DMVPN with EIGRP

EduardoMoiEduardoMoi
in CCIE RSv5 Workbooks

Hi 

I would like to ask you if someone has had flapping connections once DMVPN and EIGRP are running? Im using cisco routers 1841/3825 with IOS 15.0

Thank you

 

R1#

*Jun  6 19:03:20.847: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

R1#

*Jun  6 19:03:24.455: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

R1#

*Jun  6 19:04:43.967: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

R1#

*Jun  6 19:04:47.075: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

 

 

R1

crypto isakmp policy 10

 hash md5

 authentication pre-share

crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set CCIE esp-3des esp-md5-hmac

!

crypto ipsec profile IPSEC

 set transform-set CCIE

!

!

!

!

!

!

interface Loopback0

 ip address 150.1.1.1 255.255.255.255

 ipv6 address 2001:150:1:1::1/128

 !

!

interface Tunnel100

 ip address 155.1.0.1 255.255.255.0

 no ip redirects

 ip mtu 1400

 ip nhrp authentication CCIE1

 ip nhrp map multicast dynamic

 ip nhrp map 155.1.0.5 169.254.100.5

 ip nhrp network-id 10

 ip nhrp nhs 155.1.0.5

 ip tcp adjust-mss 1360

 no ip split-horizon

 tunnel source FastEthernet0/0.100

 tunnel mode gre multipoint

 tunnel key 10

 tunnel protection ipsec profile IPSEC



**--***



R1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

169.254.100.5   169.254.100.1   QM_IDLE           1001 ACTIVE






R5



crypto isakmp policy 10

 hash md5

 authentication pre-share

crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set CCIE esp-3des esp-md5-hmac

!

crypto ipsec profile IPSEC

 set transform-set CCIE

!

!

!

!

!

!

interface Loopback0

 ip address 150.1.5.5 255.255.255.255

 ipv6 address 2001:150:5:5::5/128

 !

!

interface Tunnel100

 ip address 155.1.0.5 255.255.255.0

 no ip redirects

 ip mtu 1400

 ip nhrp authentication CCIE1

 ip nhrp map multicast dynamic

 ip nhrp network-id 10

 ip tcp adjust-mss 1360

 no ip split-horizon

 tunnel source FastEthernet0/0.100

 tunnel mode gre multipoint

 tunnel key 10

 tunnel protection ipsec profile IPSEC




· Share on FacebookShare on Twitter

Comments

  • pietro.gallo@allynet.it[email protected]

    Yes it is a common error in DMVPN often because of the MTU size applied on the tunnel. Try tweak the mtu size on the tunnel interface to a value lower than 1400. Let us know if it worked because it could depend also by other issues.

    · Share on FacebookShare on Twitter
  • EduardoMoiEduardoMoi

    Hi Pgallo,

    Thank you for posting, I changed the mtu to 1000 (on the hub and spoke) but it apparentely has decreased the time of the flapping but it is still showing that  [:(]

    R1#sh run int tu100

    Building configuration...

     

    Current configuration : 402 bytes

    !

    interface Tunnel100

     ip address 155.1.0.1 255.255.255.0

     no ip redirects

     ip mtu 1000

     ip nhrp authentication CCIE1

     ip nhrp map multicast dynamic

     ip nhrp map 155.1.0.5 169.254.100.5

     ip nhrp network-id 10

     ip nhrp nhs 155.1.0.5

     ip tcp adjust-mss 1360

     no ip split-horizon

     tunnel source FastEthernet0/0.100

     tunnel mode gre multipoint

     tunnel key 10

     tunnel protection ipsec profile IPSEC

     !

    end

     

    R1#

    *Jun  6 19:26:47.403: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

    *Jun  6 19:26:47.743: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

    R1#

    *Jun  6 19:28:07.255: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

    R1#

    *Jun  6 19:28:10.979: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

     

    · Share on FacebookShare on Twitter
  • Brian McGahanBrian McGahan mod

    This is likely a multicast mapping problem.  The spokes need static multicast mappings for the hub. Are the EIGRP adjacencies actually up on both sides?

     

    Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13

    [email protected]

     

    Internetwork Expert, Inc.

    http://www.INE.com

     

    From: [email protected] [mailto:[email protected]] On Behalf Of EduardoMoi
    Sent: Friday, June 06, 2014 1:57 PM
    To: Brian McGahan
    Subject: Re: [RSv5 WB] DMVPN with EIGRP

     

    Hi Pgallo,

    Thank you for posting, I changed the mtu to 1000 (on the hub and spoke) but it apparentely has decreased the time of the flapping but it is still showing that  Sad

    R1#sh run int tu100

    Building configuration...

