Solved

DMVPN Tunnel, EIGRP Neighbourship flaps

Posted on 2013-05-14
8
4,673 Views
Last Modified: 2013-05-24
I have a DMVPN Phase 3 configured in GNS3 using 7200 router with 15.2(4)S3 image. Hubs are fine but as soon as I introduce a Spoke the EIGRP neighborship between the Hubs and the Spokes flaps constantly.
The EIGRP neighborships form but routes are never exchanged. I can ping the Tunnel interfaces across the DMVPN so I know the tunnels are up and I can ping between external interfaces so I know the routers can communicate with each other.

My configs are below.

R1#sh run
Building configuration...

Current configuration : 2413 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.1.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.224 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.226 12.34.56.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.78 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 23.45.67.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.1.1 0.0.0.0
 network 192.168.1.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 23.45.67.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

R2#sh run
Building configuration...

Current configuration : 2450 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.2.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.226 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.100.1
 ip nhrp map 192.168.153.224 23.45.67.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.82 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 12.34.56.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.2.1 0.0.0.0
 network 192.168.2.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 12.34.56.1
!
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
webvpn cef

R3#sh run
Building configuration...

Current configuration : 2471 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.3.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.63 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.224 12.34.56.2
 ip nhrp map 192.168.153.226 23.45.67.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.153.224
 ip nhrp nhs 192.168.153.226
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 34.56.78.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.3.1 0.0.0.0
 network 192.168.3.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 34.56.78.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

EIGRP Errors:

*May 14 15:23:34.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.224 (Tunnel100) is down: Peer Termination received
*May 14 15:23:34.555: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.226 (Tunnel100) is up: new adjacency
0
Comment
Question by:ICresswell
  • 5
  • 3
8 Comments
 

Author Comment

by:ICresswell
ID: 39164967
Just to note I have tried:

crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
mode tunnel
0
 

Author Comment

by:ICresswell
ID: 39165311
So looks like it was an IOS bug, I am now suing IOS version 15.1(4)M6 and while the DMVPN seems more stable I am getting the following errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
 

Author Comment

by:ICresswell
ID: 39167660
So what I have noticed now is if I remove the nhrp map statements from the two hub routers then the EIGRP neighborships start flapping again and they do not exchange routes anymore.
R1
no ip nhrp map 192.168.153.226 12.34.56.2
no ip nhrp map multicast 12.34.56.2
R2
no ip nhrp map multicast 192.168.100.1
no ip nhrp map 192.168.153.224 23.45.67.2

Anybody got any ideas, is anybody monitoring this question at all?
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 
LVL 28

Expert Comment

by:asavener
ID: 39168007
In my experience, EIGRP route flapping occurs when the EIGRP routes contain routes they shouldn't (such as the public IP addresses of the router).
0
 

Accepted Solution

by:
ICresswell earned 0 total points
ID: 39168081
I found the problem, was a simple mistake as these things usually are, I had the nhrp map statements the wrong way round on the spokes:
ip nhrp map 192.168.153.224 12.34.56.2
ip nhrp map 192.168.153.226 23.45.67.2

Should be:
ip nhrp map 192.168.153.226 12.34.56.2
ip nhrp map 192.168.153.224 23.45.67.2

any idea why I am getting the decrypt errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
 
LVL 28

Expert Comment

by:asavener
ID: 39168110
How frequently are they occurring?

Chances are that the packet is getting corrupted somewhere between the VPN endpoints, and that the crypto engine is performing as expected by verifying the integrity of the packet.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39168145
Depending on your IOS version, it might be a cosmetic bug:

BUG:

CSCsv43145

Symptom:

A Cisco IOS router terminating an IPSec tunnel may log the following mac authentication errors:

*Oct 31 18:25:58.943: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=10.1.1.2 remote=10.1.1.1 spi=9E092279 seqno=00000001

This is just cosmetic and should not have any functional impact.

Conditions:
Router is an IPSec end point with ESP (Encapsulating Security Payload) authentication enabled.

Workaround:

There is no known workaround at this time

1st Found-In

12.4(21.10)M

12.4(23)M

<http://tools.cisco.com/Support/BugToolKit/search/knownAffectedVersions.do?method=fetchKnownAffectedVersions&bugId=CSCsv43145> Known Affected Versions

This link will launch a new window.

Fixed-In

12.4(23.7)M
12.4(23.6)T
12.4(23.6)PI10
12.4(23.7)PI10
12.4(23.15.1)PIX11
12.4(23.15.4)PIC1
12.4(24.5.1)PIX11
12.4(24.5.2)PIC1
0
 

Author Closing Comment

by:ICresswell
ID: 39193724
Was a simple mix configuration problem, always be anal when checking IP order
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port forwarding 14 174
Setting up a VPN 60 184
eigrp in site-to-site vpn 4 55
Cisco 3560 Switch with Multiple Gateways 10 75
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question