ADVPN - Only one tunnel works

Author
noother10
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/04/10 15:15:37
  • Status: offline
2018/04/10 15:39:50 (permalink)
0

ADVPN - Only one tunnel works

I'm building a proof of concept to get more understanding around ADVPN and BGP before a future project. I have 3x 100E, each with its own internet connection.
 
I've looked at numerous cookbooks, guides and topics on it. I've managed to configure and build a 1x Hub and 2x Spoke setup. Both Spokes connect via IPsec tunnel, but only the first connected Spoke can actually do anything, like ping the Hub interface and use BGP. The second Spoke, while connected, cannot actually get anywhere or do anything.
 
Each phase2 on the Spokes is wildcarded (0.0.0.0/0.0.0.0). When I try to ping the hub tunnel interface from the non-functioning spoke, the ping enters the tunnel and I can see it arrive in the flow trace on the hub, but it doesn't seem to get back to the spoke.
id=20085 trace_id=1 func=init_ip_session_common line=5451 msg="allocate a new session-00000340"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2576 msg="find a route: flag=80000000 gw-10.0.10.1 via root"
id=20085 trace_id=2 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=1."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
id=20085 trace_id=3 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=2."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
id=20085 trace_id=4 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=3."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
id=20085 trace_id=5 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=1, 10.0.10.2:512->10.0.10.1:2048) from Spoke. type=8, code=0, id=512, seq=4."
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5367 msg="Find an existing session, id-00000340, original direction"
 
Could anyone please provide a fix or a way to further troubleshoot? 
#1

5 Replies

    thanhletrung85
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/16 00:05:26
    • Status: offline
    Re: ADVPN - Only one tunnel works 2018/04/14 20:46:26 (permalink)
    0
    Did you resolve your problem? I have exactly the same issue. Please help me to solve it.
    #2
    ede_pfau
    Expert Member
    • Total Posts : 5519
    • Scores: 364
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: ADVPN - Only one tunnel works 2018/04/15 04:35:04 (permalink)
    0
    While debugging, I would focus on policies and the routing protocol. Make sure that BGP is working (debug, cut links to provoke route changes, etc.).
    By using ADVPN you avoid tunnelling spoke-to-spoke traffic through the hub - is that what you need, and what you are testing? If this point is not so important for your use case you could focus on hub-and-spoke, supernetting all spoke networks, etc., and would avoid having to debug the routing protocol.
    Of course, it all depends on the scale.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
    noother10
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/04/10 15:15:37
    • Status: offline
    Re: ADVPN - Only one tunnel works 2018/04/15 14:21:04 (permalink)
    0
    The fix was to enable net-device on the phase1 interface of the hub. Apparently we could also use tunnel-search nexthop, though I've not tested it; it's supposed to direct traffic based on the next hop from routing protocols such as BGP. It can be set to selectors if you're not using wildcard (0.0.0.0/0.0.0.0) selectors.
    #4
    thanhletrung85
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/16 00:05:26
    • Status: offline
    Re: ADVPN - Only one tunnel works 2018/04/15 21:02:13 (permalink)
    0
     
    My diagram is attached.
    Hub config:
    FG1 # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "ADVPN"
            set type dynamic
            set interface "port1"
            set peertype any
            set proposal des-sha1
            set add-route disable
            set auto-discovery-sender enable
            set psksecret ENC QMvrwngyaW0WAtYN78oW3bjb2fT9yNON05BJA1JdoY2gp4vwj8mRr8xKc0rkQR6nHMGZlHyCJmnhEnooal+WTgp8eMs1aCUr1bgtZm0MQV45gUCezkbP5+9hCXW9i3KrQeCcCNrj9X3vdDsMT+Igm8kszN818rFEpKCG5kaLhEJnfPSjmeyjotQEaKMySMPlN2zbsw==
        next
    end

    FG1 # show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
        edit "ADVPN-P2"
            set phase1name "ADVPN"
            set proposal des-sha1
        next
    end

    FG1 # show system interface ADVPN
    config system interface
        edit "ADVPN"
            set vdom "root"
            set ip 192.168.168.1 255.255.255.255
            set allowaccess ping
            set type tunnel
            set remote-ip 192.168.168.254 255.255.255.0
            set snmp-index 12
            set interface "port1"
        next
    end

    FG1 # show firewall policy
    config firewall policy
        edit 1
            set name "To Spoke"
            set uuid 395b68bc-401c-51e8-c909-fdd0933c73b3
            set srcintf "port2"
            set dstintf "ADVPN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "From spoke"
            set uuid 2230163e-4156-51e8-c559-3c4833ac015f
            set srcintf "ADVPN"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set name "Spoke to spoke"
            set uuid 3da4b3f2-4156-51e8-1f4d-9386759e92a0
            set srcintf "ADVPN"
            set dstintf "ADVPN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
    FG1 # show router bgp
    config router bgp
        set as 65000
        set router-id 192.168.168.1
        config neighbor-group
            edit "ADVPN-PEERS"
                set next-hop-self enable
                set remote-as 65000
                set route-reflector-client enable
            next
            edit "advpn_peers"
                set remote-as 65000
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 192.168.168.0 255.255.255.0
                set neighbor-group "advpn_peers"
            next
        end
        config network
            edit 1
                set prefix 172.16.1.0 255.255.255.0
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end
    end

    Spoke config (FG2):
    FG2 # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "ADVPN"
            set interface "port1"
            set peertype any
            set proposal des-sha1
            set add-route disable
            set auto-discovery-receiver enable
            set remote-gw 10.0.0.2
            set psksecret ENC FNK4++NEvtWwUFjS/Bhp+Ydq2ksWTr3mLyymWI3TAAtZ5Z7G/Q2Hgd8FfagXVXGwt6xX8mYeeKEjfifObuO82VxahVst0fTkQY1oqNL6WFSmmDwpYnmAqxMIh25/yDXabmkXzP+H1e9TVditfyeYwFPt26lHpUmVmgn7KT9pVvhGXgmsskOQd91AvlGQ/2QzKpe14Q==
        next
    end

    FG2 # show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
        edit "ADVPN-P2"
            set phase1name "ADVPN"
            set proposal des-sha1
        next
    end

    FG2 # show system interface ADVPN
    config system interface
        edit "ADVPN"
            set vdom "root"
            set ip 192.168.168.2 255.255.255.255
            set allowaccess ping
            set type tunnel
            set remote-ip 192.168.168.1 255.255.255.255
            set snmp-index 12
            set interface "port1"
        next
    end

    FG2 # show firewall policy
    config firewall policy
        edit 1
            set name "To Hub"
            set uuid 60ecb426-401c-51e8-24aa-89ea90a985e5
            set srcintf "port2"
            set dstintf "ADVPN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "From Hub"
            set uuid 75551718-4158-51e8-57e5-aff965cea992
            set srcintf "ADVPN"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

    FG2 # show router bgp
    config router bgp
        set as 65000
        set router-id 192.168.168.2
        config neighbor
            edit "192.168.168.1"
                set next-hop-self enable
                set soft-reconfiguration enable
                set remote-as 65000
            next
        end
        config network
            edit 1
                set prefix 172.16.2.0 255.255.255.0
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end
    end


    Spoke config (FG3):
    FG3 # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "ADVPN"
            set interface "port1"
            set peertype any
            set proposal des-sha1
            set add-route disable
            set auto-discovery-receiver enable
            set remote-gw 10.0.0.2
            set psksecret ENC YRsUl0Trdul0DnymG1mJQ+EwVUIIE4TQ2/XDTjEhpCs3vVghrom0DkrZQB2oJymrH9XgwrIvGTZxwD9lW4z9xgd5lEAHLF8zP3+DfL3MhWjyNURwaEKvIIuTUNFHU3BgnCRIbDfLNV3T3o/2qlijss7XyIDpdogx8pca74aX+ZGt+OVF8h5tFEG1zCx7cAX+3fwl2w==
        next
    end

    FG3 # show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
        edit "ADVPN-P2"
            set phase1name "ADVPN"
            set proposal des-sha1
        next
    end

    FG3 # show system interface ADVPN
    config system interface
        edit "ADVPN"
            set vdom "root"
            set ip 192.168.168.3 255.255.255.255
            set allowaccess ping
            set type tunnel
            set remote-ip 192.168.168.1 255.255.255.255
            set snmp-index 12
            set interface "port1"
        next
    end

    FG3 # show firewall policy
    config firewall policy
        edit 1
            set name "To Hub"
            set uuid fb380bec-401d-51e8-f59e-63e73c3ab1b0
            set srcintf "port2"
            set dstintf "ADVPN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "From Hub"
            set uuid 86b97ca8-415b-51e8-aea9-a5d88890a600
            set srcintf "ADVPN"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

    FG3 # show router bgp
    config router bgp
        set as 65000
        set router-id 192.168.168.3
        config neighbor
            edit "192.168.168.1"
                set remote-as 65000
            next
        end
        config network
            edit 1
                set prefix 172.16.3.0 255.255.255.0
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute6 "connected"
        end
        config redistribute6 "rip"
        end
        config redistribute6 "ospf"
        end
        config redistribute6 "static"
        end
        config redistribute6 "isis"
        end
    end

    All tunnels are up, but the hub can only receive BGP from the first connected spoke.
    Please help me :)
    post edited by thanhletrung85 - 2018/04/15 21:06:50

    Attached Image(s)

    #5
    noother10
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/04/10 15:15:37
    • Status: offline
    Re: ADVPN - Only one tunnel works 2018/04/15 23:08:48 (permalink)
    0
    Test to see if you can ping between the tunnel interfaces (192.168.168.x). My issue was that, while both tunnels connected, only the first connected tunnel could actually communicate; the other tunnel wouldn't allow anything.
     
    The fix was to:
    config vpn ipsec phase1-interface
        edit Hub
            set net-device enable
        end
    #6
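A way to turn the fix reported in posts #4 and #6 into a repeatable check, as an added example that is not code from this thread or from Fortinet: a small Python audit that parses FortiOS `show` output and flags a dynamic, auto-discovery-sender phase1 that has neither `net-device enable` nor `tunnel-search nexthop` (the untested alternative mentioned in post #4). Assumptions: a setting missing from `show` output is at its default, and the default for net-device on this firmware is disable (consistent with the thread, where enabling it was the fix). The single-DES/MD5 proposal flag and the two BGP checks (a neighbor-group that no neighbor-range references, and an iBGP peer group on the hub without route-reflector-client) are the editor's additions, not something the thread discusses. HUB_AS_POSTED is the hub config posted above, trimmed and with secrets removed; HUB_FIXED, including the aes256-sha256 proposal, is a hypothetical corrected variant.

```python
"""Audit a FortiGate ADVPN hub config for this thread's 'only the first spoke works' misconfiguration."""
import re
import shlex


def parse_fortios(text):
    """Parse FortiOS 'show' output into nested {'set': {...}, 'children': {...}} nodes."""
    root = {"set": {}, "children": {}}
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())  # shlex strips the quotes around names
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw in ("config", "edit"):  # both open a nested block
            node = stack[-1]["children"].setdefault(" ".join(args), {"set": {}, "children": {}})
            stack.append(node)
        elif kw == "set":  # multi-token values (address + mask) are kept as a list
            stack[-1]["set"][args[0]] = args[1:]
        elif kw in ("next", "end"):  # both close the current block
            stack.pop()
    return root


def _table(node, *path):
    """Entries under a nested 'config' path, or {} if the path is absent."""
    for part in path:
        node = node["children"].get(part, {"children": {}})
    return node["children"]


def _weak_proposal(proposal):
    """Single DES or MD5 anywhere in a proposal list (editor's check, not from the thread)."""
    return any(p.partition("-")[0] == "des" or p.partition("-")[2] == "md5" for p in proposal)


def audit(text):
    """Return a list of findings; an empty list means the hub config passes every check."""
    cfg, findings = parse_fortios(text), []
    for name, e in _table(cfg, "vpn ipsec phase1-interface").items():
        s = e["set"]
        if s.get("type") == ["dynamic"] and s.get("auto-discovery-sender") == ["enable"]:
            # Assumption: a setting absent from 'show' is at its default, and net-device defaults to disable here.
            net_device = s.get("net-device", ["disable"])[0]
            tunnel_search = s.get("tunnel-search", ["selectors"])[0]  # 'nexthop' is post #4's untested alternative
            if net_device != "enable" and tunnel_search != "nexthop":
                findings.append(f"phase1 '{name}': dynamic ADVPN hub without 'net-device enable' or "
                                "'tunnel-search nexthop'; only the first connected spoke will pass traffic")
        if _weak_proposal(s.get("proposal", [])):
            findings.append(f"phase1 '{name}': weak proposal {' '.join(s['proposal'])}")
    bgp = cfg["children"].get("router bgp")
    if bgp:
        local_as = bgp["set"].get("as", [None])[0]
        used = {r["set"].get("neighbor-group", [""])[0] for r in _table(bgp, "neighbor-range").values()}
        for g, e in sorted(_table(bgp, "neighbor-group").items()):
            if g not in used:
                findings.append(f"bgp: neighbor-group '{g}' is not referenced by any neighbor-range")
            elif e["set"].get("remote-as", [None])[0] == local_as and e["set"].get("route-reflector-client") != ["enable"]:
                # iBGP peers do not re-advertise iBGP-learned routes, so a hub must reflect them to the other spokes
                findings.append(f"bgp: iBGP group '{g}' lacks route-reflector-client")
    return findings


# Constructed sample: the hub config posted above, trimmed, with PSK, UUID and interface lines removed.
HUB_AS_POSTED = """
config vpn ipsec phase1-interface
    edit "ADVPN"
        set type dynamic
        set proposal des-sha1
        set auto-discovery-sender enable
    next
end
config router bgp
    set as 65000
    config neighbor-group
        edit "ADVPN-PEERS"
            set remote-as 65000
            set route-reflector-client enable
        next
        edit "advpn_peers"
            set remote-as 65000
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 192.168.168.0 255.255.255.0
            set neighbor-group "advpn_peers"
        next
    end
end
"""

# Hypothetical corrected hub: the thread's fix applied, a modern proposal, and the unused group dropped.
HUB_FIXED = re.sub(r'\n\s*edit "ADVPN-PEERS".*?\n\s*next', "", HUB_AS_POSTED, flags=re.S)
HUB_FIXED = HUB_FIXED.replace("des-sha1", "aes256-sha256").replace(
    "set auto-discovery-sender enable", "set auto-discovery-sender enable\n        set net-device enable")
```

Paste the output of `show vpn ipsec phase1-interface` and `show router bgp` from the hub into one string and call `audit()` on it. On the hub config as posted it returns three findings (the missing net-device, the des-sha1 proposal, and the unreferenced ADVPN-PEERS group); on the corrected variant it returns an empty list. The parser also accepts the spoke configs, though on a spoke only the proposal check has anything to say.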
    © 2018 APG vNext Commercial Version 5.5