MPLS BGP route push to DMVPN spokes

I have an MPLS network running BGP. I also have sites that are not connected directly to the MPLS and need a site-to-site VPN to hub sites that are connected to the MPLS; that is how they reach the MPLS resources. I need the route changes to be communicated to the MPLS when the DMVPN fails over to the other hub.

Currently, this is my config:

Datacenter (MPLS only)

 interface GigabitEthernet0/1
  description MPLS
  ip address 192.168.0.34 255.255.255.252
 interface Vlan2
  ip address 192.168.96.2 255.255.255.0
 router bgp 65511
  bgp log-neighbor-changes
  network 192.168.96.0
  neighbor 192.168.0.33 remote-as 65510

Hub site 1 (MPLS + internet)

 interface Tunnel200
  ip address 10.99.99.1 255.255.255.0
  no ip redirects
  ip mtu 1400
  ip nhrp authentication auth
  ip nhrp map multicast dynamic
  ip nhrp network-id 12345
  ip nhrp holdtime 600
  tunnel source GigabitEthernet0/0
  tunnel mode gre multipoint
  tunnel key 200
  tunnel protection ipsec profile dmvpn
 interface GigabitEthernet0/1
  description MPLS
  ip address 192.168.1.2 255.255.255.0 secondary
  ip address 192.168.0.2 255.255.255.252
 router bgp 65001
  bgp log-neighbor-changes
  network 192.168.1.0
  network 192.168.21.0
  ! 10.99 clients are DMVPN spokes
  neighbor 10.99.99.3 remote-as 99010
  neighbor 10.99.99.3 route-reflector-client
  neighbor 10.99.99.21 remote-as 99001
  neighbor 10.99.99.21 route-reflector-client
  ! AS 65000 is the MPLS PE
  neighbor 192.168.0.1 remote-as 65000

Hub site 2 has the same configuration, except for the local IP addresses and the BGP router ID.

Spoke site:

 interface Tunnel200
  ip address 10.99.99.3 255.255.255.0
  no ip redirects
  ip mtu 1400
  ip nhrp authentication auth
  ip nhrp map 10.99.99.1 PUBLIC_IP_HUB_1
  ip nhrp map 10.99.99.16 PUBLIC_IP_HUB_2
  ip nhrp network-id 12345
  ip nhrp holdtime 600
  ip nhrp nhs 10.99.99.1 priority 1
  ip nhrp nhs 10.99.99.16 priority 5
  ip nhrp nhs fallback 60
  tunnel source GigabitEthernet0/0
  tunnel mode gre multipoint
  tunnel key 200
  tunnel protection ipsec profile dmvpn
 interface GigabitEthernet0/1
  description Internal
  ip address 192.168.3.1 255.255.255.192
 router bgp 99010
  bgp log-neighbor-changes
  network 192.168.3.0
  neighbor 10.99.99.1 remote-as 65001
  neighbor 10.99.99.16 remote-as 65013

This spoke shows

 #sh ip route
 B    192.168.1.0/24 [20/0] via 10.99.99.1, 00:47:01

which is the hubs' network, but the rest of the MPLS routes are not learned.

What am I missing?

Thank you!

192.168.21.0 is another spoke, sorry for not mentioning that. It has the same configuration as the 192.168.3.0 spoke. So when I do a trace to the domain controller it takes the first hub and not the backup.

The difference is that your hubs are advertising the subnet 192.168.21.0/24, i.e. you have configured it as a network statement under your BGP configuration on the hubs and not on the spoke where this subnet actually lives, which brings me to my next point.

The hub switches to the backup when I manually shut the internet interface, but not the entire router. Could this be a problem?

Yes, because the hub 1 site still has its MPLS connection, so 192.168.21.0/24 is still being advertised towards the domain controller.

If this subnet were advertised by the spoke it belongs to and not by the hubs, then it would be advertised only by hub site 2, because hub site 1 would no longer receive it from the spoke.

So why are you advertising a spoke's route on the hubs instead of receiving it from the spoke and passing it on to the MPLS network?

Edit - for this subnet to be advertised you must have a route for it in the IP routing table. How are you getting this route into the routing table? With a static route? If yes, what is the exact route you entered?

Jon
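Jon's point can be checked in a small model: a prefix the hub originates itself (a `network` statement kept alive by a static route in the RIB) stays advertised into the MPLS while that hub's DMVPN to the spoke is down, whereas a prefix learned from the spoke over eBGP is withdrawn with the session. The following Python is an added example, not code from the thread or from Cisco. It models plain eBGP propagation (own ASN prepended on advertisement, paths containing the receiver's own ASN rejected, shortest AS path preferred) with the thread's AS numbers and prefixes; the single provider AS 65000, hub 2's LAN 192.168.13.0/24 and AS 99001 for the 192.168.21.0/24 spoke are assumptions of the example.

```python
"""Does the datacenter still route 192.168.21.0/24 via hub 1 after hub 1 loses
its DMVPN session to that spoke?  Two designs compared in a tiny eBGP model."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Path:
    as_path: tuple     # ASNs traversed, nearest neighbour first; () = locally originated
    learned_from: str  # neighbour name, or "local"


@dataclass
class Router:
    name: str
    asn: int
    rib: set = field(default_factory=set)                  # prefixes in the IP routing table
    network_statements: set = field(default_factory=set)   # 'network' lines under 'router bgp'
    adj_rib_in: dict = field(default_factory=dict)         # prefix -> {neighbour: Path}

    def best_paths(self):
        """BGP best path per prefix.  A 'network' statement only originates the prefix
        if the RIB actually holds a route for it (Jon's edit); otherwise the shortest
        AS path wins, with the neighbour name as a deterministic tie-break."""
        candidates = {p: [Path((), "local")] for p in self.network_statements if p in self.rib}
        for prefix, paths in self.adj_rib_in.items():
            candidates.setdefault(prefix, []).extend(paths.values())
        return {p: min(c, key=lambda x: (len(x.as_path), x.learned_from))
                for p, c in candidates.items()}


class Topology:
    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.sessions = {}  # frozenset({a, b}) -> True while the eBGP session is up

    def add_session(self, a, b, up=True):
        self.sessions[frozenset((a, b))] = up

    def neighbours(self, name):
        return sorted(next(iter(s - {name})) for s, up in self.sessions.items()
                      if up and name in s)

    def converge(self, max_rounds=50):
        """Synchronous rounds: every router re-advertises its best paths to all
        eBGP neighbours, prepending its own ASN; a receiver drops any path that
        already contains its own ASN (standard eBGP loop prevention)."""
        for _ in range(max_rounds):
            snapshot = {n: r.best_paths() for n, r in self.routers.items()}
            changed = False
            for r in self.routers.values():
                new_in = {}
                for nb in self.neighbours(r.name):
                    for prefix, path in snapshot[nb].items():
                        as_path = (self.routers[nb].asn,) + path.as_path
                        if r.asn in as_path:
                            continue
                        new_in.setdefault(prefix, {})[nb] = Path(as_path, nb)
                if new_in != r.adj_rib_in:
                    r.adj_rib_in, changed = new_in, True
            if not changed:
                return True
        return False


SPOKE_PREFIX = "192.168.21.0/24"


def build(hub1_originates_spoke_prefix):
    """ASNs and prefixes follow the thread; provider AS 65000 as a single PE and
    hub 2's LAN 192.168.13.0/24 are simplifying assumptions of this example."""
    dc = Router("dc", 65511, {"192.168.96.0/24"}, {"192.168.96.0/24"})
    pe = Router("pe", 65000)
    hub1 = Router("hub1", 65001, {"192.168.1.0/24"}, {"192.168.1.0/24"})
    hub2 = Router("hub2", 65013, {"192.168.13.0/24"}, {"192.168.13.0/24"})
    spoke = Router("spoke21", 99001, {SPOKE_PREFIX}, {SPOKE_PREFIX})
    if hub1_originates_spoke_prefix:
        # The design Jon objects to: a static route towards the tunnel keeps the
        # prefix in hub 1's RIB, so the 'network' statement keeps originating it.
        hub1.rib.add(SPOKE_PREFIX)
        hub1.network_statements.add(SPOKE_PREFIX)
    topo = Topology([dc, pe, hub1, hub2, spoke])
    for a, b in [("dc", "pe"), ("pe", "hub1"), ("pe", "hub2"),
                 ("hub1", "spoke21"), ("hub2", "spoke21")]:
        topo.add_session(a, b)
    return topo


def dc_as_path(topo, prefix=SPOKE_PREFIX):
    """AS path the datacenter uses for the spoke prefix after convergence."""
    assert topo.converge(), "model did not converge"
    best = topo.routers["dc"].best_paths().get(prefix)
    return best.as_path if best else None


if __name__ == "__main__":
    for originate in (False, True):
        topo = build(originate)
        before = dc_as_path(topo)
        topo.add_session("hub1", "spoke21", up=False)  # DMVPN to hub 1 fails
        print(f"hub1 originates spoke prefix={originate}: "
              f"before={before} after={dc_as_path(topo)}")
```

With the spoke originating its own prefix the datacenter's path moves from 65000 65001 99001 to 65000 65013 99001 when the hub 1 tunnel drops; with the hub originating it, the path stays 65000 65001 and traffic is black-holed at hub 1, which is the behaviour the OP observed.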

Tags: Cisco Network

Similar Questions

  • BGP routing problem

    Hi guys,

    I have a problem setting up routing to let my 2.0/24 out to the external BGP cloud via the 116.1 router. I have attached the existing structure.

    How can I get 172.16.2.0/24 to show up in my BGP table?

    1. Do I have to make my 172.16.2.0/24 able to ping the 172.16.116.2 router?

    2. Or, on 172.16.116.2, add the 172.16.2.0/24 network?

    Thank you

    The BGP router must have some sort of connection to the IGP domain.

    Currently the BGP router does not even know where 172.16.2.0/24 is.

    You can run an IGP between your BGP router and the rest of the network and advertise the route, or you can put a static route on the BGP router.

    Once the BGP router knows the route, it will show up in the BGP table and the router will start advertising it as well.

  • IP local policy - DMVPN head-end router

    Hey guys,

    On my DMVPN head-end router (3845 running 15.1-4.M2), I learn a default route from the inner core that I want to advertise to the remote spokes via EIGRP (internet access is through the tunnel and through the head-end firewall). To avoid having a static route for each remote public IP address pointing to the internet router, I tried to use a local policy to set the next hop for all router-to-router VPN traffic to the internet router. However, when I delete the static route to the remote, I lose the remote peer and it seems that the local policy is not engaged. Any help would be appreciated...

    interface Loopback0
     ip address 10.103.255.1 255.255.255.255
    !
    interface Tunnel10
     bandwidth 10000
     ip address 10.103.254.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 1
     ip nhrp authentication xxx
     ip nhrp map multicast dynamic
     ip nhrp network-id 100
     ip nhrp holdtime 600
     ip nhrp redirect
     ip tcp adjust-mss 1360
     no ip split-horizon eigrp 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 1234
     tunnel protection ipsec profile DMVPN-PROFILE
    !
    interface GigabitEthernet0/0
     description Routed link to core
     ip address 10.100.160.105 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    !
    interface GigabitEthernet0/1
     description Link to outside segment
     ip address 1.1.1.4 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    !
    router eigrp 1
     network 10.100.160.104 0.0.0.3
     network 10.103.254.0 0.0.0.255
     network 10.103.255.1 0.0.0.0
     passive-interface default
     no passive-interface Tunnel10
     no passive-interface GigabitEthernet0/0
     eigrp router-id 10.103.255.1
    !
    ip access-list extended vpn-traffic
     permit esp any any
     permit udp any any eq isakmp
     permit udp any any eq non500-isakmp
    route-map vpn-default permit 10
     description Default route to the Internet for encrypted traffic
     match ip address vpn-traffic
     set ip next-hop 1.1.1.2
    !
    ip local policy route-map vpn-default

    Dave,

    I think the responsible thing to do here is to separate the tunnel termination from the tunneled traffic using VRFs (VRF-lite).

    You can put gig0/1 in a VRF and leave everything else in the global table (don't forget to add "tunnel vrf ..." on the tunnel interface).

    Result - separation of overlay and transport - you can have two default routes, one for connectivity to the spokes and one for the traffic going through the tunnel.

    Marcin

  • Complex BGP routing situation

    I have a site where I placed a pair of routers with switches behind them linked together, and it is my head-end. One of the routers has a T1, and both have LTE modems for backup. I want all the routes to be advertised over the T1 as primary, but if it fails each router must advertise its own routes over LTE and act as backup for the other router's routes. So what I have to advertise is something like this:

    R1

    T1 neighbor

    All the normal routes

    LTE neighbor

    R1 routes, prepended once

    R2 routes, prepended twice

    R2

    LTE neighbor

    R2 routes, prepended once

    R1 routes, prepended twice

    So, how would I write the config to handle this? And what should the BGP network statements on each router look like for this to be advertised correctly? Is it even possible?

    Having all of R2's routes go out over LTE all the time is not desirable, because latency is a problem with the cameras on site. Eventually R2 will get a T1 and the link between the networks will be removed, but that will probably take months.

    Adding to my previous comment. This is only an example based on what I see in your post.

    R1

    ip prefix-list R1-ip seq 5 permit 217.217.1.0/24
    ip prefix-list R2-ip seq 5 permit 218.218.1.0/24

    route-map my-ip-to-LTE permit 10
     match ip address prefix-list R1-ip
     set as-path prepend 500

    route-map my-ip-to-LTE permit 20
     match ip address prefix-list R2-ip
     set as-path prepend 500 500

    neighbor 200.200.200.1 route-map my-ip-to-LTE out

    route-map my-ip-to-T1 permit 10
     match ip address prefix-list R1-ip
     match ip address prefix-list R2-ip

    neighbor 100.100.100.1 route-map my-ip-to-T1 out

    on R2

    ip prefix-list R1-ip seq 5 permit 217.217.1.0/24
    ip prefix-list R2-ip seq 5 permit 218.218.1.0/24

    route-map my-ip-to-LTE permit 10
     match ip address prefix-list R2-ip
     set as-path prepend 500

    route-map my-ip-to-LTE permit 20
     match ip address prefix-list R1-ip
     set as-path prepend 500 500

    neighbor XXX1 route-map my-ip-to-LTE out

    Hope it helps,

    Masoud

  • Two DMVPN spokes behind an ASA doing hide NAT for Internet

    Does this scenario require any particular configuration on the ASA? So far the setup does not work; we face the following problem:

    The DMVPN hub shows an "invalid SPI" error, because the two spokes arrive at the DMVPN hub with the same source IP address (ASA hide NAT).

    THX

    Holger

    Using one IP address for both spokes? This is not going to work.

  • Wireless router + internet = Blu-ray player?

    Is it possible?
    I want to use the existing Belkin G router as a wireless bridge/access point and get a new N router for the internet.
    Is it possible to configure the G router as a wireless AP/bridge and connect it with an ethernet cable to the BDV-E370?

    I am answering my own question.
    It is possible.
    I loaded the dd-wrt firmware on both routers and configured the router that is connected to the Sony player as a client bridge or repeater (acts as a signal extender at half the speed + WAP).
    YouTube has a very good video on dd-wrt repeater bridge setup.
    http://www.YouTube.com/watch?v=UD-Hq3kgvk4
    I had a Belkin F5D7231-4 router, but I've upgraded to an N router, a Linksys E2000, which is the repeater bridge on 5 GHz (the main router is a Linksys WRT610n-v2). Both work very well.
    I bought the refurbished one for a little more ($65 + $32) than the Sony USB adapter, but at the same time I upgraded my network to 2.4 GHz + 5 GHz N too. So basically I have two simultaneous networks in my house.
    If you only add one router to your existing wireless network, it is much cheaper than buying the Sony adapter, and at the same time you can extend your wireless signal too.

  • BGP, OSPF with default route

    Hello

    My branch gets internet through the head office, connected over a leased line, and OSPF is running. A static default route 0.0.0.0 is set towards HO.

    Now an additional MPLS link is added to our WAN for link redundancy, and eBGP is running on it.

    My question is how to configure the OSPF routes (my internal network) into BGP and the default route (for internet) for connectivity?

    Please help with examples.

    Thank you

    For the internet, you need a default route. I am assuming that you will get a default route from MPLS as well, so the leased line will remain the default route; the MPLS BGP default gets injected into the LAN by this command, which I have already added to your config file.

    router ospf xxx
     default-information originate
    !

    Also, if you connect the leased line and MPLS on the same router, the router chooses MPLS as the main path, as eBGP is preferred over OSPF. If you change the AD of BGP, OSPF routes will be preferred over BGP. Use this in the config for leased line primary and MPLS secondary.

    router bgp xxx
     distance bgp 200 200 200
    !

  • DMVPN versus MPLS

    Hello world

    An interesting question for the community.

    If a router is configured with a DMVPN (or simply a VPN) tunnel and at the same time has an MPLS ethernet connection to the same remote destination, which route takes priority and why?

    Thank you

    Tom

    Hello

    The link I provided above describes the idea of how this is possible. If you are looking at the MPLS cloud and the DMVPN cloud using EIGRP, then I suggest you do the following:

    In each router configure two EIGRP autonomous systems (AS), one to be used on MPLS and the other to be used on DMVPN, and follow the recommendations below:

    - advertise in each EIGRP AS the networks that should be reachable through it (assuming the same networks will be advertised on both)

    - do not redistribute between these two EIGRP ASes

    - use an EIGRP offset-list on the routes received through the DMVPN tunnel interface to make their metric higher and less preferred; see the link below for eigrp offset-list configuration

    http://www.Cisco.com/en/us/Tech/tk365/technologies_tech_note09186a00800c2d96.shtml#modifycompositemetric

    - you can use other methods than offset-list, like delay

    For the other config design and recommendations please refer to the design example in the previous post.

    If you have any questions just post them here.

    HTH

    Pls rate the useful posts.

  • DMVPN or GETVPN

    Team - we have a client that runs GET VPN over MPLS links from the DC to the spokes. They are heading for a network refresh. We thought of suggesting IWAN to them. DMVPN is one of the 4 pillars of IWAN. Can we ask the customer to go to DMVPN instead of GETVPN, or should we do it another way? Please highlight the pros and cons.

    Thank you

    bijbalaktn,

    When you say 'network refresh', what does that imply? Will you still be using MPLS as your transport network?

    Either GETVPN or DMVPN is a solution over an MPLS network. Two benefits of GETVPN are slightly less encapsulation overhead (as it is just ESP without GRE encapsulation) and not having to run an overlay routing protocol. That said, when comparing DMVPN and GETVPN, most people are much more comfortable with DMVPN, which is an advantage in and of itself. In addition, if you are considering an IWAN solution, DMVPN is a requirement per the IWAN CVD.

    In short, either solution should work and it's really up to you; personally, I'm a big fan of both. If you are comfortable with GETVPN and it has worked for you, it may be better to stay with it. However, DMVPN should work just fine for you as well.

    HTH,

    Frank

  • DMVPN spoke issues after migrating dual ISR2 3925 hubs to ASR-1001X

    Hello world

    After migrating our dual ISR2 3925 DMVPN hub solution to ASR-1001X (running asr1001x-universalk9.03.12.03.S.154-2.S3-std.SPA.bin) we started to have problems with spoke tunnels flapping (going up and down) and sometimes never coming up at all.

    Running 'show dmvpn' on the spoke, it is stuck in NHRP state towards our hub. To solve the problem we run 'shutdown' and then 'no shutdown' on the spoke's tunnel interface, after which the DMVPN actually comes up. Running "clear crypto session" on the spoke also often solves the problem. So it seems that the issue has something to do with IPsec.

    When the problem occurred and we ran debug crypto ipsec, debug crypto isakmp and debug crypto engine socket, the following could be seen on the hub:

     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 140130067548488, message ID = 629121681
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): seq. no 0x64B2238C
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet.
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):purging node 629121681
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:41 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP: set new node 3442686097 to QM_IDLE
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 3442686097
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 3442686097, sa = 0x7F72986867D0
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): DPD/R_U_THERE_ACK received from peer , sequence 0x64B2238C
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):deleting node 3442686097 error FALSE reason "Informational (in) state 1"
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:42 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A438
     Jun 25 10:01:42 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
     Jun 25 10:01:42 SUMMERT: ISAKMP:(46580):purging node 1111296046
     Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 928225319 to QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing SA payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Checking IPSec proposal 1
     Jun 25 10:01:44 SUMMERT: ISAKMP: transform 1, ESP_AES
     Jun 25 10:01:44 SUMMERT: ISAKMP: attributes in transform:
     Jun 25 10:01:44 SUMMERT: ISAKMP: encaps is 2 (Transport)
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in seconds
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (basic) of 3600
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in kilobytes
     Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
     Jun 25 10:01:44 SUMMERT: ISAKMP: authenticator is HMAC-SHA
     Jun 25 10:01:44 SUMMERT: ISAKMP: key length is 256
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):atts are acceptable.
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local  /255.255.255.255/0, remote  /255.255.255.255/0, prot 47, ifc Tu3300
     Jun 25 10:01:44 SUMMERT: IPSEC(recalculate_mtu): reset sadb_root 7F7292E64990 mtu to 1500
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending Socket Ready message
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NONCE payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):QM Responder gets spi
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
     Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 
     Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating profile-shared Tunnel3300 ident 7F7298B2BF80 with lookup_oce 7F7296BF5440
     Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x14F40C56(351538262), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27873 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0
     Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x3B4731D7(994521559), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27874 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Received IPSec Install callback... proceeding with the negotiation
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Successfully installed IPSEC SA (SPI:0x14F40C56) on Tunnel3300
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet.
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
     Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 1979798297 to QM_IDLE
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 1979798297
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 351538262, message ID = 1979798297, sa = 0x7F72986867D0
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): deleting spi 351538262 message ID = 928225319
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 928225319 error TRUE reason "Delete Larval"
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):peer does not do paranoid keepalives.
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x3B4731D7)
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 1979798297 error FALSE reason "Informational (in) state 1"
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     Jun 25 10:01:44 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A340
     Jun 25 10:01:44 SUMMERT: IPSEC(key_engine_delete_sas): delete SA with spi 0x3B4731D7 proto 50 for 
     Jun 25 10:01:44 SUMMERT: IPSEC(update_current_outbound_sa): updated peer  current outbound sa to SPI 0
     Jun 25 10:01:44 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
     Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending request for CRYPTO SS CLOSE SOCKET

     #sh pl ha qf ac fe ipsec data drop
     ------------------------------------------------------------------------
     Drop Type  Name                                  Packets
     ------------------------------------------------------------------------
     3          IN_US_V4_PKT_FOUND_IPSEC_NOT_ENABLED  127672
     19         IN_OCT_ANTI_REPLAY_FAIL               13346
     20         IN_UNEXP_OCT_EXCEPTION                4224
     33         OUT_V4_PKT_HIT_IKE_START_SP           1930
     62         IN_OCT_MAC_EXCEPTION                  9

     #sh plat hard qfp act stat drop | e _0_
     -------------------------------------------------------------------------
     Global Drop Stats                         Packets                  Octets
     -------------------------------------------------------------------------
     Disabled                                        1                      82
     IpFragErr                                  170536               246635169
     IpTtlExceeded                                4072                  343853
     IpsecIkeIndicate                             1930                  269694
     IpsecInput                                 145256                30071488
     Ipv4Acl                                   2251965               215240194
     Ipv4Martian                                  6248                  692010
     Ipv4NoAdj                                   43188                 7627131
     Ipv4NoRoute                                   278                   27913
     Ipv4Unclassified                                6                     378
     MplsNoRoute                                   790                   69130
     MplsUnclassified                                1                      60
     ReassTimeout                                   63                   10156
     ServiceWireHdrErr                            2684                  585112

    In addition, after running "logging dmvpn rate-limit 20" on the hub:

     %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel292: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel:  NBMA: )

    On the spokes, the following can be seen in the debugs as well:

     *Jun 25 09:17:26.884: ISAKMP:(1032): sitting IDLE. Starting QM immediately (QM_IDLE )
     *Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281
     *Jun 25 09:17:26.884: ISAKMP:(1032):QM Initiator gets spi
     *Jun 25 09:17:26.884: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:26.884: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:26.884: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
     *Jun 25 09:17:26.884: ISAKMP:(1032):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
     *Jun 25 09:17:26.940: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032): processing HASH payload. message ID = 1599359281
     *Jun 25 09:17:26.940: ISAKMP:(1032): processing SA payload. message ID = 1599359281
     *Jun 25 09:17:26.940: ISAKMP:(1032):Checking IPSec proposal 1
     *Jun 25 09:17:26.940: ISAKMP: transform 1, ESP_AES
     *Jun 25 09:17:26.940: ISAKMP: attributes in transform:
     *Jun 25 09:17:26.940: ISAKMP: encaps is 2 (Transport)
     *Jun 25 09:17:26.940: ISAKMP: SA life type in seconds
     *Jun 25 09:17:26.940: ISAKMP: SA life duration (basic) of 3600
     *Jun 25 09:17:26.940: ISAKMP: SA life type in kilobytes
     *Jun 25 09:17:26.940: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
     *Jun 25 09:17:26.940: ISAKMP: authenticator is HMAC-SHA
     *Jun 25 09:17:26.940: ISAKMP: key length is 256
     *Jun 25 09:17:26.940: ISAKMP:(1032):atts are acceptable.
     *Jun 25 09:17:26.940: IPSEC(ipsec_process_proposal): proxy identities not supported
     *Jun 25 09:17:26.940: ISAKMP:(1032): IPSec policy invalidated proposal with error 32
     *Jun 25 09:17:26.940: ISAKMP:(1032): phase 2 SA policy not acceptable! (local  remote )
     *Jun 25 09:17:26.940: ISAKMP: set new node -1745931191 to QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 834718720, message ID = 2549036105
     *Jun 25 09:17:26.940: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:26.940: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:26.940: ISAKMP:(1032):purging node -1745931191
     *Jun 25 09:17:26.940: ISAKMP:(1032):deleting node 1599359281 error TRUE reason "QM rejected"
     *Jun 25 09:17:26.940: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
     *Jun 25 09:17:26.940: ISAKMP:(1032):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1
     *Jun 25 09:17:34.068: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE
     *Jun 25 09:17:34.068: ISAKMP: set new node 1021264821 to QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032): processing HASH payload. message ID = 1021264821
     *Jun 25 09:17:34.072: ISAKMP:(1032): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 1021264821, sa = 0x32741028
     *Jun 25 09:17:34.072: ISAKMP:(1032):deleting node 1021264821 error FALSE reason "Informational (in) state 1"
     *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
     *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     *Jun 25 09:17:34.072: ISAKMP:(1032):DPD/R_U_THERE received from peer , sequence 0x64B2279D
     *Jun 25 09:17:34.072: ISAKMP: set new node 716440334 to QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 834719464, message ID = 716440334
     *Jun 25 09:17:34.072: ISAKMP:(1032): seq. no 0x64B2279D
     *Jun 25 09:17:34.072: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Sending an IKE IPv4 Packet.
     *Jun 25 09:17:34.072: ISAKMP:(1032):purging node 716440334
     *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
     *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
     *Jun 25 09:17:35.356: ISAKMP:(1032):purging node 206299144

    Obviously something is wrong with Phase 2 not coming up. But why does it come up after clearing the crypto session or after shutting and re-enabling the tunnel interface on the spoke?

    Very weird. Also, looking at the hub debug messages, it seems that the crypto is associated with the wrong tunnel interface, Tu3300, when it should be Tu2010. Normal, or a bug?

    The hub configuration looks like this:

     crypto keyring ISP1-DMVPN vrf ISP1-DMVPN
      pre-shared-key address 0.0.0.0 0.0.0.0 key 
     crypto isakmp policy 10
      encr aes
      authentication pre-share
     crypto isakmp keepalive 10 3 periodic
     crypto isakmp nat keepalive 10
     crypto isakmp profile ISP1-DMVPN
      keyring ISP1-DMVPN
      match identity address 0.0.0.0 ISP1-DMVPN
      keepalive 10 retry 3
     crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
      mode tunnel
     crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
      mode transport
     crypto ipsec profile ISP1-DMVPN
      set transform-set AES256-SHA AES256-SHA-TRANSPORT
      set isakmp-profile ISP1-DMVPN
     vrf definition ISP1-DMVPN
      description DMVPN-Outside-ISP1
      rd 65527:10
      !
      address-family ipv4
      exit-address-family
     !
     !
     interface TenGigabitEthernet0/0/0
      no ip address
     !
     interface TenGigabitEthernet0/0/0.71
      description VPN;ISP1-DMVPN;Outside;VLAN71
      encapsulation dot1Q 71
      vrf forwarding ISP1-DMVPN
      ip address  255.255.255.128
      no ip proxy-arp
      ip access-group acl_ISP1-DMVPN_IN in
     !
     ip route vrf ISP1-DMVPN 0.0.0.0 0.0.0.0  name ISP1;Default
     ip access-list extended acl_ISP1-DMVPN_IN
      permit icmp any any
      permit esp any host 
      permit gre any host 
      permit udp any host  eq isakmp
      permit udp any host  eq non500-isakmp
      deny ip any any
     vrf definition 2010
      description CUSTA - Customer A
      rd 65527:2010
      route-target export 65527:2010
      route-target import 65527:2010
      !
      address-family ipv4
      exit-address-family
     !
     !
     interface Tunnel2010
      description CUSTA;DMVPN;Failover-secondary
      vrf forwarding 2010
      ip address 10.97.0.34 255.255.255.240
      no ip redirects
      ip mtu 1380
      ip nhrp map multicast dynamic
      ip nhrp network-id 2010
      ip nhrp holdtime 120
      ip nhrp server-only
      ip nhrp max-send 1000 every 10
      ip tcp adjust-mss 1340
      tunnel source TenGigabitEthernet0/0/0.71
      tunnel mode gre multipoint
      tunnel key 2010
      tunnel vrf ISP1-DMVPN
      tunnel protection ipsec profile ISP1-DMVPN shared
     router bgp 65527
      !
      address-family ipv4 vrf 2010
       redistribute connected metric 10
       redistribute static metric 15
       neighbor 10.97.0.39 remote-as 65028
       neighbor 10.97.0.39 description spokerouter;Tunnel1
       neighbor 10.97.0.39 update-source Tunnel2010
       neighbor 10.97.0.39 activate
       neighbor 10.97.0.39 soft-reconfiguration inbound
       neighbor 10.97.0.39 prefix-list EXPORT-IVPN-VRF2010 out
       neighbor 10.97.0.39 route-map AllVRF-LocalPref-80 in
       neighbor 10.97.0.39 maximum-prefix 5000 80
       default-information originate
      exit-address-family

    Spoke configuration:

     crypto keyring DMVPN01
      pre-shared-key address 0.0.0.0 0.0.0.0 key 
     crypto isakmp policy 10
      encr aes
      authentication pre-share
     crypto isakmp invalid-spi-recovery
     crypto isakmp profile DMVPN01
      keyring DMVPN01
      match identity address 0.0.0.0
      keepalive 10 retry 3
     crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
      mode tunnel
     crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac
      mode transport
     crypto ipsec profile DMVPN01
      set transform-set AES256-SHA-TRANSPORT
      set isakmp-profile DMVPN01
     vrf definition inside
      rd 65028:1
      route-target export 65028:1
      route-target import 65028:1
      !
      address-family ipv4
      exit-address-family
     !
     interface Tunnel1
      description DMVPN to HUB
      vrf forwarding inside
      ip address 10.97.0.39 255.255.255.240
      no ip redirects
      ip mtu 1380
      ip nhrp map 10.97.0.33 
      ip nhrp map multicast 
      ip nhrp map 10.97.0.34 
      ip nhrp map multicast 
      ip nhrp network-id 1
      ip nhrp holdtime 120
      ip nhrp nhs 10.97.0.33
      ip nhrp nhs 10.97.0.34
      ip nhrp registration no-unique
      ip nhrp registration timeout 60
      ip tcp adjust-mss 1340
      tunnel source GigabitEthernet0/0
      tunnel mode gre multipoint
      tunnel key 2010
      tunnel protection ipsec profile DMVPN01 shared
     router bgp 65028
      !
      address-family ipv4 vrf inside
       bgp router-id 172.28.5.137
       network 10.97.20.128 mask 255.255.255.128
       network 10.97.21.0 mask 255.255.255.0
       network 10.97.22.0 mask 255.255.255.0
       network 10.97.23.0 mask 255.255.255.0
       network 172.28.5.137 mask 255.255.255.255
       neighbor 10.97.0.33 remote-as 65527
       neighbor 10.97.0.33 description HUB1;Tunnel2010
       neighbor 10.97.0.33 update-source Tunnel1
       neighbor 10.97.0.33 timers 10 30
       neighbor 10.97.0.33 activate
       neighbor 10.97.0.33 send-community both
       neighbor 10.97.0.33 soft-reconfiguration inbound
       neighbor 10.97.0.33 prefix-list IROUTE-EXPORT out
       neighbor 10.97.0.33 maximum-prefix 5000 80
       neighbor 10.97.0.34 remote-as 65527
       neighbor 10.97.0.34 description HUB2;tunnel2010
       neighbor 10.97.0.34 update-source Tunnel1
       neighbor 10.97.0.34 timers 10 30
       neighbor 10.97.0.34 activate
       neighbor 10.97.0.34 send-community both
       neighbor 10.97.0.34 soft-reconfiguration inbound
       neighbor 10.97.0.34 prefix-list IROUTE-EXPORT out
       neighbor 10.97.0.34 route-map AllVRF-LocalPref-80 in
       neighbor 10.97.0.34 maximum-prefix 5000 80
      exit-address-family

    If more information is needed, please say so.

    Any help or advice would be greatly appreciated!

    Thank you!

    It is possible that you are hitting this one, a phase 2 negotiation failure:

    https://Tools.Cisco.com/bugsearch/bug/CSCup72039/?reffering_site=dumpcr

    [Too little detail to say with certainty.]

    M.

  • BGP Site of Origin attribute

    Dear friends,

    I have tried to get a good understanding of the BGP Site of Origin attribute (not the EIGRP SoO). I understand its idea and its impact, but there is one problem I couldn't wrap my head around yet.

    Quoting RFC 4364, Section 8:

        We add one more restriction on the distribution of routes from PE to CE: if a route's Site of Origin attribute identifies a particular site, that route must never be redistributed to any CE at that site.

    My understanding of this statement is that a site must be identifiable by a given value of the SoO attribute, or in other words, there should be a way to assign a specific SoO value to the entire site. Then, knowing the SoO value of the entire site, a route that originated at this site should never be advertised back to it.

    This is where my problems start. We know that there is no strict one-to-one mapping between a site and a VRF. A site can consist of one or several VRFs and is not actually represented by a single object in IOS; it is rather a loose collection of VRFs that share routing information in such a way that the backbone is not required for their mutual communication. There is no representation of the site as a single object in IOS, and so there is no way to assign a particular SoO to a site as a whole. In addition, the SoO attribute is not configured on a per-VRF basis either; instead, it is pushed onto individual routes using a route-map or a per-neighbor configuration. What is the SoO attribute on a given prefix compared against, then? I simply do not see how a whole VRF or an entire site is assigned its own unique SoO value for comparison purposes, in a manner similar to how route distinguishers or route targets are assigned on a per-VRF basis.

    So my question is: if the SoO attribute is pushed onto routes on one PE and these routes are advertised to another PE on the same site, how does the other PE know the correct SoO value of the site, so that it can compare it to the SoO on the received prefixes and not advertise routes back to the site they came from? Does the VRF simply "inherit" the SoO of the individual routes as they are received and processed by a route-map setting the SoO?

    Any help and clarification is appreciated!

    Best regards

    Peter

    Hi Peter,

    SoO for BGP is "tied" to the neighbor. Thus, when a prefix must be advertised to a neighbor, we check the SoO of the prefix against the SoO of the BGP neighbor. For everything else, it is bound to the interface.

    The configuration can be done in four different ways (how the SoO is set and how it is checked depends on this):

    (1) 'route-map in' on the BGP neighbor command

    (2) directly on the BGP neighbor command for the CE

    (3) site-of-origin on the VRF interface and redistribution of the (static) IGP routes into BGP, with the static/IGP routes pointing to this interface

    (4) site-of-origin on the VRF interface and the network command

    General principle (but you know it already):

    http://www.Cisco.com/en/us/partner/docs/iOS/ios_xe/iproute_bgp/configuration/guide/irg_neighbor_soo_xe.html

    With a route-map setting different SoOs for different prefixes from the same BGP neighbor, SoO doesn't make much sense, so I guess nobody was ever bothered by the possible non-uniqueness in the configuration when you look at what a "site" is.

    Thank you

    Luke
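The SoO check described in this reply, as an added example that is not part of the original thread: the SoO is stamped on routes inbound from the CE neighbor it is configured on, and on export a route is suppressed towards any neighbor carrying the same SoO, so the second PE needs nothing site-wide, only the SoO on its own CE neighbor. Neighbor names, SoO values and prefixes are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, List, Dict

@dataclass(frozen=True)
class Neighbor:
    name: str
    soo: Optional[str]  # from 'neighbor ... soo ASN:NN' or an inbound route-map; None if unset

@dataclass
class Route:
    prefix: str
    ext_communities: Set[str] = field(default_factory=set)

def learn(route: Route, from_nbr: Neighbor) -> Route:
    """Inbound: stamp the route with the SoO tied to the neighbor it came from."""
    if from_nbr.soo:
        route.ext_communities.add(f"soo:{from_nbr.soo}")
    return route

def advertise(table: List[Route], to_nbr: Neighbor) -> List[str]:
    """Outbound: per RFC 4364 section 8, a route whose SoO identifies the
    neighbor's site is never sent to that neighbor; everything else is."""
    return [r.prefix for r in table
            if not (to_nbr.soo and f"soo:{to_nbr.soo}" in r.ext_communities)]

# Constructed topology: site A is dual-homed, so both CE neighbors carry SoO
# 65000:100 (whichever PE they attach to); site B is single-homed with 65000:200.
CE_A1 = Neighbor("ce-a1", "65000:100")
CE_A2 = Neighbor("ce-a2", "65000:100")
CE_B = Neighbor("ce-b", "65000:200")

def demo() -> Dict[str, List[str]]:
    # The SoO travels with the route (also over MP-BGP to another PE), so the
    # export check only needs the SoO configured on the local CE neighbor.
    table = [
        learn(Route("10.1.0.0/16"), CE_A1),  # learned from site A
        learn(Route("10.2.0.0/16"), CE_B),   # learned from site B
    ]
    return {n.name: advertise(table, n) for n in (CE_A1, CE_A2, CE_B)}

if __name__ == "__main__":
    for nbr, prefixes in demo().items():
        print(f"{nbr}: {prefixes}")
```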

  • IGP metric copied into BGP MED

    Hi all

    I have a problem where BGP inherits my IGP metric value into its MED attribute. I have an eBGP peering with my customer. I send only specific routes to my eBGP peer using network commands in BGP. I receive the prefixes via OSPF in my routing table. I do not redistribute these routes into BGP, but the network command lets me advertise them in BGP.

    My question is: when these prefixes are sent to my eBGP peer, BGP takes the IGP metric value and attaches it as the MED value. This has an impact on the route selection of my customer, who is in an MPLS cloud. Is this normal behavior, or how can I stop BGP from sending this MED value?

    Kind regards

    Jean-Pierre

    Discovering that you send a MED to an eBGP neighbor even though you never intended to can be a surprise, but it happens. If the route injected into BGP (using either the 'network' or the 'redistribute' command) comes from an IGP, the MED is derived from the IGP metric, and the route is advertised to an eBGP neighbor with this MED. Giuseppe has already provided a solution for your problem. Another option is to inject routes into BGP using the 'aggregate-address' command, in which case the MED is not set. Personally, I prefer the 'network' configuration command combined with the solution that Giuseppe suggested.

  • BGP removing the best path

    Hello.

    I have a problem where the best path to a particular destination is removed by BGP.

    To explain.

    Site A has 2 links to site B: 1 via an eBGP peer over MPLS, 2 via an iBGP peer over a backup VPN.

    I configured the eBGP peer with a higher weight so that it is preferred.

    The problem is the following.

    When the eBGP peer link goes down, the connection via the iBGP peer is preferred.

    When the link via the eBGP peer comes back up, the path via the eBGP peer doesn't come back into the BGP table (in fact it comes back for a second and is then removed).

    Could someone help me with this one?

    Thank you

    Lee

    It would go something like this:

    Country:

    router bgp 65500
     neighbor MPLS route-map setMed out
    !
    route-map setMed permit 10
     match ip address 1
     set metric 2
    route-map setMed permit 20
     set metric 1
    ! 'set metric' in a route-map sets the MED; the prefix matched by
    ! access-list 1 was not given in the original post
    access-list 1 permit

    RtrC:

    router bgp 65500
     neighbor MPLS route-map setMed out
    !
    route-map setMed permit 10
     match ip address 1
     set metric 2
    route-map setMed permit 20
     set metric 1
    ! the prefix matched by access-list 1 was not given in the original post
    access-list 1 permit

    Let me know if you have any questions,

  • BGP path selection

    Hello

    In my BGP table, I have two paths to the default route:

    BGP routing table entry for 65052:420:0.0.0.0/0, version 4803
    Paths: (2 available, best #2, table vkb)
      Not advertised to any peer
      Local
        172.16.24.2 (metric 98) from 172.16.24.2 (172.16.24.62)
          Origin incomplete, metric 755968, localpref 100, valid, internal
          Extended Community: RT:65052:420 0x8800:0:8212 0x8801:100:131072 0x8802:65283:624896 0x8803:65281:1500 0x8804:0:2886794964 0x8805:3:0
          mpls labels in/out nolabel/1602
      Local
        172.16.24.1 (metric 99) from 172.16.24.1 (172.16.24.61)
          Origin incomplete, metric 755712, localpref 100, valid, internal, best
          Extended Community: RT:65052:420 0x8800:0:8211 0x8801:100:130816 0x8802:65282:624896 0x8803:65299:1500 0x8804:0:2886794963 0x8805:3:0
          mpls labels in/out nolabel/1410

    Why is the path via 172.16.24.1 selected even though the IGP metric to 172.16.24.2 is 98 and to 172.16.24.1 is 99?

    So the path via 172.16.24.2 should be better (98).

    I am redistributing EIGRP into the MPLS backbone.

    Thanks for the answer

    Hello

    The MED of the preferred route is lower than the other one's. MED is considered before the IGP cost to the advertising router.

    HTH.

    -Rob
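The decision Rob describes, as an added example that is not part of the original thread: a simplified version of the Cisco best-path sequence (weight, local preference, AS-path length, origin, MED, eBGP over iBGP, IGP metric, router ID) run over the two paths from the output above, showing that MED decides before the IGP metric is ever looked at. The path values are those from the post; the code and step ordering are mine.

```python
from dataclasses import dataclass
from typing import Tuple, List

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class Path:
    next_hop: str
    med: int
    igp_metric: int
    router_id: str
    weight: int = 0
    local_pref: int = 100
    as_path: Tuple[int, ...] = ()   # empty: locally originated / redistributed
    origin: str = "incomplete"
    ebgp: bool = False

def _rid(p: Path) -> Tuple[int, ...]:
    return tuple(int(x) for x in p.router_id.split("."))

# Each step yields a key where the LOWER value wins; the first step that
# differs decides. Steps such as multipath or cluster length are omitted.
STEPS = [
    ("weight", lambda p: -p.weight),            # higher weight wins
    ("local_pref", lambda p: -p.local_pref),    # higher local-pref wins
    ("as_path_len", lambda p: len(p.as_path)),  # shorter AS path wins
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("med", lambda p: p.med),                   # lower MED wins
    ("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
    ("igp_metric", lambda p: p.igp_metric),     # lower IGP cost to next hop wins
    ("router_id", _rid),
]

def compare(a: Path, b: Path) -> Tuple[Path, str]:
    """Return (winner, name of the deciding step)."""
    for name, key in STEPS:
        if name == "med" and a.as_path[:1] != b.as_path[:1]:
            continue  # by default MED is only compared between paths from the same neighbouring AS
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), name
    return a, "tie"

def best_path(paths: List[Path]) -> Tuple[Path, str]:
    best, reason = paths[0], "only path"
    for p in paths[1:]:
        best, reason = compare(best, p)
    return best, reason

# The two paths from the 'show ip bgp' output in the post: both iBGP, empty
# AS path (redistributed EIGRP), origin incomplete, localpref 100.
PATHS = [
    Path("172.16.24.2", med=755968, igp_metric=98, router_id="172.16.24.62"),
    Path("172.16.24.1", med=755712, igp_metric=99, router_id="172.16.24.61"),
]

if __name__ == "__main__":
    winner, why = best_path(PATHS)
    print(f"best: {winner.next_hop} (decided by {why})")
```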

  • DMVPN and Internet via hub location issues

    Hello everyone,

    I really hope you can help me with the problem I have.

    Let me explain. I am testing a dual-hub, dual-DMVPN layout for a client before we set it up in actual production.
    The client has sites where the routers are behind ISP routers that do NAT.

    How things are configured:

    -All spoke traffic must go through the hub location; there is no local Internet traffic on the spokes.
    -Hub 1 and Hub 2 send a default route to the spokes through EIGRP, but only Hub 1 is used.
    -Hub 1 is the main DMVPN router. In case of Internet connection / hardware failure, Hub 2 becomes active for DMVPN and Internet.
    -Hub 1 and Hub 2 are both connected to an ISP and act as Internet gateway for the spokes.
    -Hub 1 and Hub 2 are configured with IOS Firewall.
    -On the spokes I used a VRF to separate the DMVPN routing table from the global routing table, so I could receive a default route from Hub 1 and Hub 2 and carry the spokes' traffic to the Internet via the hub location.

    What works:

    -All spokes can access the local network at the hub location.
    -All spokes can do spoke-to-spoke.
    -DMVPN failover works.
    -Spokes NOT behind the ISP NAT router (i.e. with the public IP address directly on their external interface) can reach the Internet via the hub location, and all packets are inspected by the IOS Firewall and NATed properly.
     
    What does not work:

    -Spokes behind the ISP NAT router cannot access the Internet via the hub location. They can reach the local network at the hub location and do spoke-to-spoke.
    The IOS Firewall on the hub router shows packets from these spokes (behind a NAT) with a source IP address that is the public IP address of the ISP router's outside interface, not the private LAN IP address behind the spoke.
    In addition, the packets are never NATed. If I do a capture on an Internet server, the source IP is the private LAN IP of the LAN behind the spoke. This means that the hub router never NATs these packets.

    How to solve this problem?


    Well, I don't know, that's why I need your help/advice :-)

    I don't know whether I also have to configure a VRF at the hub location, as that might mess things up.

    The problem seems to be NAT-T; the spokes that are not behind a NAT go over the Internet through a hub and Cisco IOS inspection and NAT work fine for them.

    I tested today with the customer; at the start, the spokes behind NAT could ping different servers on the Internet but not open an HTTP session. DNS was working. The IOS Firewall was actually

    inspecting packets with the real private IP address. Then I thought it was an MTU issue, so I decided to do a ping on the Internet with the largest MTU size and suddenly the pings no longer worked.

    I could see on the Hub1 router that the IOS Firewall was again inspecting the public IP of the ISP NAT router in front of the spokes, and no longer the actual private IP address. Really strange!

    Attached files:

    I attach the following files: a drawing of the configuration called drawing-Lab - Setup.jpeg | all config files for HUB1, BRANCH1, BRANCH2 and the ISP-ROUTER, named respectively: HUB1.txt, BRANCH1.txt, BRANCH2.txt and ISP - ROUTER .txt

    Hub1 logs when pinging host 200.200.200.200 on the Internet from Branch2 (behind the NAT ISP router):

    Branch2#ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
    Packet sent with a source address of 192.168.110.1
    .....
    Success rate is 0 percent (0/5)

    *Jul 15 06:04:51.017 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (110.10.10.2:8) -- responder (200.200.200.200:0)

    So the IOS Firewall does not inspect the true private source IP address, which in this case would be 192.168.110.2. It sees the public IP address.

    HUB1#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 80.10.10.2:1      80.10.10.2:1       100.10.10.2:1      100.10.10.2:1
    icmp 80.10.10.2:2      80.10.10.2:2       110.10.10.2:2      110.10.10.2:2
    udp  80.10.10.2:4500   80.10.10.2:4500    110.10.10.2:4500   110.10.10.2:4500

    There is no NAT entry present for these packets.

    Capture on the Tunnel 1 interface on Hub1 (incoming packets):

    7 7.355997 192.168.110.1 200.200.200.200 ICMP Echo (ping) request

    So while the IOS Firewall inspects the public IP 110.10.10.2:8, the sniffer capture says the packet comes from the real private IP address.

    Capture on the server (200.200.200.200) with Wireshark:

    114 14.123552 192.168.110.1 200.200.200.200 ICMP Echo (ping) request

    So the private source IP address from the BRANCH2 local network is never NATed by HUB1.

    So the server sees the private source IP address, not NATed, although the IOS Firewall on Hub1 inspects the public IP address 110.10.10.2:8.

    Hub1 logs when pinging host 200.200.200.200 on the Internet from Branch1 (not behind the NAT ISP router):

    Branch1#ping vrf DMVPN-VRF 200.200.200.200 source vlan 100

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
    Packet sent with a source address of 192.168.100.1
    !!!!!

    *Jul 15 06:05:18.217 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.100.1:8) -- responder (200.200.200.200:0)

    So here the firewall sees the actual private IP, which is 192.168.100.1.

    HUB1#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 80.10.10.2:1      80.10.10.2:1       100.10.10.2:1      100.10.10.2:1
    icmp 80.10.10.2:2      80.10.10.2:2       110.10.10.2:2      110.10.10.2:2
    udp  80.10.10.2:4500   80.10.10.2:4500    110.10.10.2:4500   110.10.10.2:4500
    icmp 80.10.10.2:22     192.168.100.1:22   200.200.200.200:22 200.200.200.200:22

    The real private source IP address is NATed to Hub 1's outside public IP address.

    Capture on the Tunnel 1 interface on Hub1 (incoming packets):

    8 7.379997 192.168.100.1 200.200.200.200 ICMP Echo (ping) request

    The same real private IP address as inspected by the IOS Firewall, so everything is fine here.

    Capture on the server (200.200.200.200) with Wireshark:


    67 10.441153 80.10.10.2 200.200.200.200 ICMP Echo (ping) request

    So here everything is all right. The address is NATed correctly.

    __________________________________________________________________________________________

    Best regards

    Laurent

    Hello

    I just saw your message, I hope this isn't too late.

    I don't know what your exact problem is, but I think we can work through it to understand it.

    One thing I noticed was that your NAT ACL is too general. You need to make it more specific. In particular, you want to make sure that it does not match the VPN traffic coming in to / going out of the router.

    For example, you should not really have any of these entries in your NAT translation table.

    HUB1#sh ip nat translations
    Pro  Inside global      Inside local       Outside local      Outside global
    icmp 80.10.10.2:1      80.10.10.2:1       100.10.10.2:1      100.10.10.2:1
    icmp 80.10.10.2:2      80.10.10.2:2       110.10.10.2:2      110.10.10.2:2
    udp  80.10.10.2:4500   80.10.10.2:4500    110.10.10.2:4500   110.10.10.2:4500

    Instead use:

    ip access-list extended NAT
     deny ip any 192.168.0.0 0.0.255.255 log
     permit ip any any
     deny ip any any log

    Or you can use:

    ip access-list extended NAT
     deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
     permit ip 192.168.0.0 0.0.255.255 any
     deny ip any any log

    Also, I would be very careful with using the "log" keyword in a NAT ACL. I have seen problems.

    What IOS versions are you using?

    Try to make changes to the NAT so that you no longer see NAT translation entries for NAT-T packets (UDP 4500) in the NAT translation table on the hub. It may be that this sets a flag in the packet structure that IOS Firewall and NAT pick up on and then do the wrong thing in this case.

    If this does not work then let me know. Maybe it's something for which you will need to open a TAC case so that we can debug this directly on your installation.

    Mike.
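To see why Mike calls the first ACL "too general", here is an added example (not from the original thread) that evaluates both NAT ACLs from his reply, with IOS first-match and implicit-deny semantics, against flows taken from the translation table quoted above. Only the ACL subset his reply uses (ip, any, wildcard masks) is parsed; the hub-LAN destination 192.168.1.10 is a constructed value.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

def parse_ace(line: str) -> Tuple[str, object, object]:
    """'deny ip any 192.168.0.0 0.0.255.255 log' -> (action, src_net, dst_net)."""
    toks = line.split()
    action, rest = toks[0], toks[2:]  # toks[1] is the protocol, always 'ip' here

    def take():
        if rest[0] == "any":
            rest.pop(0)
            return ip_network("0.0.0.0/0")
        addr, wild = rest.pop(0), rest.pop(0)
        # wildcard mask -> prefix length (contiguous masks only, as in the reply)
        plen = 32 - bin(int(ip_address(wild))).count("1")
        return ip_network(f"{addr}/{plen}", strict=False)

    src = take()
    dst = take()
    return action, src, dst

def acl_permits(acl_lines: List[str], src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for action, snet, dnet in map(parse_ace, acl_lines):
        if ip_address(src) in snet and ip_address(dst) in dnet:
            return action == "permit"
    return False

TOO_GENERAL = [
    "deny ip any 192.168.0.0 0.0.255.255 log",
    "permit ip any any",
    "deny ip any any log",
]
SPECIFIC = [
    "deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log",
    "permit ip 192.168.0.0 0.0.255.255 any",
    "deny ip any any log",
]

# Flows from the 'sh ip nat translations' output in the thread, plus one
# constructed LAN-to-hub-LAN flow. True means "NAT applies to this flow".
FLOWS = {
    "nat-t hub->branch2 (udp 4500)": ("80.10.10.2", "110.10.10.2"),
    "branch1 lan->internet": ("192.168.100.1", "200.200.200.200"),
    "branch1 lan->hub lan": ("192.168.100.1", "192.168.1.10"),
}

def evaluate(acl: List[str]) -> Dict[str, bool]:
    return {name: acl_permits(acl, s, d) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("too general", TOO_GENERAL), ("specific", SPECIFIC)):
        print(label, evaluate(acl))
```

The general ACL still hands the hub's own NAT-T traffic to NAT, which is exactly the udp 4500 entry Mike says should not appear; the source-restricted ACL does not.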
