I had to take 2 minutes and blog this. Last night I set up DMVPN. It all looked OK, but I could not get spoke-to-spoke connectivity. Then today I found Petr Lapukhov's DMVPN Explained blog post on the CCIE Blog at Internetwork Expert. (You can find it here.)

I didn't even make it all the way through before I saw this in Petr's example:

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 123
 ip summary-address eigrp 123 0.0.0.0 0.0.0.0 5
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123

Then I go look at my config:

r1#sh run int t0
Building configuration...

Current configuration : 344 bytes
!
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 60
 no ip split-horizon
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
end

Very subtle, but notice that I didn't specify the EIGRP autonomous system. That's what bit me: the bare no ip split-horizon command applies to RIP, while EIGRP keeps its own per-AS split-horizon setting, so the hub was still refusing to re-advertise routes learned from one spoke back out Tunnel0 to the other spokes. I made the change:

r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#int t0
r1(config-if)#no ip sp
r1(config-if)#no ip split-horizon e
r1(config-if)#no ip split-horizon eigrp 100
r1(config-if)#
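A lint check for exactly this mistake, as an added example (my code, not from the original post or from INE): it parses an IOS running-config, finds the mGRE tunnel interfaces, and reports when split horizon is disabled only with the bare RIP-style command rather than for the EIGRP AS. The hub's Tunnel0 and AS 100 are taken from the post; the router eigrp block is assumed, and the corrected version also adds no ip next-hop-self eigrp 100, which the post does not show and is my assumption of what a Phase 2 hub needs for direct spoke-to-spoke forwarding.

```python
"""Lint an IOS running-config for the DMVPN hub mistake from the post.

Added example (not from the original post).  For every mGRE tunnel interface
it checks that EIGRP split horizon is disabled for the EIGRP AS itself
("no ip split-horizon eigrp <AS>"); the bare "no ip split-horizon" only
applies to RIP.  It also checks for tunnel protection, an NHRP network-id
and (an assumption beyond the post) "no ip next-hop-self eigrp <AS>".
"""
import re

# Constructed sample: the hub's Tunnel0 as shown in the post (bare
# "no ip split-horizon"), plus an assumed "router eigrp 100" block.
HUB_BROKEN = """\
interface Tunnel0
 bandwidth 1024
 ip address 123.123.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp holdtime 60
 no ip split-horizon
 delay 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
router eigrp 100
 network 123.123.123.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
"""

# Constructed sample: the same hub after the fix from the post, plus
# "no ip next-hop-self eigrp 100" (assumed) so spokes learn each other's
# tunnel address as the next hop instead of the hub's.
HUB_FIXED = HUB_BROKEN.replace(
    " no ip split-horizon\n",
    " no ip split-horizon eigrp 100\n no ip next-hop-self eigrp 100\n",
)


def parse_blocks(config: str) -> dict:
    """Map each top-level IOS command to its indented sub-commands (stripped)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level line opens a new block
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def eigrp_as_numbers(blocks: dict) -> set:
    """AS numbers from every 'router eigrp <AS>' block."""
    return {m.group(1) for key in blocks
            if (m := re.fullmatch(r"router eigrp (\d+)", key))}


def lint_dmvpn_hub(config: str) -> list:
    """Return findings for each mGRE tunnel; an empty list means it passes."""
    blocks = parse_blocks(config)
    as_numbers = eigrp_as_numbers(blocks)
    findings = []
    for name, lines in blocks.items():
        if not name.startswith("interface Tunnel"):
            continue
        if "tunnel mode gre multipoint" not in lines:
            continue                          # only mGRE (DMVPN) tunnels matter
        if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
            findings.append(f"{name}: no 'tunnel protection ipsec profile'; "
                            "GRE would cross the underlay in the clear")
        if not any(l.startswith("ip nhrp network-id") for l in lines):
            findings.append(f"{name}: missing 'ip nhrp network-id'")
        for asn in sorted(as_numbers):
            if f"no ip split-horizon eigrp {asn}" not in lines:
                hint = (" (bare 'no ip split-horizon' found, but that applies to RIP, not EIGRP)"
                        if "no ip split-horizon" in lines else "")
                findings.append(f"{name}: split horizon still on for EIGRP {asn}; "
                                f"spokes will not learn each other's routes{hint}")
            if f"no ip next-hop-self eigrp {asn}" not in lines:
                findings.append(f"{name}: missing 'no ip next-hop-self eigrp {asn}'; "
                                "spoke-to-spoke traffic will hairpin through the hub")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", HUB_BROKEN), ("fixed", HUB_FIXED)):
        print(f"{label}: {lint_dmvpn_hub(cfg) or 'OK'}")
```

Run it against a pasted show run and the broken hub reports two findings (split horizon still on for EIGRP 100, and the missing next-hop-self), while the fixed one is clean. The checks are string matches on the exact IOS syntax, so a hub running more than one EIGRP AS gets one finding per AS.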

Then I go back to the spoke. From the following output you can see that I now have some 192.168.x.x routes (that's what I was missing before).

r2#
*Mar  2 03:01:32.605: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 123.123.123.1 (Tunnel0) is up: new adjacency
r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     136.8.0.0/24 is subnetted, 1 subnets
C       136.8.0.0 is directly connected, Serial0/0
     123.0.0.0/24 is subnetted, 1 subnets
C       123.123.123.0 is directly connected, Tunnel0
D    192.168.1.0/24 [90/2653440] via 123.123.123.1, 00:00:03, Tunnel0
C    192.168.2.0/24 is directly connected, Loopback1
     150.8.0.0/24 is subnetted, 3 subnets
C       150.8.2.0 is directly connected, Loopback0
R       150.8.3.0 [120/2] via 136.8.0.3, 00:00:16, Serial0/0
R       150.8.1.0 [120/1] via 136.8.0.1, 00:00:16, Serial0/0
D    192.168.3.0/24 [90/2679040] via 123.123.123.1, 00:00:04, Tunnel0

Now I attempt to ping another spoke router and, lo and behold, I can successfully ping.

r2#p 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:

*Mar  2 03:01:48.475: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /150.8.2.2, src_addr= 150.8.3.3, prot= 47
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 188/189/193 ms
r2#p 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/184/185 ms

The %CRYPTO-4-RECVD_PKT_NOT_IPSEC message on the first attempt is the other spoke (150.8.3.3) sending plain GRE (protocol 47) to 150.8.2.2 before the spoke-to-spoke IPsec SA was up; because Tunnel0 has tunnel protection, that cleartext GRE is dropped rather than accepted, and the lost echoes are the time NHRP resolution and IKE needed to finish.

But I still need to make sure that I actually had an IPsec tunnel for the ICMP over to 192.168.3.3, so I check:

r2#sh cry isa sa
dst             src             state          conn-id slot
150.8.2.2       150.8.3.3       QM_IDLE              2    0
150.8.2.2       150.8.1.1       QM_IDLE              1    0


Yep, I have an SA to 150.8.3.3; that's where 192.168.3.3 is located. Now let's look at the IPsec SAs that go to the spoke.

r2#sh cry ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr. 150.8.2.2

   protected vrf:
   local  ident (addr/mask/prot/port): (150.8.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.8.1.1/255.255.255.255/47/0)
   current_peer: 150.8.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23342, #pkts encrypt: 23342, #pkts digest 23342
    #pkts decaps: 20213, #pkts decrypt: 20213, #pkts verify 20213
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 150.8.2.2, remote crypto endpt.: 150.8.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 7FAB6DEA

     inbound esp sas:
      spi: 0xA65DD270(2791166576)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2056, flow_id: 57, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4435657/3098)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7FAB6DEA(2141941226)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2057, flow_id: 58, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4435653/3098)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (150.8.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (150.8.3.3/255.255.255.255/47/0)
   current_peer: 150.8.3.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 150.8.2.2, remote crypto endpt.: 150.8.3.3
     path mtu 1500, media mtu 1500
     current outbound spi: 35A8F2BC

     inbound esp sas:
      spi: 0x367950CD(913920205)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2058, flow_id: 59, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4420642/3580)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x35A8F2BC(900264636)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2059, flow_id: 60, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4420643/3578)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
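A parser for the show crypto ipsec sa output above, as an added example (my code, not from the original post): it pulls the per-peer packet counters and transforms out of the text and flags two things a practitioner wants to catch here, a peer that is only receiving (0 encaps, so outbound traffic toward it is taking some other path) and legacy transforms such as 3DES and MD5. The sample text is the post's own output, trimmed to the lines the parser uses.

```python
"""Audit 'show crypto ipsec sa' text for one-way SAs and weak transforms.

Added example, not from the original post.  Regexes match the IOS 12.x
output format shown in the post; the sample below is that output trimmed.
"""
import re

# Constructed sample: the spoke's "show crypto ipsec sa" from the post,
# keeping the peer, packet-counter and transform lines.
SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr. 150.8.2.2

   remote ident (addr/mask/prot/port): (150.8.1.1/255.255.255.255/47/0)
   current_peer: 150.8.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23342, #pkts encrypt: 23342, #pkts digest 23342
    #pkts decaps: 20213, #pkts decrypt: 20213, #pkts verify 20213
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xA65DD270(2791166576)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
     outbound esp sas:
      spi: 0x7FAB6DEA(2141941226)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }

   remote ident (addr/mask/prot/port): (150.8.3.3/255.255.255.255/47/0)
   current_peer: 150.8.3.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x367950CD(913920205)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
     outbound esp sas:
      spi: 0x35A8F2BC(900264636)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
"""

PEER_RE = re.compile(r"^\s*current_peer:\s*([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
TRANSFORM_RE = re.compile(r"transform:\s*([^,]+)")
# Transform-name components treated as legacy: esp-des, esp-3des, esp-md5-hmac, esp-null
WEAK = ("des", "3des", "md5", "null")


def parse_ipsec_sa(text: str) -> dict:
    """Return {peer_ip: {'encaps': n, 'decaps': n, 'transforms': set()}}."""
    sas, peer = {}, None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peer = m.group(1)
            sas[peer] = {"encaps": 0, "decaps": 0, "transforms": set()}
        elif peer is None:
            continue                      # header lines before the first peer
        elif m := ENCAPS_RE.search(line):
            sas[peer]["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            sas[peer]["decaps"] = int(m.group(1))
        elif m := TRANSFORM_RE.search(line):
            sas[peer]["transforms"].update(m.group(1).split())
    return sas


def weak_transforms(transforms: set) -> list:
    """Transforms whose name contains a legacy algorithm component."""
    return sorted(t for t in transforms if any(w in t.split("-") for w in WEAK))


def audit(sas: dict) -> list:
    """Findings per peer: legacy transforms and receive-only SAs."""
    findings = []
    for peer, sa in sorted(sas.items()):
        weak = weak_transforms(sa["transforms"])
        if weak:
            findings.append(f"{peer}: legacy transform(s) {' '.join(weak)}; prefer AES with SHA-2")
        if sa["encaps"] == 0 and sa["decaps"] > 0:
            findings.append(f"{peer}: {sa['decaps']} decaps but 0 encaps; outbound traffic "
                            "to this peer is leaving over another SA (check the route's next hop)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipsec_sa(SHOW_CRYPTO_IPSEC_SA)):
        print(finding)
```

On the post's output this reports the 3DES/MD5 transforms on both SAs and the receive-only SA toward 150.8.3.3. Feed it live output and compare two consecutive runs to see which SA the counters are actually moving on.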

And we are good! Man, it's amazing how if you miss one little detail the entire config breaks. I try not to make that mistake on the lab.

Two things in that output are worth checking before calling the spoke-to-spoke path done. First, the SA toward 150.8.3.3 shows 0 encaps and 7 decaps, and the routing table still lists the hub (123.123.123.1) as the next hop for 192.168.3.0/24: r2 is receiving traffic directly from r3 but is still sending its own packets to r3 over the hub SA. For DMVPN Phase 2 the hub also needs no ip next-hop-self eigrp 100 on Tunnel0, so that spokes learn each other's tunnel address as the next hop and resolve it with NHRP; show ip nhrp on the spoke should then show a dynamic entry for the other spoke, and the encaps counter on the spoke-to-spoke SA should start moving. Second, the tunnels negotiated esp-3des esp-md5-hmac, which is fine for a lab but not for production; use AES (ideally AES-GCM) with SHA-2 integrity, and IKEv2 where the platform supports it. Note also that ip nhrp authentication is a cleartext string carried in NHRP packets, not a security control; the IPsec profile is what protects the tunnel.
