Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

DMVPN Tunnel, EIGRP Neighbourship flaps

Posted on 2013-05-14
8
Medium Priority
?
5,005 Views
Last Modified: 2013-05-24
I have a DMVPN Phase 3 configured in GNS3 using 7200 router with 15.2(4)S3 image. Hubs are fine but as soon as I introduce a Spoke the EIGRP neighborship between the Hubs and the Spokes flaps constantly.
The EIGRP neighborships form but routes are never exchanged. I can ping the Tunnel interfaces across the DMVPN so I know the tunnels are up and I can ping between external interfaces so I know the routers can communicate with each other.

My configs are below.

R1#sh run
Building configuration...

Current configuration : 2413 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.1.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.224 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.226 12.34.56.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.78 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 23.45.67.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.1.1 0.0.0.0
 network 192.168.1.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 23.45.67.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

R2#sh run
Building configuration...

Current configuration : 2450 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.2.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.226 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.100.1
 ip nhrp map 192.168.153.224 23.45.67.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.82 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 12.34.56.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.2.1 0.0.0.0
 network 192.168.2.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 12.34.56.1
!
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
webvpn cef

R3#sh run
Building configuration...

Current configuration : 2471 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.3.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.63 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.224 12.34.56.2
 ip nhrp map 192.168.153.226 23.45.67.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.153.224
 ip nhrp nhs 192.168.153.226
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 34.56.78.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.3.1 0.0.0.0
 network 192.168.3.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 34.56.78.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

EIGRP Errors:

*May 14 15:23:34.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.224 (Tunnel100) is down: Peer Termination received
*May 14 15:23:34.555: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.226 (Tunnel100) is up: new adjacency
0
Comment
Question by:ICresswell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 

Author Comment

by:ICresswell
ID: 39164967
Just to note I have tried:

crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
mode tunnel
0
 

Author Comment

by:ICresswell
ID: 39165311
So looks like it was an IOS bug, I am now suing IOS version 15.1(4)M6 and while the DMVPN seems more stable I am getting the following errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
 

Author Comment

by:ICresswell
ID: 39167660
So what I have noticed now is if I remove the nhrp map statements from the two hub routers then the EIGRP neighborships start flapping again and they do not exchange routes anymore.
R1
no ip nhrp map 192.168.153.226 12.34.56.2
no ip nhrp map multicast 12.34.56.2
R2
no ip nhrp map multicast 192.168.100.1
no ip nhrp map 192.168.153.224 23.45.67.2

Anybody got any ideas, is anybody monitoring this question at all?
0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 
LVL 28

Expert Comment

by:asavener
ID: 39168007
In my experience, EIGRP route flapping occurs when the EIGRP routes contain routes they shouldn't (such as the public IP addresses of the router).
0
 

Accepted Solution

by:
ICresswell earned 0 total points
ID: 39168081
I found the problem, was a simple mistake as these things usually are, I had the nhrp map statements the wrong way round on the spokes:
ip nhrp map 192.168.153.224 12.34.56.2
ip nhrp map 192.168.153.226 23.45.67.2

Should be:
ip nhrp map 192.168.153.226 12.34.56.2
ip nhrp map 192.168.153.224 23.45.67.2

any idea why I am getting the decrypt errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
 
LVL 28

Expert Comment

by:asavener
ID: 39168110
How frequently are they occurring?

Chances are that the packet is getting corrupted somewhere between the VPN endpoints, and that the crypto engine is performing as expected by verifying the integrity of the packet.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39168145
Depending on your IOS version, it might be a cosmetic bug:

BUG:

CSCsv43145

Symptom:

A Cisco IOS router terminating an IPSec tunnel may log the following mac authentication errors:

*Oct 31 18:25:58.943: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=10.1.1.2 remote=10.1.1.1 spi=9E092279 seqno=00000001

This is just cosmetic and should not have any functional impact.

Conditions:
Router is an IPSec end point with ESP (Encapsulating Security Payload) authentication enabled.

Workaround:

There is no known workaround at this time

1st Found-In

12.4(21.10)M

12.4(23)M

<http://tools.cisco.com/Support/BugToolKit/search/knownAffectedVersions.do?method=fetchKnownAffectedVersions&bugId=CSCsv43145> Known Affected Versions

This link will launch a new window.

Fixed-In

12.4(23.7)M
12.4(23.6)T
12.4(23.6)PI10
12.4(23.7)PI10
12.4(23.15.1)PIX11
12.4(23.15.4)PIC1
12.4(24.5.1)PIX11
12.4(24.5.2)PIC1
0
 

Author Closing Comment

by:ICresswell
ID: 39193724
Was a simple mix configuration problem, always be anal when checking IP order
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a step by step guide on how to create a basic PTP link using Ubiquiti airOS devices. This guide can be used on the following Ubiquiti AirMAX devices. Nanostation, Bullets, AirBridge, Nanobeam, NanoBridge to name a few. Please review …
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question