06-15-2016 12:33 AM - edited 03-12-2019 07:22 AM
Hi Experts,
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key NET123 address 0.0.0.0
!
!
crypto ipsec transform-set xform esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set xform
set pfs group5
!
interface Loopback0
ip address 192.168.204.1 255.255.255.0
!
interface Loopback1
ip address 192.168.101.101 255.255.255.0
!
interface Tunnel0
ip address 172.16.200.12 255.255.255.0
no ip redirects
ip nhrp map multicast 52.40.101.226
ip nhrp map 172.16.200.11 52.40.101.226
ip nhrp network-id 1
ip nhrp nhs 172.16.200.11
ip nhrp shortcut
ip nhrp redirect
tunnel source GigabitEthernet1
tunnel mode gre multipoint
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!
ip-172-31-20-75# debug nhrp
NHRP protocol debugging is on
ip-172-31-20-75#ter
ip-172-31-20-75#terminal mon
ip-172-31-20-75#terminal monitor
ip-172-31-20-75#
*Jun 15 00:18:47.304: NHRP: Setting retrans delay to 64 for nhs dst 172.16.200.11
*Jun 15 00:18:47.304: NHRP: Attempting to send packet through interface Tunnel0 via DEST dst 172.16.200.11
*Jun 15 00:18:47.304: NHRP: Send Registration Request via Tunnel0 vrf global(0x0), packet size: 92
*Jun 15 00:18:47.304: src: 172.16.200.12, dst: 172.16.200.11
*Jun 15 00:18:47.304: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Jun 15 00:18:47.304: shtl: 4(NSAP), sstl: 0(NSAP)
*Jun 15 00:18:47.304: pktsz: 92 extoff: 52
*Jun 15 00:18:47.304: (M) flags: "unique nat ", reqid: 456
*Jun 15 00:18:47.304: src NBMA: 172.31.20.75
*Jun 15 00:18:47.304: src protocol: 172.16.200.12, dst protocol: 172.16.200.11
*Jun 15 00:18:47.305: (C-1) code: no error(0)
*Jun 15 00:18:47.305: prefix: 32, mtu: 9976, hd_time: 7200
*Jun 15 00:18:47.305: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
*Jun 15 00:18:47.305: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 52.40.101.226
*Jun 15 00:18:47.305: NHRP: 116 bytes out Tunnel0
HUB-CSR-AWS:
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key NET123 address 0.0.0.0
!
!
crypto ipsec transform-set xform esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set xform
set pfs group5
!
interface Loopback0
ip address 192.168.5.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.200.11 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
ip nhrp redirect
tunnel source GigabitEthernet1
tunnel mode gre multipoint
!
interface GigabitEthernet1
ip address dhcp
ip access-group 100 in
negotiation auto
!
Applied an ACL with the log option to capture packets if they are coming from any spoke, but unable to see any.
Extended IP access list 100
10 permit ip any any log (1140 matches)
!
