Hi all,
I'm running a few tests using GNS3. I built several scenarios using
DMVPN. There is one in particular that is driving me crazy.
Basically I have two spokes behind the same NAT router and the HUB is
facing the NAT router. The NAT router and the HUB are on the same network.
The problem I'm running into is that only one spoke is working (able to ping
the hub) at a time, even though under "sh dmvpn" I can see both spokes
correctly registered. The working spoke, however, has an intermittent connection
toward the hub.
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, Total NBMA Peers (v4/v6): 2
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1 0.0.0.0         1.1.1.1          NHRP    never IX    1.1.1.1/32
     2 172.16.1.2      1.1.1.2            UP 00:00:20 DN    1.1.1.2/32
                                          Claimed Addr. 10.2.2.2
     0 172.16.1.2      1.1.1.3            UP 00:00:34 DN    1.1.1.3/32
                                          Claimed Addr. 10.2.2.3
HUB-1#sh ip nhrp detail
1.1.1.2/32 via 1.1.1.2
Tunnel0 created 00:12:11, expire 01:47:48
Type: dynamic, Flags: unique registered
NBMA address: 172.16.1.2
(Claimed NBMA address: 10.2.2.2)
1.1.1.3/32 via 1.1.1.3
Tunnel0 created 00:12:25, expire 01:50:47
Type: dynamic, Flags: unique registered
NBMA address: 172.16.1.2
(Claimed NBMA address: 10.2.2.3)
Below is the ping from Spoke-1
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!.!.!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!.!.!!!
!!!!!!!!!!!!!!!!!!!
*Mar 1 00:03:38.131: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify
failed for connection
id=1.!.!!!!!!!!!!!!!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!
!!!!!.!!!!!!!!!!!!!!!.!!!!!!!!.!!!!!!!!!!!!!!!.!!!!!!!!.!!!!!!!!!!!!!!
!.!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!.!.!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!.!!!!!!!!!!!!!!!!!!!
I've noticed the %CRYPTO-4-RECVD_PKT_MAC_ERR message. Looking at the Cisco
documentation, it looks like the packet is corrupted or there is a problem with
the link.
Pinging from both spokes at the same time, when Spoke-1 works Spoke-2 cannot
ping the hub and vice versa. This moves from one to the other randomly.
Below are the relevant configs
HUB-1#sh run | sec crypto
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans-dmvpn esp-3des esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set trans-dmvpn
HUB-1#sh run inter tunnel 0
Building configuration...
Current configuration : 296 bytes
!
interface Tunnel0
ip address 1.1.1.1 255.255.255.0
no ip redirects
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip ospf network point-to-multipoint
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
!
end
Current configuration : 98 bytes
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
end
HUB-1#sh run inter fas 0/1
Building configuration...
Current configuration : 101 bytes
!
interface FastEthernet0/1
ip address 192.168.200.1 255.255.255.0
duplex auto
speed auto
!
----------------------------------------
Spoke-1#sh run | s crypto
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans esp-3des esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set trans
Building configuration...
Current configuration : 380 bytes
!
interface Tunnel0
ip address 1.1.1.2 255.255.255.0
no ip redirects
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp map 1.1.1.1 172.16.1.1
ip nhrp map multicast 172.16.1.1
ip nhrp network-id 1
ip nhrp nhs 1.1.1.1
ip ospf network point-to-multipoint
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
end
Spoke-1#sh run int fas 0/0
Building configuration...
Current configuration : 92 bytes
!
interface FastEthernet0/0
ip address 10.2.2.2 255.255.255.0
speed 100
full-duplex
end
Spoke-1#sh run int fas 0/1
Building configuration...
Current configuration : 92 bytes
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
speed 100
full-duplex
---------------------------------------
Spoke-2#sh run | s crypto
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto ipsec transform-set trans esp-3des esp-sha-hmac
mode transport
crypto ipsec profile DMVPN
set transform-set trans
Spoke-2#
Spoke-2#sh run int tun 0
Building configuration...
Current configuration : 380 bytes
!
interface Tunnel0
ip address 1.1.1.3 255.255.255.0
no ip redirects
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp map 1.1.1.1 172.16.1.1
ip nhrp map multicast 172.16.1.1
ip nhrp network-id 1
ip nhrp nhs 1.1.1.1
ip ospf network point-to-multipoint
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
end
Spoke-2#sh run in fas 0/0
Building configuration...
Current configuration : 92 bytes
!
interface FastEthernet0/0
ip address 10.2.2.3 255.255.255.0
speed 100
full-duplex
end
Spoke-2#sh run in fas 0/1
Building configuration...
Current configuration : 94 bytes
!
interface FastEthernet0/1
ip address 172.31.1.1 255.255.255.0
speed 100
full-duplex
end
---------------------------------
NAT-1#sh run int fas 0/0
Building configuration...
Current configuration : 133 bytes
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
end
NAT-1#sh run int fas 0/1
Building configuration...
Current configuration : 130 bytes
!
interface FastEthernet0/1
ip address 10.2.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
end
NAT-1#sh run | i nat
ip nat outside
ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
NAT-1#
Any ideas or suggestions?
Thanks,
Cristiano
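An added example, not part of Cristiano's post: a small Python script that parses the "sh ip nhrp detail" output quoted above and flags registrations that share one NBMA address while claiming different inside addresses, which is exactly what the hub shows for both spokes here (172.16.1.2 for both 1.1.1.2 and 1.1.1.3). The sample constant is the post's own output; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the "sh ip nhrp detail" output quoted in the post.
SAMPLE_NHRP_DETAIL = """\
1.1.1.2/32 via 1.1.1.2
   Tunnel0 created 00:12:11, expire 01:47:48
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.2
    (Claimed NBMA address: 10.2.2.2)
1.1.1.3/32 via 1.1.1.3
   Tunnel0 created 00:12:25, expire 01:50:47
   Type: dynamic, Flags: unique registered
   NBMA address: 172.16.1.2
    (Claimed NBMA address: 10.2.2.3)
"""

ENTRY_RE = re.compile(r"^(\S+/\d+) via (\S+)")
CLAIMED_RE = re.compile(r"\(Claimed NBMA address: (\S+)\)")
NBMA_RE = re.compile(r"NBMA address: (\S+)")
FLAGS_RE = re.compile(r"Flags: (.*)")

def parse_nhrp_detail(text):
    """Return one dict per NHRP cache entry: prefix, tunnel IP, NBMA
    (post-NAT) address, claimed (pre-NAT) address and flags."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        m = ENTRY_RE.match(s)
        if m:
            cur = {"prefix": m.group(1), "tunnel_ip": m.group(2),
                   "nbma": None, "claimed": None, "flags": ()}
            entries.append(cur)
            continue
        if cur is None:
            continue
        # Check the "Claimed" line first; the plain NBMA regex would also match it.
        m = CLAIMED_RE.search(s)
        if m:
            cur["claimed"] = m.group(1)
        elif (m := NBMA_RE.search(s)):
            cur["nbma"] = m.group(1)
        elif (m := FLAGS_RE.search(s)):
            cur["flags"] = tuple(m.group(1).split())
    return entries

def behind_nat(entry):
    """True when the spoke's claimed address differs from what the hub sees."""
    return entry["claimed"] is not None and entry["claimed"] != entry["nbma"]

def shared_nbma(entries):
    """NBMA address -> tunnel IPs of all registered peers using it; only
    addresses shared by more than one peer are returned."""
    by_nbma = defaultdict(list)
    for e in entries:
        if e["nbma"] and "registered" in e["flags"]:
            by_nbma[e["nbma"]].append(e["tunnel_ip"])
    return {k: v for k, v in by_nbma.items() if len(v) > 1}
```

Run against the sample, shared_nbma() reports {"172.16.1.2": ["1.1.1.2", "1.1.1.3"]}, and behind_nat() is true for both entries.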