Troubleshooting DMVPNs - Alcatron

Transcription

Troubleshooting DMVPNs
BRKSEC-3052
2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Housekeeping
- We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday
- Visit the World of Solutions and Meet the Engineer
- Visit the Cisco Store to purchase your recommended readings
- Please switch off your mobile phones
- After the event don't forget to visit Cisco Live 365: www.ciscolive365.com

Agenda
- DMVPN Overview
- Four Layer Troubleshooting Methodology
- Common Issues
- DMVPN Best Practice Configuration
- Q&A

DMVPN Overview

Dynamic Multipoint VPN
- Provides full meshed connectivity with simple configuration of hub and spoke
- Supports dynamically addressed spokes
- Facilitates zero-touch configuration for addition of new spokes
- Features automatic IPsec triggering for building an IPsec tunnel
[Figure: Secure On-Demand Meshed Tunnels. A hub with Spoke 1, Spoke 2 ... Spoke n; DMVPN tunnels compared with traditional static tunnels; static, known IP addresses versus dynamic, unknown IP addresses]

What Is Dynamic Multipoint VPN?
- DMVPN is a Cisco IOS Software solution for building IPsec+GRE VPNs in an easy, dynamic and scalable manner
- DMVPN relies on two proven technologies:
  - Next Hop Resolution Protocol (NHRP): creates a distributed (NHRP) mapping database of all the spokes' tunnel to real (public interface) addresses
  - Multipoint GRE Tunnel Interface: a single GRE interface to support multiple GRE/IPsec tunnels; simplifies the size and complexity of the configuration

Nomenclature – Transport
[Figure: transport (NBMA) addressing of the example network]
- Hub: LAN 192.168.254.0/24, tunnel address 10.0.0.254, attached to transport network "Transport 1"
- Spoke 1: physical (NBMA) address 172.16.1.1, tunnel address 10.0.0.1, LAN 192.168.0.0/29
- Spoke 2: physical (NBMA) address 172.16.2.1, tunnel address 10.0.0.2, LAN 192.168.0.8/29
- The NBMA address is the physical (transport) interface address; the DMVPN tunnels are built between these addresses

Nomenclature – Overlay
[Figure: overlay/private addressing of the example network]
- Spoke 1: tunnel address 10.0.0.1 (physical 172.16.1.1), LAN 192.168.0.0/29
- Spoke 2: tunnel address 10.0.0.2 (physical 172.16.2.1), LAN 192.168.0.8/29
- The overlay/private addresses are the tunnel and LAN addresses carried inside the DMVPN tunnels

DMVPN—How It Works
- Spokes have a dynamic permanent GRE/IPsec tunnel to the hub; they register as clients of the NHRP server
- Based on on-demand traffic, the spoke queries the NHRP server for the real (outside) address of the destination spoke
- Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke
- The spoke-to-spoke tunnel is built over the mGRE interface
- When traffic ceases the spoke-to-spoke tunnel is torn down
[Figure: Secure On-Demand Meshed Tunnels. Hub / NHRP Server with Spoke 1, Spoke 2 ... Spoke n; DMVPN tunnels compared with traditional static tunnels; static, known IP addresses versus dynamic, unknown IP addresses]

Dynamic Multipoint VPN (DMVPN) Major Features
- Configuration reduction and no-touch deployment
- IP(v4/v6) unicast, IP multicast and dynamic routing protocols
- Spokes with dynamically assigned addresses
- NAT—spoke routers behind dynamic NAT and hub routers behind static NAT
- Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs
- Can be used without IPsec encryption
- VRFs—GRE tunnels and/or data packets in VRFs
- 2547oDMVPN—MPLS switching over tunnels
- QoS—aggregate; static/manual per-tunnel
- Transparent to most data packet level features
- Wide variety of network designs and options

DMVPN Components
- Next Hop Resolution Protocol (NHRP): creates a distributed (NHRP) mapping database of all the spokes' tunnel to real (public interface) addresses
- Multipoint GRE Tunnel Interface (mGRE): a single GRE interface to support multiple GRE/IPsec tunnels; simplifies the size and complexity of the configuration
- IPsec tunnel protection: dynamically creates and applies encryption policies
- Routing: dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported

DMVPN Phases

Phase 1: hub and spoke functionality, 12.2(13)T
- Simplified and smaller config for hub and spoke
- Support for dynamically addressed CPE
- Support for multicast traffic from hub to spoke

Phase 2: spoke to spoke functionality, 12.3(4)T
- Single mGRE interface in spokes
- Direct spoke to spoke data traffic - reduced load on hub
- Cannot summarise spoke routes on hub
- Route on spoke must have IP next hop of remote spoke

Phase 3: architecture and scaling, 12.4(6)T
- Increase number of hubs with same hub and spoke ratio
- No hub daisy-chain
- OSPF routing protocol not limited to 2 hubs
- Cannot mix phase 2 and phase 3 in same DMVPN cloud
- Summarise routing at hub
- Spokes don't need full routing table

Network Designs
- Hub and spoke (Phase 1)
- Spoke-to-spoke (Phase 2)
- Hierarchical (Phase 3)
- VRF-lite
- Server Load Balancing
- 2547oDMVPN
[Figure legend: spoke-to-hub tunnels, spoke-to-spoke tunnels, 2547oDMVPN tunnels]

Four Layer Troubleshooting Methodology

Before You Begin
- Sync up the timestamps between the hub and spoke, preferably using NTP
- Enable msec debug and log timestamps:
    service timestamps debug datetime msec
    service timestamps log datetime msec
- Enable "terminal exec prompt timestamp" for the debugging sessions, so you can easily correlate the debug output with the show command output

Four Layer Troubleshooting Methodology
Four layers for troubleshooting:
- Physical and routing layer
- IPsec encryption layer—IPsec/ISAKMP
- GRE encapsulation layer—NHRP
- VPN routing layer—routing and IP data
[Figure: the VPN Routing Layer (tunnel endpoints, IPsec destination) stacked over the IP Infrastructure Layer; routing at each layer may be static, EIGRP, OSPF or BGP]

Four Layers for Troubleshooting: Physical and Routing Layer
- Physical (NBMA or tunnel endpoint) routing layer: this gets the encrypted tunnel packets between the tunnel endpoints
[Figure: tunnel endpoints a and b over the IP Infrastructure Layer; routing at each layer may be static, EIGRP, OSPF or BGP]

Four Layers for Troubleshooting: Physical and Routing Layer
- Ping from the hub to the spokes using NBMA addresses (and in reverse):
  - These pings should go directly out the physical interface, not through the DMVPN tunnel
  - If pings are failing, check the routing and any firewalls between the hub and spoke routers
- Also use traceroute to check the path that the encrypted tunnel packets are taking
- Check for "administratively prohibited" (ACL) messages

Four Layers for Troubleshooting: Physical and Routing Layer (Cont.)
Debugs and show commands to use for connectivity issues
- debug ip icmp
  - Valuable tool used to troubleshoot connectivity issues
  - Helps you determine whether the router is sending or receiving ICMP messages
    ICMP: rcvd type 3, code 1, from 172.17.0.1
    ICMP: src 172.17.0.1, dst 172.16.1.1, echo reply
    ICMP: dst (10.120.1.0) port unreachable rcv from 10.120.1.15
    ICMP: src 172.17.0.5, dst 172.16.1.1, echo reply
Debug icmp field 2 3/debug/command/referencedbg i1g.html#wp1017595

Four Layers for Troubleshooting: Physical and Routing Layer (Cont.)
Debugs and show commands to troubleshoot connectivity issues
- debug ip packet [access-list-number] [detail] [dump]
  - Useful tool for troubleshooting end-to-end communication
  - IP packet debugging captures the packets that are process switched, including received, generated and forwarded packets
    IP: s=172.16.1.1 (local), d=172.17.0.1 (FastEthernet0/1), len 100, sending
        ICMP type=8, code=0
    IP: tableid=0, s=172.17.0.1 (FastEthernet0/1), d=172.16.1.1 (FastEthernet0/1), routed via RIB
    IP: s=172.17.0.1 (FastEthernet0/1), d=172.16.1.1 (FastEthernet0/1), len 100, rcvd 3
        ICMP type=0, code=0
Caution: the debug ip packet command can generate a substantial amount of output and uses a substantial amount of system resources. This command should be used with caution in production networks. Always use it with an ACL.
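As an added illustration (not from the original presentation), here is a small Python decoder for the debug ip icmp lines shown above. It keys on ICMP type 3 codes: code 1 is a plain host unreachable (a routing problem between the NBMA addresses), while codes 9, 10 and 13 are what a filtering ACL or firewall returns, which is the "administratively prohibited" message the slides tell you to look for. The sample lines are constructed: the first two are modelled on the slide's output, the third (from a hypothetical ISP router 10.0.0.2) is made up.

```python
import re

# ICMP destination-unreachable (type 3) codes from RFC 792 / RFC 1812.
# Codes 9, 10 and 13 are what a filtering device (ACL, firewall) sends back,
# which is the "administratively prohibited" case on the slide.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
FILTER_CODES = {9, 10, 13}

# The two 'debug ip icmp' line shapes shown on the slide.
RCVD_RE = re.compile(r"ICMP: rcvd type (\d+), code (\d+), from (\S+)")
REPLY_RE = re.compile(r"ICMP: src (\S+), dst (\S+), echo reply")


def classify_icmp_debug(lines):
    """Turn 'debug ip icmp' lines into (kind, reporter, detail) tuples.

    kind is one of: reply, filtered, unreachable, other.
    reporter is the address the message came from; for type 3 that is the
    router or firewall that dropped the packet, not the final destination.
    """
    results = []
    for line in lines:
        m = RCVD_RE.search(line)
        if m:
            icmp_type, code, reporter = int(m.group(1)), int(m.group(2)), m.group(3)
            if icmp_type == 3:
                detail = UNREACHABLE_CODES.get(code, f"unreachable code {code}")
                kind = "filtered" if code in FILTER_CODES else "unreachable"
                results.append((kind, reporter, detail))
            else:
                results.append(("other", reporter, f"type {icmp_type} code {code}"))
            continue
        m = REPLY_RE.search(line)
        if m:
            results.append(("reply", m.group(1), f"echo reply to {m.group(2)}"))
    return results


def summarize_by_address(lines):
    """Map each address seen in the debug to a one-line verdict.

    A filtering or no-path verdict overrides an earlier 'reachable' verdict
    for the same address, because the drop is the actionable finding.
    """
    summary = {}
    for kind, addr, detail in classify_icmp_debug(lines):
        if kind == "reply":
            summary.setdefault(addr, "reachable (echo reply seen)")
        elif kind == "filtered":
            summary[addr] = "filtered: " + detail + " - check ACLs/firewalls on the path"
        elif kind == "unreachable":
            summary[addr] = "no path: " + detail + " - check routing between NBMA addresses"
    return summary


# Constructed sample: the first two lines are modelled on the slide's output,
# the third is a made-up ACL rejection from a hypothetical ISP router 10.0.0.2.
SAMPLE_DEBUG = [
    "ICMP: rcvd type 3, code 1, from 172.17.0.1",
    "ICMP: src 172.17.0.5, dst 172.16.1.1, echo reply",
    "ICMP: rcvd type 3, code 13, from 10.0.0.2",
]

if __name__ == "__main__":
    for addr, verdict in summarize_by_address(SAMPLE_DEBUG).items():
        print(f"{addr:15} {verdict}")
```

Paste the debug ip icmp output from the spoke or hub into a file and feed its lines to summarize_by_address; an address reported as "filtered" is where to start looking for the ACL, before touching any IPsec or NHRP configuration.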

Four Layers for Troubleshooting: Physical and Routing Layer (Cont.)
Common issues:
- ACL on the firewall/ISP side blocking ISAKMP traffic
- Traffic filtering resulting in traffic flowing in one direction only

Common Issues: Firewall or ISP Blocking IKE
Problem:
- IPsec tunnel is not coming up
- Network connectivity between hub and spoke is fine
How to detect? On the spoke router:
    spoke# show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE
    172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE (deleted)
    172.17.0.5      172.16.1.1      MM_NO_STATE          0    0 ACTIVE
    172.17.0.5      172.16.1.1      MM_NO_STATE          0    0 ACTIVE (deleted)
The IKE SA (phase 1) negotiation is failing.

Common Issues: Firewall or ISP Blocking IKE
- Run "debug crypto isakmp" to verify that the spoke router is sending UDP 500 packets
Spoke router:
    spoke# debug crypto isakmp
    04:14:44.450: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    04:14:44.450: ISAKMP:(0): beginning Main Mode exchange
    04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    04:14:44.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
    04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    04:14:54.450: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    04:14:54.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
    04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    04:15:04.450: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    04:15:04.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    04:15:04.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
The debug output above shows the spoke router sending a UDP 500 packet every 10 seconds and never receiving a reply.

Common Issues: IKE Traffic Blocked
How to fix?
- Check and allow UDP port 500 on all intermediate devices and at the ISP
- After UDP port 500 is allowed in the inbound ACL on the WAN (public) interface, verify that the hit counts are incrementing on the ACL using the "show access-list <acl>" command
Hub router:
    hub# show access-lists 101
    Extended IP access list 101
        10 permit udp host 172.17.0.1 host 172.16.1.1 eq isakmp (4 matches)
        20 permit udp host 172.17.0.5 host 172.16.1.1 eq isakmp (4 matches)
        30 permit ip any any (295 matches)
Caution: make sure you have "permit ip any any" in your access-list, otherwise all other traffic will be blocked by this ACL applied inbound on the egress interface.

Common Issues: IKE Traffic Blocked
How to verify it is working?
Spoke router:
    spoke# show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    172.17.0.1      172.16.1.1      QM_IDLE           1009    0 ACTIVE
    172.17.0.5      172.16.1.1      QM_IDLE           1008    0 ACTIVE
Phase 1 is UP; UDP 500 packets are now received:
    spoke# debug crypto isakmp
    ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    ISAKMP:(0): beginning Main Mode exchange
    ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    ISAKMP (0:0): received packet from 172.17.0.1 dport 500 sport 500 Global (I) MM_NO_STATE
    ISAKMP:(0):Sending an IKE IPv4 Packet.
    ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    ISAKMP:(0):atts are acceptable.
    ISAKMP:(1009):Old State = IKE_R_MM3  New State = IKE_R_MM3
    ISAKMP:(1009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
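The detect, fix and verify steps on the last four slides can be scripted. The following Python, added here as an example and not part of the presentation, parses the show crypto isakmp sa rows and the send/receive lines of debug crypto isakmp, and for each peer decides whether phase 1 is up, whether IKE packets leave without any reply (the UDP/500-filtered case), or whether packets are exchanged but negotiation still fails (which points at the policy mismatch covered later in the deck). The sample table and debug lines are constructed, modelled on the slide output; the 172.17.0.5 debug lines are made up to give a peer that does answer.

```python
import re
from collections import Counter

# One row of 'show crypto isakmp sa': dst src state conn-id slot status
SA_ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$"
)
# 'debug crypto isakmp' lines that show whether IKE packets leave and arrive.
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
RETRANS_RE = re.compile(r"retransmitting phase 1")


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header and title lines do not match."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW_RE.match(line)
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "status": m.group(6)})
    return rows


def ike_exchange_stats(debug_lines):
    """Count IKE packets sent to and received from each peer, plus retransmits."""
    sent, received, retrans = Counter(), Counter(), 0
    for line in debug_lines:
        if RETRANS_RE.search(line):
            retrans += 1
        m = SEND_RE.search(line)
        if m:
            sent[m.group(1)] += 1
        m = RECV_RE.search(line)
        if m:
            received[m.group(1)] += 1
    return sent, received, retrans


def diagnose_phase1(sa_text, debug_lines):
    """One verdict per peer (keyed by the SA's dst address)."""
    rows = parse_isakmp_sa(sa_text)
    sent, received, _ = ike_exchange_stats(debug_lines)
    verdicts = {}
    for peer in sorted({r["dst"] for r in rows}):
        states = {r["state"] for r in rows if r["dst"] == peer}
        if "QM_IDLE" in states:
            verdicts[peer] = "phase 1 up"
        elif sent[peer] and not received[peer]:
            # Packets go out, nothing comes back: the slide's firewall/ISP case.
            verdicts[peer] = "no IKE reply: UDP/500 probably filtered on the path"
        else:
            verdicts[peer] = "phase 1 failing after packets exchanged: check ISAKMP policy and PSK"
    return verdicts


# Constructed samples modelled on the slide output (underscores restored).
SAMPLE_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE
172.17.0.1      172.16.1.1      MM_NO_STATE          0    0 ACTIVE (deleted)
172.17.0.5      172.16.1.1      QM_IDLE           1008    0 ACTIVE
"""

SAMPLE_DEBUG = [
    "04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...",
    "04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...",
    "04:15:04.450: ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE",
    # made-up lines for a peer that does answer
    "04:15:10.450: ISAKMP:(0): sending packet to 172.17.0.5 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "04:15:10.460: ISAKMP (0:0): received packet from 172.17.0.5 dport 500 sport 500 Global (I) MM_NO_STATE",
]

if __name__ == "__main__":
    for peer, verdict in diagnose_phase1(SAMPLE_SA, SAMPLE_DEBUG).items():
        print(f"{peer:15} {verdict}")
```

The verdict for a peer is only as good as the debug window you capture: collect at least two retransmit intervals (the slide shows 10 seconds between attempts) before concluding that no reply is arriving, and run the same check on the hub to confirm the packets are not arriving there either.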

Common Issues: Traffic Filtering, Uni-directional Traffic
Problem:
- Unable to pass data traffic
- The VPN tunnel between the spoke-to-spoke routers is UP
How to detect?
    spoke1# show crypto ipsec sa peer 172.16.2.11
       local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
        #pkts encaps: 110, #pkts encrypt: 110, #pkts decaps: 0, #pkts decrypt: 0,
         local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.2.11
         inbound esp sas:
          spi: 0x4C36F4AF(1278669999)
         outbound esp sas:
          spi: 0x6AC801F4(1791492596)

    spoke2# show crypto ipsec sa peer 172.16.1.1
       local  ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
        #pkts encaps: 116, #pkts encrypt: 116, #pkts decaps: 110, #pkts decrypt: 110,
         local crypto endpt.: 172.16.2.11, remote crypto endpt.: 172.16.1.1
         inbound esp sas:
          spi: 0x6AC801F4(1791492596)
         outbound esp sas:
          spi: 0x4C36F4AF(1278669999)
There are no decap packets on Spoke 1, which means ESP packets are likely getting dropped somewhere in the path from Spoke 2 towards Spoke 1.

Common Issues: Traffic Filtering, Uni-directional Traffic
How to fix?
- The Spoke 2 router shows both encaps and decaps, which means either the firewall at the Spoke 2 end or the ISP is blocking ESP
- Check and allow the ESP traffic
How to verify?
    spoke1# show crypto ipsec sa peer 172.16.2.11
       local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
        #pkts encaps: 300, #pkts encrypt: 300
        #pkts decaps: 200, #pkts decrypt: 200,

    spoke2# sh cry ipsec sa peer 172.16.1.1
       local  ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
        #pkts encaps: 316, #pkts encrypt: 316,
        #pkts decaps: 300, #pkts decrypt: 310,
After ESP (IP protocol 50) is allowed, the Spoke 1 and Spoke 2 encaps and decaps counters are both incrementing.
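Added example, not part of the presentation: a Python check that reads show crypto ipsec sa peer output from both ends of a spoke-to-spoke tunnel and reports which direction of ESP is being dropped, by comparing one side's encaps with the other side's decaps. It also checks that each side's outbound SPI matches the peer's inbound SPI, since a mismatch there means stale or mismatched SAs rather than filtering. The embedded outputs are constructed from the counters on the two preceding slides (before and after allowing ESP).

```python
import re

ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
LOCAL_RE = re.compile(r"local crypto endpt\.: (\S+?),")
REMOTE_RE = re.compile(r"remote crypto endpt\.: (\S+)")
# The SPI sits on the line after "inbound esp sas:" / "outbound esp sas:".
IN_SPI_RE = re.compile(r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)")
OUT_SPI_RE = re.compile(r"outbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Pull the counters, endpoints and SPIs out of one side's output."""
    def first(rx, conv=str):
        m = rx.search(text)
        return conv(m.group(1)) if m else None

    return {
        "local": first(LOCAL_RE),
        "remote": first(REMOTE_RE),
        "encaps": first(ENCAPS_RE, int) or 0,
        "decaps": first(DECAPS_RE, int) or 0,
        "in_spi": first(IN_SPI_RE, str.lower),
        "out_spi": first(OUT_SPI_RE, str.lower),
    }


def esp_path_check(side_a_text, side_b_text):
    """Compare both ends; return a list of findings (empty means healthy).

    A side that encapsulates while the other never decapsulates means ESP
    (IP protocol 50) is dropped between them in that direction.
    """
    a, b = parse_ipsec_sa(side_a_text), parse_ipsec_sa(side_b_text)
    findings = []
    if a["encaps"] > 0 and b["decaps"] == 0:
        findings.append(f"ESP from {a['local']} to {b['local']} is sent but never decapsulated: "
                        "check ESP (IP protocol 50) filtering on that path")
    if b["encaps"] > 0 and a["decaps"] == 0:
        findings.append(f"ESP from {b['local']} to {a['local']} is sent but never decapsulated: "
                        "check ESP (IP protocol 50) filtering on that path")
    # SPI pairing only makes sense when both outputs include the SA details.
    if all([a["in_spi"], a["out_spi"], b["in_spi"], b["out_spi"]]):
        if a["out_spi"] != b["in_spi"] or b["out_spi"] != a["in_spi"]:
            findings.append("SPI mismatch between the two ends: stale or mismatched IPsec SAs")
    return findings


# Constructed samples built from the counters on the slides.
SPOKE1_BEFORE = """\
spoke1# show crypto ipsec sa peer 172.16.2.11
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
    #pkts encaps: 110, #pkts encrypt: 110, #pkts decaps: 0, #pkts decrypt: 0,
     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.2.11
     inbound esp sas:
      spi: 0x4C36F4AF(1278669999)
     outbound esp sas:
      spi: 0x6AC801F4(1791492596)
"""
SPOKE2_BEFORE = """\
spoke2# show crypto ipsec sa peer 172.16.1.1
    #pkts encaps: 116, #pkts encrypt: 116, #pkts decaps: 110, #pkts decrypt: 110,
     local crypto endpt.: 172.16.2.11, remote crypto endpt.: 172.16.1.1
     inbound esp sas:
      spi: 0x6AC801F4(1791492596)
     outbound esp sas:
      spi: 0x4C36F4AF(1278669999)
"""
SPOKE1_AFTER = """\
    #pkts encaps: 300, #pkts encrypt: 300
    #pkts decaps: 200, #pkts decrypt: 200,
     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.2.11
"""
SPOKE2_AFTER = """\
    #pkts encaps: 316, #pkts encrypt: 316,
    #pkts decaps: 300, #pkts decrypt: 310,
     local crypto endpt.: 172.16.2.11, remote crypto endpt.: 172.16.1.1
"""

if __name__ == "__main__":
    print("before:", esp_path_check(SPOKE1_BEFORE, SPOKE2_BEFORE))
    print("after: ", esp_path_check(SPOKE1_AFTER, SPOKE2_AFTER))
```

Take both captures within a few seconds of each other and with traffic flowing; a decaps counter of zero only proves a drop when the other side's encaps counter is moving at the same time.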

Four Layers for Troubleshooting: IPsec Encryption Layer
- The IPsec encryption layer: this layer encrypts the GRE tunnel packet going out and decrypts the IPsec packet coming in to reveal the GRE encapsulated packet
[Figure: IPsec tunnel between endpoints a and b over the IP Infrastructure Layer; routing at each layer may be static, EIGRP, OSPF or BGP]

Four Layers for Troubleshooting: IPsec Encryption Layer—IPsec Component
DMVPN Component—IPsec
- DMVPN introduced tunnel protection
- The profile must be applied on the tunnel interface:
    tunnel protection ipsec profile prof
- Internally Cisco IOS Software treats this as a dynamic crypto map and derives the local-address, set peer and match address parameters from the tunnel parameters and the NHRP cache
- This must be configured on the hub and spoke tunnels

Four Layers for Troubleshooting: IPsec Encryption Layer—IPsec Component
DMVPN Component—IPsec (Cont.)
- A transform set must be defined:
    crypto ipsec transform-set ts esp-3des esp-sha-hmac
     mode transport
- An IPsec profile replaces the crypto map:
    crypto ipsec profile prof
     set transform-set ts
- The IPsec profile is like a crypto map without "set peer" and "match address":
    interface Tunnel0
     ip address 10.0.0.1 255.255.255.0
     :
     tunnel source FastEthernet0/0
     tunnel protection ipsec profile prof
Note: GRE tunnel keepalives are not supported in combination with tunnel protection.

Four Layers for Troubleshooting: IPsec Encryption Layer
IPsec Layer Verification—show commands
- Verify that ISAKMP SAs and IPsec SAs between the NBMA addresses of the hub and spoke have been created:
    show crypto isakmp sa detail
    show crypto ipsec sa peer <NBMA-address-of-peer>
- Notice the SA lifetime values:
  - If they are close to the configured lifetimes (default 24 hrs for ISAKMP and 1 hour for IPsec) then these SAs have been recently negotiated
  - If you look a little while later and they have been re-negotiated again, then ISAKMP and/or IPsec may be bouncing up and down

Four Layers for Troubleshooting: IPsec Encryption Layer
IPsec Layer Verification—show commands (Cont.)
- New show commands for DMVPN, introduced in 12.4(9)T, with brief and detail output:
    show dmvpn detail
  - Covers both IPsec phase 1 and phase 2 status
    show dmvpn [{interface i/f} | {vrf vrf-name} | {peer {{nbma | tunnel} ip-addr} | {network ip-addr mask}}] [detail]
Note: prior to 15.x, it does not show the remaining lifetime for IPsec phase 1 and phase 2. Use the legacy commands for lifetime.

Four Layers for Troubleshooting: IPsec Encryption Layer
IPsec Layer Verification—debug commands
- Check the debug output on both the spoke and the hub at the same time:
    debug crypto isakmp
    debug crypto ipsec
    debug crypto engine
  - New command, introduced in 12.4(9)T:
    debug dmvpn detail crypto
- Use conditional debugging on the hub router to restrict the crypto debugs to only show debugs for the particular spoke in question:
    debug crypto condition peer ipv4 <nbma-address>
    debug dmvpn condition peer {nbma | tunnel} <address>
- Verify the communication between NHRP and IPsec by showing the crypto map and socket tables:
    show crypto map
    show crypto socket

Four Layers for Troubleshooting: IPsec Encryption Layer—Show Commands
show crypto isakmp sa
    Router# show crypto isakmp sa
    dst             src             state          conn-id slot
    172.17.0.1      172.16.1.1      QM_IDLE              1    0
IKE phase 1 status: UP

show crypto isakmp sa detail
    Router# show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature, renc - RSA encryption
    Connection-id:Engine-id   I-VRF   Encr   Hash   Auth   DH   Lifetime   Cap.
    1:1(hardware) ...
Annotations on the slide: the Encr column shows 3des, the Auth column shows the pre-shared key, and the Lifetime column is the remaining lifetime before the phase 1 re-key.

Four Layers for Troubleshooting: IPsec Encryption Layer—Show Commands
show crypto ipsec sa
    Router# show crypto ipsec sa
    interface: Ethernet0/3
        Crypto map tag: vpn, local addr. 172.17.0.1
       local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
       current_peer: 172.17.0.1:500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
        #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compr'ed: 0, #pkts compr. failed: 0, #pkts decompr. failed: 0
        #send errors 1, #recv errors 0
         local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.17.0.1
         path mtu 1500, media mtu 1500
         current outbound spi: 8E1CB77A

Four Layers for Troubleshooting: IPsec Encryption Layer—Show Commands
show crypto ipsec sa (cont.)
         inbound esp sas:
          spi: 0x4579753B(1165587771)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4456885/3531)
            IV size: 8 bytes
            replay detection support: Y
         outbound esp sas:
          spi: 0x8E1CB77A(2384246650)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4456885/3531)
            IV size: 8 bytes
            replay detection support: Y
Annotation: the "remaining key lifetime (k/sec)" values are the remaining lifetime before re-key.

Four Layers for Troubleshooting: IPsec Encryption Layer—Show Commands
show dmvpn
    HUB-1# show dmvpn
    Legend: Attrb -- S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent -- Number of NHRP entries with same NBMA peer

    Tunnel1, Type:Hub, NHRP Peers:2,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1         1.1.1.1      172.20.1.1    UP 00:04:32     D
         1         2.2.2.2      172.20.1.2    UP 00:01:25     D
Dynamic (D) entries can be built either on the hub or on the spoke (spoke-to-spoke tunnels).

    SPOKE-1# show dmvpn
    Legend: Attrb -- S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent -- Number of NHRP entries with same NBMA peer

    Tunnel1, Type:Spoke, NHRP Peers:1,
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1         3.3.3.3    172.20.1.100    UP 00:21:56     S
The S entry on the spoke is the static NHRP mapping to the hub.

Four Layers for Troubleshooting: IPsec Encryption Layer—Show Commands
show dmvpn detail
    R600_spokeB# show dmvpn detail
    Legend: Attrb -- S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent -- Number of NHRP entries with same NBMA peer
            NHS Status: E -- Expecting Replies, R -- Responding, W -- Waiting
            UpDn Time -- Up or Down Time for a Tunnel

    Interface Tunnel0 is up/up, Addr. is 10.10.10.6, VRF ""
       Tunnel Src./Dest. addr: 172.16.2.1/MGRE, Tunnel VRF ""
       Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-ikev2"
    IPv4 NHS:
    10.10.10.2  RE  priority = 0 cluster = 0
    Type:Spoke, Total NBMA Peers (v4/v6): 3
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
     ----- --------------- --------------- ----- -------- ----- -----------------
         1      172.17.0.9      10.10.10.2    UP 18:15:07    S       10.10.10.2/32
         2      172.16.7.2      10.10.10.7    UP 00:02:36    D       10.10.10.7/32
         0      172.16.7.2      10.10.10.7    UP 00:02:36  DT1     192.168.19.0/24
         1      172.16.2.1      10.10.10.6    UP 00:02:36  DLX     192.168.18.0/24
Annotations: the D entries are learnt dynamically. DLX: dynamic, local, no socket (the spoke's own entry). DT1: dynamic tunnel for spoke-to-spoke traffic.

Four Layers for Troubleshooting: IPsec Encryption Layer—Show Commands (cont'd)
show dmvpn detail
    R600_spokeB# show dmvpn detail
    Crypto Session Details:
    -------------------------------------
    Interface: Tunnel0
    Session: [0x0916D430]
      IKEv2 SA: local 172.16.2.1/500 remote 172.17.0.9/500 Active
              Capabilities:(none) connid:1 lifetime:05:44:52
      Crypto Session Status: UP-ACTIVE
      fvrf: (none),   Phase1_id: 172.17.0.9
      IPSEC FLOW: permit 47 host 172.16.2.1 host 172.17.0.9
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 14818 drop 0 life (KB/Sec) 4200810/3377
            Outbound: #pkts enc'ed 28979 drop 0 life (KB/Sec) 4200805/3377
       Outbound SPI : 0x25C41C2C, transform : esp-3des esp-sha-hmac
        Socket State: Open

    Interface: Tunnel0
    Session: [0x0916D330]
      IKEv1 SA: local 172.16.2.1/500 remote 172.16.7.2/500 Active
              Capabilities:(none) connid:1039 lifetime:23:57:22
      Crypto Session Status: UP-ACTIVE
      fvrf: (none),   Phase1_id: 172.16.7.2
      IPSEC FLOW: permit 47 host 172.16.2.1 host 172.16.7.2
            0 life (KB/Sec) 4305525/3443
            Outbound: #pkts enc'ed 41 drop 0 life (KB/Sec) 4305525/3443
       Outbound SPI : 0x57A1D6F6, transform : esp-3des esp-sha-hmac
        Socket State: Open
Annotations: the first block is the IKEv2 session (to the NHS at 172.17.0.9), the second the IKEv1 session to the other spoke; each shows the crypto session status and the socket state.
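Added example, not from the presentation: a Python parser for the show dmvpn peer table shown on the preceding slides (brief and detail formats). It decodes the Attrb letters using the command's own legend and flags peers that are not UP, that have an Incomplete mapping, or that are remote peers without a crypto socket. The hub and spoke samples are constructed from the slide output, plus one made-up row (4.4.4.4, state IKE) to show a peer stuck before UP.

```python
import re

# One row of the 'show dmvpn' peer table (hub or spoke, brief or detail).
# Columns: # Ent, Peer NBMA Addr, Peer Tunnel Add, State, UpDn Tm, Attrb and,
# with 'detail' only, Target Network; the last group is therefore optional.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+([A-Z0-9]+)(?:\s+(\S+))?\s*$"
)

# Attribute letters exactly as printed in the command's legend.
ATTRB_LEGEND = {
    "S": "static", "D": "dynamic", "I": "incomplete",
    "N": "NATed", "L": "local", "X": "no socket",
}


def parse_show_dmvpn(text):
    """Return one dict per peer row; legend, header and NHS lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        attrb = m.group(6)
        peers.append({
            "entries": int(m.group(1)),
            "nbma": m.group(2),
            "tunnel": m.group(3),
            "state": m.group(4),
            "updown": m.group(5),
            "attrb": attrb,
            "target": m.group(7),
            "flags": [ATTRB_LEGEND[c] for c in attrb if c in ATTRB_LEGEND],
        })
    return peers


def find_problems(text):
    """Flag the rows an operator would look at first.

    - state other than UP: the tunnel to that peer is stuck at an earlier
      stage (for example still negotiating IKE)
    - attribute I: the NHRP mapping never completed
    - attribute X without L: a remote peer with no crypto socket, which is
      abnormal on a tunnel with tunnel protection (X together with L is the
      spoke's own local entry, like the DLX row on the slide, and is normal)
    """
    problems = []
    for p in parse_show_dmvpn(text):
        if p["state"] != "UP":
            problems.append(f"{p['nbma']}: tunnel state {p['state']} (stuck before UP)")
        if "I" in p["attrb"]:
            problems.append(f"{p['nbma']}: incomplete NHRP mapping")
        if "X" in p["attrb"] and "L" not in p["attrb"]:
            problems.append(f"{p['nbma']}: no crypto socket for a remote peer")
    return problems


# Constructed sample: the first two rows are the hub output from the slide,
# the 4.4.4.4 row is made up to show a peer still negotiating IKE.
HUB_SAMPLE = """\
Legend: Attrb -- S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent -- Number of NHRP entries with same NBMA peer

Tunnel1, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1      172.20.1.1    UP 00:04:32     D
     1         2.2.2.2      172.20.1.2    UP 00:01:25     D
     1         4.4.4.4      172.20.1.4   IKE 00:00:12     D
"""

# Constructed from the spoke's 'show dmvpn detail' rows on the slide.
SPOKE_DETAIL_SAMPLE = """\
Interface Tunnel0 is up/up, Addr. is 10.10.10.6, VRF ""
IPv4 NHS:
10.10.10.2  RE  priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 3
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
 ----- --------------- --------------- ----- -------- ----- -----------------
     1      172.17.0.9      10.10.10.2    UP 18:15:07    S       10.10.10.2/32
     2      172.16.7.2      10.10.10.7    UP 00:02:36    D       10.10.10.7/32
     0      172.16.7.2      10.10.10.7    UP 00:02:36  DT1     192.168.19.0/24
     1      172.16.2.1      10.10.10.6    UP 00:02:36  DLX     192.168.18.0/24
"""

if __name__ == "__main__":
    for name, sample in (("hub", HUB_SAMPLE), ("spoke", SPOKE_DETAIL_SAMPLE)):
        print(name, find_problems(sample) or "no problems")
```

Only the six letters in the legend are decoded; the T1 suffix on the DT1 row is left undecoded because the slide's legend does not define it. When a row is flagged for a non-UP state, the next step is the crypto session part of show dmvpn detail for that peer, or the conditional crypto debugs shown earlier, scoped to that NBMA address.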

Four Layers for Troubleshooting: IPsec Encryption Layer—debug crypto condition
- To enable crypto conditional debugging:
    debug crypto condition <cond-type> <cond-value>
    debug crypto {isakmp | ipsec | engine}
- To view the crypto condition debugs that have been enabled:
    show crypto debug-condition [all | peer | fvrf | ivrf | isakmp | username | connid | spi]
- To disable crypto condition debugs:
    debug crypto condition reset

Four Layers for Troubleshooting: IPsec Encryption Layer—debug dmvpn detail all
- debug dmvpn, introduced in 12.4(9)T, combines: debug tunnel protection, debug crypto socket, debug crypto isakmp, debug crypto ipsec, debug nhrp packet
    debug dmvpn {[{condition [unmatched] [peer [nbma | tunnel {ip-address}]] [vrf {vrf-name}] [interface {tunnel number}]}] [{error | detail | packet | all} {nhrp | crypto | tunnel | socket | all}]}
- One complete debug to help troubleshoot DMVPN issues

Four Layers for Troubleshooting: IPsec Encryption Layer—debug dmvpn detail all (Cont.)
- Tunnel protection configured on the tunnel interface opens a crypto socket as soon as either the router or the tunnel interface comes up
    IPSEC-IFC MGRE/Tu0: Checking tunnel status
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Opening a socket with profile dmvpn
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): connection lookup returned 0
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Triggering tunnel immediately.
    IPSEC-IFC MGRE/Tu0: tunnel coming up
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Opening a socket with profile dmvpn
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): connection lookup returned 83884274
    IPSEC-IFC MGRE/Tu0(172.16.2.11/172.17.0.1): Socket is already being opened. Ignoring.
Annotation: the tunnel interface came up, so the socket open is triggered a second time and ignored.

Four Layers for Troubleshooting: IPsec Encryption Layer—debug dmvpn detail all (Cont.)
- Shows the socket state
- The crypto socket debug shows the creation of the local and remote proxy identities
    CRYPTO_SS(TUNNEL SEC): Application started listening
    insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
    %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    CRYPTO_SS(TUNNEL SEC): Active open, socket info: local 172.16.2.11 172.16.2.11/255.255.255.255/0, remote 172.17.0.1 172.17.0.1/255.255.255.255/0, prot 47, ifc Tu0

Four Layers for Troubleshooting: IPsec Encryption Layer—debug dmvpn detail all (Cont.)
- IKE negotiation: shows the six packet exchange (MM1–MM6) in main mode
    ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    ISAKMP:(0): beginning Main Mode exchange
    ISAKMP:(0): sending packet to 172.17.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
    ISAKMP:(0):Sending an IKE IPv4 Packet.
    ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  IKE has found a matching policy:
    ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP:(0):atts are acceptable. Next payload is 0
    ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  IKE completes authentication:
    ISAKMP:(1051):Old State = IKE_I_MM4  New State = IKE_I_MM5
    ISAKMP:(1051):Old State = IKE_I_MM5  New State = IKE_I_MM6
    ISAKMP:(1051):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Four Layers for Troubleshooting: IPsec Encryption Layer—debug dmvpn detail all (Cont.)
- IKE negotiates to set up the IP Security (IPsec) SA by searching for a matching transform set
- Creation of the inbound and outbound security association database (SADB) entries
    ISAKMP:(1051):beginning Quick Mode exchange, M-ID of 1538742728
    ISAKMP:(1051):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    ISAKMP:(1051):atts are acceptable.
    INBOUND local= 172.16.2.11, remote= 172.17.0.5,
        local_proxy= 172.16.2.11/255.255.255.255/47/0 (type=1),
        remote_proxy= 172.17.0.5/255.255.255.255/47/0 (type=1),
        protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
    ISAKMP:(1051): Creating IPsec SAs
        inbound SA from 172.17.0.5 to 172.16.2.11 (f/i) 0/ 0
        (proxy 172.17.0.5 to 172.16.2.11)
        has spi 0xE563BB42 and conn_id 0
        outbound SA from 172.16.2.11 to 172.17.0.5 (f/i) 0/0
        (proxy 172.16.2.11 to 172.17.0.5)
        has spi 0xFE745CBD and conn_id 0
    ISAKMP:(1051):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
Phase 2 complete.

Four Layers for Troubleshooting: IPsec Encryption Layer
Common issues:
- Incompatible ISAKMP policy
- DMVPN hub and EzVPN server on the same router
- Incompatible IPsec transform set

Common Issues: Incompatible ISAKMP Policy
- If the configured ISAKMP policies don't match the policy proposed by the remote peer, the router tries the default policy of 65535, and if that does not match either, it fails the ISAKMP negotiation
- Default protection suite:
  - encryption algorithm: DES—Data Encryption Standard (56 bit keys)
  - hash algorithm: Secure Hash Standard
  - authentication method: Rivest-Shamir-Adleman Signature
  - Diffie-Hellman group: #1 (768 bit)
  - lifetime: 86400 seconds, no volume limit
- The "show crypto isakmp sa" command output shows the IKE SA to be in MM_NO_STATE status, indicative of a main mode negotiation failure