interface GigabitEthernet1
ip address dhcp
ip access-group 100 in
negotiation auto
end
ip-172-31-33-28#show logging
*Jun 15 00:14:43.965: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 100 permitted tcp 221.194.44.218(35660) -> 172.31.33.28(22), 16 packets
*Jun 15 00:15:07.092: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 100 permitted tcp 121.18.238.10(42605) -> 172.31.33.28(22), 1 packet
*Jun 15 00:15:32.731: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 121.18.238.10
*Jun 15 00:18:14.063: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 100 permitted tcp 121.18.238.22(42659) -> 172.31.33.28(22), 15 packets
*Jun 15 00:20:13.981: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 100 permitted tcp 121.18.238.10(42605) -> 172.31.33.28(22), 5 packets
*Jun 15 00:21:33.865: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 100 permitted tcp 121.18.238.31(37599) -> 172.31.33.28(22), 1 packet
*Jun 15 00:21:59.334: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 100 permitted tcp 73.220.149.55(57991) -> 172.31.33.28(22), 1 packet
*Jun 15 00:23:16.522: %FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list 100 permitted tcp 221.194.44.219(47765) -> 172.31.33.28(22), 1 packet
No NHRP REQUEST COMING TO HUB FROM SPOKE OR NO REPLY FROM HUB TO SPOKE
ip-172-31-33-28(config)#
ip-172-31-33-28(config-if)#shu
ip-172-31-33-28(config-if)#
ip-172-31-33-28(config-if)#no s
*Jun 15 00:31:04.940: NHRP: if_admindown: Tunnel0
*Jun 15 00:31:04.940: NHRP: if_down: Tunnel0 proto NHRP_IPv4
*Jun 15 00:31:04.940: NHRP: if_down: Tunnel0 proto NHRP_IPv4hu
ip-172-31-33-28(config-if)#no shutdown
ip-172-31-33-28(config-if)#
*Jun 15 00:31:06.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Jun 15 00:31:06.940: %LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
ip-172-31-33-28(config-if)#
*Jun 15 00:31:07.034: NHRP: if_up: Tunnel0 proto 'NHRP_IPv4'
*Jun 15 00:31:07.034: NHRP: Registration with Tunnels Decap Module succeeded
*Jun 15 00:31:07.034: NHRP: Adding all static maps to cache
*Jun 15 00:31:08.033: NHRP: Unable to send Registration - no NHSes configured
*Jun 15 00:31:09.034: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jun 15 00:31:09.034: NHRP: if_up: Tunnel0 proto 'NHRP_IPv4'
*Jun 15 00:31:09.035: NHRP: Registration with Tunnels Decap Module succeeded
*Jun 15 00:31:09.035: NHRP: Adding all static maps to cache
*Jun 15 00:31:09.036: NHRP: Unable to send Registration - no NHSes configured
*Jun 15 00:31:09.036: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
*Jun 15 00:31:10.034: NHRP: Unable to send Registration - no NHSes configured
ip-172-31-33-28#show access-lists
Extended IP access list 100
10 permit gre any any log
20 permit 54 any any log
30 permit ip any any (22 matches)
ip-172-31-33-28#
SPOKE-CSR-AZURE:
================
PUBLIC IP:40.112.213.43
CSR1000V-AZURE#show configuration | beg crypto
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key NET123 address 0.0.0.0
!
!
crypto ipsec transform-set xform esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set xform
set pfs group5
!
interface Tunnel0
ip address 172.16.200.13 255.255.255.0
no ip redirects
ip nhrp map multicast 52.40.101.226
ip nhrp map 172.16.200.11 52.40.101.226
ip nhrp network-id 1
ip nhrp nhs 172.16.200.11
ip nhrp shortcut
ip nhrp redirect
tunnel source GigabitEthernet1
tunnel mode gre multipoint
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!
*Jun 15 00:35:49.512: NHRP: Setting retrans delay to 64 for nhs dst 172.16.200.11
*Jun 15 00:35:49.512: NHRP: Attempting to send packet through interface Tunnel0 via DEST dst 172.16.200.11
*Jun 15 00:35:49.512: NHRP: Send Registration Request via Tunnel0 vrf global(0x0), packet size: 92
*Jun 15 00:35:49.512: src: 172.16.200.13, dst: 172.16.200.11
*Jun 15 00:35:49.512: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Jun 15 00:35:49.512: shtl: 4(NSAP), sstl: 0(NSAP)
*Jun 15 00:35:49.512: pktsz: 92 extoff: 52
*Jun 15 00:35:49.512: (M) flags: "unique nat ", reqid: 15
*Jun 15 00:35:49.512: src NBMA: 10.10.0.4
*Jun 15 00:35:49.512: src protocol: 172.16.200.13, dst protocol: 172.16.200.11
*Jun 15 00:35:49.512: (C-1) code: no error(0)
*Jun 15 00:35:49.512: prefix: 32, mtu: 9976, hd_time: 7200
*Jun 15 00:35:49.512: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
*Jun 15 00:35:49.512: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 52.40.101.226
*Jun 15 00:35:49.512: NHRP: 116 bytes out Tunnel0
Regards
Syed.
