Solved

DMVPN Tunnel, EIGRP Neighbourship flaps

Posted on 2013-05-14
8
4,875 Views
Last Modified: 2013-05-24
I have a DMVPN Phase 3 configured in GNS3 using 7200 router with 15.2(4)S3 image. Hubs are fine but as soon as I introduce a Spoke the EIGRP neighborship between the Hubs and the Spokes flaps constantly.
The EIGRP neighborships form but routes are never exchanged. I can ping the Tunnel interfaces across the DMVPN so I know the tunnels are up and I can ping between external interfaces so I know the routers can communicate with each other.

My configs are below.

R1#sh run
Building configuration...

Current configuration : 2413 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.1.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.224 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.226 12.34.56.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.78 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 23.45.67.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.1.1 0.0.0.0
 network 192.168.1.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 23.45.67.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

R2#sh run
Building configuration...

Current configuration : 2450 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.2.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.226 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.100.1
 ip nhrp map 192.168.153.224 23.45.67.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 11487
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN shared
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.13.14.82 255.255.255.252
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 12.34.56.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.2.1 0.0.0.0
 network 192.168.2.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 12.34.56.1
!
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
webvpn cef

R3#sh run
Building configuration...

Current configuration : 2471 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name sec.grey.com
!
multilink bundle-name authenticated
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set CSM_TS_1
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 172.23.3.1 255.255.255.0
!
interface Tunnel100
 description DMVPN Interface
 bandwidth 128
 ip address 192.168.153.63 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip bandwidth-percent eigrp 11487 999999
 ip hold-time eigrp 11487 30
 ip nhrp authentication Pa$$w0rd
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.153.224 12.34.56.2
 ip nhrp map 192.168.153.226 23.45.67.2
 ip nhrp map multicast 12.34.56.2
 ip nhrp map multicast 23.45.67.2
 ip nhrp network-id 76540293
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.153.224
 ip nhrp nhs 192.168.153.226
 ip nhrp registration timeout 60
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 delay 10000
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 76540293
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 34.56.78.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 11487
 network 172.23.3.1 0.0.0.0
 network 192.168.3.0
 network 192.168.153.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 34.56.78.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
webvpn cef

EIGRP Errors:

*May 14 15:23:34.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.224 (Tunnel100) is down: Peer Termination received
*May 14 15:23:34.555: %DUAL-5-NBRCHANGE: EIGRP-IPv4 11487: Neighbor 192.168.153.226 (Tunnel100) is up: new adjacency
0
Comment
Question by:ICresswell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 

Author Comment

by:ICresswell
ID: 39164967
Just to note I have tried:

crypto ipsec transform-set CSM_TS_1 esp-aes 256 esp-sha-hmac
mode tunnel
0
 

Author Comment

by:ICresswell
ID: 39165311
So looks like it was an IOS bug, I am now suing IOS version 15.1(4)M6 and while the DMVPN seems more stable I am getting the following errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
 

Author Comment

by:ICresswell
ID: 39167660
So what I have noticed now is if I remove the nhrp map statements from the two hub routers then the EIGRP neighborships start flapping again and they do not exchange routes anymore.
R1
no ip nhrp map 192.168.153.226 12.34.56.2
no ip nhrp map multicast 12.34.56.2
R2
no ip nhrp map multicast 192.168.100.1
no ip nhrp map 192.168.153.224 23.45.67.2

Anybody got any ideas, is anybody monitoring this question at all?
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 28

Expert Comment

by:asavener
ID: 39168007
In my experience, EIGRP route flapping occurs when the EIGRP routes contain routes they shouldn't (such as the public IP addresses of the router).
0
 

Accepted Solution

by:
ICresswell earned 0 total points
ID: 39168081
I found the problem, was a simple mistake as these things usually are, I had the nhrp map statements the wrong way round on the spokes:
ip nhrp map 192.168.153.224 12.34.56.2
ip nhrp map 192.168.153.226 23.45.67.2

Should be:
ip nhrp map 192.168.153.226 12.34.56.2
ip nhrp map 192.168.153.224 23.45.67.2

any idea why I am getting the decrypt errors:
*May 14 16:59:56.179: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=9 local=34.56.78.2 remote=23.45.67.2 spi=60060807 seqno=00000005
0
 
LVL 28

Expert Comment

by:asavener
ID: 39168110
How frequently are they occurring?

Chances are that the packet is getting corrupted somewhere between the VPN endpoints, and that the crypto engine is performing as expected by verifying the integrity of the packet.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39168145
Depending on your IOS version, it might be a cosmetic bug:

BUG:

CSCsv43145

Symptom:

A Cisco IOS router terminating an IPSec tunnel may log the following mac authentication errors:

*Oct 31 18:25:58.943: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=10.1.1.2 remote=10.1.1.1 spi=9E092279 seqno=00000001

This is just cosmetic and should not have any functional impact.

Conditions:
Router is an IPSec end point with ESP (Encapsulating Security Payload) authentication enabled.

Workaround:

There is no known workaround at this time

1st Found-In

12.4(21.10)M

12.4(23)M

<http://tools.cisco.com/Support/BugToolKit/search/knownAffectedVersions.do?method=fetchKnownAffectedVersions&bugId=CSCsv43145> Known Affected Versions

This link will launch a new window.

Fixed-In

12.4(23.7)M
12.4(23.6)T
12.4(23.6)PI10
12.4(23.7)PI10
12.4(23.15.1)PIX11
12.4(23.15.4)PIC1
12.4(24.5.1)PIX11
12.4(24.5.2)PIC1
0
 

Author Closing Comment

by:ICresswell
ID: 39193724
Was a simple mix configuration problem, always be anal when checking IP order
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question