  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5110

DMVPN Tunnel, EIGRP Neighbourship flaps

I have a DMVPN Phase 3 configured in GNS3 using a 7200 router with the 15.2(4)S3 image. The hubs are fine, but as soon as I introduce a spoke the EIGRP neighborship between the hubs and the spokes flaps constantly.
The EIGRP neighborships form but routes are never exchanged. I can ping the Tunnel interfaces across the DMVPN so I know the tunnels are up and I can ping between external interfaces so I know the routers can communicate with each other.

My configs are below.

R1#sh run
Building configuration...

Current configuration : 2413 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.1.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.224 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.226 12.34.56.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.78 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 23.45.67.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.1.1 0.0.0.0
 network 192.168.1.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 23.45.67.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

R2#sh run
Building configuration...

Current configuration : 2450 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.2.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.226 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.100.1
 ip nhrp map 192.168.153.224 23.45.67.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.82 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 12.34.56.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.2.1 0.0.0.0
 network 192.168.2.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 12.34.56.1
!
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
webvpn cef

R3#sh run
Building configuration...

Current configuration : 2471 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.3.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.63 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.224 12.34.56.2
 ip nhrp map 192.168.153.226 23.45.67.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.153.224
 ip nhrp nhs 192.168.153.226
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 34.56.78.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.3.1 0.0.0.0
 network 192.168.3.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 34.56.78.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

EIGRP Errors:

*May 14 15:23:34.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.224 (Tunnel100) is down: Peer Termination received
*May 14 15:23:34.555: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.226 (Tunnel100) is up: new adjacency
Asked by: ICresswell

1 Solution

ICresswell (Author) commented:
Just to note I have tried:

crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
mode tunnel

ICresswell (Author) commented:
So it looks like it was an IOS bug. I am now using IOS version 15.1(4)M6 and while the DMVPN seems more stable I am getting the following errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005

ICresswell (Author) commented:
So what I have noticed now is if I remove the nhrp map statements from the two hub routers then the EIGRP neighborships start flapping again and they do not exchange routes anymore.
R1
no ip nhrp map 192.168.153.226 12.34.56.2
no ip nhrp map multicast 12.34.56.2
R2
no ip nhrp map multicast 192.168.100.1
no ip nhrp map 192.168.153.224 23.45.67.2

Anybody got any ideas, is anybody monitoring this question at all?
asavener commented:
In my experience, EIGRP route flapping occurs when the EIGRP routes contain routes they shouldn't (such as the public IP addresses of the router).

ICresswell (Author) commented:
I found the problem; it was a simple mistake, as these things usually are. I had the nhrp map statements the wrong way round on the spokes:
ip nhrp map 192.168.153.224 12.34.56.2
ip nhrp map 192.168.153.226 23.45.67.2

Should be:
ip nhrp map 192.168.153.226 12.34.56.2
ip nhrp map 192.168.153.224 23.45.67.2

any idea why I am getting the decrypt errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
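The root cause above is a swapped pair of static NHRP mappings: each hub's tunnel address was paired with the other hub's public (NBMA) address, so the spoke registered with and sent EIGRP hellos to the wrong underlay peer. The following script is an added example, not code from this thread; it cross-checks every `ip nhrp map <tunnel-ip> <nbma>` line on a spoke against the tunnel address and tunnel-source address found in the hub configs, and also flags any `ip nhrp nhs` entry that has no static map. The sample configs are constructed, trimmed copies of R1, R2 and R3 from the thread; the parser only understands the handful of IOS commands shown and is a hypothetical helper, not a Cisco tool. Because hubs carry the same style of static maps to each other, the same check runs over the hub configs as well.

```python
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample input: trimmed copies of the configs posted in this thread,
# keeping only the lines the consistency check reads.
HUB_R1 = """\
hostname R1
interface Tunnel100
 ip address 192.168.153.224 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.226 12.34.56.2
 tunnel source Serial1/0
interface Serial1/0
 ip address 23.45.67.2 255.255.255.252
"""

HUB_R2 = """\
hostname R2
interface Tunnel100
 ip address 192.168.153.226 255.255.255.0
 ip nhrp map 192.168.153.224 23.45.67.2
 tunnel source Serial1/0
interface Serial1/0
 ip address 12.34.56.2 255.255.255.252
"""

# The spoke as originally posted: each hub's tunnel address is paired with the
# other hub's NBMA address.
SPOKE_R3_BROKEN = """\
hostname R3
interface Tunnel100
 ip address 192.168.153.63 255.255.255.0
 ip nhrp map 192.168.153.224 12.34.56.2
 ip nhrp map 192.168.153.226 23.45.67.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp nhs 192.168.153.224
 ip nhrp nhs 192.168.153.226
 tunnel source Serial1/0
interface Serial1/0
 ip address 34.56.78.2 255.255.255.252
"""

# The spoke with the fix the thread arrives at (maps swapped back).
SPOKE_R3_FIXED = SPOKE_R3_BROKEN.replace(
    " ip nhrp map 192.168.153.224 12.34.56.2\n ip nhrp map 192.168.153.226 23.45.67.2\n",
    " ip nhrp map 192.168.153.226 12.34.56.2\n ip nhrp map 192.168.153.224 23.45.67.2\n",
)


def parse_config(text):
    """Minimal IOS config reader: returns (hostname, {ifname: attrs}).

    attrs: ip (interface address), source (tunnel source interface name),
    maps ({tunnel ip: nbma ip} from unicast 'ip nhrp map' lines), nhs (list).
    Multicast maps have no per-peer tunnel address and are ignored here.
    """
    hostname, ifaces, cur = None, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # top-level command
            cur = None
            if m := re.match(r"hostname (\S+)", raw):
                hostname = m.group(1)
            elif m := re.match(r"interface (\S+)", raw):
                cur = ifaces.setdefault(m.group(1), {"ip": None, "source": None, "maps": {}, "nhs": []})
            continue
        if cur is None:
            continue
        cmd = raw.strip()
        if m := re.match(r"ip address " + IPV4, cmd):
            cur["ip"] = m.group(1)
        elif m := re.match(r"tunnel source (\S+)", cmd):
            cur["source"] = m.group(1)
        elif m := re.match(r"ip nhrp map " + IPV4 + " " + IPV4, cmd):
            cur["maps"][m.group(1)] = m.group(2)
        elif m := re.match(r"ip nhrp nhs " + IPV4, cmd):
            cur["nhs"].append(m.group(1))
    return hostname, ifaces


def hub_nbma_table(hub_configs):
    """Map each hub tunnel address to (hostname, NBMA address of its tunnel source)."""
    table = {}
    for text in hub_configs:
        host, ifaces = parse_config(text)
        for name, i in ifaces.items():
            src = ifaces.get(i["source"]) if i["source"] else None
            if name.startswith("Tunnel") and i["ip"] and src and src["ip"]:
                table[i["ip"]] = (host, src["ip"])
    return table


def check_spoke(config_text, hub_table):
    """Return a list of problem strings; an empty list means the static maps agree with the hubs."""
    host, ifaces = parse_config(config_text)
    problems = []
    for name, i in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        for tun_ip, nbma in i["maps"].items():
            if tun_ip not in hub_table:
                problems.append(f"{host} {name}: map for {tun_ip} matches no hub tunnel address")
            elif nbma != hub_table[tun_ip][1]:
                hub, real = hub_table[tun_ip]
                problems.append(f"{host} {name}: {tun_ip} mapped to {nbma} but {hub} sources its tunnel from {real}")
        for nhs in i["nhs"]:
            if nhs not in i["maps"]:
                problems.append(f"{host} {name}: nhs {nhs} has no static ip nhrp map")
    return problems


if __name__ == "__main__":
    hubs = hub_nbma_table([HUB_R1, HUB_R2])
    for label, cfg in (("R3 as posted", SPOKE_R3_BROKEN), ("R3 after fix", SPOKE_R3_FIXED),
                       ("R1", HUB_R1), ("R2", HUB_R2)):
        problems = check_spoke(cfg, hubs)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  " + p)
```

Run against the posted R3 the script reports two mismatches, one per hub; against the corrected R3 and against both hubs it reports none. The check is deliberately static: it only proves that a spoke's map says the same thing the hub's own tunnel-source interface says, which is exactly the relationship that was inverted in this thread.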

asavener commented:
How frequently are they occurring?

Chances are that the packet is getting corrupted somewhere between the VPN endpoints, and that the crypto engine is performing as expected by verifying the integrity of the packet.

asavener commented:
Depending on your IOS version, it might be a cosmetic bug:

BUG:

CSCsv43145

Symptom:

A Cisco IOS router terminating an IPSec tunnel may log the following mac authentication errors:

*Oct 31 18:25:58.943: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=10.1.1.2 remote=10.1.1.1 spi=9E092279 seqno=00000001

This is just cosmetic and should not have any functional impact.

Conditions:
Router is an IPSec end point with ESP (Encapsulating Security Payload) authentication enabled.

Workaround:

There is no known workaround at this time

1st Found-In

12.4(21.10)M

12.4(23)M

<http://tools.cisco.com/Support/BugToolKit/search/knownAffectedVersions.do?method=fetchKnownAffectedVersions&bugId=CSCsv43145> Known Affected Versions


Fixed-In

12.4(23.7)M
12.4(23.6)T
12.4(23.6)PI10
12.4(23.7)PI10
12.4(23.15.1)PIX11
12.4(23.15.4)PIC1
12.4(24.5.1)PIX11
12.4(24.5.2)PIC1

ICresswell (Author) commented:
It was a simple misconfiguration problem; always be anal when checking IP order.