06-15-2016 03:53 AM
Enabled tunnel protection on spokes and hub but still seeing no communication b/w CSR-SPOKE-AZURE and CSR-AWS-HUB.
After removing the tunnel protection, at least NHRP b/w CSR-AWS-Spoke and CSR-AWS-HUB is working, but not with CSR-AZURE-Spoke.
OUTPUTS FROM CSR-AWS-HUB:
ip-172-31-33-28#show logging
*Jun 15 08:36:57.032: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 54.191.183.223
*Jun 15 08:36:57.032: NHRP: 156 bytes out Tunnel0
*Jun 15 08:37:13.656: NHRP: Checking for delayed event NULL/172.16.200.12 on list (Tunnel0 vrf: global(0x0))
*Jun 15 08:37:13.656: NHRP: No delayed event node found.
*Jun 15 08:40:49.064: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 31 packets
*Jun 15 08:45:49.074: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 30 packets
*Jun 15 08:50:49.084: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 30 packets
*Jun 15 08:55:49.094: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 30 packets
*Jun 15 09:00:49.104: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 30 packets
*Jun 15 09:05:49.114: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 31 packets
*Jun 15 09:10:49.135: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 29 packets
*Jun 15 09:14:12.905: NHRP: Receive Registration Request via Tunnel0 vrf global(0x0), packet size: 92
*Jun 15 09:14:12.906: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Jun 15 09:14:12.906: shtl: 4(NSAP), sstl: 0(NSAP)
*Jun 15 09:14:12.906: pktsz: 92 extoff: 52
*Jun 15 09:14:12.906: (M) flags: "unique nat ", reqid: 472
*Jun 15 09:14:12.906: src NBMA: 172.31.20.75
*Jun 15 09:14:12.906: src protocol: 172.16.200.12, dst protocol: 172.16.200.11
*Jun 15 09:14:12.906: (C-1) code: no error(0)
*Jun 15 09:14:12.906: prefix: 32, mtu: 9976, hd_time: 7200
*Jun 15 09:14:12.906: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
*Jun 15 09:14:12.906: NHRP: Tunnels gave us pak src: 54.191.183.223
*Jun 15 09:14:12.906: NHRP: Adding Tunnel Endpoints (VPN: 172.16.200.12, NBMA: 54.191.183.223)
*Jun 15 09:14:12.906: NHRP: NHRP subblock already exists for Tunnel Endpoints (VPN: 172.16.200.12, NBMA: 54.191.183.223)
*Jun 15 09:14:12.906: NHRP: Peer capability:0
*Jun 15 09:14:12.906: NHRP: Cache already has a subblock node attached for Tunnel Endpoints (VPN: 172.16.200.12, NBMA: 54.191.183.223)
*Jun 15 09:14:12.906: NHRP: Adding Tunnel Endpoints (VPN: 172.16.200.12, NBMA: 54.191.183.223)
*Jun 15 09:14:12.906: NHRP: NHRP subblock already exists for Tunnel Endpoints (VPN: 172.16.200.12, NBMA: 54.191.183.223)
*Jun 15 09:14:12.906: NHRP: Peer capability:0
*Jun 15 09:14:12.906: NHRP: Cache already has a subblock node attached for Tunnel Endpoints (VPN: 172.16.200.12, NBMA: 54.191.183.223)
*Jun 15 09:14:12.906: NHRP: nhrp_subblock_check_for_map() - Map Already Exists
*Jun 15 09:14:12.906: NHRP: Attempting to send packet through interface Tunnel0 via DEST dst 172.16.200.12
*Jun 15 09:14:12.906: NHRP: Send Registration Reply via Tunnel0 vrf global(0x0), packet size: 132
*Jun 15 09:14:12.906: src: 172.16.200.11, dst: 172.16.200.12
*Jun 15 09:14:12.906: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Jun 15 09:14:12.906: shtl: 4(NSAP), sstl: 0(NSAP)
*Jun 15 09:14:12.906: pktsz: 132 extoff: 52
*Jun 15 09:14:12.906: (M) flags: "unique nat ", reqid: 472
*Jun 15 09:14:12.906: src NBMA: 172.31.20.75
*Jun 15 09:14:12.906: src protocol: 172.16.200.12, dst protocol: 172.16.200.11
*Jun 15 09:14:12.906: (C-1) code: no error(0)
*Jun 15 09:14:12.906: prefix: 32, mtu: 9976, hd_time: 7200
