1002 Views | 0 Helpful | 9 Replies

CSR1000v DMVPN still having issues

Richard Tapp
Level 1

I have now got two CSR1000vs running and I am hitting the same issue on each one.

If they connect to the current DMVPN hub on our network, they are working fine. But we need to configure them to become the DMVPN hub once our physical DC is closed down.

When I connect up a spoke site to the AWS routers

On the spoke I get
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
35.177.x.x 81.150.x.x QM_IDLE 2181 ACTIVE

On the AWS I get
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.22.x.x 81.150.x.x QM_IDLE 1019 ACTIVE

Show dmvpn on the AWS does not show a tunnel, but on the spoke I get

Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 35.177.x.x 10.100.x.x IKE 00:07:37 S

I just cannot work out the missing piece to get these to work.

9 Replies

Richard Tapp
Level 1

I should have said what the two AWS routers are:

1 with a single interface and 1 with dual interfaces on private and public sides

1 35.177.x.x 10.100.x.x IKE 00:07:37 S <<- it is IKE, not UP, so there is an issue with IPsec Phase II; check the proposal matching between hub and spokes.
If you can share it here I will check it.

Here they are


AWS router
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile xxx-Global1
set security-association lifetime seconds 900
set transform-set xxx-SET2
!

!
interface Tunnel10

tunnel source GigabitEthernet1
tunnel mode gre multipoint

tunnel protection ipsec profile xxx-Global1 shared


spoke


crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!

crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile xxx-Global1
set security-association lifetime seconds 900
set transform-set xxx-SET2
!
!

!
interface Tunnel10

tunnel mode gre multipoint

tunnel protection ipsec profile xxx-Global1 shared

Richard Tapp
Level 1

If I remove 'tunnel protection ipsec profile xxx-Global1 shared' from the spoke side, the tunnel comes up, but there are no ISAKMP or IPsec SAs.

Yes, I checked the config.
The shared keyword is not needed here in your config, since you have only one tunnel per tunnel source.
Please keep the tunnel profile and remove the shared keyword from the profile on the spoke only.
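As an added example (not code from the thread, from Cisco, or from either poster), the script below applies the two pieces of advice given in the replies above to the configs Richard posted: it parses the hub and spoke crypto sections, reports whether any pair of ISAKMP policies and the transform sets behind each tunnel's protection profile agree (the Phase 1 / Phase 2 proposal matching the earlier reply asked for), and notes the `shared` keyword and a missing `tunnel source`. The sample input is the posted config with indentation restored by hand, since the forum paste stripped it; the defaults filled in for attributes a policy does not set (des, sha, rsa-sig, group 1, 86400 s) are the IOS IKEv1 policy defaults. The weak-algorithm line for md5/des is my own observation, not something the thread raises.

```python
"""Cross-check hub and spoke IOS crypto config for DMVPN Phase 1 / Phase 2 mismatches.

Added example, not from the thread: a minimal block splitter for the 'crypto isakmp
policy', 'crypto ipsec transform-set', 'crypto ipsec profile' and 'interface Tunnel'
sections, plus a comparison of what IKEv1 and IPsec actually negotiate between them.
"""
import re

# IOS IKEv1 policy defaults, used for attributes a policy does not set explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Constructed sample input: the crypto/tunnel lines posted in the thread, with the
# indentation the forum paste had stripped restored so sections can be split.
HUB_CFG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set xxx-SET2 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile xxx-Global1
 set security-association lifetime seconds 900
 set transform-set xxx-SET2
!
interface Tunnel10
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel protection ipsec profile xxx-Global1 shared
"""
# The spoke as posted is identical except that it shows no 'tunnel source' line.
SPOKE_CFG = HUB_CFG.replace(" tunnel source GigabitEthernet1\n", "")


def parse_blocks(cfg):
    """Split a running-config into (header, [subcommands]); indented lines belong to the header above."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def crypto_summary(cfg):
    """Extract ISAKMP policies, transform sets, IPsec profiles and tunnel protection settings."""
    s = {"isakmp": {}, "transform": {}, "profile": {}, "tunnel": {}}
    for header, subs in parse_blocks(cfg):
        if m := re.match(r"crypto isakmp policy (\d+)$", header):
            pol = dict(ISAKMP_DEFAULTS)
            for sub in subs:
                key, _, val = sub.partition(" ")
                key = "encryption" if key.startswith("encr") else key  # IOS prints 'encr aes'
                if key in pol:
                    pol[key] = val
            s["isakmp"][int(m.group(1))] = pol
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", header):
            mode = next((sub.split()[1] for sub in subs if sub.startswith("mode ")), "tunnel")
            s["transform"][m.group(1)] = (tuple(m.group(2).split()), mode)
        elif m := re.match(r"crypto ipsec profile (\S+)$", header):
            sets = [sub.split()[2:] for sub in subs if sub.startswith("set transform-set ")]
            s["profile"][m.group(1)] = sets[0] if sets else []
        elif m := re.match(r"interface (Tunnel\d+)$", header):
            t = {"source": None, "mode": None, "profile": None, "shared": False}
            for sub in subs:
                parts = sub.split()
                if sub.startswith("tunnel source "):
                    t["source"] = parts[2]
                elif sub.startswith("tunnel mode "):
                    t["mode"] = " ".join(parts[2:])
                elif sub.startswith("tunnel protection ipsec profile "):
                    t["profile"], t["shared"] = parts[4], "shared" in parts[5:]
            s["tunnel"][m.group(1)] = t
    return s


def compare(hub, spoke):
    """Return findings; a line starting with MISMATCH explains why the IPsec SA cannot form."""
    out = []
    keys = ("encryption", "hash", "authentication", "group")  # what IKEv1 Phase 1 negotiates
    pairs = [(h, sp) for h, hp in hub["isakmp"].items() for sp, spp in spoke["isakmp"].items()
             if all(hp[k] == spp[k] for k in keys)]
    out.append(f"OK: ISAKMP hub policy {pairs[0][0]} matches spoke policy {pairs[0][1]}" if pairs
               else "MISMATCH: no ISAKMP policy agrees on encryption/hash/authentication/group")
    for name in sorted(set(hub["tunnel"]) | set(spoke["tunnel"])):
        ht, st = hub["tunnel"].get(name), spoke["tunnel"].get(name)
        if not (ht and st):
            out.append(f"MISMATCH: {name} exists on one side only")
            continue
        # Phase 2: profile -> transform set(s) -> (transforms, mode) must intersect.
        hp = {hub["transform"].get(n) for n in hub["profile"].get(ht["profile"], [])}
        sp = {spoke["transform"].get(n) for n in spoke["profile"].get(st["profile"], [])}
        common = (hp & sp) - {None}
        out.append(f"OK: {name} shares Phase 2 proposal {sorted(common)[0]}" if common
                   else f"MISMATCH: {name} has no common transform-set/mode between hub and spoke")
        if ht["mode"] != st["mode"]:
            out.append(f"MISMATCH: {name} tunnel mode hub={ht['mode']} spoke={st['mode']}")
        for side, t in (("hub", ht), ("spoke", st)):
            if t["source"] is None:
                out.append(f"NOTE: {side} {name} has no tunnel source")
            if t["shared"]:
                out.append(f"NOTE: {side} {name} uses 'shared'; only needed when tunnels share a source")
    for side, cfg in (("hub", hub), ("spoke", spoke)):
        for n, p in cfg["isakmp"].items():
            if p["hash"] == "md5" or p["encryption"] == "des":
                out.append(f"WEAK: {side} isakmp policy {n} uses {p['encryption']}/{p['hash']}")
    return out


if __name__ == "__main__":
    for line in compare(crypto_summary(HUB_CFG), crypto_summary(SPOKE_CFG)):
        print(line)
```

Run against the posted configs it reports no MISMATCH line (policy 1 and xxx-SET2 agree on both sides), a NOTE for the `shared` keyword on each tunnel and for the spoke's missing `tunnel source`, and WEAK lines for the md5/des policies; swapping `esp-aes` for `esp-3des` on one side turns the Phase 2 line into a MISMATCH, which is the kind of proposal difference the reply above is asking to rule out.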

Richard Tapp
Level 1

I tried this and it did not make any difference

Is the spoke behind NAT?

Richard Tapp
Level 1

The spoke has a public IP.

#show dmvpn detail <<- please share this