Solved

DMVPN Tunnel, EIGRP Neighbourship flaps

Posted on 2013-05-14
Last Modified: 2013-05-24
I have a DMVPN Phase 3 configured in GNS3 using 7200 router with 15.2(4)S3 image. Hubs are fine but as soon as I introduce a Spoke the EIGRP neighborship between the Hubs and the Spokes flaps constantly.
The EIGRP neighborships form but routes are never exchanged. I can ping the Tunnel interfaces across the DMVPN so I know the tunnels are up and I can ping between external interfaces so I know the routers can communicate with each other.

My configs are below.

R1#sh run
Building configuration...

Current configuration : 2413 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.1.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.224 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.226 12.34.56.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.78 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 23.45.67.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.1.1 0.0.0.0
 network 192.168.1.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 23.45.67.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

R2#sh run
Building configuration...

Current configuration : 2450 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.2.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.226 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.100.1
 ip nhrp map 192.168.153.224 23.45.67.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.82 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 12.34.56.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.2.1 0.0.0.0
 network 192.168.2.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 12.34.56.1
!
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
webvpn cef

R3#sh run
Building configuration...

Current configuration : 2471 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.3.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.63 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.224 12.34.56.2
 ip nhrp map 192.168.153.226 23.45.67.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.153.224
 ip nhrp nhs 192.168.153.226
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 34.56.78.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.3.1 0.0.0.0
 network 192.168.3.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 34.56.78.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

EIGRP Errors:

*May 14 15:23:34.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.224 (Tunnel100) is down: Peer Termination received
*May 14 15:23:34.555: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.226 (Tunnel100) is up: new adjacency
0
Question by:ICresswell
 

Author Comment

by:ICresswell
ID: 39164967
Just to note I have tried:

crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
mode tunnel
0
 

Author Comment

by:ICresswell
ID: 39165311
So looks like it was an IOS bug, I am now using IOS version 15.1(4)M6 and while the DMVPN seems more stable I am getting the following errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
 

Author Comment

by:ICresswell
ID: 39167660
So what I have noticed now is if I remove the nhrp map statements from the two hub routers then the EIGRP neighborships start flapping again and they do not exchange routes anymore.
R1
no ip nhrp map 192.168.153.226 12.34.56.2
no ip nhrp map multicast 12.34.56.2
R2
no ip nhrp map multicast 192.168.100.1
no ip nhrp map 192.168.153.224 23.45.67.2

Anybody got any ideas, is anybody monitoring this question at all?
0
LVL 28

Expert Comment

by:asavener
ID: 39168007
In my experience, EIGRP route flapping occurs when the EIGRP routes contain routes they shouldn't (such as the public IP addresses of the router).
0
 

Accepted Solution

by:
ICresswell earned 0 total points
ID: 39168081
I found the problem. It was a simple mistake, as these things usually are. I had the nhrp map statements the wrong way round on the spokes:
ip nhrp map 192.168.153.224 12.34.56.2
ip nhrp map 192.168.153.226 23.45.67.2

Should be:
ip nhrp map 192.168.153.226 12.34.56.2
ip nhrp map 192.168.153.224 23.45.67.2

Any idea why I am getting the decrypt errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
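
Added example (not part of the original thread and not any poster's code): a Python check that derives each hub's tunnel IP and NBMA address from its own config and flags static "ip nhrp map" lines on the spoke that pair a hub's tunnel IP with the wrong public address, which is the mistake described in the accepted solution. The function names are made up for this illustration, and the config excerpts are constructed from values in the configs posted above.

```python
import re

# Constructed from values in the posted R1/R2/R3 configs (relevant lines only).
HUB = """interface Tunnel100
 ip address {tun} 255.255.255.0
 tunnel source Serial1/0
interface Serial1/0
 ip address {nbma} 255.255.255.252
"""
R1 = HUB.format(tun="192.168.153.224", nbma="23.45.67.2")
R2 = HUB.format(tun="192.168.153.226", nbma="12.34.56.2")
SPOKE = """interface Tunnel100
 ip address 192.168.153.63 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.224 {to_r1}
 ip nhrp map 192.168.153.226 {to_r2}
 tunnel source Serial1/0
"""
R3_POSTED = SPOKE.format(to_r1="12.34.56.2", to_r2="23.45.67.2")  # as in the question
R3_FIXED = SPOKE.format(to_r1="23.45.67.2", to_r2="12.34.56.2")   # as in the solution

def interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split()[1]
            blocks[name] = []
        elif line.startswith(" ") and name:
            blocks[name].append(line.strip())
        else:
            name = None
    return blocks

def tunnel_identity(config, tunnel="Tunnel100"):
    """Return (tunnel IP, NBMA IP of the tunnel source interface)."""
    ifs = interfaces(config)
    addr = lambda name: next(l.split()[2] for l in ifs[name] if l.startswith("ip address "))
    source = next(l.split()[2] for l in ifs[tunnel] if l.startswith("tunnel source "))
    return addr(tunnel), addr(source)

def wrong_maps(spoke, hubs, tunnel="Tunnel100"):
    """List (tunnel IP, configured NBMA, expected NBMA) for each bad static map."""
    expected = dict(tunnel_identity(h, tunnel) for h in hubs)
    bad = []
    for line in interfaces(spoke)[tunnel]:
        m = re.fullmatch(r"ip nhrp map ([\d.]+) ([\d.]+)", line)  # skips "multicast" maps
        if m and expected.get(m[1], m[2]) != m[2]:
            bad.append((m[1], m[2], expected[m[1]]))
    return bad
```

wrong_maps(R3_POSTED, [R1, R2]) reports both swapped entries; wrong_maps(R3_FIXED, [R1, R2]) returns an empty list.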
 
LVL 28

Expert Comment

by:asavener
ID: 39168110
How frequently are they occurring?

Chances are that the packet is getting corrupted somewhere between the VPN endpoints, and that the crypto engine is performing as expected by verifying the integrity of the packet.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39168145
Depending on your IOS version, it might be a cosmetic bug:

BUG:

CSCsv43145

Symptom:

A Cisco IOS router terminating an IPSec tunnel may log the following mac authentication errors:

*Oct 31 18:25:58.943: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=10.1.1.2 remote=10.1.1.1 spi=9E092279 seqno=00000001

This is just cosmetic and should not have any functional impact.

Conditions:
Router is an IPSec end point with ESP (Encapsulating Security Payload) authentication enabled.

Workaround:

There is no known workaround at this time

1st Found-In

12.4(21.10)M

12.4(23)M

<http://tools.cisco.com/Support/BugToolKit/search/knownAffectedVersions.do?method=fetchKnownAffectedVersions&bugId=CSCsv43145> Known Affected Versions


Fixed-In

12.4(23.7)M
12.4(23.6)T
12.4(23.6)PI10
12.4(23.7)PI10
12.4(23.15.1)PIX11
12.4(23.15.4)PIC1
12.4(24.5.1)PIX11
12.4(24.5.2)PIC1
0
 

Author Closing Comment

by:ICresswell
ID: 39193724
Was a simple mix configuration problem, always be anal when checking IP order
0