*Jun 15 09:14:12.906: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
*Jun 15 09:14:12.906: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 54.191.183.223
*Jun 15 09:14:12.906: NHRP: 156 bytes out Tunnel0
*Jun 15 09:15:49.133: %FMANFP-6-IPACCESSLOGNP: F0: fman_fp_image: list 100 permitted 47 54.191.183.223 -> 172.31.33.28, 33 packets
ip-172-31-33-28#
ip-172-31-33-28# show ip nhrp
172.16.200.12/32 via 172.16.200.12
Tunnel0 created 00:43:32, expire 01:54:21
Type: dynamic, Flags: unique registered used nhop
NBMA address: 54.191.183.223
(Claimed NBMA address: 172.31.20.75)
ip-172-31-33-28#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==============================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 54.191.183.223 172.16.200.12 UP 00:43:05 DN
ip-172-31-33-28#
ip-172-31-33-28#show ip nhrp traffic
Tunnel0: Max-send limit:10000Pkts/10Sec, Usage:0%
Sent: Total 2
0 Resolution Request 0 Resolution Reply 0 Registration Request
2 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication 0 Traffic Indication 0 Redirect Suppress
Rcvd: Total 2
0 Resolution Request 0 Resolution Reply 2 Registration Request
0 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication 0 Traffic Indication 0 Redirect Suppress
ip-172-31-33-28#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 172.31.33.28 YES DHCP up up
Loopback0 192.168.5.1 YES NVRAM up up
Tunnel0 172.16.200.11 YES manual up up
ip-172-31-33-28#
ip-172-31-33-28#ping 172.16.200.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
OUTPUT FROM CSR-AWS-SPOKE:
==========================
ip-172-31-20-75#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==============================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 52.40.101.226 172.16.200.11 UP 00:50:24 S
ip-172-31-20-75#show ip nhrp brief
******************************
NOTE: Link-Local, No-socket and Incomplete entries are not displayed
******************************
Legend: Type --> S - Static, D - Dynamic
Flags --> u - unique, r - registered, e - temporary, c - claimed
a - authoritative, t - route
==============================
Intf NextHop Address NBMA Address
Target Network T/Flag
-------- ------------------------------
Tu0 172.16.200.11 52.40.101.226
ip-172-31-20-75#show ip nhrp static
172.16.200.11/32 via 172.16.200.11
Tunnel0 created 00:53:25, never expire
Type: static, Flags: used
NBMA address: 52.40.101.226
ip-172-31-20-75#show ip nhrp traffic
Tunnel0: Max-send limit:10000Pkts/10Sec, Usage:0%
Sent: Total 11
0 Resolution Request 0 Resolution Reply 11 Registration Request
0 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication 0 Traffic Indication 0 Redirect Suppress
Rcvd: Total 2
0 Resolution Request 0 Resolution Reply 0 Registration Request
2 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication 0 Traffic Indication 0 Redirect Suppress
ip-172-31-20-75#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 172.31.20.75 YES DHCP up up
Loopback0 192.168.204.1 YES manual up up
Loopback1 192.168.101.101 YES manual up up
Tunnel0 172.16.200.12 YES manual up up
ip-172-31-20-75#ping 172.16.200.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/13 ms
ip-172-31-20-75#show ip nhrp nhs
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
172.16.200.11 RE priority = 0 cluster = 0
ip-172-31-20-75#
06-16-2016 03:59 PM
Hi Syed, did you enable UDP4500 and 500 in the security group?
Please refer to configuration here: http://www.cisco.com/c/dam/en/us/products/collateral/routers/cloud-services-router-1000v-series/csr-in-aws-cvd.pdf
This applies to Azure as well.
