[c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

2008-08-24 Thread Nic Tjirkalli



howdy ho all,

Was hoping I could use this forum to get some direction on resolving a
strange issue I have with a DMVPN setup.

All works 100% if I do not protect the tunnels with IPSEC. As soon as I 
enable IPSEC the tunnels stop passing traffic.



The setup :-


All routers are Cisco 1841 platforms. The IOS image is:
C1841-ADVIPSERVICESK9-M
c1841-advipservicesk9-mz.124-21.bin


HUB Router
----------
HUB router connects via ADSL (a PPPOE session over ethernet) and then fires up 
an L2TP tunnel to obtain a static IP address.


The IP address allocated to the L2TP interface is 196.47.0.204 (Virtual-PPP1)
This IP address is the NHS. All connections to/from the hub
use the address of 196.47.0.204.

Tunnel interface on the hub router is 10.0.0.1


Spoke Router
------------
The spoke router (there are 2; I am just showing one) connects via ADSL
(a PPPOE session over ethernet) and obtains a dynamic IP address. The spoke
routers use Dialer1 as their interface into the NHRP cloud.

Tunnel interface on the hub router is 10.0.0.3

NHRP comes up, and if I do not use IPSEC encryption on the Tunnel interface,
i.e. do not add the command

tunnel protection ipsec profile DMVPN

on Tunnel0, all works perfectly.


The Problem
===========

When I enable IPSEC encryption on the tunnel interfaces on all routers
then things break. I have tried with both 3DES and AES and same issue.

All the crypto sessions seem correct - correct SAs 
come up. The dynamically created crypto-maps seem correct.


However, on the spoke routers, IPSEC reports that no packets are being
de-encapsulated, but no errors are reported.


nhrp-spoke-2#show crypto ipsec sa

interface: Tunnel0
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   current_peer 196.47.0.204 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0


But on the HUB all is well:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   current_peer 41.195.37.191 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
#pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0


Any ideas/thoughts would be greatly appreciated.

The configurations and some useful output are below.



HUB Configuration
=================

hostname adsl-nhrp-hub
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
l2tp-class l2tpclass1
 authentication
 password 7 03070E0C2E572B6A1719
!
!
!
!
!
!
pseudowire-class pwclass1
 encapsulation l2tpv2
 protocol l2tpv2 l2tpclass1
 ip local interface Dialer1
!
!
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key X address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
!
crypto ipsec profile DMVPN
 set transform-set 3DES_MD5
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication xx
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp registration timeout 30
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source Virtual-PPP1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip address negotiated
 ip mtu 1452
 ip virtual-reassembly
 no logging event link-status
 no peer neighbor-route
 no cdp enable
 ppp chap hostname X
 ppp chap password 7 XX
 ppp pap sent-username  password 7 X
 pseudowire 196.30.121.42 10 pw-class pwclass1
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname XXX
 ppp chap password 7 
 ppp pap sent-username  password 7 
!
router eigrp 1
 redistribute connected route-map to-eigrp
 redistribute static
 passive-interface Dialer1
 network 
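
Reading the two SA outputs side by side is the diagnostic step that matters here: the spoke's encaps counter should roughly track the hub's decaps counter, and the hub's encaps should track the spoke's decaps. The script below is an added example, not part of the original post or anything Cisco ships. It parses "show crypto ipsec sa" output from both sides (the counters quoted above are embedded as constructed input so it runs offline), pairs each SA with its mirror by swapping the local/remote ident addresses, and reports per-direction delivery. It assumes the 12.4-style layout shown in the post (ident lines, "#pkts" counter lines, a "#send errors ... #recv errors" line) and treats an IKE peer port of 4500 as a sign that NAT-T is in use; the port-500 values in the post mean neither side detected NAT. Counters are cumulative per SA and reset on rekey, so compare samples taken close together.

```python
"""Compare hub and spoke 'show crypto ipsec sa' counters per direction.

Added example, not code from the original post. The two outputs quoted in
the post are embedded as constructed input; the parser assumes the IOS 12.4
layout shown there.
"""
import re
from dataclasses import dataclass

# Constructed input: spoke-side output as quoted in the post.
SPOKE_OUTPUT = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   current_peer 196.47.0.204 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 3, #recv errors 0
"""

# Constructed input: hub-side output as quoted in the post.
HUB_OUTPUT = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
   current_peer 41.195.37.191 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
#pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
#send errors 1, #recv errors 0
"""

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident\b.*?:\s*\(([\d.]+)/")
PEER_RE = re.compile(r"current_peer\s+([\d.]+)\s+port\s+(\d+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


@dataclass
class SaCounters:
    local: str         # local ident address (this side's tunnel source)
    remote: str        # remote ident address (the peer's tunnel source)
    peer_port: int     # 500 = plain IKE; 4500 would mean NAT-T (assumption noted in lead-in)
    encaps: int = 0    # packets this side encrypted and sent on this SA
    decaps: int = 0    # packets this side received and decrypted on this SA
    send_errors: int = 0
    recv_errors: int = 0


def parse_sa_blocks(text):
    """Split 'show crypto ipsec sa' output into one SaCounters per ident pair."""
    blocks, cur = [], {}
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local" and cur:  # a new SA block starts here
                blocks.append(cur)
                cur = {}
            cur[m.group(1)] = m.group(2)
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer_port"] = int(m.group(2))
            continue
        for name, value in PKTS_RE.findall(line):
            cur[name] = int(value)
        m = ERRS_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    if cur:
        blocks.append(cur)
    return [SaCounters(b["local"], b["remote"], b.get("peer_port", 0),
                       b.get("encaps", 0), b.get("decaps", 0),
                       b.get("send_errors", 0), b.get("recv_errors", 0)) for b in blocks]


def direction_report(senders, receivers):
    """For each SA on the sending side, find the mirror SA on the receiving side
    (same addresses, swapped) and compare packets sent with packets received.
    Counters are cumulative since the SA was built, so only samples taken
    close together are comparable."""
    mirror = {(sa.local, sa.remote): sa for sa in receivers}
    report = {}
    for sa in senders:
        key = f"{sa.local}->{sa.remote}"
        far = mirror.get((sa.remote, sa.local))
        if far is None:
            report[key] = {"status": "no mirror SA on far side"}
            continue
        sent, got = sa.encaps, far.decaps
        if sent == 0:
            status = "idle"
        elif got == 0:
            status = "no packets delivered"
        elif got / sent < 0.9:
            status = "lossy"
        else:
            status = "ok"
        report[key] = {"sent": sent, "received": got, "send_errors": sa.send_errors,
                       "recv_errors": far.recv_errors, "nat_t": sa.peer_port == 4500,
                       "status": status}
    return report


def analyze(spoke_text, hub_text):
    """Both directions of one hub/spoke pair, keyed 'src->dst'."""
    spoke, hub = parse_sa_blocks(spoke_text), parse_sa_blocks(hub_text)
    out = direction_report(spoke, hub)
    out.update(direction_report(hub, spoke))
    return out


if __name__ == "__main__":
    for direction, result in analyze(SPOKE_OUTPUT, HUB_OUTPUT).items():
        print(direction, result)
```

Run against the post's numbers it reports spoke-to-hub as lossy (13410 sent, 80 received) and hub-to-spoke as "no packets delivered" (153 sent, 0 received), which separates "nothing arrives" from "most is lost" before anyone starts guessing at the cause.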

[c-nsp] Cisco ACE and Akamai

2008-08-24 Thread Hank Nussbacher
Since I see there are more and more people using the ACE on the list, has 
anyone encountered a problem with the ACE vers A1(8.0a) and Akamai where 
Akamai returns a null cookie even though one is set?


Thanks,
Hank

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Interesting 7206 behavior

2008-08-24 Thread Rodney Dunn
It had a lot to do with the fact that there isn't CEF support for
MLPPP in 12.0S.

It's there in 12.2(31)SB and SRC releases for the 72xx along with
12.4 based releases.

Rodney

On Sat, Aug 23, 2008 at 02:07:02PM -0400, Ryan Lambert wrote:
 Arie,
 
 Thanks for the information.
 
 I thought it was a little curious that the feature was there, it was just
 bouncing me back and forth between "go here" and "just kidding, not
 supported!".
 
 We are looking at NPE upgrades anyway, so this is at least something I can
 table for discussion come Monday.
 
 Thanks again!
 
 -Ryan
 
 -Original Message-
 From: Arie Vayner (avayner) [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, August 23, 2008 10:40 AM
 To: Ryan Lambert; cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] Interesting 7206 behavior
 
 Ryan,
 
 It seems QOS support on multilink ports was disabled in 12.0(28)S due to
 some major issues between the LFI and QOS code.
 The support is there in newer software, specifically the 12.2SB. I
 suggest you try using 12.2(31)SB.
 
 I think this link could help:
 http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/mcmlp.html
 
 Thanks
 Arie
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Lambert
 Sent: Saturday, August 23, 2008 05:02 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Interesting 7206 behavior
 
 Running a 7206VXR with NPE-300. Code 12.0(28)S6.
 
  
 
 For what it's worth, the two T1s land on a PA-MC-2T3+.
 
  
 
 Anyone seen anything similar to this before? I took a quick peek on
 Cisco's site for anything relevant, but I didn't come up with much. As
 per usual, browsing the list of bugs managed to freak me out, but I
 didn't see exactly what I was looking for. 
 
  
 
 router(config-if)#int mu16
 
 router(config-if)#service-policy output Customer_QoS-Colo 
 
  Service policies on multilink interfaces are not supported
 
  
 
 router(config-if)#int ser5/1/25:0
 
 router(config-if)#service-policy output Customer_QoS-Colo 
 
  Serial5/1/25:0 is a member of a multilink/mfr bundle.
 
  Please attach the service-policy to the multilink/mfr interface
 instead.
 
  
 
 I did sanitize some of this to take out router/customer names, but this
 is the actual output, if you can believe that.
 
  
 
 As a side note, this works if I rip one of the T1s out of the MLPPP
 bundle and apply the policy to the individual serial interface. Does not
 work -ever- on the Multilink interface, or on an interface part of a
 multilink group.
 
  
 
 Thanks,
 
 -Ryan
 


[c-nsp] ADSL weirdness

2008-08-24 Thread Daniel D Jones
This is driving me absolutely batty. I have an ADSL connection with a /29
block of static IPs. I was originally using a BroadMax DSL modem. The modem
works but locks up semi-regularly. Behind the modem, I have a 2651XM router.
Tired of having to reboot the modem, I picked up an ADSL WIC for the router.
After configuring everything, the router connects via ADSL and everything
appears to be fine on the router. The problem is that I cannot access some
web pages. Hotmail.com and myspace.com are two that I know will not load but
they aren't the only two. I can ping the web site IPs, at least those that
answer ping. The page will start to load and then stall. Some pages will time
out, others will simply say "loading" and never complete, even if left up
overnight. If I switch back to the BroadMax modem, I can load the same
webpages without any issue. I get the exact same behavior regardless of
what browser I'm using, and on Windows and Linux, so it's unlikely to be any
sort of host issue.

I've checked the web page IPs and there doesn't appear to be any pattern.
They're certainly not all in a common subnet or anything. The sites where
I'm having an issue do all seem to be more complex sites with lots of
scripting. I've tried to find out if the pages are doing anything weird,
such as opening connections on unusual ports or transferring stuff using
unusual protocols, but I haven't been able to identify anything.

I'm not at all certain that it's only web page traffic that has issues, but 
that's what I've noticed to this point. I run a mail server and a small 
mailing list, and I've gotten a couple of complaints of messages bouncing 
from one user but I believe that's his issue, not mine.  Mail appears to be 
flowing normally otherwise.

Here's the config I have on the router:

interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname USERNAME
 ppp chap password 7 PASSWORD
 ppp pap sent-username USERNAME password 7 PASSWORD

I'm running NAT for internal IPs but my servers have public IPs and the issue 
occurs regardless of whether I'm on a NAT'd machine or a server.

The internal network runs on switches hanging off the fastethernet ports,
which are the internal NAT interface. The servers are connected to a 16 port
switch module in the router. I was running some firewall rules but in an
effort to solve this problem, I've removed all access lists other than the
one liner which allows the private IPs into NAT.

Ideas, hints and suggestions all welcome.


Re: [c-nsp] ADSL weirdness

2008-08-24 Thread Mateusz Błaszczyk
Daniel,


 interface Dialer1
 mtu 1492

Sounds like a TCP window problem. Try adding:

ip mtu 1492
ip tcp adjust-mss 1452

look here for more info

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html

Best Regards,

-- 
-mat


[c-nsp] Multiple SPAN config question (re: tim's reply of 2005 sometime)

2008-08-24 Thread Christian MacNevin

Hi

So this is the conversation I'm referencing inline below.

The configuration we've tried has vlan sources and destinations on a
6148A linecard. It seems to be sending traffic from *all* vlans to
each port, however. The IOS is 12.2(18)SXF14. Is there a hardware
limitation on the split source / split port option?


Config:

monitor session 2 source vlan 64 , 120 , 888 , 998
monitor session 2 destination interface Gi2/23 - 26







REFERENCED CONVERSATION:

To span, say, two of the spanned vlans to one of the configured dest ports,
just add multiple vlans to the allowed list, ie, sw trunk all vlan 10-11,
or similar.

The config I mentioned will include the 1q headers already. If you don't
want that, you could make the native vlan of the span dest port trunk the
vlan you have in the allowed list.

One word of caution on this configuration. The system is not (currently,
no firm plans) intelligent enough to not send ALL the SPAN traffic to ALL
the destination modules, even if that module ultimately won't forward the
traffic because of the allowed vlan list.

For example, if I have a fabric enabled system with modules 1, 2 & 3, and I
span vlans 10 & 11 from module 1 to dest ports on module 2 & 3, where the
allowed list on the mod 2 port is 10 & the allowed list on the mod 3 port
is 11, VLAN 10 & 11 traffic is passed over BOTH the fabric channels, the
one connecting to module 2 & the one connecting to module 3, even though
module 2 will ultimately drop the vlan 11 traffic & module 3 will drop the
vlan 10 traffic.

Tim

At 05:22 PM 3/17/2005, Virgil declared:
On 18/3/05 7:29 AM, Tim Stevenson [EMAIL PROTECTED] wrote:

Tim,

  And then configure a single SPAN session like so:
 
  mon ses 1 source vlan 10 - 13
  mon ses 1 dest int gig 1/1 - 4
 
  This ends up spanning just vlan 10 traffic to int gig 1/1, just vlan 11
  traffic to int gig 1/2, etc.

That's excellent information. What would be required to receive traffic for
a couple of vlans to one port, and include the dot1q headers as well?


Regards
Virgil



Tim Stevenson, [EMAIL PROTECTED]
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.


[c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread ben . steele
 

Hi,

Has anyone had any issues with filtering anything with a % sign in
the url when trying to match for url filtering?

Example: 

class-map type http inspect match-any SQL_FILTER
   2 match url [EMAIL PROTECTED]
   3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.* 

The first string will match no problem, but the second one won't. I've
tried all different methods of matching the % sign like \'ing it,
putting it in [] etc. In theory the above should just work with
something like http://www.bla.com/SELECT%20test.html [1] as it does
with EXEC@ but it doesn't. Anyone got any ideas or had similar issues?
Just want to check here before I raise a TAC.

Cheers 

Ben


Links:
--
[1] http://www.bla.com/SELECT%20test.html


Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread Christian Koch
Have you tried adding \ in front of the % character?





Re: [c-nsp] ADSL weirdness

2008-08-24 Thread Vinny Abello

Specifically add:

ip tcp adjust-mss 1452

to the INSIDE interface where your devices which access the web sites are 
attached. That should do it.

-Vinny

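
Both replies above point at the same fix, MSS clamping. The script below is an added example, not code from the thread or from Cisco, and shows what "ip tcp adjust-mss 1452" actually does to a forwarded SYN: it finds the MSS option in the TCP header, lowers it when it exceeds what the link can carry (PPPoE over Ethernet leaves 1492 bytes for IP, so 1492 - 20 - 20 = 1452; the DMVPN post earlier on this page uses 1400/1360 on its tunnel for the same reason, with GRE and IPsec overhead on top), and recomputes the TCP checksum so the rewritten segment is still valid. Segments that are not SYNs, or carry no MSS option, pass through untouched. The packets and addresses (192.0.2.0/24 and 198.51.100.0/24, documentation ranges) are constructed in the code, not the poster's.

```python
"""TCP MSS clamping on the wire: the mechanism behind 'ip tcp adjust-mss'.

Added example, not code from the thread. A router applying adjust-mss
rewrites the MSS option of SYN segments it forwards so neither end ever
sends a full-size segment that would need fragmentation (or be dropped
silently when PMTUD is blocked) on the PPPoE link. Packets are constructed.
"""
import socket
import struct

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
TCP_SYN = 0x02

def mss_for_link(link_mtu, ip_hdr=IP_HDR, tcp_hdr=TCP_HDR):
    """Largest TCP payload that fits one packet on the link: 1492 -> 1452."""
    return link_mtu - ip_hdr - tcp_hdr

def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _tcp_checksum(pkt, ihl):
    """TCP checksum over pseudo-header + segment with the checksum field zeroed."""
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return _checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

def _mss_option_offset(tcp):
    """Offset of the 2-byte MSS value inside the TCP header, or None if absent."""
    data_off = (tcp[12] >> 4) * 4
    i = TCP_HDR
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                  # end of option list
            return None
        if kind == 1:                  # NOP padding
            i += 1
            continue
        if i + 1 >= data_off:          # truncated option: stop rather than misparse
            return None
        length = tcp[i + 1]
        if length < 2:                 # malformed length would loop forever
            return None
        if kind == 2 and length == 4:  # MSS option
            return i + 2
        i += length
    return None

def read_mss(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]

def clamp_mss(pkt, max_mss):
    """Return (packet, original_mss); MSS is lowered to max_mss when higher.
    Non-TCP, non-SYN or MSS-less segments are returned unchanged with None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or not (pkt[ihl + 13] & TCP_SYN):
        return pkt, None
    tcp = bytearray(pkt[ihl:])
    off = _mss_option_offset(tcp)
    if off is None:
        return pkt, None
    original = struct.unpack_from("!H", tcp, off)[0]
    if original <= max_mss:
        return pkt, original
    struct.pack_into("!H", tcp, off, max_mss)
    new = bytearray(pkt[:ihl]) + tcp
    # Only the TCP checksum changes; the IP header is untouched.
    struct.pack_into("!H", new, ihl + 16, _tcp_checksum(bytes(new), ihl))
    return bytes(new), original

def tcp_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack_from("!H", pkt, ihl + 16)[0] == _tcp_checksum(pkt, ihl)

def build_syn(src_ip, dst_ip, sport, dport, mss, seq=0x1000):
    """Constructed IPv4/TCP SYN carrying a single MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_off = (TCP_HDR + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_off << 4, TCP_SYN,
                      65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    pkt = bytearray(ip + tcp)
    struct.pack_into("!H", pkt, IP_HDR + 16, _tcp_checksum(bytes(pkt), IP_HDR))
    return bytes(pkt)

if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 40000, 80, 1460)
    clamped, before = clamp_mss(syn, mss_for_link(1492))
    print("MSS", before, "->", read_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

The point of the example is the asymmetry the thread is chasing: small packets (pings, SYNs, simple pages) fit the link, while large segments from sites that fill every packet do not, so a host that never learns the smaller MSS stalls mid-transfer. Clamping the SYN fixes that without depending on ICMP "fragmentation needed" getting back to the sender.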


Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread ben . steele
 

Yes I have, I did mention that in my first post but this stupid
webmail client removed it and just put 'ing instead of \'ing :)

FWIW I did manage to get this to match by telling it to match an
ASCII space instead, i.e. .*select\x20.*, however this is more of a hack
for my original request so I will still chase up with TAC.

Cheers
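
The workaround in the thread (matching an ASCII space with \x20 instead of the literal %20) succeeds only if whatever the pattern is applied to already has the percent-encoding removed. The general lesson for any URL filter, added here as an example that is not the ACE implementation or the poster's config, is to normalize before matching and to do so in a bounded loop: a single decode turns %20 into a space, but an attacker can send %2520 (double-encoded) or %09 (tab) and slip past a pattern written against raw text. The sample URLs are constructed; www.bla.com is the placeholder host from the post.

```python
"""URL match on percent-encoded input: decode before matching.

Added example, not ACE code. Compares a pattern applied to the raw URL
('select%20', in the spirit of the class-map line in the post) with one
applied after bounded repeated percent-decoding. Sample URLs are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

RAW_PATTERN = re.compile(r"select%20", re.IGNORECASE)      # matched against raw text
NORMALIZED_PATTERN = re.compile(r"select\s", re.IGNORECASE)  # matched after decoding
MAX_DECODE_ROUNDS = 3  # bound the work; a legitimate client encodes once

def normalize(url, max_rounds=MAX_DECODE_ROUNDS):
    """Path+query of the URL with percent-encoding removed until it is stable."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def matches_raw(url):
    """Match against the URL exactly as received."""
    return RAW_PATTERN.search(url) is not None

def matches_normalized(url):
    """Match after decoding, so encoding variants land on the same text."""
    return NORMALIZED_PATTERN.search(normalize(url)) is not None

def classify(url):
    return {"raw": matches_raw(url), "normalized": matches_normalized(url)}

# Constructed sample URLs: the post's example plus encoding variants.
SAMPLES = [
    "http://www.bla.com/SELECT%20test.html",    # post's example, single-encoded
    "http://www.bla.com/SELECT%2520test.html",  # double-encoded space
    "http://www.bla.com/%53ELECT%09x",          # encoded letter, tab for space
    "http://www.bla.com/selected.html",         # benign, must not match
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

Only the first sample is caught by the raw pattern; the normalized matcher catches the first three and still leaves the benign URL alone. Whichever device does the matching, confirm on the box whether it decodes before applying the regex, because the answer decides which of the two patterns above is the one actually in force.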