     

    Current configuration : 402 bytes

    !

    interface Tunnel100

     ip address 155.1.0.1 255.255.255.0

     no ip redirects

     ip mtu 1000

     ip nhrp authentication CCIE1

     ip nhrp map multicast dynamic

     ip nhrp map 155.1.0.5 169.254.100.5

     ip nhrp network-id 10

     ip nhrp nhs 155.1.0.5

     ip tcp adjust-mss 1360

     no ip split-horizon

     tunnel source FastEthernet0/0.100

     tunnel mode gre multipoint

     tunnel key 10

     tunnel protection ipsec profile IPSEC

     !

    end

     

    R1#

    *Jun  6 19:26:47.403: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

    *Jun  6 19:26:47.743: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

    R1#

    *Jun  6 19:28:07.255: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

    R1#

    *Jun  6 19:28:10.979: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

     




    INE - The Industry Leader in CCIE Preparation
    http://www.INE.com

    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx

    · Share on FacebookShare on Twitter
  • EduardoMoiEduardoMoi

    Hi Brian,

    Thank you so much!, I removed the ip nhrp map multicast dynamic command on the spokes, and it was resolved using: ip nhrp map multicast <<IP address of the physical interface>>.

    Thank you so much!!! [:D]

    Have a great weekend.

     

     

    · Share on FacebookShare on Twitter
  • Brian McGahanBrian McGahan mod

    FYI that log message normally means a layer 2 reachability problem.  In this case it was because you were able to send multicast from one end but not receive multicast.  “debug ip packet” would have shown you that the remote packets weren’t being received.  If that didn’t work on the platform you have (some can’t debug data plane) the alternate check would have been for you to apply an inbound ACL to account for the packets.  Something like:

     

    ip access-list extended LOG_EIGRP

    permit eigrp host 1.1.1.1 any log

    permit ip any any

    !

    Interface tunnel 0

    Ip access-group LOG_EIGRP in

     

     

    Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13

    [email protected]

     

    Internetwork Expert, Inc.

    http://www.INE.com

     

    From: [email protected] [mailto:[email protected]] On Behalf Of EduardoMoi
    Sent: Friday, June 06, 2014 3:54 PM
    To: Brian McGahan
    Subject: Re: [RSv5 WB] RE: DMVPN with EIGRP

     

    Hi Brian,

    Thank you so much!, I removed the ip nhrp map multicast dynamic command on the spokes, and it was resolved using: ip nhrp map multicast <<IP address of the physical interface>>.

    Thank you so much!!! Big Smile

    Have a great weekend.

     

     




    INE - The Industry Leader in CCIE Preparation
    http://www.INE.com

    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx

    · Share on FacebookShare on Twitter
  • EduardoMoiEduardoMoi

    Hi Brian,

    First, congratulations for your baby :)

    I would like to ask you if MP BGP and DM VPN are able to work together, I was trying to do that but it is not working, Im not sure if a step is missing, or the requirements to implement that.


    Thanks
    Blessings.


    2014-06-06 14:06 GMT-06:00 Brian McGahan <[email protected]>:

    This is likely a multicast mapping problem.  The spokes need static multicast mappings for the hub. Are the EIGRP adjacencies actually up on both sides?

     

    Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13


    [email protected]

     

    Internetwork Expert, Inc.

    http://www.INE.com

     

    From: [email protected] [mailto:[email protected]] On Behalf Of EduardoMoi

    Sent: Friday, June 06, 2014 1:57 PM
    To: Brian McGahan
    Subject: Re: [RSv5 WB] DMVPN with EIGRP

     

    Hi Pgallo,

    Thank you for posting, I changed the mtu to 1000 (on the hub and spoke) but it apparentely has decreased the time of the flapping but it is still showing that  Sad

    R1#sh run int tu100

    Building configuration...

     

    Current configuration : 402 bytes

    !

    interface Tunnel100

     ip address 155.1.0.1 255.255.255.0

     no ip redirects

     ip mtu 1000

     ip nhrp authentication CCIE1

     ip nhrp map multicast dynamic

     ip nhrp map 155.1.0.5 169.254.100.5

     ip nhrp network-id 10

     ip nhrp nhs 155.1.0.5

     ip tcp adjust-mss 1360

     no ip split-horizon

     tunnel source FastEthernet0/0.100

     tunnel mode gre multipoint

     tunnel key 10

     tunnel protection ipsec profile IPSEC

     !

    end

     

    R1#

    *Jun  6 19:26:47.403: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

    *Jun  6 19:26:47.743: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

    R1#

    *Jun  6 19:28:07.255: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is down: retry limit exceeded

    R1#

    *Jun  6 19:28:10.979: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.0.5 (Tunnel100) is up: new adjacency

     




    INE - The Industry Leader in CCIE Preparation
    http://www.INE.com


    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx





    INE - The Industry Leader in CCIE Preparation


    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx

    · Share on FacebookShare on Twitter
  • EduardoMoiEduardoMoi

    Hi Brian,

    First, congratulations for your baby :)

    I
    would like to ask you if MP BGP and DM VPN are able to work together, I
    was trying to do that but it is not working, Im not sure if a step is
    missing, or the requirements to implement that.

     

    It was working with ethernet interfaces (no tunnel)

     

    Thanks
    Blessings.

    · Share on FacebookShare on Twitter
  • cristian.mateicristian.matei

    Hi,

       DMVPN is routing protocol independent, so you can run BGP.

    Regards,

    Cristian.

    · Share on FacebookShare on Twitter
  • EduardoMoiEduardoMoi

    Thank you so much Cristian,

    I found the error [:|]

    Have a nice day

    · Share on FacebookShare on Twitter
Sign In or Register to comment.