Thanks,
Fan
06-16-2016 09:45 PM
Thanks Fan for looking into it. I have allowed all traffic from any source and every protocol in the security group from the beginning. I even tried with a single CSR hub in AWS to a spoke in Azure and it is not working, although I am seeing Azure send NHRP requests and getting replies, but the status on the hub is like this.
HUB:
=====
ip-172-31-20-75# show version
Cisco IOS XE Software, Version 03.16.02.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-
Technical Support: http://www.cisco.com/
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 09-Feb-16 07:03 by mcpre
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key NET123 address 0.0.0.0
!
!
crypto ipsec transform-set xform esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set xform
set pfs group5
!
ip-172-31-20-75#show run interface tunnel1
Building configuration...
Current configuration : 286 bytes
!
interface Tunnel1
ip address 172.16.200.12 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 10
ip nhrp shortcut
ip nhrp redirect
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile DMVPN
end
ip-172-31-20-75#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==============================
Interface: Tunnel1, IPv4 NHRP Details
Type:Unknown, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 UNKNOWN 172.16.200.11 NHRP never IX
ip-172-31-20-75#
ip-172-31-20-75#show cr
ip-172-31-20-75#show crypto ip
ip-172-31-20-75#show crypto ipsec sa
ip-172-31-20-75#
ip-172-31-20-75#
ip-172-31-20-75#show cry
ip-172-31-20-75#show crypto is
ip-172-31-20-75#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.31.20.75 13.88.15.55 QM_IDLE 1282 ACTIVE
172.31.20.75 13.88.15.55 MM_NO_STATE 1281 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
ip-172-31-20-75#deb
ip-172-31-20-75#debug nh
ip-172-31-20-75#debug nhrp
NHRP protocol debugging is on
ip-172-31-20-75#ter
ip-172-31-20-75#terminal mon
ip-172-31-20-75#terminal monitor
ip-172-31-20-75#
*Jun 16 11:24:44.758: NHRP: NHRP could not map 172.16.200.11 to NBMA, cache entry not found
*Jun 16 11:24:44.758: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 10
*Jun 16 11:24:44.758: NHRP: Checking for delayed event NULL/172.16.200.11 on list (Tunnel1 vrf: global(0x0))
*Jun 16 11:24:44.758: NHRP: No delayed event node found.
*Jun 16 11:24:52.758: NHRP: NHRP could not map 172.16.200.11 to NBMA, cache entry not found
*Jun 16 11:24:52.758: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 10
*Jun 16 11:24:52.758: NHRP: Checking for delayed event NULL/172.16.200.11 on list (Tunnel1 vrf: global(0x0))
*Jun 16 11:24:52.758: NHRP: No delayed event node found.
*Jun 16 11:24:57.352: NHRP: Checking for delayed event NULL/172.16.200.11 on list (Tunnel1 vrf: global(0x0))
*Jun 16 11:24:57.352: NHRP: No delayed event node found.
*Jun 16 11:24:57.352: NHRP: There is no VPE Extension to construct for the request
*Jun 16 11:24:57.352: NHRP: Sending NHRP Resolution Request for dest: 172.16.200.11 to nexthop: 172.16.200.11 using our src: 172.16.200.12 vrf:global(0x0)
*Jun 16 11:24:57.352: NHRP: Attempting to send packet through interface Tunnel1 via DEST dst 172.16.200.11
*Jun 16 11:24:57.352: NHRP: IP route lookup(idb netid match) yielded Tunnel1, nhop 172.16.200.11 for 172.16.200.11 vrf global(0x0) netid: 10 intf: 0
*Jun 16 11:24:57.352: NHRP: Send Resolution Request via Tunnel1 vrf global(0x0), packet size: 72
*Jun 16 11:24:57.352: src: 172.16.200.12, dst: 172.16.200.11
*Jun 16 11:24:57.352: NHRP: NHRP could not map 172.16.200.11 to NBMA, cache entry not found
*Jun 16 11:24:57.352: NHRP: Encapsulation failed for destination 172.16.200.11 out Tunnel1
*Jun 16 11:25:17.690: NHRP: NHRP could not map 172.16.200.11 to NBMA, cache entry not found
*Jun 16 11:25:17.690: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 10
*Jun 16 11:25:17.690: NHRP: Checking for delayed event NULL/172.16.200.11 on list (Tunnel1 vrf: global(0x0))
*Jun 16 11:25:17.690: NHRP: No delayed event node found.
