vikrantambhore

CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX

Hello,

I have one hub and 2 sites. We are using IPSEC + DMVPN. I normally get these kinds of errors, however everything was working fine. I used to get these messages earlier too, but this time they are in a high number. All is working fine, but I am constantly getting the error on the HUB router from only the branch, approx. within an hour, & then the VPN went down:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its sanity check or is malformed
Then when I cleared crypto sa & clear crypto isakmp, it works fine for a while, but it keeps happening again & again.

Can anyone help me? When I look at sh crypto isakmp sa, I see the VPN is up, but I am unable to ping that remote router.

I have attached the configuration of the HUB & Spoke.
:17:34.846: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.
58.37 failed its sanity check or is malformed
012282: Jan 10 04:18:48.573: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.
XX.XX failed its sanity check or is malformed
012283: Jan 10 04:19:49.255: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.
XX.XX failed its sanity check or is malformed

012284: Jan 10 04:21:51.052: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC pa
cket has invalid spi for destaddr=XX.XX.XX.XX, prot=50, spi=0x80CEE739(2161043
257), srcaddr=XX.XX.XX.XX
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its sanity check or is malformed

HUB.txt
SPOKE.txt
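
As an added example (not part of the original post or of either participant's configuration): a Python script that rejoins IOS log output hard-wrapped at 80 columns, as in the excerpts above, and counts %CRYPTO-4-IKMP_BAD_MESSAGE and %CRYPTO-4-RECVD_PKT_INV_SPI events per peer. The sample records, the documentation-range addresses, the year, the 10-minute window and the threshold of 3 are assumptions made for illustration.

```python
"""Rejoin 80-column-wrapped Cisco IOS log captures and tally IKE/IPsec errors per peer."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WIDTH = 80  # column at which the terminal hard-wrapped the pasted output

# A new record starts with an optional sequence number and a "Mon DD HH:MM:SS.mmm: " stamp.
STAMP = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d\.\d{3}"
RECORD_START = re.compile(rf"^(?:\d+: )?\*?{STAMP}: ")
RECORD = re.compile(
    rf"^(?:\d+: )?\*?(?P<ts>{STAMP}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
BAD_MESSAGE_PEER = re.compile(r"IKE message from (\S+) failed its sanity check")
INVALID_SPI = re.compile(r"spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(\S+)")


def unwrap(lines, width=WIDTH):
    """Merge physical lines back into one string per log record."""
    records, prev_len = [], 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        elif prev_len >= width - 1:
            # Hard wrap: no separator was present. A 79-character line means the
            # space in column 80 was stripped when the text was pasted; restore it.
            records[-1] += " " * (width - prev_len) + line
        else:
            # Short previous line: a genuine second line of a multi-line message.
            records[-1] += " " + line.strip()
        prev_len = len(line)
    return records


def peak_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, when in enumerate(times):
        while when - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarise(lines, year, window=timedelta(minutes=10), threshold=3):
    """Per-peer counts of malformed IKE messages and ESP packets with an unknown SPI.

    IOS stamps carry no year, so the caller supplies one (an assumption).
    """
    bad_times, stale_spis = defaultdict(list), defaultdict(set)
    for record in unwrap(lines):
        m = RECORD.match(record)
        if not m or m["fac"] != "CRYPTO":
            continue
        when = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S.%f %Y")
        if m["mnem"] == "IKMP_BAD_MESSAGE":
            peer = BAD_MESSAGE_PEER.search(m["text"])
            if peer:
                bad_times[peer[1]].append(when)
        elif m["mnem"] == "RECVD_PKT_INV_SPI":
            hit = INVALID_SPI.search(m["text"])
            if hit:
                stale_spis[hit[2]].add(hit[1])
    report = {}
    for peer in sorted(set(bad_times) | set(stale_spis)):
        peak = peak_in_window(bad_times[peer], window)
        report[peer] = {
            "bad_messages": len(bad_times[peer]),
            "peak_in_window": peak,
            "burst": peak >= threshold,
            "invalid_spis": sorted(stale_spis[peer]),
        }
    return report


# Constructed sample records (format modelled on the excerpts; addresses are
# documentation ranges, not the poster's).
SAMPLE_RECORDS = [
    "012282: Jan 10 04:18:48.573: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.0.2.10 failed its sanity check or is malformed",
    "012283: Jan 10 04:19:49.255: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.0.2.10 failed its sanity check or is malformed",
    "012284: Jan 10 04:21:51.052: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.1, prot=50, spi=0x80CEE739(2161043257), srcaddr=192.0.2.10",
    "012285: Jan 10 04:22:10.100: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up",
    "012286: Jan 10 04:23:02.410: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.0.2.10 failed its sanity check or is malformed",
    "012287: Jan 10 09:40:00.000: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 203.0.113.7 failed its sanity check or is malformed",
]
# Simulate the paste: hard wrap at 80 columns, trailing whitespace stripped.
SAMPLE_CAPTURE = [r[i:i + WIDTH].rstrip() for r in SAMPLE_RECORDS for i in range(0, len(r), WIDTH)]

if __name__ == "__main__":
    for peer, stats in summarise(SAMPLE_CAPTURE, year=2011).items():
        print(peer, stats)
```
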
mpisano

I would suggest picking one common "Crypto ipsec Transform-set..." and one "Crypto isakmp policy".
Also slightly confused by the GRE statement.

Since you only have two sites and a PIX, you don't need the other stuff, and I'm not sure which one it's negotiating. Error during tunnel negotiating is normal until it finds a common one.

You say this used to work? Guess the magic question is "What changed?"

At any point can you route across the VPN? Could this be firewall or route table related and not crypto?

If it works and then stops, it might be lifetime, or you might want to try keepalive packets.

Would need versions and more detailed logs and configs, but if you have any other questions let me know.

HTH
Mike
vikrantambhore (ASKER)

Hi Mike,

Thanks for your quick reply. I think I didn't change anything about the VPN, although I'm not 100% sure if I did.
But we need to fix this issue.
I used lifetime 28800 under every policy, but have the same issue.
Please let me know if you need any log.
Which log do you need?

Regards

Vikrant
Why so many policies?

At any point can you ping across the link?

What are the models and what software version?

Like to see the log of when it stops routing and begins renegotiating

Mike

Hi Mike,

I am using a UC520 on the HUB & an 877 for the Spoke; I have attached software details of both routers.
Now everything is working fine, but I know it will happen in 1 hr. Crypto ISAKMP error debugging is on on both routers; I will post when I have this issue again.

Bro, about the policy, I am not sure which is in use,
but I know I configured DMVPN last month and that time I used policy 20; I think the rest is for EZVPN.

I request you to please help me until this issue is solved.
HUB.txt
SPOKE.txt
One more question: is there any way of knowing which policy is in use & for what?
Bro, I am getting the below error on the HUB router, but the VPN is up & all applications are working fine.

ISAKMP:(2907): IPSec policy invalidated proposal wi
th error 256
071687: Feb  3 06:33:50.044: ISAKMP:(2907): IPSec policy invalidated proposal wi
th error 256
071688: Feb  3 06:33:50.060: ISAKMP:(2907): IPSec policy invalidated proposal wi
th error 256
071689: Feb  3 06:33:50.060: ISAKMP:(2907): IPSec policy invalidated proposal wi
th error 256
071690: Feb  3 06:33:50.060: ISAKMP:(2907): IPSec policy invalidated proposal wi
th error 256
Can you please log on Both Router, but all is fine,  was down only for 2-3 Sec, & up again
SPOKE.txt
HUB.txt
Hey - sorry for the lag. Any progress on your end?

I've looked over the config, and I am a bit confused why you're still using GRE and "ip nhrp" instead of crypto and a route map?

I think we need to take a step back and define what you have. I'm guessing these are two DSL circuits without fixed IP addresses and you're trying to link these sites together?

Can you post the full config for both 877's and the PIX - change the usernames and passwords and any public IP if hard coded on an interface.

Thanks
Bro, we have static IPs on both sides; both are DSL lines.

We have a UC520 router on the HUB (head office of the company) & a Cisco 877 in the branch office.
Bro, if you feel the configuration is wrong somewhere, please guide me; we can edit our configuration.
Also, another router is connected to the main router, which is the 192.168.8.0 subnet, but it doesn't have a static IP.

I need to ping all branches from all routers.

Please help me. I know I am wrong, and I am not too familiar with Cisco networking, but I can do it if you will help me.

Thanks in Advance


HUB.txt
SPOKE.txt
The other non-static 877 - is it remote or directly attached to the 520?

Are the configs on both 877s the same except for the local IP range?

I see you're defining a DHCP pool labeled Phone - are you VOIPing over these (across the Pacific to BigPond\Telstra)?

Are you using the 802.11, and are these supposed to not have access to the tunnel? I.e. is it only for people to browse and not see the inside servers?

Do all three routers form a triangle in routing, or do you want spoke and hub? (If the UC is unavailable, should the two 877's talk?)

Can you do a DIR or a show ver and let me know exactly what version of IOS you're running?

Sorry to throw a bunch of questions at you, just don't want to make a mess.

Mike
We are using VOIP over 3 branches: the UC520 is in Perth, the 877 is in India, & the 3rd is in Melbourne (Cisco 1861).
We have static IPs in Perth & India but not in Melbourne. Which is the best way for all routers to communicate with each other, & which are we using at present? My call manager is in Perth.

I have attached sh ver of all routers, also attached sh run of Melbourne.
Sh-Ver-HUB.txt
Sh-Ver-India.txt
Sh-Ver-Melbourne.txt
Sh-RUN--Melbourne.txt
I see your infrastructure is growing - lol

I will review the configs as soon as I get a chance to focus on it.

So the three sites are PER, MEL, IND, and to roll back to the original issue, everything works and randomly
routing stops and a "cleared crypto sa & clear crypto isakmp" fixes it.

1) The cleared crypto sa & clear crypto isakmp you enter at the Spoke (MEL\IND)
2) Does it happen to both?
3) How often?
4) Do they both fail at the same time?

Is this only happening in MEL? I had a similar problem since Bigpond has upgraded to a newer DSL spec that was not compatible with the rev of 12.4 I had there.

We don't have this issue in Melbourne; it happened only between IND & Perth.
When it happens I need to enter the clear command on IND and also Perth.
Maybe this issue happened due to bugs on the router; I am getting a crashinfo on the IND router.
Can you please check if there is any serious issue?
crashinfo-20110205-034745
Well, a crashing router is never a good sign!

Are you familiar with TFTP and Cisco flashing?
Yes Bro, I can upload a new image, but I am unable to understand what the main issue in the software is
& why it happened?
Still unsure why, but before we can say this might be a hardware problem we need to make sure it's on the latest IOS version.

Can you do a DIR?

That should show me the long file name of the IOS image booting in flash.

Mike
It crashed 1 hour ago & the reason shows as unknown in sh ver

Router#dir
Directory of flash:/

    2  -rwx    19004980   --- -- ---- --:--:-- -----  c870-advipservicesk9-mz.12
4-15.T9.bin
   21  -rwx         660  Sep 13 2007 17:18:45 +00:00  vlan.dat

23482368 bytes total (4470784 bytes free)
Router#
Router#sh version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T9,
RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 29-Apr-09 05:52 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE

Router uptime is 1 hour, 59 minutes
System returned to ROM by reload at 03:47:45 UTC Sat Feb 5 2011
System restarted at 03:48:37 UTC Sat Feb 5 2011
System image file is "flash:c870-advipservicesk9-mz.124-15.T9.bin"
Last reload reason: Unknown reason



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 877W (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of mem
ory.
Processor board ID FHK110914N0
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Router#

Do you have access to Cisco's web site for a newer flash or do you need one?

Does the router crash happen at the same time you lose routing and need to clear crypto isakmp?
I don't have access to Cisco's web site.
I don't think the router crash happens at the same time as when I lose routing, as I have seen that it happens sometimes, but not all the time. But the router crashes one time a day.

Hi Dear,

Please check the error on the HUB router, but the VPN is still up. I think something is wrong in the crypto policy.
Please look if you can understand this.
000296: Feb  5 02:09:08.431: *** Not encrypted dot1x packet from 0016.eaee.1328
has been discarded
000297: Feb  5 03:08:44.359: %LINK-3-UPDOWN: Interface Virtual-Access4, changed
state to up
000298: Feb  5 03:08:44.363: %LINK-3-UPDOWN: Interface Virtual-Access5, changed
state to up
000299: Feb  5 03:08:45.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vir
tual-Access4, changed state to up
000300: Feb  5 03:08:45.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vir
tual-Access5, changed state to up
000301: Feb  5 03:09:32.505: %ALIGN-3-SPURIOUS: Spurious memory access made at 0
x829E305C  reading 0x0
000302: Feb  5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0
x81F50F84 0x81F4F5F0 0x81F53270 0x81F542BC 0x81F4E3EC 0x8017716C
000303: Feb  5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0
x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30CF4 0x80DDC7E4
000304: Feb  5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0
x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DD8A7C
000305: Feb  5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0
x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DE8488
000306: Feb  5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0
x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DE8608
000307: Feb  5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0
x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DD88B8
000308: Feb  5 03:46:49.089: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0
/1/0, changed state to Administrative Shutdown
000309: Feb  5 03:46:52.257: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0
/1/0, changed state to up
000310: Feb  5 03:47:27.718: %SYS-5-CONFIG_I: Configured from console by admin o
n vty0 (115.108.160.226)
000311: Feb  5 04:10:57.148: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD50
19982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000312: Feb  5 04:11:05.133: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
IPSEC packet.
        (ip) vrf/dest_addr= /XX.XX.XX.XX, src_addr= XX.XX.XX.XX, prot= 47
000313: Feb  5 04:12:00.331: %IPPHONE-6-REG_ALARM: 14: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=CM-closed-TCP
000314: Feb  5 04:12:00.391: %IPPHONE-6-REG_ALARM: 14: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=CM-closed-TCP
000315: Feb  5 04:12:00.431: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:19
2.168.4.175 Socket:5 DeviceType:Phone has registered.
000316: Feb  5 04:40:05.784: *** Not encrypted dot1x packet from 001d.a231.4aad
has been discarded
000317: Feb  5 04:40:38.526: *** Not encrypted dot1x packet from 001d.a231.4aad
has been discarded
000318: Feb  5 04:47:38.067: *** Not encrypted dot1x packet from 001d.a231.4aad
has been discarded
000319: Feb  5 05:01:48.918: *** Not encrypted dot1x packet from 001d.a231.4aad
has been discarded
000320: Feb  5 06:11:42.947: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD50
19982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000321: Feb  5 06:11:49.479: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=TCP-timeout
000322: Feb  5 06:11:49.479: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:19
2.168.4.175 Socket:5 DeviceType:Phone has registered.
000323: Feb  5 06:50:49.000: *** Not encrypted dot1x packet from 001d.a231.4aad
has been discarded
000324: Feb  5 10:08:30.032: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD50
19982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000325: Feb  5 10:10:38.742: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=TCP-timeout
000326: Feb  5 10:10:38.754: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:19
2.168.4.175 Socket:5 DeviceType:Phone has registered.
000327: Feb  5 11:05:16.925: %LINK-3-UPDOWN: Interface Virtual-Access5, changed
state to down
000328: Feb  5 11:05:17.925: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vir
tual-Access5, changed state to down
000329: Feb  5 11:05:33.681: %ALIGN-3-SPURIOUS: Spurious memory access made at 0
x829E305C  reading 0x0
000330: Feb  5 11:05:33.681: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0
x81F50F84 0x81F51084 0x81F4DA4C 0x81F4FC38 0x81F4F5F0 0x81F5078C
000331: Feb  5 11:39:38.918: *** Not encrypted dot1x packet from 0016.eaee.1328
has been discarded
000332: Feb  5 11:46:51.911: *** Not encrypted dot1x packet from 0016.eaee.1328
has been discarded
000333: Feb  5 12:08:39.329: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD50
19982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000334: Feb  5 12:09:39.412: %CRYPTO-4-IKMP_NO_SA: IKE message from 115.108.160.
226 has no SA and is not an initialization offer
000335: Feb  5 12:14:53.781: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=TCP-timeout
000336: Feb  5 12:14:53.785: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=TCP-timeout
000337: Feb  5 12:14:53.785: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:19
2.168.4.175 Socket:5 DeviceType:Phone has registered.
000338: Feb  5 12:40:18.087: SSH2 0: Unexpected mesg type received
000339: Feb  5 13:15:35.967: *** Not encrypted dot1x packet from 001d.a231.4aad
has been discarded
000340: Feb  5 13:47:15.893: *** Not encrypted dot1x packet from 0016.eaee.1328
has been discarded
000341: Feb  5 13:54:41.091: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD50
19982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000342: Feb  5 13:54:48.272: *** Not encrypted dot1x packet from 0016.eaee.1328
has been discarded
000343: Feb  5 13:55:55.602: *** Not encrypted dot1x packet from 0016.eaee.1328
has been discarded
000344: Feb  5 13:56:43.400: %DOT11-4-MAXRETRIES: Packet to client 0016.eaee.132
8 reached max retries, removing the client
000345: Feb  7 01:33:34.639: *** Not encrypted dot1x packet from 0016.eaee.1328
has been discarded
000346: Feb  7 01:33:50.875: *** Not encrypted dot1x packet from 001d.a231.4aad
has been discarded
000347: Feb  7 03:39:17.173: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
IPSEC packet.
        (ip) vrf/dest_addr= /XX.XX.XX.XX, src_addr= XX.XX.XX.XX, prot= 47
000348: Feb  7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000349: Feb  7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000350: Feb  7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000351: Feb  7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000352: Feb  7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000353: Feb  7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000354: Feb  7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000355: Feb  7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000356: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000357: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000358: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000359: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000360: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000361: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000362: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000363: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000364: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000365: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000366: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000367: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000368: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000369: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000370: Feb  7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000371: Feb  7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000372: Feb  7 03:39:20.193: ISAKMP:(0): claimed IOS but failed authentication
000373: Feb  7 03:39:21.837: ISAKMP (0/2239): Unknown Attr: MODECFG_HOSTNAME (0x
700A)
000374: Feb  7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000375: Feb  7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000376: Feb  7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000377: Feb  7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000378: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000379: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000380: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000381: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000382: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000383: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000384: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000385: Feb  7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000386: Feb  7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000387: Feb  7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000388: Feb  7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000389: Feb  7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000390: Feb  7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000391: Feb  7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000392: Feb  7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000393: Feb  7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000394: Feb  7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000395: Feb  7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000396: Feb  7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000397: Feb  7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000398: Feb  7 03:39:22.934: ISAKMP:(2239):deleting node -1494177723 error TRUE
reason "Delete Larval"
000399: Feb  7 03:39:22.950: ISAKMP:(2239):deleting node 847146984 error TRUE re
ason "Delete Larval"
000400: Feb  7 03:39:52.923: ISAKMP:(2239):deleting node 298063460 error TRUE re
ason "Delete Larval"
000401: Feb  7 03:39:52.943: ISAKMP:(2239):deleting node -903285737 error TRUE r
eason "Delete Larval"
000402: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000403: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000404: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000405: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000406: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000407: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000408: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000409: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000410: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000411: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000412: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000413: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000414: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000415: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000416: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000417: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000418: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000419: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000420: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000421: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000422: Feb  7 03:39:53.779: ISAKMP:(2239): phase 2 SA policy not acceptable! (l
ocal 58.108.208.65 remote 115.108.160.226)
000423: Feb  7 03:39:53.783: ISAKMP:(2239):deleting node -1923026943 error TRUE
reason "QM rejected"
000424: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000425: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000426: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000427: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000428: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000429: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000430: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000431: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000432: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000433: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000434: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000435: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000436: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000437: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000438: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000439: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000440: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000441: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000442: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000443: Feb  7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000444: Feb  7 03:39:53.799: ISAKMP:(2239): phase 2 SA policy not acceptable! (l
ocal 58.108.208.65 remote 115.108.160.226)
000445: Feb  7 03:39:53.803: ISAKMP:(2239):deleting node 1849779352 error TRUE r
eason "QM rejected"
000446: Feb  7 03:40:11.912: %IPPHONE-6-REG_ALARM: 17: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=KeepaliveTO
000447: Feb  7 03:40:11.984: %IPPHONE-6-REG_ALARM: 17: Name=SEP001BD5019982 Load
= SCCP31.8-2-2SR2S Last=KeepaliveTO
000448: Feb  7 03:40:12.028: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:19
2.168.4.175 Socket:5 DeviceType:Phone has registered.
000449: Feb  7 03:40:22.924: ISAKMP:(2239):deleting node 1486549235 error TRUE r
eason "Delete Larval"
000450: Feb  7 03:40:22.952: ISAKMP:(2239):deleting node 1216159300 error TRUE r
eason "Delete Larval"
000451: Feb  7 03:40:23.784: ISAKMP:(2239):deleting SA reason "gen_ipsec_isakmp_
delete but doi isakmp" state (R) QM_IDLE       (peer 115.108.160.226)
000452: Feb  7 03:40:23.784: ISAKMP:(2239):deleting SA reason "gen_ipsec_isakmp_
delete but doi isakmp" state (R) QM_IDLE       (peer 115.108.160.226)
000453: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000454: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000455: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000456: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000457: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000458: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000459: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000460: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000461: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000462: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000463: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000464: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000465: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000466: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000467: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000468: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000469: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000470: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000471: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000472: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000473: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000474: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000475: Feb  7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000476: Feb  7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
 3
000477: Feb  7 03:40:25.112: ISAKMP:(0): claimed IOS but failed authentication
000478: Feb  7 03:40:25.680: ISAKMP (0:2240): Unknown Input IKE_MESG_FROM_IPSEC,
 IKE_PHASE2_DEL:  state = IKE_XAUTH_REQ_SENT
000479: Feb  7 03:40:25.680: ISAKMP (0:2240): Unknown Input IKE_MESG_FROM_IPSEC,
 IKE_PHASE2_DEL:  state = IKE_XAUTH_REQ_SENT
000480: Feb  7 03:40:25.680: ISAKMP (0:2240): Unknown Input IKE_MESG_FROM_IPSEC,
 IKE_PHASE2_DEL:  state = IKE_XAUTH_REQ_SENT
000481: Feb  7 03:40:26.712: ISAKMP (0/2240): Unknown Attr: MODECFG_HOSTNAME (0x
700A)
000482: Feb  7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000483: Feb  7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000484: Feb  7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000485: Feb  7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000486: Feb  7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000487: Feb  7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000488: Feb  7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000489: Feb  7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000490: Feb  7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000491: Feb  7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000492: Feb  7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000493: Feb  7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000494: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000495: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000496: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000497: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000498: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000499: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000500: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000501: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000502: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000503: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000504: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000505: Feb  7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000506: Feb  7 03:40:30.680: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
000507: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000508: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000509: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000510: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000511: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000512: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000513: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000514: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000515: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000516: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000517: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000518: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000519: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000520: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000521: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000522: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000523: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000524: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000525: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000526: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000527: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000528: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000529: Feb  7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not match policy!
000530: Feb  7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is 3
000531: Feb  7 03:40:33.000: ISAKMP:(0): claimed IOS but failed authentication
000532: Feb  7 03:40:33.576: ISAKMP (0:2241): Unknown Input IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL:  state = IKE_XAUTH_REQ_SENT
000533: Feb  7 03:40:33.580: ISAKMP (0:2241): Unknown Input IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL:  state = IKE_XAUTH_REQ_SENT
000534: Feb  7 03:40:34.624: ISAKMP (0/2241): Unknown Attr: MODECFG_HOSTNAME (0x700A)
000535: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000536: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000537: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000538: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000539: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000540: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000541: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000542: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000543: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000544: Feb  7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000545: Feb  7 03:40:35.172: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000546: Feb  7 03:40:35.172: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000547: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000548: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000549: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000550: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000551: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000552: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000553: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000554: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000555: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000556: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000557: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256
000558: Feb  7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal with error 256


Hello Bro,

Can you please look at http://www.networking-forum.com/viewtopic.php?p=42943
Somebody said in the above link that you may need to configure a route map defining the tunnel traffic instead of an access list. You will need to configure the route map with the "set interface" command to route your traffic through the loopback.

It's because the routing table sends the traffic straight out the appropriate interface, which doesn't have the crypto map applied, and the traffic isn't getting encrypted.

Can you suggest? I am not getting it.
Please help
Anyone Help me please
Avatar of greg ward
do you have ntp set up?

Try this
Router#show ntp status

Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16
reference time is D100F57F.A2AAFA6D (12:03:11.635 UK Sat Feb 12 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

The output below shows that my router is time synced.
This is important if you are using a vpn tunnel.

conf t
ntp master
ntp server <ip or dns of a time server all your routers can reach>

Greg
Bro we have setup this on My Router
coinop-uc520#sh ntp sta
coinop-uc520#sh ntp status
Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 249.9897 Hz, precision is 2**18
reference time is D10108F7.7667B9EA (22:26:15.462 WST Sat Feb 12 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
coinop-uc520#

One silly question, please don't mind:
what is the relation of NTP with my issue?
I had a quick look at your configs and I did not see anything after the ACLs, so I thought this could have been missed...
I just googled for isakmp time skew and got the below link
http://kb.syneto.net/entry/54/
•There is a large time skew between the two tunnel endpoints; solution: configure NTP on both machines.
•The Syneto acting as CA might have a time skew; solution: configure NTP on both machines.

there is some other stuff on there which might be useful.

Greg
Thanks for reply,

I removed everything after the ACLs in my attached config because I thought that part was not necessary. If you need it, I can post the full config.

Vikrant
I would remove all the vpn config and start again on all the routers.
Looks like there is plenty of stuff in there you are not using.
Also this is very easy to redo with the SDM web GUI.
Are you able to drop the routers for an hour or two?

Greg
Also are you able to get remote access to the routers if you do break the vpn...

Greg
Yes Bro,

I have all of that. Bro, I can remove all the VPN stuff through the CLI.
I can manage it, but I am only using CLI mode, not SDM.


Thanks
VIkrant
having a look at the hub config

crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport   <<here
!
crypto ipsec profile DMVPN
 set transform-set DMVPN

I would remove the mode transport, on all your routers.

Greg
You mean

No crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
&
no crypto ipsec profile DMVPN

Bro, but this is for DMVPN.

Anyway, I am trying it.
Sorry for the above comment.

You mean I need to remove only mode transport from crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac?

Am I correct?
yes
conf t
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 no mode transport
Ok Bro Done this
Bro,

Do we need any output to check the status?


Vikrant
now to wait to see if it fixes the problem...
how long before we know?

Greg
Ok Bro,

Lots of thanks, I will inform you.
Bro,

I am getting a crashinfo on the remote router. Can you please check if there is any serious issue?
Sometimes the router reboots automatically.

Regards


crashinfo-20110214-055549
Bro
also
got this error today
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its sanity check or is malformed
From
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_tech_note09186a00800a65d1.shtml

Spurious Accesses
Spurious access is an attempt by Cisco IOS software to access memory in a restricted location. An example of system log output for a spurious access is shown below:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x60968C44 reading 0x0
%ALIGN-3-TRACE: -Traceback= 60968C44 60269808 602389D8 00000000 00000000 00000000
00000000 00000000
Cause
A spurious access occurs when a process attempts to read from the lowest 16 KB region of memory. This portion of memory is reserved and should never be accessed. A read operation to this region of memory is usually caused when a nonexisting value is returned to a function in the software, or in other words, when a null pointer is passed to a function.

Cisco IOS Software Handling
Depending on the platform, Cisco IOS software handles spurious accesses differently. On platforms where this is possible, the Cisco IOS software code handles these invalid accesses by returning a value of zero and recording the event. If this is not supported on the platform, then the router will crash with a SegV error. Since any spurious access is inappropriate, spurious accesses always point to a bug.


From your crashinfo
========= Show Alignment =============================
Alignment data for:
C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Compiled Wed 29-Apr-09 05:52 by prod_rel_team

Total Spurious Accesses 4, Recorded 4

I am guessing that the crypto commands you have in your router which are not being used are making this worse.
Are you able to sit next to this router and rebuild from the start?
Maybe, not 100% sure these commands are not needed
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800

to remove these commands i would issue a router reload first and then remove the commands
that way if the commands are in use the router reloads and you have your old config back...
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1360    <<<<<<this is just WRONG and may be creating an issue
should be
ip tcp adjust-mss 1452    <<<<<<is the same as the mtu-40
but I don't think it's needed.
Here is some good reading about MTU and tunnels from

http://www.tek-tips.com/viewthread.cfm?qid=784463

I think Dulem is on the right path. I ran into a similar problem a while back. Some of the PCs were able to get through the GRE tunnel while others couldn't. Yes, it was always the same PCs. The problem turned out to be the MTU size of the packet. I'm not sure how you're connecting to the internet, but I'll assume it's a DSL connection (it doesn't really matter). I don't know if you're using IPSec, but I'll assume so. And you have a GRE tunnel established through the IPsec tunnel (typically setup). With all these "tunnels" set up, the overhead added to the packet will exceed the allowable size to be transported across the network. If you're using a Cisco router with the right IOS, you can force the MTU size of all the traffic coming from an interface. Use the following command:

interface FastEthernet 0/0
 ip tcp adjust-mss 1360

Notice that this command is applied to the interface on the LAN, not the tunnel (do this on both sides).

This is one approach. The other is to manually set the MTU size on each PC (using an application like DrTCP, but there are literally tons of these types of apps out there).

Hope this helps...

I would also remove the command from the vlan1 or change it to match the interface Dialer0.


Greg
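The overhead arithmetic behind the `ip mtu`, `ip tcp adjust-mss` and `mode transport` settings discussed in this thread, as an added example that is not part of any post. It assumes CBC ciphers (IV equal to the block size), 96-bit HMAC integrity values and no IP options; the function names are this example's own, and the NAT-T flag models ESP carried in UDP because the spoke sits behind a DSL modem.

```python
IPV4_HEADER = 20
TCP_HEADER = 20
GRE_BASE = 4       # GRE header without optional fields
GRE_KEY = 4        # extra field added by "tunnel key"
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte
NAT_T_UDP = 8      # UDP header when ESP is encapsulated for NAT traversal

# Block size in bytes; for CBC the IV has the same length.
CIPHER_BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}
# HMAC-MD5-96 and HMAC-SHA1-96 both truncate the ICV to 12 bytes.
ICV_LEN = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def outer_packet_size(inner_ip_len, cipher, auth, mode,
                      gre_key=True, nat_t=False):
    """Size on the wire of one inner IP packet after GRE + ESP."""
    block = CIPHER_BLOCK[cipher]
    gre = inner_ip_len + GRE_BASE + (GRE_KEY if gre_key else 0)
    if mode == "tunnel":
        # The GRE packet's own IP header is encrypted and a new one is added.
        protected = IPV4_HEADER + gre
    elif mode == "transport":
        # The GRE packet's IP header is reused as the outer header.
        protected = gre
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    plaintext = protected + ESP_TRAILER
    padded = -(-plaintext // block) * block      # round up to a full block
    total = IPV4_HEADER + ESP_HEADER + block + padded + ICV_LEN[auth]
    return total + (NAT_T_UDP if nat_t else 0)


def max_inner_mtu(path_mtu, cipher, auth, mode, gre_key=True, nat_t=False):
    """Largest inner IP packet that still fits path_mtu unfragmented."""
    for inner in range(path_mtu, IPV4_HEADER, -1):
        size = outer_packet_size(inner, cipher, auth, mode, gre_key, nat_t)
        if size <= path_mtu:
            return inner
    raise ValueError("path MTU too small for this encapsulation")


def mss_for(ip_mtu):
    """TCP MSS that keeps a full segment inside ip_mtu (no IP/TCP options)."""
    return ip_mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    # Transform set from the thread: esp-3des esp-md5-hmac, tunnel key set.
    for mode in ("transport", "tunnel"):
        for nat_t in (False, True):
            size = outer_packet_size(1400, "esp-3des", "esp-md5-hmac",
                                     mode, nat_t=nat_t)
            limit = max_inner_mtu(1492, "esp-3des", "esp-md5-hmac",
                                  mode, nat_t=nat_t)
            print(f"{mode:9} nat_t={nat_t!s:5} 1400-byte inner -> {size} "
                  f"on the wire; largest inner for a 1492 path = {limit}")
    for mss in (1360, 1452):
        inner = mss + IPV4_HEADER + TCP_HEADER
        size = outer_packet_size(inner, "esp-3des", "esp-md5-hmac", "tunnel")
        print(f"MSS {mss}: inner packet {inner}, tunnelled size {size}")
```
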
Ok Bro,

Should it be removed from the spoke, the hub, or both?
I was looking at the spoke.
However, I would remove the crypto commands from the one local to you.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800

once that is removed on the local router and it stays working, i would remove from the remote one.

i think its
reload in 30

but i am not next to a router.

Also the mtu commands may force an interface reset.

Greg



Hi Bro,

I removed them from the local router and it's working fine. I also rebooted the local router; after the reboot the VPN is fine,
but I got the error below on the hub router after rebooting the local router:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /XX.XX.XX.XX, src_addr= XX.XX.XX.XX, prot= 47
Bro,

I think it's an issue regarding the ISAKMP policy. I read somewhere that it should be the same on both ends, but I saw in our config that the spoke router is using the default policy; there is some difference in the policy, although I'm not 100% sure. Can you please check the crypto ISAKMP policy of both routers?
HUB.txt
SPOKE.txt
did you also change the mtu settings?
Can you paste a copy of the router configs with passwords removed.


interface Vlan2
 description -= ISP 2 =-
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto ipsec client ezvpn AustraliaVPN

What are you using that for?
Are you trying to use dmvpn or ezvpn...

Greg
Not sure which are in use
Router#sh run
Building configuration...

Current configuration : 6971 bytes
!
! Last configuration change at 05:16:28 UTC Tue Feb 15 2011 by admin
! NVRAM config last updated at 04:59:14 UTC Tue Feb 15 2011 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable password 7 XXXXXXXXXXXXXXX
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2149300000
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2149300000
 revocation-check none
 rsakeypair TP-self-signed-2149300000
!
!
crypto pki certificate chain TP-self-signed-2149300000
 certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid Coinopsolutions
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 15221E1F0C3A1D2D3B3B2323425037
!
dot11 ssid coinopsolutions
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 15221E1F0C3A3D2D3B3B23234250
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.1 192.168.4.25
!
ip dhcp pool LAN-POOL
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
   dns-server 192.168.4.1
   lease 0 2
!
!
ip name-server 202.54.10.2
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 20
 authentication pre-share
 lifetime 28800
crypto isakmp key DMVPN_STR0NG_K3Y address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120
!
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
!
!
!
crypto ipsec client ezvpn AustraliaVPN
 connect auto
 group EZVPN_GROUP_1 key Coinopsolutions.com
 mode network-extension
 peer 58.108.208.65
 username XXXXXXXXXXXXXXX password XXXXXXXXXXXXXXX
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface Loopback0
 no ip address
!
interface Loopback1
 no ip address
!
interface Tunnel0
 description -= DMVPN =-
 ip address 10.91.255.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_A
 ip nhrp map multicast 58.108.208.65
 ip nhrp map 10.91.255.1 58.108.208.65
 ip nhrp network-id 91
 ip nhrp holdtime 600
 ip nhrp nhs 10.91.255.1
 ip nhrp registration no-unique
 delay 1000
 tunnel source Vlan2
 tunnel mode gre multipoint
 tunnel key 91
 tunnel protection ipsec profile DMVPN
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description -= ISP 2 =-
 switchport access vlan 2
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid Coinopsolutions
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ES_LAN$
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description -= ISP 2 =-
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto ipsec client ezvpn AustraliaVPN
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXXXXX
 ppp chap password 7XXXXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX
!
interface Dialer1
 no ip address
!
interface BVI1
 ip address 192.168.4.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn AustraliaVPN inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.8.0 255.255.255.0 192.168.2.1
ip route 192.168.8.0 255.255.255.0 10.91.255.2
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list ToNAT interface Vlan2 overload
!
ip access-list extended ToNAT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.4.0 0.0.3.255 any
ip access-list extended acl_vpn
 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7 XXXXXXXXXXXXXXX
 login local
 no modem enable
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXX
 login local
!
scheduler max-task-time 5000
sntp server 120.88.46.10
end


I removed ezvpn from the spoke router. All is working fine, but I am getting the same error on the hub router after rebooting the spoke.
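The question raised earlier about whether the ISAKMP policies have to be the same on both ends can be checked mechanically; the following is an added example, not code from any post in this thread. It parses `crypto isakmp policy` stanzas, fills in the parameters that IOS leaves out of `show run` because they are defaults, and compares an initiator's offers with a responder's policies. The spoke stanza is the `policy 20` posted above; the peer configuration is constructed from the two stanzas quoted in the thread and stands in for a hub config that is not shown here. Function names and the default table are this example's assumptions (defaults as documented for IOS 12.4).

```python
import re

# Values IOS assumes when a stanza omits a parameter. "show run" does not
# print defaults, so a two-line policy still carries all five settings.
IOS_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}
MATCH_FIELDS = ("encr", "hash", "authentication", "group")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")


def parse_isakmp_policies(config_text):
    """Return {priority: settings} with omitted parameters made explicit."""
    policies, current = {}, None
    for line in config_text.splitlines():
        header = POLICY_RE.match(line)
        if header:
            current = dict(IOS_DEFAULTS)
            policies[int(header.group(1))] = current
        elif current is not None and line.startswith(" ") and line.split():
            words = line.split()
            key = "encr" if words[0] == "encryption" else words[0]
            if key in IOS_DEFAULTS:
                current[key] = " ".join(words[1:])
        else:
            current = None        # "!" or any top-level command ends the stanza
    return policies


def negotiate(initiator, responder):
    """Compare offers in priority order.

    Returns ((initiator_prio, responder_prio) or None, rejections), where each
    rejection is (initiator_prio, responder_prio, [fields that differ]).
    An offer is acceptable when the four match fields are equal and the
    offered lifetime is not longer than the responder's.
    """
    rejections = []
    for i_prio in sorted(initiator):
        offer = initiator[i_prio]
        for r_prio in sorted(responder):
            local = responder[r_prio]
            bad = [f for f in MATCH_FIELDS if offer[f] != local[f]]
            if int(offer["lifetime"]) > int(local["lifetime"]):
                bad.append("lifetime")
            if not bad:
                return (i_prio, r_prio), rejections
            rejections.append((i_prio, r_prio, bad))
    return None, rejections


# Spoke stanza as posted in the thread (pre-shared key replaced by a placeholder).
SPOKE_CFG = """\
crypto isakmp policy 20
 authentication pre-share
 lifetime 28800
crypto isakmp key REDACTED address 0.0.0.0 0.0.0.0
"""

# Constructed peer config built from the two stanzas quoted in the thread.
PEER_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
"""

# Constructed variant of the spoke stanza with the parameters written out.
SPOKE_FIXED_CFG = """\
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
"""

if __name__ == "__main__":
    peer = parse_isakmp_policies(PEER_CFG)
    for name, cfg in (("spoke", SPOKE_CFG), ("spoke, explicit", SPOKE_FIXED_CFG)):
        offers = parse_isakmp_policies(cfg)
        match, rejections = negotiate(offers, peer)
        print(name, "effective policy:", offers)
        for i_prio, r_prio, bad in rejections:
            print(f"  offer {i_prio} vs peer policy {r_prio}: differs in {bad}")
        print("  result:", match if match else "no acceptable proposal")
```
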

if you remove the ezvpn from spoke then it will lose its nat outside interface.
Please check that the computers on that site can access the internet...

Greg
Are you happy that people at the remote site use their internet connection to access the internet or do you have a managed solution at the hub  site?
Bro, Internet is working fine on the LAN from the spoke router,
but I am getting timeouts if I ping another spoke from my laptop.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Vikrant>ping 192.168.8.13 -t

Pinging 192.168.8.13 with 32 bytes of data:
Request timed out.
Reply from 192.168.8.13: bytes=32 time=711ms TTL=125
Reply from 192.168.8.13: bytes=32 time=720ms TTL=125
Reply from 192.168.8.13: bytes=32 time=746ms TTL=125
Reply from 192.168.8.13: bytes=32 time=742ms TTL=125
Reply from 192.168.8.13: bytes=32 time=741ms TTL=125
Reply from 192.168.8.13: bytes=32 time=801ms TTL=125
Reply from 192.168.8.13: bytes=32 time=813ms TTL=125
Reply from 192.168.8.13: bytes=32 time=691ms TTL=125
Reply from 192.168.8.13: bytes=32 time=717ms TTL=125
Reply from 192.168.8.13: bytes=32 time=816ms TTL=125
Reply from 192.168.8.13: bytes=32 time=705ms TTL=125
Reply from 192.168.8.13: bytes=32 time=685ms TTL=125
Reply from 192.168.8.13: bytes=32 time=704ms TTL=125
Reply from 192.168.8.13: bytes=32 time=762ms TTL=125
Reply from 192.168.8.13: bytes=32 time=735ms TTL=125
Reply from 192.168.8.13: bytes=32 time=843ms TTL=125
Reply from 192.168.8.13: bytes=32 time=702ms TTL=125
Reply from 192.168.8.13: bytes=32 time=868ms TTL=125
Reply from 192.168.8.13: bytes=32 time=686ms TTL=125
Reply from 192.168.8.13: bytes=32 time=685ms TTL=125
Request timed out.
Reply from 192.168.8.13: bytes=32 time=696ms TTL=125
Reply from 192.168.8.13: bytes=32 time=813ms TTL=125
Reply from 192.168.8.13: bytes=32 time=689ms TTL=125
Reply from 192.168.8.13: bytes=32 time=700ms TTL=125
Reply from 192.168.8.13: bytes=32 time=698ms TTL=125
Reply from 192.168.8.13: bytes=32 time=725ms TTL=125
Reply from 192.168.8.13: bytes=32 time=791ms TTL=125
Reply from 192.168.8.13: bytes=32 time=705ms TTL=125
Request timed out.
Reply from 192.168.8.13: bytes=32 time=672ms TTL=125
Reply from 192.168.8.13: bytes=32 time=694ms TTL=125
Reply from 192.168.8.13: bytes=32 time=677ms TTL=125
Reply from 192.168.8.13: bytes=32 time=1930ms TTL=125
Reply from 192.168.8.13: bytes=32 time=808ms TTL=125
Request timed out.
Reply from 192.168.8.13: bytes=32 time=695ms TTL=125
Reply from 192.168.8.13: bytes=32 time=697ms TTL=125
Reply from 192.168.8.13: bytes=32 time=713ms TTL=125
Reply from 192.168.8.13: bytes=32 time=693ms TTL=125
Reply from 192.168.8.13: bytes=32 time=679ms TTL=125
Reply from 192.168.8.13: bytes=32 time=709ms TTL=125
Reply from 192.168.8.13: bytes=32 time=706ms TTL=125
Reply from 192.168.8.13: bytes=32 time=724ms TTL=125
Reply from 192.168.8.13: bytes=32 time=696ms TTL=125
Reply from 192.168.8.13: bytes=32 time=673ms TTL=125
One more thing: the Dialer interface is not my WAN interface.
We are getting internet from a DSL modem; it is plugged into fa3, which means my WAN interface is VLAN 2.

I think I am having trouble understanding,

sorry to say

Regards

Vikrant
Great
Now to remove ezvpn from hub?
Is anything else using it?

Greg
Bro, I can't remove EZVPN because we are using it when we are on tour;
we connect to EZVPN through dialup.
Bro, please look above: we are getting timeouts if I ping another spoke from my laptop.

Why are the ping times so high?
Can you traceroute them please?

Greg
Ok but the EZVPN is not being used by anything else at the moment so it will not cause any issues right?
And it only needs to be set up on the hub?

Greg
Which IP, public or local?
Yes Bro,

EZVPN is not used by anything at the moment?

If you traceroute the local IP we can see if you are fully meshed or not.
The dmvpn is supposed to mesh all routers. If the trace goes through the hub it is not working correctly.
To configure mine, i use eigrp and let the router do the work.
If you do a show ip route it will also give us the info we need.

Greg
Now I hope we will fix this issue; I am a little happy now.

Please check: below is the output from the router, and also check in the code the output that is from the laptop.
Router#traceroute 192.168.8.13

Type escape sequence to abort.
Tracing the route to 192.168.8.13

  1 10.91.255.1 580 msec 616 msec 648 msec
  2 10.91.255.2 724 msec 688 msec 680 msec
  3 192.168.8.13 688 msec 720 msec 700 msec
Router#sh ip
Router#sh ip rou
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S    192.168.8.0/24 [1/0] via 192.168.2.1
                    [1/0] via 10.91.255.2
C    192.168.4.0/24 is directly connected, BVI1
     10.0.0.0/24 is subnetted, 3 subnets
S       10.10.10.0 [1/0] via 10.91.255.2
                   [1/0] via 10.1.1.1
S       10.1.1.0 [1/0] via 10.91.255.1
C       10.91.255.0 is directly connected, Tunnel0
C    192.168.0.0/24 is directly connected, Vlan2
S    192.168.2.0/24 [1/0] via 10.91.255.1
S*   0.0.0.0/0 [1/0] via 192.168.0.1
Router#
C:\Users\Vikrant>tracert 192.168.8.13

Tracing route to WAREHOUSE1 [192.168.8.13]
over a maximum of 30 hops:

  1    11 ms     4 ms     6 ms  192.168.4.1
  2   620 ms   599 ms   667 ms  10.91.255.1
  3     *      703 ms   690 ms  10.91.255.2
  4   698 ms   715 ms   699 ms  WAREHOUSE1 [192.168.8.13]

Trace complete.


Working backwards
interface Tunnel0
 description -= DMVPN =-
 ip address 10.91.255.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_A
 ip nhrp map multicast 58.108.208.65
 ip nhrp map 10.91.255.1 58.108.208.65
 ip nhrp network-id 91
 ip nhrp holdtime 600
 ip nhrp nhs 10.91.255.1
 ip nhrp registration no-unique
 delay 1000
 tunnel source Vlan2
 tunnel mode gre multipoint
 tunnel key 91
 tunnel protection ipsec profile DMVPN    <<<<< this is the profile

crypto ipsec profile DMVPN      <<<<< this is the profile
 set transform-set DMVPN       <<<<< not too useful that this has the same name as above
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac   <<<<< is the transform set used by the line above

The rest is not being used if you don't want the ezvpn to access the spoke directly.

This is how i have mine configured.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set COMP esp-des esp-md5-hmac comp-lzs
!
crypto ipsec profile DMVPN
 set transform-set  ESP-3DES-SHA COMP

Greg
As I don't fully know your topology, did that use the best route?
If it did, can you try a pathping from Windows?
it will ping every hop and should tell us where we are losing the packets.

Greg
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set COMP esp-des esp-md5-hmac comp-lzs
!
crypto ipsec profile DMVPN
 set transform-set  ESP-3DES-SHA COMP


Should this be used only on the spoke, or on both?
that would be used on both.

Greg
Can you please check Path Ping

C:\Users\Vikrant>pathping 192.168.8.1

Tracing route to 192.168.8.1 over a maximum of 30 hops

  0  Vikrant-PC.mshome.net [192.168.4.29]
  1  192.168.4.1
  2  10.91.255.1
  3  192.168.8.1

Computing statistics for 75 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           Vikrant-PC.mshome.net [192.168.4.29]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.4.1
                                3/ 100 =  3%   |
  2  632ms     4/ 100 =  4%     1/ 100 =  1%  10.91.255.1
                                0/ 100 =  0%   |
  3  728ms     3/ 100 =  3%     0/ 100 =  0%  192.168.8.1

Trace complete.

C:\Users\Vikrant>
192.168.4.1  3/ 100 =  3%   |

I think you are losing packets to your default gateway.
Are you using wireless?

Greg
I'm not 100% sure that pasted into the window correctly.
Can you ping 192.168.4.1 -t and see if you are losing any packets...

Greg
Yes, I am on wireless,
but I did not lose any packets when I pinged the router.
Do you need my topology diagram?
Also, below is the output from a system which is connected to the spoke through a LAN cable.
C:\Users\Satish>pathping 192.168.8.13

Tracing route to WAREHOUSE1 [192.168.8.13]
over a maximum of 30 hops:
  0  Satish-PC.mshome.net [192.168.4.26]
  1  192.168.4.1
  2  10.91.255.1
  3  10.91.255.2
  4  WAREHOUSE1 [192.168.8.13]

Computing statistics for 100 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           Satish-PC.mshome.net [192.168.4.26]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.4.1
                                4/ 100 =  4%   |
  2  629ms     6/ 100 =  6%     2/ 100 =  2%  10.91.255.1
                                0/ 100 =  0%   |
  3  719ms     4/ 100 =  4%     0/ 100 =  0%  10.91.255.2
                                0/ 100 =  0%   |
  4  782ms     4/ 100 =  4%     0/ 100 =  0%  WAREHOUSE1 [192.168.8.13]

Trace complete.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Vikrant>ping 192.168.4.1 -t

Pinging 192.168.4.1 with 32 bytes of data:
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=5ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=2ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=4ms TTL=255
Reply from 192.168.4.1: bytes=32 time=2ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=2ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=3ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=5ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255


interface Tunnel0
 description -= DMVPN =-
 ip address 10.91.255.3 255.255.255.0   < this is your router
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_A
 ip nhrp map multicast 58.108.208.65
 ip nhrp map 10.91.255.1 58.108.208.65  < this is your hub


  0  Satish-PC.mshome.net [192.168.4.26]
  1  192.168.4.1
  2  10.91.255.1
  3  10.91.255.2
  4  WAREHOUSE1 [192.168.8.13]
The packets are going through the hub.
This is not configured correctly.
I would remove the static routes and add this:

router eigrp 1
 network 192.168.4.0 0.0.0.255
 network 10.91.255.0 0.0.0.255
 no auto-summary
This would need to be set up on every router.
If a router has a network attached to it, then on that router you need the command:
router eigrp 1
 network 10.91.255.0 0.0.0.255 < this is the vpn and is on all routers
 network 192.168.4.0 0.0.0.255 < this is a local network to the router. EIGRP will advertise this to the other routers.

As to why you are dropping packets, I would need to see both configs without passwords again please.

Greg
coinop-uc520(config)#router eigrp 1
Protocol not in this image

Not sure if HUB router is not supported
Is it possible to use any other protocol?
Can you use OSPF?

Greg
Same bro, Strange for me

coinop-uc520(config)#router ospf 1
Protocol not in this image
coinop-uc520(config)#

also same for RIP

I am not sure
Hello Bro,

All is fine now between Spoke 1 & hub. Just having an issue from Spoke 2, where I am, meaning from India. All is fine between Perth & Melbourne, but I am getting packets lost from India.

Please see the attached diagram to understand my network.
Bro, you've got me like GOD, I'll never forget this favor of yours. Actually I don't have that much experience in networking, I just started my career in this field 2 years ago. You are really great.
How long have you been working in networking?

Vikrant
3-Network.jpg
From-HUB-2-Spoke-1.txt
From-Spoke2-to-HUB.txt
One more question,

Can we configure India & Melbourne directly, without the HUB (meaning Perth)?

Yes, we need to set up static routes.
I will have a look tonight as I am busy at the moment.

Greg
Just to check, do all three sites have static IP addresses?
And if they do, what are they?
Greg
interface Tunnel0
 description -= DMVPN =-
 ip address 10.91.255.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_A
 ip nhrp map multicast 58.108.208.65
 ip nhrp map 10.91.255.1 58.108.208.65

We can add more into this if you have static IPs:
 ip nhrp map <local ip> <outside ip>
Then we can add IP routes using the local IP.

Greg
Bro,

We have a static IP only in Perth; the rest of the sites have dynamic IPs.

We have configured static routes as per below. Please let me know if anything is wrong.

Perth(192.168.2.0  & 10.1.1.1)
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.4.0 255.255.255.0 10.91.255.3
ip route 192.168.8.0 255.255.255.0 10.91.255.2


India(192.168.4.0/24)
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.254.0 Dialer0
ip route 192.168.8.0 255.255.255.0 192.168.2.1
ip route 192.168.8.0 255.255.255.0 10.91.255.2


Melbourne (192.168.8.0/24 & 10.10.10.0)
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 10.1.1.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
India(192.168.4.0/24)
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1          <this is wrong
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.254.0 Dialer0  < this is local,no route required
ip route 192.168.8.0 255.255.255.0 192.168.2.1 <this is wrong
ip route 192.168.8.0 255.255.255.0 10.91.255.2

Melbourne (192.168.8.0/24 & 10.10.10.0)
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 192.168.2.1 <this is wrong
ip route 192.168.4.0 255.255.255.0 10.1.1.1       <this is wrong
ip route 192.168.4.0 255.255.255.0 10.91.255.3

Does that make sense ?

Greg
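The corrections marked in the post above can be reproduced mechanically. The following is an added example, not code from the thread: it assumes that every remote network should be reached through a next hop on the Tunnel0 subnet (10.91.255.0/24, taken from the tunnel configuration on this page) and that a route covering a locally attached LAN is unnecessary; the function names and the `SITES` structure are hypothetical.

```python
import ipaddress

# Tunnel0 subnet, from "ip address 10.91.255.3 255.255.255.0" on this page.
TUNNEL_NET = ipaddress.ip_network("10.91.255.0/24")

# Static routes exactly as posted in the thread, with each site's local LANs.
SITES = {
    "India": {
        "local": ["192.168.4.0/24"],
        "routes": """\
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.254.0 Dialer0
ip route 192.168.8.0 255.255.255.0 192.168.2.1
ip route 192.168.8.0 255.255.255.0 10.91.255.2
""",
    },
    "Melbourne": {
        "local": ["192.168.8.0/24", "10.10.10.0/24"],
        "routes": """\
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 10.1.1.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
""",
    },
}

LOCAL = "covers a locally attached LAN"
OFF_TUNNEL = "next hop is not on the tunnel subnet"


def parse_routes(text):
    """Return (network, next_hop) pairs from 'ip route NET MASK HOP' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        routes.append((net, parts[4]))
    return routes


def audit(routes, local_nets):
    """Flag routes that break either assumption stated in the lead-in."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    findings = []
    for net, hop in routes:
        # A non-default route overlapping a local LAN is redundant: the
        # connected route already covers it.
        if net.prefixlen > 0 and any(net.overlaps(l) for l in local):
            findings.append((str(net), hop, LOCAL))
            continue
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            continue  # next hop is an interface name such as Dialer1
        if hop_ip not in TUNNEL_NET:
            findings.append((str(net), hop, OFF_TUNNEL))
    return findings


def audit_site(name):
    site = SITES[name]
    return audit(parse_routes(site["routes"]), site["local"])


if __name__ == "__main__":
    for name in SITES:
        print(name)
        for net, hop, reason in audit_site(name):
            print(f"  ip route {net} via {hop}: {reason}")
```
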
Ok Bro,

This is the first time that I did not get any error. All is working fine, I just need to fix the ping time from Spoke 2.

OK, I will fix it as per your suggestion. Just please let me know: you made corrections only in India & Melbourne, so is the Perth route configuration fine?

Vik
ASKER CERTIFIED SOLUTION
greg ward
Hi Dear,

I don't think the issue is solved. I am just thinking it may be an issue with my ISP. If I ping google.com it works normally, but if I ping my Perth static IP the ping times get very high. I also ran tracert on the pinged IP, and it seems data is going via the US & Singapore to AU. Not sure why my ISP is using a US server.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Vikrant>ping google.com

Pinging google.com [209.85.153.104] with 32 bytes of data:
Reply from 209.85.153.104: bytes=32 time=94ms TTL=51
Reply from 209.85.153.104: bytes=32 time=305ms TTL=51
Reply from 209.85.153.104: bytes=32 time=203ms TTL=51
Reply from 209.85.153.104: bytes=32 time=151ms TTL=51

Ping statistics for 209.85.153.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 94ms, Maximum = 305ms, Average = 188ms

C:\Users\Vikrant>ping 58.108.208.65

Pinging 58.108.208.65 with 32 bytes of data:
Reply from 58.108.208.65: bytes=32 time=662ms TTL=231
Reply from 58.108.208.65: bytes=32 time=678ms TTL=231
Reply from 58.108.208.65: bytes=32 time=616ms TTL=231
Reply from 58.108.208.65: bytes=32 time=627ms TTL=231

Ping statistics for 58.108.208.65:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 616ms, Maximum = 678ms, Average = 645ms

C:\Users\Vikrant>tracert 58.108.208.65

Tracing route to 58.108.208.65.optusnet.com.au [58.108.208.65]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.4.1
  2     3 ms     2 ms     2 ms  192.168.0.1
  3   201 ms   127 ms    78 ms  115.108.160.1.static-Nagpur.vsnl.net.in [115.108.160.1]
  4   163 ms    84 ms    59 ms  172.31.44.225
  5   117 ms    88 ms    96 ms  172.31.44.221
  6   100 ms   162 ms    95 ms  172.31.44.222
  7    88 ms    90 ms    90 ms  172.31.70.21
  8   609 ms   248 ms   120 ms  172.31.8.210
  9    82 ms    92 ms    81 ms  172.31.45.229
 10    79 ms    88 ms   218 ms  172.31.16.209
 11   157 ms    97 ms    89 ms  172.31.1.65
 12   118 ms   189 ms    96 ms  203.197.13.2.static.vsnl.net.in [203.197.13.2]
 13   137 ms   135 ms   157 ms  59.163.16.54.static.vsnl.net.in [59.163.16.54]
 14   170 ms   151 ms   144 ms  59.163.16.54.static.vsnl.net.in [59.163.16.54]
 15   153 ms   137 ms   137 ms  if-1-0-0-101.core1.CFO-Chennai.as6453.net [116.0.79.9]
 16   315 ms   532 ms   440 ms  if-1-0-0-0.tcore1.CXR-Chennai.as6453.net [180.87.36.13]
 17   363 ms   448 ms   317 ms  if-3-3.tcore2.CXR-Chennai.as6453.net [180.87.36.6]
 18   334 ms   319 ms   340 ms  if-5-2.tcore2.SVW-Singapore.as6453.net [180.87.15.69]
 19   457 ms   447 ms   369 ms  if-7-2.tcore2.LVW-LosAngeles.as6453.net [180.87.15.26]
 20   543 ms   394 ms   349 ms  209.58.53.14
 21   648 ms   546 ms   571 ms  203.208.191.6
 22   640 ms   656 ms   663 ms  bla2-ge3-0.gw.optusnet.com.au [211.29.125.250]
 23   629 ms   600 ms   619 ms  sun2-ge0-1-0-904.gw.optusnet.com.au [211.29.125.81]
 24   609 ms   600 ms   584 ms  per2-ge5-0-0-909.gw.optusnet.com.au [211.29.125.213]
 25   588 ms   616 ms   577 ms  per800-e2-1.ba.optusnet.com.au [198.142.7.254]
 26   594 ms   598 ms   609 ms  58.108.208.65.optusnet.com.au [58.108.208.65]

Trace complete.

C:\Users\Vikrant>
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=541ms TTL=126
Reply from 192.168.8.13: bytes=32 time=579ms TTL=126
Reply from 192.168.8.13: bytes=32 time=568ms TTL=126
Reply from 192.168.8.13: bytes=32 time=690ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=582ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=648ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=604ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=621ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=573ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=660ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=662ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=701ms TTL=126
Reply from 192.168.8.13: bytes=32 time=576ms TTL=126
Reply from 192.168.8.13: bytes=32 time=595ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=565ms TTL=126
Reply from 192.168.8.13: bytes=32 time=530ms TTL=126
Reply from 192.168.8.13: bytes=32 time=558ms TTL=126
Reply from 192.168.8.13: bytes=32 time=1896ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=583ms TTL=126
Reply from 192.168.8.13: bytes=32 time=634ms TTL=126
Reply from 192.168.8.13: bytes=32 time=569ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=585ms TTL=126
Reply from 192.168.8.13: bytes=32 time=530ms TTL=126
Reply from 192.168.8.13: bytes=32 time=632ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=537ms TTL=126
Reply from 192.168.8.13: bytes=32 time=540ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=609ms TTL=126
Reply from 192.168.8.13: bytes=32 time=579ms TTL=126
Reply from 192.168.8.13: bytes=32 time=646ms TTL=126
Reply from 192.168.8.13: bytes=32 time=647ms TTL=126
Reply from 192.168.8.13: bytes=32 time=596ms TTL=126
Reply from 192.168.8.13: bytes=32 time=591ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=547ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=572ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=569ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=530ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=613ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=536ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=611ms TTL=126
Reply from 192.168.8.13: bytes=32 time=659ms TTL=126
Reply from 192.168.8.13: bytes=32 time=603ms TTL=126
Reply from 192.168.8.13: bytes=32 time=571ms TTL=126
Reply from 192.168.8.13: bytes=32 time=619ms TTL=126
Reply from 192.168.8.13: bytes=32 time=568ms TTL=126
Reply from 192.168.8.13: bytes=32 time=619ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=572ms TTL=126
Reply from 192.168.8.13: bytes=32 time=610ms TTL=126
Reply from 192.168.8.13: bytes=32 time=609ms TTL=126
Reply from 192.168.8.13: bytes=32 time=628ms TTL=126
Reply from 192.168.8.13: bytes=32 time=1977ms TTL=126
Reply from 192.168.8.13: bytes=32 time=629ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=622ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=617ms TTL=126
Reply from 192.168.8.13: bytes=32 time=694ms TTL=126
Reply from 192.168.8.13: bytes=32 time=640ms TTL=126
Reply from 192.168.8.13: bytes=32 time=568ms TTL=126
Reply from 192.168.8.13: bytes=32 time=591ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=562ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=667ms TTL=126
Reply from 192.168.8.13: bytes=32 time=565ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=619ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=578ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=699ms TTL=126
Reply from 192.168.8.13: bytes=32 time=731ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=576ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=631ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=608ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=628ms TTL=126
Reply from 192.168.8.13: bytes=32 time=541ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=685ms TTL=126
Reply from 192.168.8.13: bytes=32 time=613ms TTL=126
Reply from 192.168.8.13: bytes=32 time=573ms TTL=126
Reply from 192.168.8.13: bytes=32 time=592ms TTL=126
Reply from 192.168.8.13: bytes=32 time=691ms TTL=126
Reply from 192.168.8.13: bytes=32 time=558ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=528ms TTL=126
Reply from 192.168.8.13: bytes=32 time=595ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=539ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=636ms TTL=126
Reply from 192.168.8.13: bytes=32 time=805ms TTL=126
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=613ms TTL=126
Reply from 192.168.8.13: bytes=32 time=588ms TTL=126
Reply from 192.168.8.13: bytes=32 time=627ms TTL=126
Reply from 192.168.8.13: bytes=32 time=579ms TTL=126
Reply from 192.168.8.13: bytes=32 time=525ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=648ms TTL=126
Reply from 192.168.8.13: bytes=32 time=546ms TTL=126
Reply from 192.168.8.13: bytes=32 time=745ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=582ms TTL=126
Reply from 192.168.8.13: bytes=32 time=562ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=594ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=599ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=600ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=703ms TTL=126
Reply from 192.168.8.13: bytes=32 time=621ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=587ms TTL=126
Reply from 192.168.8.13: bytes=32 time=628ms TTL=126
Reply from 192.168.8.13: bytes=32 time=583ms TTL=126
Reply from 192.168.8.13: bytes=32 time=612ms TTL=126
Reply from 192.168.8.13: bytes=32 time=573ms TTL=126
Reply from 192.168.8.13: bytes=32 time=703ms TTL=126
Reply from 192.168.8.13: bytes=32 time=681ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=608ms TTL=126
Reply from 192.168.8.13: bytes=32 time=547ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=529ms TTL=126
Reply from 192.168.8.13: bytes=32 time=547ms TTL=126
Reply from 192.168.8.13: bytes=32 time=596ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=529ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=687ms TTL=126
Reply from 192.168.8.13: bytes=32 time=626ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=572ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=587ms TTL=126
Reply from 192.168.8.13: bytes=32 time=634ms TTL=126
Reply from 192.168.8.13: bytes=32 time=2061ms TTL=126
Reply from 192.168.8.13: bytes=32 time=508ms TTL=126
Reply from 192.168.8.13: bytes=32 time=677ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=576ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=531ms TTL=126
Reply from 192.168.8.13: bytes=32 time=528ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=583ms TTL=126
Reply from 192.168.8.13: bytes=32 time=598ms TTL=126
Reply from 192.168.8.13: bytes=32 time=562ms TTL=126
Reply from 192.168.8.13: bytes=32 time=649ms TTL=126
Reply from 192.168.8.13: bytes=32 time=697ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=631ms TTL=126
Reply from 192.168.8.13: bytes=32 time=598ms TTL=126
Reply from 192.168.8.13: bytes=32 time=546ms TTL=126
Reply from 192.168.8.13: bytes=32 time=565ms TTL=126
Reply from 192.168.8.13: bytes=32 time=617ms TTL=126
Reply from 192.168.8.13: bytes=32 time=594ms TTL=126
Reply from 192.168.8.13: bytes=32 time=523ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=535ms TTL=126
Reply from 192.168.8.13: bytes=32 time=552ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=589ms TTL=126
Reply from 192.168.8.13: bytes=32 time=552ms TTL=126
Reply from 192.168.8.13: bytes=32 time=539ms TTL=126
Reply from 192.168.8.13: bytes=32 time=597ms TTL=126
Reply from 192.168.8.13: bytes=32 time=599ms TTL=126
Reply from 192.168.8.13: bytes=32 time=669ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=607ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=534ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=518ms TTL=126
Reply from 192.168.8.13: bytes=32 time=580ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=612ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=528ms TTL=126
Reply from 192.168.8.13: bytes=32 time=526ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=543ms TTL=126
Reply from 192.168.8.13: bytes=32 time=630ms TTL=126
Reply from 192.168.8.13: bytes=32 time=529ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=537ms TTL=126
Reply from 192.168.8.13: bytes=32 time=1894ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=526ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=549ms TTL=126
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=539ms TTL=126
Reply from 192.168.8.13: bytes=32 time=578ms TTL=126
Reply from 192.168.8.13: bytes=32 time=527ms TTL=126
Reply from 192.168.8.13: bytes=32 time=546ms TTL=126
Reply from 192.168.8.13: bytes=32 time=544ms TTL=126
Reply from 192.168.8.13: bytes=32 time=835ms TTL=126
Reply from 192.168.8.13: bytes=32 time=621ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=578ms TTL=126
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=513ms TTL=126
Reply from 192.168.8.13: bytes=32 time=521ms TTL=126
Reply from 192.168.8.13: bytes=32 time=520ms TTL=126
Reply from 192.168.8.13: bytes=32 time=610ms TTL=126
Reply from 192.168.8.13: bytes=32 time=589ms TTL=126
Reply from 192.168.8.13: bytes=32 time=536ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=537ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=742ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=622ms TTL=126


As you asked about my networking experience, I have no work-related experience.
I work as a desktop support engineer.
However, I have my own Cisco routers which are located across the world to run my family VoIP network.
Also, I started writing my own program, found at tftpterminal.co.uk, while I was studying for my CCNA.

Greg
That's great Bro,

It is worth praising. You work as a desktop support engineer, & you have great experience in Cisco & networking.

I am very happy with you. Can you please look at my above post?


I have to agree the internet is wrong!
I would do traceroutes from each router to the other two to make sure everything works.
Can you post the output from show crypto isakmp sa
from a spoke and the hub?
This should show us if the mesh is working.

Greg
Hi,

It's working as far as I think, but I am not 100% sure about Melbourne & India.
From Spoke 2 (India)
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
58.108.208.65   192.168.0.254   QM_IDLE           2019    0 ACTIVE
192.168.0.254   58.108.208.65   QM_IDLE           2020    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#


From HUB (PERTH)
coinop-uc520#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
58.108.208.65   58.110.120.205  QM_IDLE           2216    0 ACTIVE
58.108.208.65   115.108.160.226 QM_IDLE           2214    0 ACTIVE
115.108.160.226 58.108.208.65   QM_IDLE           2215    0 ACTIVE

IPv6 Crypto ISAKMP SA

coinop-uc520#

Spoke 1(Melbourne)
Melbourne#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
58.108.208.65   58.110.120.205  QM_IDLE           2839 ACTIVE

IPv6 Crypto ISAKMP SA

Melbourne#
That looks to be caused by the internet routing issue.
It should resolve soon, if your ISP has any idea......

Greg
Ok Bro,

Nice job, thank you very much. Very, very happy. I will contact my ISP.