FlexVPN Spoke to Spoke issues

Config:
Hub:
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
Spokes:
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
Hub-Spoke works perfectly. 
When pinging from a spoke to another spoke's LAN IP, the router misses one ping, returns one or two, then misses all other pings until the next reload (clear crypto session does not reset fully). The spoke used to ping will bring up a Virtual-Access interface, then immediately bring up a second Virtual-Access interface, and then an invalid SPI error is shown (authentication is identical).
Unfortunately, the issue is not always consistent. Sometimes, after a reload on all routers, one router will retain the ability to ping; other times no routers can ping. Here is an example:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xE4981ED6(3835174614), srcaddr=x.x.x.x, input interface=Dialer0...
Success rate is 40 percent (2/5), round-trip min/avg/max = 96/100/104 ms
Thanks for any help

John,
The error means that no matching SPI was found for inbound encrypted traffic on that ingress interface.
Is that your interface towards the ISP? If so, and the SPI actually exists in your SADB, then somehow it is not associated properly.
When/if opening a case please attach:
- show crypto ipsec sa
- show crypto map
(taken ideally before and after trying to do spoke-to-spoke tunnel)
I found reference to a similar problem in our archive, but the customer became unresponsive after a while and no resolution was provided.
One thing you CAN try is to go to 15.2.4M-latest and see if the problem persists.
M.
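
Added example for this thread (not part of the original posts and not a Cisco tool): a small Python triage script that does offline what the reply above asks for, namely cross-checking the SPI from the RECVD_PKT_INV_SPI message against the SADB as printed by "show crypto ipsec sa". It distinguishes an SPI the router does not hold at all (the peer is encrypting on an SA this side already deleted or never had, which is what two Virtual-Access interfaces coming up for the same peer would produce) from an SPI that exists but is bound to different endpoints, and from an SPI that exists and matches (the "not associated properly" case worth a capture before and after the spoke-to-spoke attempt). The addresses, SPIs and the SA listing are constructed sample data in the shape of IOS output; the poster's real addresses are redacted.

```python
"""Triage %CRYPTO-4-RECVD_PKT_INV_SPI events against 'show crypto ipsec sa'.

Added example, not from the thread. Sample log lines and SA output below are
constructed in the shape of IOS syslog / 'show crypto ipsec sa' output.
"""
import re

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), "
    r"prot=(?P<prot>\d+), spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), "
    r"srcaddr=(?P<src>[\d.]+), input interface=(?P<ifc>[\w/]+(?:\.\d+)?)"
)
PROTO_NAMES = {50: "esp", 51: "ah"}


def parse_inv_spi(line):
    """Return the fields of one RECVD_PKT_INV_SPI syslog line, or None."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["spi"] = int(ev["spi"], 16)
    ev["prot"] = int(ev["prot"])
    return ev


def parse_ipsec_sa(text):
    """Collect interface, local addr, peer, direction, protocol and SPI of
    every SA listed in 'show crypto ipsec sa' output."""
    sas, ifc, local, peer, direction, proto = [], None, None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            ifc = line.split(":", 1)[1].strip()
        elif "local addr" in line:                 # 'Crypto map tag: ..., local addr A.B.C.D'
            local = line.rsplit("local addr", 1)[1].strip()
        elif line.startswith("current_peer"):
            peer = line.split()[1]
        elif line.endswith(" sas:"):               # 'inbound esp sas:' / 'outbound esp sas:'
            direction, proto = line.split()[0], line.split()[1]
        elif line.startswith("spi:") and direction:
            spi = int(line.split()[1].split("(")[0], 16)
            sas.append({"ifc": ifc, "local": local, "peer": peer,
                        "dir": direction, "proto": proto, "spi": spi})
    return sas


def triage(event, sas):
    """Classify one invalid-SPI event against the parsed SADB."""
    hits = [s for s in sas if s["dir"] == "inbound" and s["spi"] == event["spi"]
            and s["proto"] == PROTO_NAMES.get(event["prot"])]
    if not hits:
        # Peer encrypts on an SA this router never had or has already deleted
        # (stale SA on the peer, or a duplicate tunnel for the same peer).
        return "unknown-spi"
    s = hits[0]
    if s["local"] != event["dst"] or s["peer"] != event["src"]:
        return "spi-bound-to-other-endpoints:%s" % s["ifc"]
    # SA exists and matches both endpoints: the 'exists but not associated
    # properly' case; capture 'show crypto ipsec sa' before/after for TAC.
    return "spi-present:%s" % s["ifc"]


def triage_all(log_lines, sa_text):
    sas = parse_ipsec_sa(sa_text)
    return [("0x%08X" % ev["spi"], triage(ev, sas))
            for ev in map(parse_inv_spi, log_lines) if ev]


# Constructed sample data (documentation addresses, SPI from the post).
SAMPLE_LOG = [
    "Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=203.0.113.10, prot=50, spi=0xE4981ED6(3835174614), "
    "srcaddr=198.51.100.7, input interface=Dialer0...",
    "Dec 21 19:38:22.101: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=203.0.113.10, prot=50, spi=0x0BADF00D(195948557), "
    "srcaddr=198.51.100.7, input interface=Dialer0",
    "Dec 21 19:38:25.440: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
    "invalid spi for destaddr=203.0.113.10, prot=50, spi=0xE4981ED6(3835174614), "
    "srcaddr=198.51.100.9, input interface=Dialer0",
]
SAMPLE_SA = """\
interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 203.0.113.10

   current_peer 198.51.100.7 port 4500
     inbound esp sas:
      spi: 0xE4981ED6(3835174614)
        transform: esp-gcm ,
     outbound esp sas:
      spi: 0x2C1D0A9B(740100763)
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 203.0.113.10

   current_peer 198.51.100.7 port 4500
     inbound esp sas:
      spi: 0x51F3A2C4(1374921412)
     outbound esp sas:
      spi: 0x7A0B1C2D(2047548461)
"""

if __name__ == "__main__":
    for spi, verdict in triage_all(SAMPLE_LOG, SAMPLE_SA):
        print(spi, verdict)
```

Feed it the real syslog and the SA output taken right after the failed spoke-to-spoke ping; an "unknown-spi" verdict for the SPI in the log, while two Virtual-Access interfaces exist for the same peer, points at the peer still using the first SA after the second one replaced it.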

Similar Messages

  • FlexVPN Spoke-to-Spoke Routing Override Loop

    I have a spoke router; this router has a route to inside 192.168.1.0 255.255.255.0 with next hop 10.1.1.1 (10.1.1.0/29 is the transfer network):
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    After activating FlexVPN I get the routing override; then the route is 192.168.1.0 255.255.255.0 Tunnel0 in the spoke router. I lose the right route, and I get a loop from the center to 192.168.1.0.
    How can I make the spoke router ignore the route to itself received from the center?

    One way would be to increase the distance of routes received from the hub.
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r2.html#wp1846954161

  • Info Spoke - Issue with Data increasing by factor (X) for selection

    We have created an Info Spoke for our Special Ledger Cube which is extracting from a summary 'Z' table. We are doing full loads and reloads and not utilizing a delta. The spoke is used to create a flat file containing beginning balance and ending balance(s) to be fed to a third-party tax system. When we enter the selection criteria to run the spoke for posting period (0FISCPER3) we are entering a value from 0 to 9. The beginning balance comes in fine, but the ending balance is the beginning balance multiplied by a factor of 10.
    If I just enter one criteria for date say period 12, it will bring in the ending balance  increase by a similar factor.
    This is a full reload everytime.   What is the obvious I am missing here.
    Anyone ?
    Thanx,
    JMM

    That is the way a spoke works in selection parameters.

  • FlexVPN Cannot Ping From Spoke LAN only

    Topology:
    Hub:
    (hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP
    Spoke:
    (hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP
    I have full reachability from both routers. 
    Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0
    Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1
    Partial reachability from lan hosts
    Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)
    Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24
    Any help would be appreciated

    We've been working with these confs for a while, so they aren't as clean as they could be, but here they are
    ---HUB---
    version 15.2
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname HUB
    boot-start-marker
    boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    enable secret xxxxx
    aaa new-model
    aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
    server-private 10.0.1.15 key xxxxx
    aaa authentication login default local
    aaa authentication login xxxxxVPN_VPN_XAUTH local
    aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
    aaa authorization exec default local
    aaa authorization network default local
    aaa authorization network xxxxxVPN_VPN_GROUP local
    aaa authorization network FLEXVPN_AUTH-Z_LIST local
    aaa session-id common
    clock timezone CST -6 0
    clock summer-time CDT recurring
    clock calendar-valid
    no ip source-route
    no ip gratuitous-arps
    ip cef
    no ip bootp server
    ip domain name xxxxx.net
    ip name-server 166.102.165.13
    ip name-server 166.102.165.11
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 4.2.2.1
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group VPN_GROUP
    key chain EIGRP_KEY_CHAIN
    key 1
      key-string xxxxx
    crypto pki trustpoint FLEXVPN_RA_TP
    enrollment terminal
    serial-number none
    fqdn vpn.xxxxx.net
    ip-address none
    subject-name cn=vpn.xxxxx.net
    revocation-check crl
    eckeypair FLEXVPN_RA_TP-Key
    crypto pki certificate chain FLEXVPN_RA_TP
    certificate 460000.. nvram:xxxxx#2.cer
    certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
    license udi pid CISCO1921/K9 sn xxxxx
    archive
    path ftp://xxxxx
    write-memory
    username xxxxx privilege 15 password xxxxx
    redundancy
    crypto ikev2 authorization policy default
    pool FLEX_SPOKES_POOL
    route set interface
    crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
    pool FLEXVPN_RA_POOL
    dns 10.0.1.15
    netmask 255.255.255.0
    def-domain xxxxx.net
    route set access-list FLEXVPN_RA_ACL
    crypto ikev2 proposal SHA1-only
    encryption aes-cbc-256
    integrity sha1
    group 5
    crypto ikev2 policy SHA1-only
    match fvrf any
    proposal SHA1-only
    crypto ikev2 keyring FLEX_KEY
    peer ALL
      address 0.0.0.0 0.0.0.0
      pre-shared-key local xxxxx
      pre-shared-key remote xxxxx
    crypto ikev2 profile FLEX_IKEv2
    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local FLEX_KEY
    aaa authorization group psk list default default
    virtual-template 1
    crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
    match identity remote key-id xxxxx.net
    identity local dn
    authentication remote eap query-identity
    authentication local rsa-sig
    pki trustpoint FLEXVPN_RA_TP
    dpd 60 2 on-demand
    aaa authentication eap FLEXVPN_AUTH-C_LIST
    aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
    virtual-template 10
    crypto ikev2 dpd 30 5 on-demand
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto logging session
    crypto isakmp client configuration group xxxxxVPN
    key xxxxx
    pool xxxxxVPN_POOL
    acl xxxxxVPN_ACL
    netmask 255.255.255.0
    crypto isakmp profile xxxxxVPN_IKE_PROFILE
       match identity group xxxxxVPN
       client authentication list xxxxxVPN_VPN_XAUTH
       isakmp authorization list xxxxxVPN_VPN_GROUP
       client configuration address respond
       virtual-template 100
    crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set IKEv2 esp-gcm
    mode transport
    crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
    set transform-set xxxxxVPN_SET
    set isakmp-profile xxxxxVPN_IKE_PROFILE
    crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
    set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
    crypto ipsec profile default
    set transform-set IKEv2
    set ikev2-profile FLEX_IKEv2
    interface Loopback100
    ip address 172.31.100.1 255.255.255.255
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 10.0.1.1 255.255.255.0
    no ip unreachables
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface Virtual-Template1 type tunnel
    description FlexVPN hub-to-spokes
    ip unnumbered Loopback100
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    interface Virtual-Template10 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
    interface Dialer0
    mtu 1492
    ip address negotiated
    no ip unreachables
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1450
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password xxxxx
    ppp pap sent-username [email protected] password xxxxx
    no cdp enable
    router eigrp 1
    distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
    network 10.0.1.0 0.0.0.255
    network 172.30.200.0 0.0.0.255
    network 172.31.100.1 0.0.0.0
    passive-interface GigabitEthernet0/0
    ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
    ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
    ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 172.30.200.0 255.255.255.0 Null0
    ip access-list standard FLEXVPN_RA_ACL
    permit 10.0.1.0 0.0.0.255
    permit 10.0.2.0 0.0.0.255
    permit 10.0.3.0 0.0.0.255
    permit 10.0.4.0 0.0.0.255
    ip access-list standard MGMT_ACL
    permit 172.30.200.0 0.0.0.255
    permit 172.31.254.0 0.0.0.255
    permit 10.0.1.0 0.0.0.255
    ip access-list extended xxxxxVPN_ACL
    permit ip 172.30.255.0 0.0.0.255 any
    permit ip 10.0.1.0 0.0.0.255 any
    permit ip 172.31.254.0 0.0.0.255 any
    ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
    ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
    ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
    access-list 1 permit 10.0.1.0 0.0.0.255
    route-map EIGRP_SUMMARY_RMAP permit 10
    match ip address prefix-list EIGRP_SUMMARY_PFLIST
    control-plane
    banner motd  Cxxxxx
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class MGMT_ACL in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    transport input all
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 1.pool.ntp.org
    ntp server 0.pool.ntp.org prefer
    end
    ---SPOKE---
    version 15.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname SPOKE
    boot-start-marker
    boot system flash:c880data-universalk9-mz.152-4.M5.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    enable secret xxxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default local
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6 0
    clock summer-time CDT recurring
    clock calendar-valid
    no ip source-route
    no ip gratuitous-arps
    no ip bootp server
    ip domain name xxxxx.net
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 4.2.2.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    key chain EIGRP_KEY_CHAIN
    key 1
      key-string xxxxx
    license udi pid CISCO881-SEC-K9 sn FTX1740854N
    archive
    path ftp://xxxxx
    write-memory
    username xxxxx privilege 15 password xxxxx
    crypto ikev2 authorization policy default
    route set interface
    crypto ikev2 keyring FLEX_KEY
    peer ALL
      address 0.0.0.0 0.0.0.0
      pre-shared-key local xxxxx
      pre-shared-key remote xxxxx
    crypto ikev2 profile FLEX_IKEv2
    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local FLEX_KEY
    aaa authorization group psk list default default
    virtual-template 1
    crypto ikev2 dpd 30 5 on-demand
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto ipsec transform-set IKEv2 esp-gcm
    mode transport
    crypto ipsec profile default
    set transform-set IKEv2
    set ikev2-profile FLEX_IKEv2
    interface Loopback101
    ip address 172.31.101.3 255.255.255.255
    interface Tunnel0
    description FlexVPN tunnel
    ip address negotiated
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source Vlan1
    tunnel destination x.x.x.x
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    ip address dhcp
    no ip unreachables
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    description FlexVPN spoke-to-spoke
    ip unnumbered Loopback101
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    tunnel protection ipsec profile default
    interface Vlan1
    ip address 10.0.3.1 255.255.255.0
    ip helper-address 10.0.1.15
    no ip unreachables
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip access-list standard INTERNET_BOUND_ACL
    permit 10.0.3.0 0.0.0.255
    ip access-list standard MGMT_ACL
    permit 172.30.255.0 0.0.0.255
    permit 172.31.100.0 0.0.0.255
    permit 10.0.1.0 0.0.0.255
    permit 10.0.3.0 0.0.0.255
    permit 172.30.200.0 0.0.0.255
    access-list 99 permit 10.0.3.0
    control-plane
    banner motd  xxxxx
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    access-class MGMT_ACL in
    privilege level 15
    transport input telnet ssh
    ntp update-calendar
    ntp server 0.pool.ntp.org prefer
    ntp server 1.pool.ntp.org
    end

  • Authorization issue in Info spoke

    Hi all,
    I am facing an authorization issue when executing an Info Spoke in a process chain.
    The Info Spoke is working fine in direct scheduling (both background and dialog).
    I am getting this error after execution of the process chain:
    "System error: RSDRC / FORM AUTHORITY_CHECK RSDRC / FORM AUTHORITY_CHECK R"
    "System error: RSDRC / FUNC RSDRC_BASIC_CUBE_DATA_GET RSDRC / FUNC RSDRC_B"
    "System error: RSDRC / FORM DATA_GET RSDRC / FORM DATA_GET RSDRC / FORM DA"
    "Extraction Cube : Error in DataManager API".
    I don't know why this problem occurs.
    Can anyone tell me what went wrong and how to solve it?
    Thanks in advance.
    Kind regards,
    Shanbagavalli.S


  • DMVPN split tunneling issue, not able to bypass HTTP traffic at spoke end.

    Dear all,
    I would appreciate it if you could please help me resolve the following issue.
    I have been using a DMVPN setup (routing protocol EIGRP) for 20 sites with no issue at all, and everything is working perfectly.
    Now I received a request that I need to split corporate traffic and internet traffic at the spoke end, so all internet traffic has to be forwarded via the local ADSL connection. I tried to resolve it, but the spoke router is continuously forwarding all traffic to the tunnel.
    Moreover, I found on the internet that DMVPN has a limitation that split tunneling is not possible.
    Can you please suggest how I can forward internet traffic (HTTP) via the local ADSL connection?
    thanks and regards,

    I agree with Marcin.
    At the spoke you would need to add a static default route for the internet traffic.  You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric.  Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN you could leave the EIGRP default route and use it as a backup in case the ADSL goes down.  But if they are both located off the same interface then there is no point in keeping the injected default route.
    Please remember to rate and select a correct answer
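
    Added example, not from either thread: a Python model of the route selection that both the FlexVPN routing-override question above and this split-tunneling answer rely on. For one prefix, the route with the lowest administrative distance is installed and equal distances are installed side by side; lookups do longest-prefix match first. Distances are the IOS defaults (static 1, EIGRP internal 90); the distance applied to routes accepted from the FlexVPN hub is a parameter, which is what the earlier suggestion to increase the distance of hub-received routes changes. Dialer1, Tunnel0 and the test addresses are assumed names and constructed values.

```python
"""Administrative-distance route selection, modelled in Python.

Added example, not from the forum threads. Distances: static 1, EIGRP
internal 90 (IOS defaults); the FlexVPN hub route distance is a parameter.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str
    distance: int


class Rib:
    """Holds every candidate route; 'installed' picks the best per prefix."""

    def __init__(self):
        self.routes = []

    def add(self, route):
        self.routes.append(route)

    def installed(self, prefix):
        """Routes actually used for a prefix: the lowest-distance ones.
        Equal distance with different next hops means both are installed."""
        cands = [r for r in self.routes if r.prefix == prefix]
        if not cands:
            return []
        best = min(r.distance for r in cands)
        return [r for r in cands if r.distance == best]

    def lookup(self, ip):
        """Longest-prefix match first, then distance within that prefix."""
        addr = ipaddress.IPv4Address(ip)
        prefixes = {r.prefix for r in self.routes if addr in r.prefix}
        if not prefixes:
            return []
        return self.installed(max(prefixes, key=lambda p: p.prefixlen))


def net(s):
    return ipaddress.IPv4Network(s)


def spoke_override(hub_route_distance):
    """Routing-override thread: the spoke's own static route to 192.168.1.0/24
    versus the same prefix pushed from the hub via Tunnel0.
    Returns the next hops in use for a host in that prefix."""
    rib = Rib()
    rib.add(Route(net("192.168.1.0/24"), "10.1.1.1", "static", 1))
    rib.add(Route(net("192.168.1.0/24"), "Tunnel0", "flexvpn-hub", hub_route_distance))
    return sorted(r.next_hop for r in rib.lookup("192.168.1.50"))


def split_tunnel(adsl_up=True):
    """Split-tunnel thread: EIGRP advertises the corporate summary and a
    default over the tunnel; the spoke adds a static default via ADSL
    (Dialer1, assumed name). Returns (next hop for corporate, next hop for
    Internet)."""
    rib = Rib()
    rib.add(Route(net("10.0.0.0/8"), "Tunnel0", "eigrp", 90))
    rib.add(Route(net("0.0.0.0/0"), "Tunnel0", "eigrp", 90))
    if adsl_up:
        rib.add(Route(net("0.0.0.0/0"), "Dialer1", "static", 1))
    corporate = rib.lookup("10.1.2.3")[0].next_hop
    internet = rib.lookup("198.51.100.80")[0].next_hop
    return corporate, internet


if __name__ == "__main__":
    print("hub route at distance 1:  ", spoke_override(1))    # both installed
    print("hub route at distance 250:", spoke_override(250))  # local static wins
    print("ADSL up:  ", split_tunnel())
    print("ADSL down:", split_tunnel(adsl_up=False))         # EIGRP default as backup
```

    With the hub-pushed route at the same distance as the local static, the model installs both next hops for 192.168.1.0/24, which is already enough to send part of the traffic back towards the hub; raising the distance of routes accepted from the hub leaves only the local static. For split tunneling, the corporate summary keeps winning by longest match regardless of the default, and the EIGRP default only takes over when the static default disappears.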

  • Ggrrrrr, is there any that bios that fixes the temp issue? [solved]..spoke too soon [NOT SOLVED]

    I've tried
    1.1
    1.2
    1.3
    1.42
    come on msi, give me a fighting chance :(

    Here is the last thing I received from MSI tech support.  I'll give them this much, they are much more responsive than VIA or AOpen ever were when I first got my flaky MVP3 board...lol.  I hope they can figure this problem out!
    Quote
    So far in our own testing, we have not found any High CPU Temperature issues.
    We have gone through the threads you have provided to us and we will co-work with AMD to see if anything needs to be updated from our side with the New Castle Core.
    Once again, MSI appreciates all the findings/reports you have provided to us and we will update you once there is any findings becomes available.
    Sincerely,
    Technical Support Division
    MSI Computer Corp.
    http://www.msicomputer.com
    MSI - Beyond Expectations!  
    1-626-913-0828
    1-626-581-7721 Fax
    -----Original Message-----
    From: my email deleted
    Sent: Friday, August 06, 2004 8:51 AM
    To: [email protected]
    Subject: RE: 3 -- Customer Problem Description Form
    I know you guys think you fixed the Newcastle temperature problem.  But there are still a LOT of us out here who are having trouble, using latest BIOS.  People are reporting this all over the MSI forums.  The behavior is as follows, flashing the BIOS might help initially, but soon after the temp shoots way back up.
    Please see the following threads:
    Temps and BIOS 1.42
    ggrrrrr, is there any that bios that fixes the temp issue? [solved]..spoke too soon [NOT SOLVED]
    Possible fix for CPU temp problem found.
    The same old problem with temperatures (K8N Neo Platinum)
    K8N Neo Temps :(

  • Routing issue for remote vpn user and spoke

    Hi all,
    I have configured a VPN (see attached file).
    Before upgrading the ASA from 8.3 to 8.4, the spokes were able to communicate between themselves, and remote VPN users were also able to access the spoke sites.
    After upgrading the ASA hub, neither spoke-to-spoke nor remote-user-to-spoke can communicate.
    Here is the NAT exemption configuration on the ASA hub. Only this ASA has been upgraded; nothing has been done on the other sites.
    object network 172.17.8.0
    subnet 172.17.8.0 255.255.255.0
    object network 10.100.96.0
    subnet 10.100.96.0 255.255.240.0
    object network VPN-SUBNET
    subnet 172.20.1.0 255.255.255.0
    nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
    nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
    nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
    nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
    same-security traffic permit intra-interface
    same-security traffic permit inter-interface
    Do you know what the problem could be?
    Thanks so much for your help

    Since you are not NATing any of that traffic and it's U-turn traffic, please remove those 4 NAT statements. They are not required at all.
    Please "clear xlate" after removing them and let us know how it goes.

  • Facetime will not connect - Anyone spoke to Apple regarding the facetime issue fix

    Day four and still not able to connect with Facetime. Has anyone spoken to Apple regarding the status of the fix?

    No...actually I have an iPad Air and my mother has an iPad 2.  I cannot connect to her on Facebook.  I did not catch what device it was showing when I started the discussion.  The problem started on Thursday and when you call her iPad 2, it rings and tries to connect but NO luck.  She has iOS 6 on her device.  It's as if Apple flipped a switch and stopped allowing some iOS devices to connect via Facetime.  I can connect with other iOS devices with my iPad Air.

  • Hub and spoke VPN issue - probably simple

    Hello,
    I setup a Hub & Spoke VPN configuration as a temporary solution to get phones working at a client with 5 Sites. 
    Site A: HQ and main PBX System - Cisco ASA 5520
    Sites B-E: Remote Sites with PBX systems with ASA 5505's
    I configured my crypto access-lists to allow all interesting traffic to/from all sites, and it's working for the most part. 
    Refer to this short discussion for further reference
    https://supportforums.cisco.com/message/4162268#4162268
    Recently the customer started saying sometimes the call forwarding between sites isn't working correctly.  Upon further testing, it seems that you have to ping to/from both ends of the Spokes before traffic will start passing through properly.
    E.g.
    Site B wants to talk to Site C
    I need to initiate a ping on Site B to Site C which fails
    Initiate a ping on Site C to Site B and the first packet drops, then the rest go through
    Initiate Ping on Site B to Site C and all works just fine.
    Traffic going to/from Site A to/from any remote site (Sites B-E) works fine 100% of the time.
    This is happening for all remote sites.  When traffic has been initiated on both ends, it works just fine, but after a specific timeout it appears to stop working.
    Probably something simple I'm missing.  Any help is greatly appreciated.
    (Also, kind of silly but I realize that I didn't need same-security-traffic on each spoke, correct?)

    The purpose of doing VPN is that you want 2 or more different networks to seamlessly become like one common network. Your class B network 192.168.0.0 and class C network 192.168.10.0 are in the same network since both are in the 192.168.x.x network. Try to consider changing the class B network to 192.169.0.0, or you can change the class C network to 192.169.10.0.

  • BPEL 10.1.2 hub-and-spoke or distributed architecture?

    Hi,
    I'm currently wrestling with the following question:
    An ESB as per definition of e.g. Forrester should be capable of supporting a distributed bus architecture. From my understanding this distributed bus architecture is achieved by installing some sort of ESB component(s) on all machines that are participating in this infrastructure, together forming a ‘bus’.
    As I understand it, the BPEL 10.1.2 product basically offers two categories of functionality: orchestration and integration. Does this integration part offer ESB-like functionality and, more specifically, allow for a distributed bus architecture? As far as I can see, BPEL 10.1.2 offers limited ESB-like functionality and only supports a hub-and-spoke architecture.
    Other threads in this forum talk about using BPEL 10.1.2 together with InterConnect in order to foresee in ESB functionality. What does InterConnect add to the BPEL 10.1.2 integration functionality?
    As of SOA suite 10.1.3 these products have been split up into a BPEL product and an ESB product. Is the ESB product in SOA suite 10.1.3 a combination of the integration from BPEL 10.1.2 and InterConnect? Is this new ESB product able to support a distributed architecture?
    I'm very much in favor of a distributed architecture compared to hub-and-spoke, as hub-and-spoke requires a very solid and redundant system that is going to handle all message traffic and other functions. When moving towards a SOA giving an ESB a backbone role, I'm not very keen on introducing a single system that should actually make up this ESB. Distributed would mean all machines take care of some basic functions, resulting in a fully functional ESB even when one or more machines are down.
    Am I making sense with this? I would like to know how others are looking at these topics.
    Regards,
    Gershon Janssen

    We are struggling with this issue too. The "all-pervasive" vision of the ESB visionaries, in my opinion, means that every node in my enterprise architecture should have access to the bus and I should be able to orchestrate anything that is running on any node in my architecture. We were told to think of an ESB as the equivalent of the hardware bus in computers. From that perspective I thought that:
    (1) BPEL and ESB functions would add a marginal increment to the licensing cost of an app server - I should be able to afford an "all-pervasive" architecture.
    (2) BPEL and ESB functions would add a "marginal increment" to the memory and resource foot-print. Again, I should be able to afford an "all-pervasive" architecture.
    Are these two satisfied by Oracle's products ? Some vendors don't seem to support the above two. In that case there is a disconnect between the marketing and technology departments of the vendors. What am I missing ?
    If BPEL engines and ESBs are priced very high, based on economics we will end up with a hub-and-spoke model.
    Thanks

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents talking about a DMVPN hub behind NAT or a DMVPN spoke behind NAT.
    But my case involves both situations.
    1) The hub has a load balancer (2 WAN links), ISP A & B
    2) The spoke has a load balancer (2 WAN links), ISP A & B
    Now the requirement is: spoke ISP A tunnels to hub ISP A, and spoke ISP B tunnels to hub ISP B.
    So there are two DMVPN tunnels in total from spoke to hub, and I will use EIGRP and PBR to select the path.
    As I understand it, at the hub site the LB must do static NAT for the hub router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the hub ISP A IP via the spoke ISP A link and the hub ISP B IP via the spoke ISP B link.
    The hub and spoke have to create 2 tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the hub router. It is held by the hub LB and forwarded to the hub router by static NAT.
    Will I face any problems with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up the way it was/is just to simulate the spoke being behind a NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
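    As an added illustration of the TAC explanation above (this is not code from the thread, from TAC or from Cisco), the following Python model builds a tunnel-mode AH packet and an ESP packet at the byte level, passes each through a plain router hop (TTL decrement) and through a NAT hop that rewrites the source from 2.2.2.2 to 3.3.3.3, and then runs the receiver's integrity check. The addresses follow the thread; the HMAC key, the packet contents and the use of HMAC-SHA-256 truncated to 128 bits as the integrity algorithm are constructed for the demo.

```python
"""Why AH fails through NAT while ESP does not: a constructed byte-level model
of the two integrity checks (added example; not Cisco or TAC code).

AH (RFC 4302) computes its ICV over the outer IP header with the mutable
fields zeroed, the AH header with its ICV field zeroed, and the payload.
ESP (RFC 4303) computes its ICV over the ESP header, the encrypted payload
and the trailer only. The key below is constructed, not IKE-derived.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"
ICV_LEN = 16                       # HMAC-SHA-256-128 style truncation
IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 4, 50, 51


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte header, checksum field zeroed."""
    total = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x4242, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_immutable_view(hdr: bytes) -> bytes:
    """Zero the fields RFC 4302 treats as mutable in transit: TOS/DSCP/ECN,
    flags + fragment offset, TTL and header checksum. Addresses stay covered."""
    h = bytearray(hdr[:20])
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah(src: bytes, dst: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    ah_len = 12 + ICV_LEN
    outer = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(inner))
    # next header = IP-in-IP (tunnel mode), payload len in 32-bit words minus 2
    ah_hdr = struct.pack("!BBHII", IPPROTO_IPIP, ah_len // 4 - 2, 0, spi, seq)
    icv = mac(ah_immutable_view(outer) + ah_hdr + b"\x00" * ICV_LEN + inner)
    return outer + ah_hdr + icv + inner


def verify_ah(pkt: bytes) -> bool:
    outer, ah_hdr = pkt[:20], pkt[20:32]
    icv, inner = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expect = mac(ah_immutable_view(outer) + ah_hdr + b"\x00" * ICV_LEN + inner)
    return hmac.compare_digest(icv, expect)


def build_esp(src: bytes, dst: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    # XOR stands in for the cipher; trailer = pad length 0, next header IP-in-IP
    ct = bytes(b ^ 0x5A for b in inner) + bytes([0, IPPROTO_IPIP])
    esp_hdr = struct.pack("!II", spi, seq)
    icv = mac(esp_hdr + ct)                    # outer IP header is not MAC input
    outer = ipv4_header(src, dst, IPPROTO_ESP, 20 + 8 + len(ct) + ICV_LEN)
    return outer + esp_hdr + ct + icv


def verify_esp(pkt: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, mac(body))


def router_hop(pkt: bytes) -> bytes:
    """A plain router decrements TTL and fixes the header checksum."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def nat_hop(pkt: bytes, new_src: bytes) -> bytes:
    """A NAT device rewrites the source address and fixes the checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = new_src
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


# Constructed packet: spoke 2.2.2.2 -> hub 199.1.1.1, NAT rewrites spoke to 3.3.3.3
SPOKE, NATTED, HUB = bytes([2, 2, 2, 2]), bytes([3, 3, 3, 3]), bytes([199, 1, 1, 1])
INNER = b"\x45" + b"\x00" * 19 + b"constructed inner GRE/NHRP packet"


def survives(build, verify, *hops) -> bool:
    """Sender builds the packet, each hop transforms it, receiver verifies it."""
    pkt = build(SPOKE, HUB, 0x1234, 1, INNER)
    for hop in hops:
        pkt = hop(pkt)
    return verify(pkt)


if __name__ == "__main__":
    nat = lambda p: nat_hop(p, NATTED)
    print("AH  after a routed hop :", survives(build_ah, verify_ah, router_hop))
    print("AH  after NAT          :", survives(build_ah, verify_ah, router_hop, nat))
    print("ESP after NAT          :", survives(build_esp, verify_esp, router_hop, nat))
```

    The routed hop passes for AH because TTL and checksum are zeroed before the MAC is computed; the NAT hop fails because the source address is not in that mutable list. ESP's MAC never sees the outer header, so the same NAT rewrite (or a NAT-T UDP/4500 encapsulation) leaves it intact.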

  • In info spoke customer details generating in two lines

    Hi All,
       In Info spoke, after triggering the job in background, the file is created in AL11, but in that file the details for each customer are generated in two lines.
    Eg:
    Correct record : 1212|dsfsdfd|ddf|fdf||dfsdf
    Error record: 1212|dsfsdfd
                           |ddf|fdf||dfsdf
    Thanks,
    Manjunatha

    Hi All,
        The above issue was occurring due to the # character in the text at the end (e.g. ljdfsaa##). After removing the # characters from the text, the issue got resolved.
    Thanks,
    Manjunatha

  • "sh ip ospf nei" on spokes shows only HUBS

    Hi there!
    Not long ago I built a Single-HUB-Single-cloud DMVPN with 12 spokes. Everything was working fine until I decided to configure one of the spokes as a BDR in the same cloud.
    Now sh ip ospf nei on the HUBS shows all of the routers as FULL/DROTHER and FULL/DR/BDR respectively. But on each of the spokes it shows records about the HUBS only. Almost all of the SPOKES can ping each other. But even after this there are no changes in the sh ip ospf nei output, still HUBS only.
    In most cases traffic from SPOKE to SPOKE goes through the DR, and it does not matter how many times I run the ping, trace or other traffic
    SPOKE7#trace 172.18.15.1
    Type escape sequence to abort.
    Tracing the route to 172.18.15.1
    1 172.255.255.1.rdns.as15003.net (172.255.255.1) 44 msec
    172.255.255.11.rdns.as15003.net (172.255.255.11) 144 msec 148 msec
    and still
    SPOKE7#sh ip ospf nei
    Neighbor ID Pri State Dead Time Address Interface
    1.1.0.1 10 FULL/DR 00:00:36 172.255.255.1 Tunnel0
    1.2.1.1 5 FULL/BDR 00:00:34 172.255.255.5 Tunnel0
    =============================================================
    I would much appreciate any assistance in solving this issue.
    The configs and debug outputs are attached in txt files to make the post more readable. If required, I'll paste the data as plain text.
    Please do not hesitate to request additional debugging information.

    Roman, 
    I did manage to find one of my old labs and transfer config to OSPF from EIGRP. 
    Spoke_R4#debug nhrp packet
    NHRP activity debugging is on
    Spoke_R4#sh ip nhrp
    172.16.0.1/32 via 172.16.0.1
    Tunnel0 created 00:04:08, never expire
    Type: static, Flags: used
    NBMA address: 10.0.0.1
    172.16.0.2/32 via 172.16.0.2
    Tunnel0 created 00:04:08, never expire
    Type: static, Flags: used
    NBMA address: 10.0.0.2
    Spoke_R4#traceroute 192.168.133.1 source l0
    Type escape sequence to abort.
    Tracing the route to 192.168.133.1
    VRF info: (vrf in name/id, vrf out name/id)
    1
    *Apr 22 12:58:54.872: NHRP: Send Resolution Request via Tunnel0 vrf 0, packet size: 72
    *Apr 22 12:58:54.872: src: 172.16.0.104, dst: 172.16.0.1
    *Apr 22 12:58:54.872: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
    *Apr 22 12:58:54.872: shtl: 4(NSAP), sstl: 0(NSAP)
    *Apr 22 12:58:54.872: pktsz: 72 extoff: 52
    *Apr 22 12:58:54.872: (M) flags: "router auth src-stable nat ", reqid: 4
    *Apr 22 12:58:54.872: src NBMA: 10.0.0.104
    *Apr 22 12:58:54.872: src protocol: 172.16.0.104, dst protocol: 172.16.0.103
    *Apr 22 12:58:54.872: (C-1) code: no error(0)
    *Apr 22 12:58:54.872: prefix: 32, mtu: 17916, hd_time: 600
    *Apr 22 12:58:54.872: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
    *Apr 22 12:58:54.936: CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.0.0.103:500 Id: 10.0.0.103
    *Apr 22 12:58:54.956: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 120
    *Apr 22 12:58:54.956: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
    *Apr 22 12:58:54.956: shtl: 4(NSAP), sstl: 0(NSAP)
    *Apr 22 12:58:54.956: pktsz: 120 extoff: 60
    *Apr 22 12:58:54.956: (M) flags: "router auth dst-stable unique src-stable nat ", reqid: 4
    *Apr 22 12:58:54.956: src NBMA: 10.0.0.104
    *Apr 22 12:58:54.956: src protocol: 172.16.0.104, dst protocol: 172.16.0.103
    *Apr 22 12:58:54.956: (C-1) code: no error(0)
    *Apr 22 12:58:54.956: prefix: 32, mtu: 17916, hd_time: 600
    *Apr 22 12:58:54.956: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
    *Apr 22 12:58:54.956: client NBMA: 10.0.0.103
    *Apr 22 12:58:54.956: client protocol: 172.16.0.103 *
    172.16.0.103 12 msec *
    Spoke_R4#
    Spoke_R4#sh ip nhr
    Spoke_R4#sh ip nhrp
    172.16.0.1/32 via 172.16.0.1
    Tunnel0 created 00:04:28, never expire
    Type: static, Flags: used
    NBMA address: 10.0.0.1
    172.16.0.2/32 via 172.16.0.2
    Tunnel0 created 00:04:28, never expire
    Type: static, Flags: used
    NBMA address: 10.0.0.2
    172.16.0.103/32 via 172.16.0.103
    Tunnel0 created 00:00:16, expire 00:09:44
    Type: dynamic, Flags: router used
    NBMA address: 10.0.0.103
    Spoke_R4#
    Spoke_R4#
    Spoke_R4#sh ip nhrp
    172.16.0.1/32 via 172.16.0.1
    Tunnel0 created 00:04:31, never expire
    Type: static, Flags: used
    NBMA address: 10.0.0.1
    172.16.0.2/32 via 172.16.0.2
    Tunnel0 created 00:04:31, never expire
    Type: static, Flags: used
    NBMA address: 10.0.0.2
    172.16.0.103/32 via 172.16.0.103
    Tunnel0 created 00:00:18, expire 00:09:41
    Type: dynamic, Flags: router used
    NBMA address: 10.0.0.103
    Spoke_R4#
    Spoke_R4#
    Spoke_R4#traceroute 192.168.133.1 source l0
    Type escape sequence to abort.
    Tracing the route to 192.168.133.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 172.16.0.103 20 msec * 12 msec
    Spoke_R4#
    Spoke_R4#sh ip route 192.168.133.1
    Routing entry for 192.168.133.1/32
    Known via "ospf 1", distance 110, metric 1001, type intra area
    Last update from 172.16.0.103 on Tunnel0, 00:05:53 ago
    Routing Descriptor Blocks:
    * 172.16.0.103, from 192.168.133.1, 00:05:53 ago, via Tunnel0
    Route metric is 1001, traffic share count is 1
    Routing on spoke4 shows that one should go to spoke3 (172.16.0.3).
    This will trigger NHRP resolution process - demonstrated in debugs.
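    To make the "before" and "after" NHRP cache states in the reply above easy to compare, here is an added Python parser for the `show ip nhrp` output format (example code, not from the thread or from Cisco). It turns each cache entry into a record and reports which dynamic (spoke-to-spoke) entries appeared between two snapshots; the two sample snapshots embedded below are copied from the reply. A monitoring job could run the same diff against periodic collections to notice unexpected NBMA addresses being learned for a given overlay prefix.

```python
"""Parse Cisco IOS `show ip nhrp` output and diff two snapshots.

Added example, not from the thread. The sample snapshots are the ones the
reply shows before and after the traceroute; real IOS output indents the
sub-lines of each entry, which the parser tolerates by stripping whitespace.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) via (?P<nexthop>\S+)$")
CREATED_RE = re.compile(r"^(?P<iface>\S+) created (?P<age>\S+), (?:never expire|expire (?P<expire>\S+))$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^NBMA address: (?P<nbma>\S+)$")


@dataclass
class NhrpEntry:
    prefix: str                    # overlay (tunnel) prefix, e.g. 172.16.0.103/32
    nexthop: str
    iface: str = ""
    age: str = ""
    expire: Optional[str] = None   # None for static (never expire) entries
    type: str = ""                 # "static" (configured NHS map) or "dynamic" (resolved)
    flags: Tuple[str, ...] = field(default_factory=tuple)
    nbma: str = ""                 # underlay/transport address the prefix maps to


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    entries: List[NhrpEntry] = []
    cur: Optional[NhrpEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line:          # blank lines and CLI prompt lines
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = NhrpEntry(m["prefix"], m["nexthop"])
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (m := CREATED_RE.match(line)):
            cur.iface, cur.age, cur.expire = m["iface"], m["age"], m["expire"]
        elif (m := TYPE_RE.match(line)):
            cur.type = m["type"]
            cur.flags = tuple(m["flags"].split())
        elif (m := NBMA_RE.match(line)):
            cur.nbma = m["nbma"]
    return entries


def dynamic_entries(entries: List[NhrpEntry]) -> List[NhrpEntry]:
    """Dynamic entries are the spoke-to-spoke mappings learned via resolution."""
    return [e for e in entries if e.type == "dynamic"]


def new_shortcuts(before_text: str, after_text: str) -> Dict[str, str]:
    """Prefix -> NBMA address for dynamic entries present after but not before."""
    before = {e.prefix for e in dynamic_entries(parse_show_ip_nhrp(before_text))}
    return {e.prefix: e.nbma
            for e in dynamic_entries(parse_show_ip_nhrp(after_text))
            if e.prefix not in before}


# Sample snapshots copied from the reply (before and after the traceroute).
BEFORE = """\
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:08, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:08, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
Spoke_R4#
"""

AFTER = """\
Spoke_R4#sh ip nhrp
172.16.0.1/32 via 172.16.0.1
Tunnel0 created 00:04:31, never expire
Type: static, Flags: used
NBMA address: 10.0.0.1
172.16.0.2/32 via 172.16.0.2
Tunnel0 created 00:04:31, never expire
Type: static, Flags: used
NBMA address: 10.0.0.2
172.16.0.103/32 via 172.16.0.103
Tunnel0 created 00:00:18, expire 00:09:41
Type: dynamic, Flags: router used
NBMA address: 10.0.0.103
Spoke_R4#
"""

if __name__ == "__main__":
    for prefix, nbma in new_shortcuts(BEFORE, AFTER).items():
        print(f"new spoke-to-spoke mapping: {prefix} -> NBMA {nbma}")
```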

  • Full Mesh to Hub Spoke Connectivity

    I have implemented MPLS VPN. It is currently running as full mesh connectivity. I need to implement and configure hub and spoke connectivity due to a business requirement.
    I have 4 spokes and 1 hub. The spokes shouldn't communicate with each other, only with the hub and vice versa.
    What is the appropriate and best practice for me to implement and configure such a scenario?
    Appreciate your feedback and opinion.
    regards,
    maher

    ok keep all your config in as it is just now. The only issue (personal one I believe) is that you shall be using the same RD everywhere but that shouldn't matter. On your hub site add under the vrf something like Route-target export 99:1. On your spoke sites add route-target export 99:2 then on the other spoke site route-target export 99:3 until you do them all to 99:x. Then go back to the hub site and do route-target import 99:2 all the way through to x. You can now remove your original route-targets and all shall be fine. A cleaner method would be to completely remove the vrf but that's prolly too much hassle and downtime for your liking :-)
    HTH
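    To check the route-target scheme in the reply above before touching production, here is an added Python model (example code, not from the thread or from any vendor) of how a PE decides which VPNv4 routes land in a VRF: a route carries its source VRF's export RTs as extended communities, and a remote VRF installs it when any of them is in its import list. The RT values follow the reply (99:1 exported by the hub, 99:2 through 99:5 exported by the four spokes and imported at the hub); the assumption that every spoke imports 99:1, the full-mesh RT 100:1, the RD 65000:1, the VRF name and the customer prefixes are constructed. It also renders the resulting IOS `ip vrf` block for each site and shows that leaving the original full-mesh RT in place keeps spoke-to-spoke reachability alive.

```python
"""Route-target model of the full-mesh -> hub-and-spoke change.

Added example. A VRF imports a remote route when the route's RT set (the
exporting VRF's export RTs) intersects the VRF's import RT set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

HUB_RT = "99:1"          # from the reply
LEGACY_RT = "100:1"      # constructed: the RT the original full mesh used everywhere
RD = "65000:1"           # constructed: the reply keeps the same RD everywhere


@dataclass(frozen=True)
class Vrf:
    site: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    prefixes: FrozenSet[str]      # constructed customer prefixes originated at the site


def vpnv4_table(vrfs: List[Vrf]) -> Dict[str, FrozenSet[str]]:
    """Prefixes each VRF ends up holding after RT-based import filtering."""
    rib: Dict[str, FrozenSet[str]] = {}
    for dst in vrfs:
        learned = set(dst.prefixes)
        for src in vrfs:
            if src is not dst and src.export_rts & dst.import_rts:
                learned |= src.prefixes
        rib[dst.site] = frozenset(learned)
    return rib


def can_reach(vrfs: List[Vrf], a: str, b: str) -> bool:
    """Two-way check: A must hold B's prefixes and B must hold A's; otherwise the
    return traffic has no route and the flow is broken in one direction."""
    rib = vpnv4_table(vrfs)
    by_site = {v.site: v for v in vrfs}
    return by_site[b].prefixes <= rib[a] and by_site[a].prefixes <= rib[b]


def reachability_matrix(vrfs: List[Vrf]) -> Dict[Tuple[str, str], bool]:
    return {(a.site, b.site): can_reach(vrfs, a.site, b.site)
            for a in vrfs for b in vrfs if a.site < b.site}


def full_mesh(n_spokes: int) -> List[Vrf]:
    """Starting point from the question: one RT imported and exported everywhere."""
    sites = ["hub"] + [f"spoke{i}" for i in range(1, n_spokes + 1)]
    return [Vrf(s, RD, frozenset({LEGACY_RT}), frozenset({LEGACY_RT}),
                frozenset({f"10.{i}.0.0/24"})) for i, s in enumerate(sites)]


def hub_and_spoke(n_spokes: int) -> List[Vrf]:
    """The reply's scheme: hub exports 99:1 and imports every spoke RT; each
    spoke exports its own 99:x and (assumption) imports only 99:1."""
    spoke_rts = {f"spoke{i}": f"99:{i + 1}" for i in range(1, n_spokes + 1)}
    vrfs = [Vrf("hub", RD, frozenset({HUB_RT}), frozenset(spoke_rts.values()),
                frozenset({"10.0.0.0/24"}))]
    for i, (site, rt) in enumerate(spoke_rts.items(), start=1):
        vrfs.append(Vrf(site, RD, frozenset({rt}), frozenset({HUB_RT}),
                        frozenset({f"10.{i}.0.0/24"})))
    return vrfs


def with_legacy_rt_left_in(vrfs: List[Vrf]) -> List[Vrf]:
    """What happens if the original route-targets are NOT removed at the end."""
    return [Vrf(v.site, v.rd, v.export_rts | {LEGACY_RT}, v.import_rts | {LEGACY_RT},
                v.prefixes) for v in vrfs]


def ios_vrf_config(v: Vrf, name: str = "CUST") -> str:
    """Render the site's VRF block in IOS syntax (VRF name is constructed)."""
    lines = [f"ip vrf {name}", f" rd {v.rd}"]
    lines += [f" route-target export {rt}" for rt in sorted(v.export_rts)]
    lines += [f" route-target import {rt}" for rt in sorted(v.import_rts)]
    return "\n".join(lines)


if __name__ == "__main__":
    hs = hub_and_spoke(4)
    for pair, ok in sorted(reachability_matrix(hs).items()):
        print(f"{pair[0]:>7} <-> {pair[1]:<7} {'reachable' if ok else 'isolated'}")
    print(ios_vrf_config(hs[0]))
```

    Running it prints four reachable hub-to-spoke pairs and six isolated spoke-to-spoke pairs, plus the hub's VRF block with one `route-target import` per spoke RT. `with_legacy_rt_left_in` is the check for the reply's last step: as long as 100:1 is still imported and exported at every site, the spokes keep learning each other's prefixes and the topology is still a full mesh.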
