling is not possible.
Can you please suggest how I can forward internet traffic (HTTP) via the local ADSL connection?
Thanks and regards,
I agree with Marcin.
At the spoke you would need to add a static default route for the internet traffic. You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric. Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN you could leave the EIGRP default route and use it as a backup in case the ADSL goes down. But if they are both located off the same interface then there is no point in keeping the injected default route.
Please remember to rate and select a correct answer
-
I've tried
1.1
1.2
1.3
1.42
Come on MSI, give me a fighting chance :(
Here is the last thing I received from MSI tech support. I'll give them this much, they are much more responsive than VIA or AOpen ever were when I first got my flaky MVP3 board...lol. I hope they can figure this problem out!
Quote
So far in our own testing, we have not found any High CPU Temperature issues.
We have gone through the threads you have provided to us and we will co-work with AMD to see if anything needs to be updated from our side with the New Castle Core.
Once again, MSI appreciates all the findings/reports you have provided to us and we will update you once there is any findings becomes available.
Sincerely,
Technical Support Division
MSI Computer Corp.
http://www.msicomputer.com
MSI - Beyond Expectations!
1-626-913-0828
1-626-581-7721 Fax
Due to high volume of cases daily, we may not be able to answer question promptly. Please kindly provide your name, phone number, model number, state in which you are calling from, a brief description of your problems, and we will try to reply your issue as promptly as possible. Thanks
The information transmitted is intended only for the person or entity to which it is addressed and contained confidential and privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient are prohibited. If you receive this in error, please contact the sender and delete the material from any computer.
-----Original Message-----
From: my email deleted
Sent: Friday, August 06, 2004 8:51 AM
To: [email protected]
Subject: RE: 3 -- Customer Problem Description Form
I know you guys think you fixed the Newcastle temperature problem. But there are still a LOT of us out here who are having trouble, using latest BIOS. People are reporting this all over the MSI forums. The behavior is as follows, flashing the BIOS might help initially, but soon after the temp shoots way back up.
Please see the following threads:
Temps and BIOS 1.42
ggrrrrr, is there any that bios that fixes the temp issue? [solved]..spoke too soon [NOT SOLVED]
Possible fix for CPU temp problem found.
The same old problem with temperatures (K8N Neo Platinum)
K8N Neo Temps :(
-
Routing issue for remote vpn user and spoke
Hi all,
I have configured VPN (see attached file).
Before upgrading the ASA from 8.3 to 8.4, the SPOKES were able to communicate between them, and remote VPN users were also able to access the spoke sites.
After upgrading the ASA HUB, neither spoke-to-spoke nor remote-user-to-spoke can communicate.
Here is the NAT exemption configuration on the ASA HUB. Only this ASA has been upgraded; nothing has been done on the other sites.
object network 172.17.8.0
subnet 172.17.8.0 255.255.255.0
object network 10.100.96.0
subnet 10.100.96.0 255.255.240.0
object network VPN-SUBNET
subnet 172.20.1.0 255.255.255.0
nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
same-security traffic permit intra-interface
same-security traffic permit inter-interface
Please do you know what can be the problem ?
Thanks so much for your help
Since you are not NATing any of that traffic and it's u-turn traffic, pls remove those 4 NAT statements. They are not required at all.
Pls "clear xlate" after removing it and let us know how it goes.
-
Facetime will not connect - Anyone spoken to Apple regarding the Facetime issue fix
Day four and still not able to connect with Facetime. Has anyone spoken to Apple regarding the status of the fix?
No...actually I have an iPad Air and my mother has an iPad 2. I cannot connect to her on Facebook. I did not catch what device it was showing when I started the discussion. The problem started on Thursday and when you call her iPad 2, it rings and tries to connect but NO luck. She has iOS 6 on her device. It's as if Apple flipped a switch and stopped allowing some iOS devices to connect via Facetime. I can connect with other iOS devices with my iPad Air.
-
Hub and spoke VPN issue - probably simple
Hello,
I setup a Hub & Spoke VPN configuration as a temporary solution to get phones working at a client with 5 Sites.
Site A: HQ and main PBX System - Cisco ASA 5520
Sites B-E: Remote Sites with PBX systems with ASA 5505's
I configured my crypto access-lists to allow all interesting traffic to/from all sites, and it's working for the most part.
Refer to this short discussion for further reference
https://supportforums.cisco.com/message/4162268#4162268
Recently the customer started saying sometimes the call forwarding between sites isn't working correctly. Upon further testing, it seems that you have to ping to/from both ends of the Spokes before traffic will start passing through properly.
E.g.
Site B wants to talk to Site C
I need to initiate a ping on Site B to Site C which fails
Initiate a ping on Site C to Site B and the first packet drops, then the rest go through
Initiate Ping on Site B to Site C and all works just fine.
Traffic going to/from Site A to/from any remote site (Sites B-E) works fine 100% of the time.
This is happening for all remote sites. When traffic has been initiated on both ends, it works just fine, but after a specific timeout it appears to stop working.
Probably something simple I'm missing. Any help is greatly appreciated.
(Also, kind of silly but I realize that I didn't need same-security-traffic on each spoke, correct?)
The purpose of doing VPN is that you want 2 or more different networks to seamlessly become like 1 common network. Your class B network 192.168.0.0 and class C network 192.168.10.0 are in the same network since both are in the 192.168.x.x network. Try to consider changing the Class B network into 192.169.0.0, or you can change the Class C network into 192.169.10.0.
-
BPEL 10.1.2 hub-and-spoke or distributed architecture?
Hi,
I'm currently wrestling with the following question:
An ESB as per definition of e.g. Forrester should be capable of supporting a distributed bus architecture. From my understanding this distributed bus architecture is achieved by installing some sort of ESB component(s) on all machines that are participating in this infrastructure, together forming a ‘bus’.
As I understand the BPEL 10.1.2 product basically offers two categories of functionality: orchestration and integration. Does this integration part offer ESB alike functionality and more specific allows for a distributed bus architecture? As far as I can see the BPEL 10.1.2 offers limited ESB alike functionality and only supports a hub-and-spoke architecture.
Other threads in this forum talk about using BPEL 10.1.2 together with InterConnect in order to foresee in ESB functionality. What does InterConnect add to the BPEL 10.1.2 integration functionality?
As of SOA suite 10.1.3 these products have been split up into a BPEL product and an ESB product. Is the ESB product in SOA suite 10.1.3 a combination of the integration from BPEL 10.1.2 and InterConnect? Is this new ESB product able to support a distributed architecture?
I’m very much in favor of a distributed architecture compared to hub-and-spoke, as hub-and-spoke requires a very solid and redundant system that is going to handling all message traffic and other functions. When moving towards a SOA giving an ESB a back-bone role, I’m not very keen on introducing a single system that should actually make up this ESB. Distributed would mean all machines are taking care of some basic functions resulting in a fully functional ESB, even when one or more machines are down.
Am I making sense with this? I would like to know how others are looking at these topics.
Regards,
Gershon Janssen
We are struggling with this issue too. The "all-pervasive" vision of the ESB visionaries, in my opinion, means that every node in my enterprise architecture should have access to the bus and I should be able to orchestrate anything that is running on any node in my architecture. We were told to think of an ESB as the equivalent of the hardware bus in computers. From that perspective I thought that:
(1) BPEL and ESB functions would add a marginal increment to the licensing cost of an app server - I should be able to afford an "all-pervasive" architecture.
(2) BPEL and ESB functions would add a "marginal increment" to the memory and resource foot-print. Again, I should be able to afford an "all-pervasive" architecture.
Are these two satisfied by Oracle's products ? Some vendors don't seem to support the above two. In that case there is a disconnect between the marketing and technology departments of the vendors. What am I missing ?
If BPEL engines and ESBs are priced very high, based on economics we will end up with a hub-and-spoke model.
Thanks
-
DMVPN Hub and Spoke behind NAT device
Hi All,
I have seen many documents stating about DMVPN Hub behind NAT or DMVPN Spoke behind NAT.
But my case involves both situations.
1) HUB have a Load Balancer (2 WAN Link) ISP A & B
2) Spoke have Load Balancer (2 WAN Link) ISP A & B
Now the requirement is Spoke ISP A tunnel to HUB ISP A, and Spoke ISP B tunnel to HUB ISP B.
So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the Spoke ISP A link, and the HUB ISP B IP via the Spoke ISP B link.
HUB and Spoke have to create 2 tunnels with two different network IDs but using the same source interface.
The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.
Any problems I will face with this setup? Any guide?
Sample config at HUB.
interface Tunnel0
bandwidth 1000
ip address 172.16.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.1 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 600
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile cisco
Spoke Config
interface Tunnel0
bandwidth 1000
ip address 172.16.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.16.1.1 199.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 172.16.1.1
delay 1000
tunnel source FastEthernet0/0
tunnel destination 199.1.1.1
tunnel key 0
tunnel protection ipsec profile cisco
interface Tunnel1
bandwidth 1000
ip address 172.17.1.2 255.255.255.0
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.17.1.1 200.1.1.1
ip nhrp network-id 2
ip nhrp holdtime 300
ip nhrp nhs 172.17.1.1
delay 1500
tunnel source FastEthernet0/0
tunnel destination 200.1.1.1
tunnel key 1
tunnel protection ipsec profile cisco
Hi Marcin,
thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, i did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that, did not work and it has to with NAT and AH. Traffic was no longer NATed so the hub, saw the traffic come from 2.2.2.2 rather than 3.3.3.3, you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and i started troubleshooting it. I did not understand that AH can't be NATed, Below is TAC's explanation. All is good now. Thanks
. Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT." -
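As an added illustration of TAC's explanation above (not code from the thread or from Cisco), the following Python builds minimal transport-mode AH and ESP packets, lets a NAT device rewrite the outer source address the way the spoke's NAT did (2.2.2.2 becoming 3.3.3.3), and shows that only the AH integrity check breaks, while a plain router hop that only touches TTL and checksum does not. The hub address 203.0.113.1, the key and the payload are constructed; ESP is shown with a NULL cipher so that only the scope of the integrity check differs.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO, ESP_PROTO, GRE_PROTO = 51, 50, 47
ICV_LEN = 12  # HMAC-SHA1-96 truncation, used for both AH and ESP here


def ip_checksum(hdr):
    """Ones'-complement IPv4 header checksum; the checksum field must be zero."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """RFC 4302 3.3.3.1: ToS/DSCP/ECN, flags + fragment offset, TTL and checksum
    count as zero for the AH ICV; the addresses, protocol and length do NOT."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_encapsulate(key, src, dst, spi, seq, payload):
    """AH: the ICV is computed over the (immutable part of the) outer IP header."""
    ah_hdr = struct.pack("!BBHII", GRE_PROTO, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    icv = hmac.new(key, zero_mutable(ip) + ah_hdr + bytes(ICV_LEN) + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_hdr + icv + payload


def ah_verify(key, packet):
    ip, ah_hdr = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expect = hmac.new(key, zero_mutable(ip) + ah_hdr + bytes(ICV_LEN) + payload,
                      hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)


def esp_encapsulate(key, src, dst, spi, seq, payload):
    """ESP (NULL cipher, integrity only): the ICV starts at the ESP header and
    never covers the outer IP header."""
    body = struct.pack("!II", spi, seq) + payload + struct.pack("!BB", 0, GRE_PROTO)
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    ip = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip + body + icv


def esp_verify(key, packet):
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expect = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)


def rewrite_header(packet, **changes):
    """In-path header edits plus checksum refresh: a NAT device changes the source
    address (src=...), an ordinary router hop only decrements the TTL (hop=True)."""
    ip = bytearray(packet[:20])
    if "src" in changes:
        ip[12:16] = IPv4Address(changes["src"]).packed
    if changes.get("hop"):
        ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def demo():
    """Spoke 2.2.2.2 is NATed to 3.3.3.3 towards hub 203.0.113.1 (constructed)."""
    key, payload = b"constructed-demo-key", b"mGRE/NHRP payload (constructed)"
    ah = ah_encapsulate(key, "2.2.2.2", "203.0.113.1", 0x1000, 1, payload)
    esp = esp_encapsulate(key, "2.2.2.2", "203.0.113.1", 0x1001, 1, payload)
    return {
        "ah_direct": ah_verify(key, ah),
        "ah_after_router_hop": ah_verify(key, rewrite_header(ah, hop=True)),
        "ah_after_nat": ah_verify(key, rewrite_header(ah, src="3.3.3.3")),
        "esp_direct": esp_verify(key, esp),
        "esp_after_nat": esp_verify(key, rewrite_header(esp, src="3.3.3.3")),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22s} {'ICV ok' if ok else 'ICV FAIL -> hub drops packet'}")
```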
In info spoke customer details generating in two lines
Hi All,
In Info Spoke, after the file triggering job runs in background, the file is created in AL11, but in that file the details for each customer are generated in two lines.
Eg:
Correct record: 1212|dsfsdfd|ddf|fdf||dfsdf
Error record: 1212|dsfsdfd
|ddf|fdf||dfsdf
Thanks,
Manjunatha
Hi All,
The above issue occurs due to a # character at the end of the text (e.g. ljdfsaa##). After removing the # characters from the text, the issue got resolved.
Thanks,
Manjunatha
-
"sh ip ospf nei" on spokes shows only HUBS
Hi there!
Not so long ago I built a Single-HUB-Single-cloud DMVPN with 12 spokes. Everything was working fine until I decided to configure one of the spokes as a BDR in the same cloud.
Now sh ip ospf nei on the HUBS shows all of the routers as FULL/DROTHER and FULL/DR/BDR respectively. But on each of the spokes it shows records about the HUBS only. Almost all of the SPOKES can ping each other. But even after this there are no changes in the sh ip ospf nei output, still HUBS only.
In most cases traffic from SPOKE to SPOKE goes through the DR, and it does not matter how many times I'm running the ping, trace or other traffic.
SPOKE7#trace 172.18.15.1
Type escape sequence to abort.
Tracing the route to 172.18.15.1
1 172.255.255.1.rdns.as15003.net (172.255.255.1) 44 msec
172.255.255.11.rdns.as15003.net (172.255.255.11) 144 msec 148 msec
and still
SPOKE7#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
1.1.0.1 10 FULL/DR 00:00:36 172.255.255.1 Tunnel0
1.2.1.1 5 FULL/BDR 00:00:34 172.255.255.5 Tunnel0
=============================================================
I would much appreciate any assistance in solving this issue.
The configs and debug outputs are attached in txt files to make the post more readable. If required, I'll paste the data as plain text.
Please do not hesitate to request additional debugging information.
Roman,
I did manage to find one of my old labs and transfer config to OSPF from EIGRP.
Spoke_R4#debug nhrp packet
NHRP activity debugging is on
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:08, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:08, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
Spoke_R4#traceroute 192.168.133.1 source l0
Type escape sequence to abort.
Tracing the route to 192.168.133.1
VRF info: (vrf in name/id, vrf out name/id)
1
*Apr 22 12:58:54.872: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 72
*Apr 22 12:58:54.872: src: 172.16.0.104, dst: 172.16.0.1
*Apr 22 12:58:54.872: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Apr 22 12:58:54.872: shtl: 4(NSAP), sstl: 0(NSAP)
*Apr 22 12:58:54.872: pktsz: 72 extoff: 52
*Apr 22 12:58:54.872: (M) flags: "router auth src-stable nat ", reqid: 4
*Apr 22 12:58:54.872: src NBMA: 10.0.0.104
*Apr 22 12:58:54.872: src protocol: 172.16.0.104, dst protocol: 172.16.0.103
*Apr 22 12:58:54.872: (C-1) code: no error(0)
*Apr 22 12:58:54.872: prefix: 32, mtu: 17916, hd_time: 600
Apr 22 12:58:54.872: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Apr 22 12:58:54.936: CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.0.0.103:500 Id: 10.0.0.103
*Apr 22 12:58:54.956: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 120
*Apr 22 12:58:54.956: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Apr 22 12:58:54.956: shtl: 4(NSAP), sstl: 0(NSAP)
*Apr 22 12:58:54.956: pktsz: 120 extoff: 60
*Apr 22 12:58:54.956: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 4
*Apr 22 12:58:54.956: src NBMA: 10.0.0.104
*Apr 22 12:58:54.956: src protocol: 172.16.0.104, dst protocol: 172.16.0.103
*Apr 22 12:58:54.956: (C-1) code: no error(0)
*Apr 22 12:58:54.956: prefix: 32, mtu: 17916, hd_time: 600
Apr 22 12:58:54.956: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Apr 22 12:58:54.956: client NBMA: 10.0.0.103
*Apr 22 12:58:54.956: client protocol: 172.16.0.103 *
172.16.0.103 12 msec *
Spoke_R4#
Spoke_R4#sh ip nhr
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:28, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:28, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
172.16.0.103/32 via 172.16.0.103
Tunnel0 created 00:00:16, expire 00:09:44
Type: dynamic, Flags: router used
NBMA address: 10.0.0.103
Spoke_R4#
Spoke_R4#
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:31, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:31, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
172.16.0.103/32 via 172.16.0.103
Tunnel0 created 00:00:18, expire 00:09:41
Type: dynamic, Flags: router used
NBMA address: 10.0.0.103
Spoke_R4#
Spoke_R4#
Spoke_R4#traceroute 192.168.133.1 source l0
Type escape sequence to abort.
Tracing the route to 192.168.133.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.0.103 20 msec * 12 msec
Spoke_R4#
Spoke_R4#sh ip route 192.168.133.1
Routing entry for 192.168.133.1/32
Known via "ospf 1", distance 110, metric 1001, type intra area
Last update from 172.16.0.103 on Tunnel0, 00:05:53 ago
Routing Descriptor Blocks:
* 172.16.0.103, from 192.168.133.1, 00:05:53 ago, via Tunnel0
Route metric is 1001, traffic share count is 1
Routing on spoke4 shows that one should go via spoke3 (172.16.0.3).
This will trigger the NHRP resolution process, as demonstrated in the debugs. -
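The check the reply performs by eye, reading `show ip nhrp` before and after the traceroute to confirm that a dynamic spoke-to-spoke entry has appeared next to the static hub entries, can be scripted. The Python parser below is an added example, not part of the reply; its sample input is constructed to match the shape of the reply's own output.

```python
import re

# Constructed sample in the shape of the reply's `show ip nhrp` output.
SAMPLE = """\
172.16.0.1/32 via 172.16.0.1
   Tunnel0 created 00:04:31, never expire
   Type: static, Flags: used
   NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
   Tunnel0 created 00:04:31, never expire
   Type: static, Flags: used
   NBMA address: 10.0.0.2
172.16.0.103/32 via 172.16.0.103
   Tunnel0 created 00:00:18, expire 00:09:41
   Type: dynamic, Flags: router used
   NBMA address: 10.0.0.103
"""


def parse_show_ip_nhrp(text):
    # One dict per cache entry: prefix, next_hop, interface, expire
    # (None for static entries), type, flags, nbma.
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+/\d+) via (\S+)$", line)
        if m:
            cur = {"prefix": m[1], "next_hop": m[2], "flags": set()}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^(\S+) created (\S+), (?:never expire|expire (\S+))$", line)
        if m:
            cur["interface"], cur["expire"] = m[1], m[3]
            continue
        m = re.match(r"^Type: (\w+), Flags: (.*)$", line)
        if m:
            cur["type"], cur["flags"] = m[1], set(m[2].split())
            continue
        m = re.match(r"^NBMA address: (\S+)$", line)
        if m:
            cur["nbma"] = m[1]
    return entries


def spoke_to_spoke_mappings(entries):
    # Dynamic entries are the tunnel-to-NBMA mappings learned by NHRP
    # resolution, i.e. the direct spoke-to-spoke paths.
    return {e["prefix"]: e["nbma"] for e in entries if e.get("type") == "dynamic"}


def static_hub_nbmas(entries):
    # Static entries come from the spoke's configured NHS/hub mappings.
    return {e["nbma"] for e in entries if e.get("type") == "static"}
```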
Full Mesh to Hub Spoke Connectivity
I have implemented MPLS VPN. It is currently running as full mesh connectivity. I
need to implement and configure hub and spoke connectivity due to a
business requirement.
I have 4 spokes and 1 hub. The spokes shouldn't communicate
with each other, only with the hub and vice versa.
What is the appropriate and best practice for implementing and configuring such a scenario?
I appreciate your feedback and opinion.
regards,
maherok
Keep all your config as it is just now. The only issue (a personal one, I believe) is that you shall be using the same RD everywhere, but that shouldn't matter. On your hub site add under the vrf something like route-target export 99:1. On your spoke sites add route-target export 99:2, then on the other spoke site route-target export 99:3, until you do them all to 99:x. Then go back to the hub site and do route-target import 99:2 all the way through to x. You can now remove your original route-targets and all shall be fine. A cleaner method would be to completely remove the vrf, but that's probably too much hassle and downtime for your liking :-)
HTH
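The route-target scheme in the reply can be sanity-checked before touching the routers. The Python below is an added model, not the reply's or any vendor's code: it applies the export/import rule of MP-BGP VPNv4 (a site installs a remote prefix only if the originator's export RTs intersect its import RTs) to the suggested hub-and-spoke policy and to the original full mesh, and reports any spoke that would learn another spoke's prefix. Site names and prefixes are constructed.

```python
def hub_spoke_policy(n_spokes):
    # The reply's scheme: hub exports 99:1 and imports every spoke RT
    # 99:2 .. 99:(n+1); spoke k exports 99:(k+1) and imports only 99:1.
    spoke_rts = {f"spoke{k}": f"99:{k + 1}" for k in range(1, n_spokes + 1)}
    policy = {"hub": {"export": {"99:1"}, "import": set(spoke_rts.values())}}
    for site, rt in spoke_rts.items():
        policy[site] = {"export": {rt}, "import": {"99:1"}}
    return policy


def full_mesh_policy(sites):
    # The original full mesh: every site exports and imports the same RT.
    return {s: {"export": {"99:1"}, "import": {"99:1"}} for s in sites}


def propagate(policy, local_prefixes):
    # Model VPNv4 route distribution: each site keeps its own prefixes and
    # installs a remote prefix only when the originator's export RTs
    # intersect its own import RTs.
    table = {site: set(local_prefixes[site]) for site in policy}
    for origin, opol in policy.items():
        for site, spol in policy.items():
            if site != origin and opol["export"] & spol["import"]:
                table[site].update(local_prefixes[origin])
    return table


def spoke_to_spoke_leaks(policy, local_prefixes):
    # (spoke, prefix) pairs where a spoke learned another spoke's prefix;
    # an empty list means the spokes are isolated from each other.
    table = propagate(policy, local_prefixes)
    spokes = [s for s in policy if s != "hub"]
    return sorted((s, p) for s in spokes for o in spokes if o != s
                  for p in local_prefixes[o] if p in table[s])


# Constructed prefixes for one hub and four spokes, as in the question.
PREFIXES = {"hub": {"10.0.0.0/24"},
            **{f"spoke{k}": {f"10.{k}.0.0/24"} for k in range(1, 5)}}
```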