noother10
New Member
April 10, 2018
Question

ADVPN - Only one tunnel works


I'm building a proof of concept to get more understanding around ADVPN and BGP before a future project. I have 3x 100E each with its own internet connection.

I've looked at numerous cookbooks, guides and topics on it. I've managed to configure and build a 1x Hub and 2x Spoke setup. Both Spokes connect via IPSEC tunnel, but only the first connected Spoke can actually do anything, like ping the Hub interface and use BGP. The second Spoke, while connected, cannot actually get anywhere or do anything.

Each phase2 on the Spokes is wildcarded (0.0.0.0/0.0.0.0). When I try to ping the hub tunnel interface from the non-functioning spoke interface, it enters the tunnel, I can see it come up in flow trace on the hub but it doesn't seem to get back to the spoke.

id=20085 trace_id=1 func=init_ip_session_common line=5451 msg="allocate a new session-00000340"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2576 msg="find a route: flag=80000000 gw-10.0.10.1 via root"
id=20085 trace_id=2 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=1."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
id=20085 trace_id=3 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=2."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
id=20085 trace_id=4 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=3."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
id=20085 trace_id=5 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=4."
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"

Could anyone please provide a fix or a way to further troubleshoot?

    2 replies

    thanhletrung85
    New Member
    April 15, 2018

    Did you resolve your problem? I got exactly your issue. Please help me to solve it.

    ede_pfau
    SuperUser
    April 15, 2018

    While debugging, I would focus on policies and the routing protocol. Make sure that BGP is working (debug, cut links to provoke route changes etc.).

    By using ADVPN you avoid tunnelling spoke-to-spoke traffic through the hub - is that what you need, and what you test? If this point is not so important for your use case you could focus on hub-and-spoke, supernetting all spoke networks etc., and would avoid having to debug the routing protocol.

    Of course, it all depends on the scale.

    noother10 (Author)
    New Member
    April 15, 2018

    The fix was to enable net-device on phase1 interface of the hub. Apparently we could also use tunnel-search nexthop, though I've not tested it, but it's supposed to direct traffic based on the next hop from routing protocols such as BGP. It can be set to selectors if you're not using wildcard (0.0.0.0/0.0.0.0) selectors.

    btp
    New Member
    May 28, 2018

    (Please mark the post as Answered if you feel it does so.)

    In this case I can ping the IPSEC interface of the spokes from the hub. But the routes are not installed at the hub.

    config vpn ipsec phase1-interface
        edit "PRIMARY"
            set type dynamic
            set interface "uplink1_lab"
            set peertype any
            set proposal aes256-sha256
            set add-route disable
            set dhgrp 5
            set auto-discovery-sender enable
            set net-device enable <<---
            set psksecret ENC ****
        next
    end

    HUB (VPN) # get router info bgp neighbors 10.254.0.2 received-routes
    BGP table version is 6, local router ID is 172.16.3.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

    Network Next Hop Metric LocPrf Weight Path
    *> 10.41.1.0/24 10.254.0.2 0 65501 ?
    *> 10.42.1.0/24 10.254.0.2 0 65501 ?
    (...)

    HUB (VPN) # get router info routing-table det 10.41.1.0/24
    % Network not in table

    The prefixes are not installed in the RIB:

    HUB (VPN) # get router info kernel | grep 10.41.1

    HUB (VPN) #

    In this case, however, everything works fine. I can ping both IPSEC interfaces of the spokes from the hub, and I can ping through the tunnel.

    config vpn ipsec phase1-interface
        edit "PRIMARY"
            set type dynamic
            set interface "uplink1_lab"
            set peertype any
            set proposal aes256-sha256
            set add-route disable
            set dhgrp 5
            set auto-discovery-sender enable
            set tunnel-search nexthop <<---
            set psksecret ENC ****
        next
    end

    HUB (VPN) # get router info rout all

    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    B 10.41.1.0/24 [20/0] via 10.254.1.2, SECONDARY, 00:05:14
                         [20/0] via 10.254.0.2, PRIMARY, 00:05:14
    B 10.41.3.0/24 [20/0] via 10.254.0.3, PRIMARY, 00:03:52
                         [20/0] via 10.254.1.3, SECONDARY, 00:03:52
    C 10.60.0.0/24 is directly connected, CENTRAL-SERVER
    C 10.254.0.0/24 is directly connected, PRIMARY
                          is directly connected, PRIMARY
    C 10.254.1.0/24 is directly connected, SECONDARY
                          is directly connected, SECONDARY
           
    HUB (VPN) # get router info kernel | grep 10.41.1
    tab=254 vf=2 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.41.1.0/24 pref=0.0.0.0

    I am then able to ping from one spoke to the other, through the hub (I have asymroute enabled):

    id=20085 trace_id=55 func=print_pkt_detail line=5311 msg="vd-VPN received a packet(proto=1, 10.41.1.1:5888->10.41.3.1:2048) from SECONDARY. type=8, code=0, id=5888, seq=0."
    id=20085 trace_id=55 func=init_ip_session_common line=5470 msg="allocate a new session-00000742"
    id=20085 trace_id=55 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.254.0.3 via PRIMARY"
    id=20085 trace_id=55 func=fw_forward_handler line=743 msg="Allowed by Policy-3:"
    id=20085 trace_id=55 func=ipsecdev_hard_start_xmit line=635 msg="enter IPsec interface-PRIMARY"
    id=20085 trace_id=55 func=esp_output4 line=892 msg="IPsec encrypt/auth"
    id=20085 trace_id=55 func=ipsec_output_finish line=527 msg="send to 172.16.54.1 via intf-uplink1_lab"
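A small parser for the hub-side flow traces quoted in this thread (the original poster's stuck trace and btp's working one), added here as an illustration and not part of any post: it groups records by trace_id and reports whether the hub delivered the packet to itself, forwarded it out a tunnel, or only matched an existing session. The sample lines are trimmed copies of the traces above; the function and constant names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: two hub-side "diagnose debug flow" traces quoted in this thread,
# trimmed. First: the original poster's stuck spoke; second: btp's working forward.
STUCK_TRACE = """\
id=20085 trace_id=1 func=init_ip_session_common line=5451 msg="allocate a new session-00000340"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2576 msg="find a route: flag=80000000 gw-10.0.10.1 via root"
id=20085 trace_id=2 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=1."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
"""
WORKING_TRACE = """\
id=20085 trace_id=55 func=print_pkt_detail line=5311 msg="vd-VPN received a packet(proto=1, 10.41.1.1:5888->10.41.3.1:2048) from SECONDARY. type=8, code=0, id=5888, seq=0."
id=20085 trace_id=55 func=vf_ip_route_input_common line=2576 msg="find a route: flag=00000000 gw-10.254.0.3 via PRIMARY"
id=20085 trace_id=55 func=fw_forward_handler line=743 msg="Allowed by Policy-3:"
id=20085 trace_id=55 func=ipsec_output_finish line=527 msg="send to 172.16.54.1 via intf-uplink1_lab"
"""
LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
SESSION_RE = re.compile(r"session(?:-|, id-)(\w+)")

def parse_trace(text):
    """Group trace records by trace_id into ordered (func, msg) steps."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[m.group(1)].append((m.group(2), m.group(3)))
    return traces

def summarize(text):
    """Say, per trace_id, how far the packet got on the hub."""
    out = {}
    for tid, steps in parse_trace(text).items():
        funcs = [f for f, _ in steps]
        route = next((m for f, m in steps if f == "vf_ip_route_input_common"), None)
        if route is not None:
            via = route.rsplit(" via ", 1)[-1]
            if via == "root":
                # "via root": the packet is for the unit itself; any reply is its own session
                out[tid] = "delivered locally"
            elif "ipsec_output_finish" in funcs:
                out[tid] = f"forwarded via {via}"
            else:
                out[tid] = f"routed via {via} but no transmit step"
        elif "resolve_ip_tuple_fast" in funcs:
            sid = next(SESSION_RE.search(m) for f, m in steps if f == "resolve_ip_tuple_fast")
            out[tid] = f"matched existing session {sid.group(1) if sid else '?'}"
        else:
            out[tid] = "no route lookup seen"
    return out
```

Running summarize() over a full trace makes it easy to spot the pattern from the first post: every echo from the stuck spoke terminates on the hub, and no trace ever shows a reply leaving through a tunnel interface.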