CiscoForums.it

Cisco Users Group
https://www.ciscoforums.it/

Problema con tunnel GRE e VRF

https://www.ciscoforums.it/viewtopic.php?f=10&t=30202

Pagina 1 di 1

Problema con tunnel GRE e VRF

Inviato: mar 05 feb , 2013 5:36 pm
da Rizio
Ciao,
ho un tunnel GRE che da quando uno dei 2 1801 è stato migrato in vrf non va più up, qualcuno ha qualche hint da darmi?
Il problema che mi segnala uno dei due router è questo:

Codice: Seleziona tutto

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at x.x.x.x
Ho verificato i profili ipsec e sono identici!

Codice: Seleziona tutto

VPN-ROUTER-01#sh crypto ipsec profile 
IPSEC profile ITALY
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={ 
                myset:  { esp-aes esp-md5-hmac  } , 
        }

Codice: Seleziona tutto

VPN-ROUTER-02#sh crypto ipsec profile 
IPSEC profile TUNNEL-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={ 
                myset:  { esp-aes esp-md5-hmac  } , 
        }
Il debug di ipsec su uno dei 2 nodi mi dice questo:

Codice: Seleziona tutto

.Feb  5 16:26:47.190: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.X, remote= Y.Y.Y.Y,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
.Feb  5 16:26:47.190: IPSEC(key_engine): got a queue event with 1 KMI message(s)
e i due tunnel sono perfettamente identici:

Codice: Seleziona tutto

VPN-ROUTER-01#sh int tu 3
Tunnel3 is up, line protocol is down 
  Hardware is Tunnel
  Internet address is 192.168.255.1/30
  MTU 17940 bytes, BW 1024 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source Y.Y.Y.Y (Vlan201), destination X.X.X.X
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "TUNNEL-PROFILE")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Codice: Seleziona tutto

VPN-ROUTER-02#sh int tu 3
Tunnel3 is up, line protocol is down 
  Hardware is Tunnel
  Internet address is 192.168.255.2/30
  MTU 17940 bytes, BW 1024 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source X.X.X.X, destination Y.Y.Y.Y
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ITALY")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Le preshared key sono corrette e le policy isakmp sono uguali tra loro

Codice: Seleziona tutto

VPN-ROUTER-01#sh crypto isakmp policy 
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Qualcuno ha qualche idea da suggerirmi?
Grazie in anticipo.
Rizio

Re: Problema con tunnel GRE e VRF

Inviato: lun 11 feb , 2013 11:50 am
da Rizio
La risposta era nelle crypto map. Qui il link per la soluzione:
http://www.cisco.com/en/US/docs/ios/sec ... ipsec.html


Rizio
Tutti gli orari sono UTC+01:00
Pagina 1 di 1

Creato da phpBB® Forum Software © phpBB Limited

Traduzione Italiana phpBB-Store.it