IPsec over GRE in ASR 1000 with VRF
Hi
I'm trying to configure an IPsec over GRE tunnel between a Cisco 819G remote router and an ASR 1002 central router using crypto maps. Currently the ASR router has two VRFs (management VRF and EXTERNOS2 VRF) and in the future we are going to deploy different "virtual" routers from this box. I don't know why it doesn't work; the tunnel interface doesn't come up. Looking at the debugs obtained from the ASR router (debug crypto isakmp and debug crypto ipsec) I see the following errors:
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
local_proxy= 10.255.68.246/255.255.255.255/256/0,
remote_proxy= 10.200.25.106/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: map_db_find_best did not find matching map
Oct 3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
Oct 3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
Could anybody help me troubleshoot why it doesn't work?
I'm posting the involved configuration sections from the ASR and 819G routers.
B.R.
Oops!! I forgot to paste the involved routes from both devices.
ASR router
ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6
ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6 <--- c819G LAN network
Cisco 819G
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 10.255.68.246 255.255.255.255 Cellular0
B.R.
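A triage helper for the ASR debug above, added here as an example (it is not code from the post or from Cisco): it parses the "debug crypto ipsec" lines, pulls out the phase 2 proxy identities the 819G proposed, counts the crypto map entries that were skipped because their ISAKMP profile did not match, and builds the crypto ACL entry the ASR side would need to mirror the proposal. The reading of protocol number 256 as "any IP protocol" (a "permit ip" entry) is an assumption about how this debug denotes it.

```python
"""Triage helper for the ASR 'debug crypto ipsec' output above (added
example, not code from the post): extracts the phase 2 proxy identities the
peer proposed, records why the crypto map lookup failed, and builds the
crypto ACL entry the responder would need to mirror the proposal."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the relevant lines copied from the ASR debug in the post.
SAMPLE_DEBUG = """\
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
local_proxy= 10.255.68.246/255.255.255.255/256/0,
remote_proxy= 10.200.25.106/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport),
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: map_db_find_best did not find matching map
Oct 3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
Oct 3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
"""

PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
TRANSFORM_RE = re.compile(r"transform= (\S+) \((\w+)\)")

Proxy = Tuple[str, str, int, int]  # (address, mask, protocol, port)


@dataclass
class Phase2Triage:
    local_proxy: Optional[Proxy] = None
    remote_proxy: Optional[Proxy] = None
    transform: str = ""
    mode: str = ""
    profile_mismatches: int = 0   # crypto map entries skipped by ISAKMP profile
    map_found: bool = True
    proxy_unsupported: bool = False
    rejected: bool = False


def parse_debug(text: str) -> Phase2Triage:
    t = Phase2Triage()
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            ident: Proxy = (addr, mask, int(proto), int(port))
            if side == "local":
                t.local_proxy = ident
            else:
                t.remote_proxy = ident
            continue
        m = TRANSFORM_RE.search(line)
        if m:
            t.transform, t.mode = m.group(1), m.group(2)
        elif "map_db_check_isakmp_profile profile did not match" in line:
            t.profile_mismatches += 1
        elif "map_db_find_best did not find matching map" in line:
            t.map_found = False
        elif "proxy identities not supported" in line:
            t.proxy_unsupported = True
        elif "phase 2 SA policy not acceptable" in line:
            t.rejected = True
    return t


def wildcard(mask: str) -> str:
    """Dotted subnet mask to the inverse (wildcard) mask IOS ACLs use."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def acl_operand(addr: str, mask: str) -> str:
    if mask == "255.255.255.255":
        return f"host {addr}"
    if mask == "0.0.0.0":
        return "any"
    return f"{addr} {wildcard(mask)}"


def proto_keyword(proto: int) -> str:
    # Assumption: 256 is how this debug denotes "any IP protocol" (a 'permit ip'
    # entry); 47 would be a GRE-only entry.
    return {256: "ip", 47: "gre", 50: "esp", 6: "tcp", 17: "udp"}.get(proto, str(proto))


def required_acl_entry(t: Phase2Triage) -> str:
    """Crypto ACL line a responder-side crypto map entry needs so that its
    proxies mirror the initiator's: the local proxy is the ACL source."""
    if t.local_proxy is None or t.remote_proxy is None:
        raise ValueError("proposal proxies not found in debug")
    la, lm, lp, _ = t.local_proxy
    ra, rm, _, _ = t.remote_proxy
    return f"permit {proto_keyword(lp)} {acl_operand(la, lm)} {acl_operand(ra, rm)}"


def findings(t: Phase2Triage) -> list:
    out = [f"proposal transform: {t.transform or '?'} ({t.mode or '?'})"]
    if t.profile_mismatches:
        out.append(f"{t.profile_mismatches} crypto map entries skipped: "
                   "their ISAKMP profile does not match this peer's identity")
    if not t.map_found:
        out.append("no crypto map entry matched the proposed proxies; "
                   "a matching entry would need: " + required_acl_entry(t))
    if t.rejected:
        out.append("phase 2 rejected (phase 1 completed, since quick mode was reached)")
    return out


if __name__ == "__main__":
    for f in findings(parse_debug(SAMPLE_DEBUG)):
        print("-", f)
```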
Similar Messages
IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination
>>Both routers are located in different countries and connected through an ISP
>>IPsec over GRE tunnel is configured on both routers
>>The tunnel's line protocol is down on both ends, but the tunnel destination is reachable from the tunnel source
>>Packets are not being received on Router_1, but I can see packets getting encrypted on Router_2
>>The ISP is not finding any issue at their end
>>Please guide me on how I can fix this issue and what needs to be checked ????
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================
Hello.
First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
Please provide the full output of "show crypto ipsec sa" from both sides.
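The counter comparison the thread is doing by hand (two "show crypto ipsec sa ... | in caps" readings against "show clock") as an added example, not code from the thread: it parses two timed snapshots for one peer and states which direction of the SA is moving; the sample text is copied from the Router_1 and Router_2 outputs above.

```python
"""Added example, not from the thread: compares two timed snapshots of
'show crypto ipsec sa ... | in caps' plus 'show clock' (as pasted for
Router_1 above) and reports which direction of the IPsec SA is moving."""
import re
from datetime import datetime

# Constructed from the Router_1 outputs in the post (two snapshots, ~2 min apart).
ROUTER1_T0 = """\
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
"""
ROUTER1_T1 = """\
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
"""
# Router_2's single snapshot; note the leading '.' IOS put on its clock line.
ROUTER2_T0 = """\
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572
.15:10:33.296 UTC Thu Dec 25 2014
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
CLOCK_RE = re.compile(r"^[.*]?(\d{2}:\d{2}:\d{2})\.(\d+) \S+ \w{3} (\w{3}) (\d{1,2}) (\d{4})$")


def parse_snapshot(text: str) -> dict:
    """Return {'encaps': int, 'decaps': int, 'time': datetime} from one snapshot."""
    snap = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            snap[name] = int(value)
        m = CLOCK_RE.match(line.strip())
        if m:
            hms, frac, mon, day, year = m.groups()
            snap["time"] = datetime.strptime(f"{hms}.{frac} {mon} {day} {year}",
                                             "%H:%M:%S.%f %b %d %Y")
    missing = [k for k in ("encaps", "decaps", "time") if k not in snap]
    if missing:
        raise ValueError(f"snapshot lacks {missing}")
    return snap


def compare(before: dict, after: dict) -> dict:
    """Classify SA activity between two snapshots taken for the same peer."""
    seconds = (after["time"] - before["time"]).total_seconds()
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    if d_enc > 0 and d_dec == 0:
        verdict = ("outbound only: this end encrypts but decrypts nothing, so ESP "
                   "from the peer is not arriving or is not matching this SA")
    elif d_dec > 0 and d_enc == 0:
        verdict = ("inbound only: ESP from the peer is decrypted but this end "
                   "sends nothing; check routing into the tunnel")
    elif d_enc == 0 and d_dec == 0:
        verdict = "idle: neither counter moved in the interval"
    else:
        verdict = "both directions moving; the SA itself is passing traffic"
    return {"seconds": seconds, "encaps_delta": d_enc,
            "decaps_delta": d_dec, "verdict": verdict}


if __name__ == "__main__":
    print(compare(parse_snapshot(ROUTER1_T0), parse_snapshot(ROUTER1_T1)))
```

Router_2 was only captured once, so a second reading of its counters would be needed before the same comparison can say whether its decaps move.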
Hello,
Please, urgent help.
I have an ASR 1000 with the asr1000rp2-adventerprisek version; when I add PPP multilink to the dialer interface it shows the following error:
FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image:
MLP bundle , link download to CPP failed
Please, urgent help. This error comes with the command ppp multilink; it prints a lot of letters and numbers and then, as the last line, this message:
FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F0: fman_fp_image:
MLP bundle 181, link 178 download to CPP failed
The configuration is still not installed, but I configured just the following lines:
interface Virtual-Template
ip unnumbered Loopback2
ip mtu 1440
ip load-sharing per-packet
ip tcp adjust-mss 1400
no logging event link-status
peer default ip address pool
ipv6 unnumbered Loopback2
ipv6 enable
no ipv6 nd suppress-ra
ppp authentication pap chap callin
ppp multilink
ppp multilink fragment delay 100
ppp multilink mrru local 1546
Those were the lines used to configure this dialer. The image must be asr1000rp2-adventerprisek and not IP Base, but I haven't tried using IP Base.
What do you think?
IPsec over GRE not coming up, can't see why, debug inc...
Hi all,
Rattling my brains here; as far as I can see everything is fine and it should be working, but for some reason it's not, and I can't see anything in the debug that's hinting at the reason why. Can anyone help me out with this?
I'm normally good at this stuff, but this time it's got me!
The hub config works with 3 other spokes configured in the same way!
Thanks for any help guys
SPOKE
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xx3
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec transform-set AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec profile GRE_TUNNEL
set transform-set AES-SHA
archive
log config
hidekeys
ip ssh version 2
interface Tunnel1
bandwidth 100000
ip address 192.168.100.103 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication xxxxxx
ip nhrp map 192.168.100.1 xxx.xxx.xxx.xx3
ip nhrp map multicast xxx.xxx.xxx.xx3
ip nhrp network-id 100
ip nhrp holdtime 450
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
qos pre-classify
tunnel source Vlan100
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile GRE_TUNNEL
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
dsl operating-mode auto
interface FastEthernet0
switchport access vlan 100
interface FastEthernet1
switchport access vlan 103
interface FastEthernet2
switchport access vlan 103
interface FastEthernet3
switchport access vlan 103
interface Vlan1
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
shutdown
interface Vlan100
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
interface Vlan103
ip address 192.168.103.254 255.255.255.0
ip nat inside
ip virtual-reassembly
router eigrp 100
network 192.168.100.0
network 192.168.103.0
auto-summary
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list OUTBOUND interface Vlan100 overload
ip access-list extended INBOUND
deny tcp any any eq 22
deny tcp any any eq telnet
permit ip any any
deny ip any any
ip access-list extended OUTBOUND
permit ip any any
deny ip any any
HUB
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp policy 15
encr 3des
authentication pre-share
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec security-association idle-time 7800
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set AES_MD5_TUNNEL esp-aes 256 esp-md5-hmac
crypto ipsec profile DataTunnels
set transform-set AES-SHA
interface Tunnel1
bandwidth 1000
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication xxxxxxxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 450
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
qos pre-classify
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DataTunnels
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
interface FastEthernet0
description INTERNAL LAN
switchport access vlan 201
interface FastEthernet1
switchport access vlan 201
interface FastEthernet2
switchport access vlan 201
interface Vlan201
ip address 192.168.201.254 255.255.255.252
ip nat inside
ip virtual-reassembly
interface Dialer1
ip address negotiated
ip access-group INBOUND in
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
load-interval 30
no cdp enable
router eigrp 100
network 192.168.100.0
network 192.168.201.0
redistribute static
router nhrp
router odr
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended INBOUND
permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host xxx.xxx.xxx.xx3 eq www
permit tcp any host xxx.xxx.xxx.xx3 eq 443
permit tcp any host xxx.xxx.xxx.xx3 eq smtp
permit udp any host xxx.xxx.xxx.xx3 eq isakmp
permit esp any host xxx.xxx.xxx.xx3
permit ahp any host xxx.xxx.xxx.xx3
permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
deny ip any any
permit ip any any
ip access-list extended OUTBOUND
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.201.0 0.0.0.255 any
deny ip any any
DEBUG
CWT-DATA#sh ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel1 created 1w5d, never expire
Type: static, Flags: used
NBMA address: xxx.xxx.xxx.xx3
CWT-DATA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xxx.xxx.xxx.xx3 192.168.1.7 MM_NO_STATE 2821 0 ACTIVE (deleted)
Jul 4 12:53:35.551: ISAKMP:(2822):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:53:45.553: ISAKMP:(2822): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:45.553: ISAKMP:(2822):peer does not do paranoid keepalives.
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP: Unlocking peer struct 0x835CCCE8 for isadb_mark_sa_deleted(), count 0
Jul 4 12:53:45.553: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.xx3: 835CCCE8
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node -32418685 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node 2092182627 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 4 12:53:45.553: ISAKMP:(2822):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Jul 4 12:53:45.585: ISAKMP:(0): SA request profile is (NULL)
Jul 4 12:53:45.585: ISAKMP: Created a peer struct for xxx.xxx.xxx.xx3, peer port 500
Jul 4 12:53:45.585: ISAKMP: New peer created peer = 0x835CCCE8 peer_handle = 0x800025C0
Jul 4 12:53:45.585: ISAKMP: Locking peer struct 0x835CCCE8, refcount 1 for isakmp_initiator
Jul 4 12:53:45.585: ISAKMP: local port 500, remote port 500
Jul 4 12:53:45.585: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:53:45.585: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8333DA70
Jul 4 12:53:45.585: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul 4 12:53:45.585: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jul 4 12:53:45.585: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul 4 12:53:45.585: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jul 4 12:53:45.589: ISAKMP:(0): beginning Main Mode exchange
Jul 4 12:53:45.589: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 4 12:53:45.589: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.653: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_NO_STATE
Jul 4 12:53:45.653: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.653: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jul 4 12:53:45.653: ISAKMP:(0): processing SA payload. message ID = 0
Jul 4 12:53:45.653: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.653: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.653: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.653: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.653: ISAKMP:(0): local preshared key found
Jul 4 12:53:45.653: ISAKMP : Scanning profiles for xauth ...
Jul 4 12:53:45.653: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul 4 12:53:45.653: ISAKMP: encryption AES-CBC
Jul 4 12:53:45.653: ISAKMP: keylength of 256
Jul 4 12:53:45.653: ISAKMP: hash SHA
Jul 4 12:53:45.653: ISAKMP: default group 5
Jul 4 12:53:45.653: ISAKMP: auth pre-share
Jul 4 12:53:45.653: ISAKMP: life type in seconds
Jul 4 12:53:45.653: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 4 12:53:45.657: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 4 12:53:45.657: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 4 12:53:45.657: ISAKMP:(0)::Started lifetime timer: 86400.
Jul 4 12:53:45.657: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.657: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.657: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.657: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.657: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jul 4 12:53:45.657: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jul 4 12:53:45.657: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.661: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.661: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jul 4 12:53:45.813: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 4 12:53:45.817: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.817: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 4 12:53:45.817: ISAKMP:(0): processing KE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is Unity
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is DPD
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): speaking to another IOS box!
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP (0:2823): NAT found, the node inside NAT
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.993: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jul 4 12:53:45.993: ISAKMP:(2823):Send initial contact
Jul 4 12:53:45.993: ISAKMP:(2823):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 4 12:53:45.993: ISAKMP (0:2823): ID payload
next-payload : 8
type : 1
address : 192.168.1.7
protocol : 17
port : 0
length : 12
Jul 4 12:53:45.993: ISAKMP:(2823):Total payload length: 12
Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:53:45.997: ISAKMP:(2823):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.997: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.997: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM5
CWT-DATA#
Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:53:55.794: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:53:55.794: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:53:56.294: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:53:56.294: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:05.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:05.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:05.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:06.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:06.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:06.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:15.797: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:15.797: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:16.297: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:16.297: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:19.537: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:54:19.537: ISAKMP:(2823):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote xxx.xxx.xxx.xx3)
Jul 4 12:54:19.537: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 4 12:54:19.537: ISAKMP: Error while processing KMI message 0, error 2.
CWT-DATA#
Jul 4 12:54:25.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:25.798: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:25.798: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:26.298: ISAKMP (0:2823): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:26.298: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:26.298: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:35.555: ISAKMP:(2822):purging node -32418685
Jul 4 12:54:35.555: ISAKMP:(2822):purging node 2092182627
Jul 4 12:54:35.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:35.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:36.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:36.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:36.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#no debug all
All possible debugging has been turned off
Here's the hub debug:
CWCH#
*Jul 5 11:58:16.208: ISAKMP: set new node 1382820308 to QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116):Sending an IKE IPv4 Packet.
*Jul 5 11:58:16.208: ISAKMP:(2116):purging node 1382820308
*Jul 5 11:58:16.208: ISAKMP:(2116):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jul 5 11:58:16.208: ISAKMP:(2116):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP: set new node -146383553 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120): processing HASH payload. message ID = -146383553
*Jul 5 12:02:47.504: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -146383553, sa = 0x854A7094
*Jul 5 12:02:47.504: ISAKMP:(2120):deleting node -146383553 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP: set new node -1398198787 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120): seq. no 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:47.504: ISAKMP:(2120):purging node -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:52.516: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP: set new node -459292560 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120): processing HASH payload. message ID = -459292560
*Jul 5 12:02:52.516: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -459292560, sa = 0x854A7094
*Jul 5 12:02:52.516: ISAKMP:(2120):deleting node -459292560 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:52.516: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:52.516: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:52.516: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP: set new node -1245354522 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1245354522
*Jul 5 12:02:52.516: ISAKMP:(2120): seq. no 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:52.516: ISAKMP:(2120):purging node -1245354522
*Jul 5 12:02:52.520: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:52.520: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:55.636: ISAKMP:(2119):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:55.636: ISAKMP:(2119):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:55.656: ISAKMP:(2119):purging node 926310294
CWCH#
*Jul 5 12:02:58.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:58.000: ISAKMP: set new node -1957053939 to QM_IDLE
*Jul 5 12:02:58.000: ISAKMP:(2120): processing HASH payload. message ID = -1957053939
*Jul 5 12:02:58.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1957053939, sa = 0x854A7094
*Jul 5 12:02:58.000: ISAKMP:(2120):deleting node -1957053939 error FALSE reason "Informational (in) state 1"
GRE keepalives enabled under tunnel interfaces will put the line protocol of the tunnel down... I have tested this in the LAB!!!
Why is it so, and what is the workaround to use keepalives with VRF?
Hello,
It is caused by the way how the GRE keepalives work. I suggest reading these two documents first:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml
In short, a router sending a keepalive in essence constructs an IP packet whose source is the remote endpoint and whose recipient is the router itself. It then encapsulates it using GRE and attaches another IP header to it with the sender being itself and the destination being the remote end. This packet will be sent to the remote end, where it will be decapsulated and afterwards routed as usual, thereby returning the inner IP packet back to the original sender.
Obviously, this keepalive mechanism is not integrated with the VRF feature. The keepalive packet may arrive at the remote endpoint but after it is decapsulated the association with the receiving Tunnel interface is obviously lost and the remote endpoint tries to route that packet back using the global routing table, not the VRF in which the tunnel resides. This in turn causes the keepalive packet to never return.
I am unfortunately not aware of any backup keepalive mechanism for this, apart from running routing protocols over the tunnel with more aggressive hello and dead intervals.
Best regards,
Peter -
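As an added illustration of the keepalive mechanism Peter describes above (example code, not from the thread or from Cisco): the script builds the keepalive exactly as described (inner IP packet from the remote end back to us, wrapped in GRE/IP from us to the remote end), decapsulates it at the far side, and then routes the inner packet with either the global table or the tunnel's VRF table. The hub and spoke addresses, the VRF name and the routing tables are constructed.

```python
import struct
import ipaddress
# Real protocol constants from the IP and GRE specifications
IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800   # outer GRE: payload is an IPv4 packet
GRE_PROTO_NONE = 0x0000   # inner GRE: empty payload, marks the keepalive

def ip_checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header (no options) whose payload is GRE."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                      IPPROTO_GRE, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def build_gre_keepalive(local, remote):
    """Inner packet: from the remote end back to us, carrying an empty GRE
    header (flags/version 0). Outer packet: from us to the remote end."""
    inner = ipv4_header(remote, local, 4) + struct.pack("!HH", 0, GRE_PROTO_NONE)
    outer_gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return ipv4_header(local, remote, 4 + len(inner)) + outer_gre + inner

def decapsulate(pkt):
    """Strip one IPv4+GRE layer; return (src, dst, gre_proto, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    _flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, pkt[ihl + 4:]

def longest_match(table, dst):
    """Longest-prefix lookup over [(prefix, next_hop)]; None when no route."""
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def forward_keepalive_reply(pkt, tables, table_name):
    """Model the remote end: decapsulate, then route the inner packet with the
    named table (the VRF the tunnel lives in, or the global table)."""
    _, _, proto, inner = decapsulate(pkt)
    if proto != GRE_PROTO_IPV4:
        raise ValueError("not an IP-in-GRE packet")
    _, inner_dst, inner_proto, _ = decapsulate(inner)
    if inner_proto != GRE_PROTO_NONE:
        return None   # some other tunnelled packet, not a keepalive
    return longest_match(tables[table_name], inner_dst)

# Constructed model: the route back to the hub endpoint exists only in the VRF
HUB, SPOKE = "192.0.2.1", "198.51.100.2"
TABLES = {"global": [("203.0.113.0/24", "GigabitEthernet0/0")],
          "CUST_A": [("192.0.2.0/24", "Tunnel0")]}
```

Routing the decapsulated keepalive in the global table yields no route (the reply is dropped, which is the symptom Peter describes), while the same lookup in the VRF finds the way back through the tunnel.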
IPSec for Redundant DMVPN with VRF
Hi.
I have been labbing up a solution using DMVPN and VRF, similar to that described in the blog post here. It works very well, however when I try to extend the concept to a redundant hub, it breaks with IPSec. If I remove the tunnel protection, it works fine.
Does anyone have any ideas about providing IPSec protection to multiple DMVPN tunnels for VRFs to a redundant Hub?
Thanks.
Client config (no IPSec):
interface Tunnel10
ip vrf forwarding Staff
ip address 10.254.254.23 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFS
ip nhrp map multicast 172.16.1.1
ip nhrp map 10.254.254.1 172.16.1.1
ip nhrp map 10.254.254.3 172.16.1.3
ip nhrp map multicast 172.16.1.3
ip nhrp network-id 10
ip nhrp holdtime 600
ip nhrp nhs 10.254.254.1
ip nhrp nhs 10.254.254.3
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
interface Tunnel20
ip vrf forwarding Clients
ip address 10.254.253.23 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFSC
ip nhrp map 10.254.253.1 172.16.1.1
ip nhrp map multicast 172.16.1.1
ip nhrp map multicast 172.16.1.3
ip nhrp map 10.254.253.3 172.16.1.3
ip nhrp network-id 20
ip nhrp holdtime 600
ip nhrp nhs 10.254.253.1
ip nhrp nhs 10.254.253.3
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
Hub 1:
interface Tunnel10
ip vrf forwarding Staff
ip address 10.254.254.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFS
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
interface Tunnel20
ip vrf forwarding Clients
ip address 10.254.253.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFSC
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
Hub 2:
interface Tunnel10
ip vrf forwarding Staff
ip address 10.254.254.3 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFS
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp holdtime 360
ip nhrp server-only
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 10
interface Tunnel20
ip vrf forwarding Clients
ip address 10.254.253.3 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication MFSC
ip nhrp map multicast dynamic
ip nhrp network-id 20
ip nhrp holdtime 360
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 20
Under the Hub you have to add
HUB1
interface Tunnel10
ip nhrp map 10.254.254.1
ip nhrp map multicast < ip add of FastEthernet0/0 for HUB2>
HUB2
interface Tunnel10
ip nhrp map 10.254.254.3
ip nhrp map multicast < ip add of FastEthernet0/0 for HUB1>
The same thing for the other tunnel interfaces -
WAAS with IPSEC or GRE tunnels
Hello,
I have a client with HQ and remote site, I need to implement WAAS between them.
The issue is that they are connected via GRE over IPsec over an MPLS WAN. Is there anything to take care of when implementing WAAS in a GRE/IPsec deployment?
Thanks & BR
Moamen
I would keep in mind the following things...
1. Interception - You have to ensure you intercept the traffic outside the tunnels, otherwise you won't get any compression. Hardware based switches like the Cat6K cannot use WCCP on tunnel interfaces. Software based routers can do interception on tunnel interfaces, but don't scale as much as the hardware assisted platforms.
2. Packet size - if you are getting excessive fragmentation, try lowering the Optimized MSS value on the WAEs to under what you need for headers. WAAS default is 1432.
Other than that, what you have is a pretty normal installation situation.
Thanks,
Dan -
MPLS over GRE Support (Platform)
Hello,
I am looking to run MPLS over GRE (over the Public Internet) probably with IPSec for obvious reasons. CFN seems to suggest only the Cat6k with SUP-VS-2T or the Catalyst 6800 is capable of MPLS over GRE functionality...
I currently have 2 x Cisco 7200 VXR platforms (7204 & 7206) with the NPE-G2 processing engine and was wondering whether adding the VSA encryption module (C7200-VSA=) would be enough to get reliable MPLS over GRE tunnel functionality.
The tunnel with Encryption would ideally support up to 500Mbps.
My other alternative is to upgrade/replace the VXRs with ASRs (1002 or similar) but again CFN is unclear if the ASR100x platform is capable of delivering MPLS over GRE + IPSec.
Thanks,
MPLS over GRE is not supported in hardware for the Sup720. This is a PFC3 hardware limitation. Your options would be to use the SPA-400 or Enhanced FlexWAN.
-
Hi All,
I need to extend Layer 2 between two Data Centers over IP cloud. I am looking at the EoMPLSoGRE option and wondering which ASR I need to buy to have this feature working. Will basic model of ASR 1000 do? Or, do we have to buy any specific model of ASR ( and SPAs) for this EoMPLSoGRE to be working. Any specific version of IOS needed for this feature?
As of now, we have an L3 MPLS VPN between the sites, terminated on Cisco 3900 series routers. We want to use this IP cloud to build this L2 extension just temporarily for migrating some servers where we cannot change the IP address of the servers due to application complexities.
Any help is highly appreciated. Also, if you can point me to a sample setup and configuration for EoMPLSoGRE, it would be of great help.
Thanks and Regards,
Mohan Muthu
Any ASR model running IOS XE 2.4+ supports AToM over GRE. I would recommend that you read this document in detail, and tell us if you need any further help.
http://www.cisco.com/en/US/prod/collateral/routers/ps9343/Deploying_and_Configuring_MPLS_Virtual_Private_Networks_In_IP_Tunnel_Environments.pdf -
Error message on ASR 1000 logs.
Hi Everyone,
Good day.
I am seeing the errors below on the ASR 1000 that I have, and it is not very clear what the error actually means.
If someone has had experience with this kind of error message, kindly assist:
Apr 11 12:02:08.744 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:09.442 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:13.381 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:13.986 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:18.312 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:18.765 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:22.827 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:23.449 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:27.777 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:28.090 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:32.649 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:32.686 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:37.397 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:37.552 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:42.062 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:42.259 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:46.775 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:47.200 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:51.347 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:51.977 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:56.271 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:02:56.835 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:01.140 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:01.787 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:06.064 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:06.325 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:10.949 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:11.039 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:15.533 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Apr 11 12:03:15.858 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0
Thanks
Kanes.R
Hi,
OK, the message indicates that one of the tunnels can't find the adjacent device through the default route (0.0.0.0).
Check your tunnels and make sure they are all working correctly and have peering. I am not sure if this is possible, but see if you can figure out whether the tunnels have been running for some time or whether any of them is flapping.
HTH -
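Added here as a triage helper for the thread above (example code, not from the post or from Cisco): it parses the ASR1000-INJECT lines, measures how often the adjacency miss repeats per target, flags a sustained burst, and counts %LINEPROTO-5-UPDOWN tunnel state changes so the miss can be correlated with flapping tunnels, as the reply suggests. The sample input reuses a few lines from the post plus one constructed line-protocol message; the interface name, the log year and the burst thresholds are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Line shapes: INJECT from the post above, LINEPROTO as IOS logs it (year is not logged)
INJECT_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}) \w+: "
                       r"ASR1000-INJECT: can't find tunnel adj for (?P<target>\S+)$")
FLAP_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}) \w+: "
                     r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<intf>\S+), "
                     r"changed state to (?P<state>up|down)$")

# Constructed sample: lines from the post plus one made-up tunnel state change
SAMPLE_LINES = [
    "Apr 11 12:02:08.744 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0",
    "Apr 11 12:02:09.442 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0",
    "Apr 11 12:02:13.381 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0",
    "Apr 11 12:02:13.986 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0",
    "Apr 11 12:02:15.000 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down",
    "Apr 11 12:02:18.312 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0",
    "Apr 11 12:02:18.765 AEST: ASR1000-INJECT: can't find tunnel adj for 0.0.0.0",
]

def _ts(text, year):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S.%f")

def parse_log(lines, year=2000):
    """Return (adjacency misses [(ts, target)], state changes [(ts, intf, state)])."""
    misses, flaps = [], []
    for line in lines:
        line = line.strip()
        if m := INJECT_RE.match(line):
            misses.append((_ts(m["ts"], year), m["target"]))
        elif m := FLAP_RE.match(line):
            flaps.append((_ts(m["ts"], year), m["intf"], m["state"]))
    return misses, flaps

def sustained(stamps, window_s, threshold):
    """True if more than `threshold` events fall inside any window_s-second window."""
    j = 0
    for i, start in enumerate(stamps):
        while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_s:
            j += 1
        if j - i > threshold:
            return True
    return False

def summarize(misses, flaps, window_s=60, threshold=10):
    """Per target: hit count, median gap between hits, sustained flag;
    plus the number of line-protocol changes seen per tunnel interface."""
    by_target = {}
    for ts, target in sorted(misses):
        by_target.setdefault(target, []).append(ts)
    report = {"targets": {}, "flapping": {}}
    for target, stamps in by_target.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report["targets"][target] = {
            "count": len(stamps),
            "median_gap_s": round(median(gaps), 3) if gaps else None,
            "sustained": sustained(stamps, window_s, threshold),
        }
    for _, intf, _ in flaps:
        report["flapping"][intf] = report["flapping"].get(intf, 0) + 1
    return report
```

A steady sub-second to few-second repeat with no tunnel state changes points at a persistent forwarding-path problem rather than a transient flap, which narrows where to look next.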
What is the Max Nat Session supported on ASR 1002 with ASR1002-5G/K9
Hello,
I am going for the ASR 1002 with the ASR1002-5G/K9 ESP. Can anyone help me find out how many NAT translations are possible?
As I read the datasheet for the ASR1000, it says 1M translations are supported by the ESP10, but it gives no information regarding the ESP5.
Thanks in advance
Firewall or NAT: 250,000 sessions and 50,000 sessions-per-sec setup rate
This is from the datasheet. Please check.
Table 3. Cisco ASR 1000 Series 5-Gbps ESP Module Performance and Scaling
Regards
Durga Prasad - Datasoft Comnet
Pls rate helpful posts
Sent from Cisco Technical Support Android App -
BGP to OSPF redistribution with VRFs
I am having a problem with redistribution of routes between BGP and OSPF when using VRFs mapping to VLANs between the PE and CE.
In this lab I've put together, I have R4 and R5 communicating with each other via BGP with MPLS. If I redistribute BGP into OSPF and deliver the connection to the CE without VLANs, it works fine. If I want to essentially keep the same primary network going into the other side of the BGP but send the VRF over a VLAN to the next router, the redistribution doesn't happen.
In this example I have
192.168.100.0/24 (R6) --ospf-- (R4) --BGP-- (R5) --ospf-- (R7) 192.168.200.0/24
Between R4 and R5 is the core network running ospf (R1 - R3).
Can anyone point me in the right direction why this isn't working? I am obviously missing something here.
Thanks,
Mike
Hi Mike,
You need to add capability vrf-lite under ospf process of R6 and R7 because they are configured with VRF-lite. This command will disable the check usually done on the PE to avoid routing loops.
HTH
Laurent. -
Hi,
Can anyone guide me about the benefits of MPLS over GRE tunnels? Does this serve the purpose of MPLS (except TE, which I suppose is not possible on GRE tunnels), as Layer 3 is already involved before label switching even starts?
Thanks and regards,
Shakeel Ahmad
I have a problem with MPLS over GRE. When I try to apply a policy to shape the traffic, it seems that the default class doesn't see the MPLS packets.
I'm trying to shape the traffic to 256k, but it seems that the shaping is never activated.
Anyone have any idea how to solve this?
Example:
class-map match-all PING
match access-group 171
policy-map class-default
class PING
bandwidth percent 15
policy-map PING
class class-default
shape average 256000
service-policy class-default
interface xx
service-policy output PING
access-list 171 permit icmp any any -
IPsec (tunnel mode) + GRE + EIGRP
Is it possible to use IPsec (tunnel mode) + GRE + EIGRP at the same time?
The real question is not whether you are connected using a single physical interface at the central site. I have a customer who is currently using a single physical interface for about 90 GRE tunnels with no issue about split horizon. But these are traditional point to point GRE tunnels. If you connect to multiple remote locations with a multipoint GRE tunnel then there is an issue with EIGRP split horizon and you would need to turn off split horizon. If you do not disable split horizon the symptom is likely to be that all remotes can talk to the central site, the central site can talk to all remotes, but one remote will not be able to talk to other remotes.
HTH
Rick -
Hi: Are there any MTU issues with running MPLS over GRE tunnels?
What will be the MTU size?
Thank you
GRE has an overhead of 24 bytes, and can directly interfere with the MPLS overhead. The MTU associated with an MPLS packet is broken down like so:
Ethernet Payload - 1500
802.1q header - 18
AToM Header - 4 (Required for ATM and FR only)
AToM Label - 4
LDP Label - 4
TE Label - 4
MPLS Fast Reroute - 4
Total = 1538
Granted, you may not configure all of the features above in your MPLS network, but this is a good baseline to use for the MPLS MTU. You need to configure the core network to accept an MTU of at least 1538 bytes, without GRE.
You need to ensure that your GRE tunnels can support an MTU greater than 1562 if you plan to implement additional MPLS features like TE and AToM.