*Jun 16 11:25:19.691: NHRP: NHRP could not map 172.16.200.11 to NBMA, cache entry not found
*Jun 16 11:25:19.691: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 10
*Jun 16 11:25:19.691: NHRP: Checking for delayed event NULL/172.16.200.11 on list (Tunnel1 vrf: global(0x0))
*Jun 16 11:25:19.691: NHRP: No delayed event node found.
ip-172-31-20-75#un
*Jun 16 11:25:23.691: NHRP: NHRP could not map 172.16.200.11 to NBMA, cache entry not found
*Jun 16 11:25:23.691: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 10
*Jun 16 11:25:23.691: NHRP: Checking for delayed event NULL/172.16.200.11 on list (Tunnel1 vrf: global(0x0))
*Jun 16 11:25:23.691: NHRP: No delayed event node found.de
ip-172-31-20-75#undebug all
Parameter map cws-tunnel global not configured
All possible debugging has been turned off
ip-172-31-20-75#ter
ip-172-31-20-75#terminal no mon
ip-172-31-20-75#terminal no monitor
ip-172-31-20-75#debug crypto ipsec
Crypto IPSEC debugging is on
ip-172-31-20-75#ter
ip-172-31-20-75#terminal mon
ip-172-31-20-75#terminal monitor
ip-172-31-20-75#debug crypto isakmp
Crypto ISAKMP debugging is on
ip-172-31-20-75#
*Jun 16 11:26:10.110: ISAKMP-PAK: (1282):received packet from 13.88.15.55 dport 4500 sport 4500 Global (R) QM_IDLE
*Jun 16 11:26:10.110: ISAKMP: (1282):set new node 3047695688 to QM_IDLE
*Jun 16 11:26:10.110: ISAKMP: (1282):processing HASH payload. message ID = 3047695688
*Jun 16 11:26:10.110: ISAKMP: (1282):processing SA payload. message ID = 3047695688
*Jun 16 11:26:10.110: ISAKMP: (1282):Checking IPSec proposal 1
*Jun 16 11:26:10.110: ISAKMP: (1282):transform 1, ESP_3DES
*Jun 16 11:26:10.110: ISAKMP: (1282): attributes in transform:
*Jun 16 11:26:10.110: ISAKMP: (1282): encaps is 3 (Tunnel-UDP)
*Jun 16 11:26:10.110: ISAKMP: (1282): SA life type in seconds
*Jun 16 11:26:10.110: ISAKMP: (1282): SA life duration (basic) of 3600
*Jun 16 11:26:10.110: ISAKMP: (1282): SA life type in kilobytes
*Jun 16 11:26:10.110: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 16 11:26:10.110: ISAKMP: (1282): authenticator is HMAC-MD5
*Jun 16 11:26:10.110: ISAKMP: (1282): group is 5
*Jun 16 11:26:10.110: ISAKMP: (1282):atts are acceptable.
*Jun 16 11:26:10.110: IPSEC(validate_proposal_
*Jun 16 11:26:10.110: IPSEC(validate_proposal_
(key eng. msg.) INBOUND local= 172.31.20.75:0, remote= 13.88.15.55:0,
local_proxy= 54.191.183.223/255.255.255.
remote_proxy= 10.0.0.4/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 16 11:26:10.110: map_db_find_best did not find matching map
*Jun 16 11:26:10.110: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jun 16 11:26:10.110: ISAKMP-ERROR: (1282):IPSec policy invalidated proposal with error 32
*Jun 16 11:26:10.112: ISAKMP-ERROR: (1282):phase 2 SA policy not acceptable! (local 172.31.20.75 remote 13.88.15.55)
*Jun 16 11:26:10.112: ISAKMP: (1282):set new node 965403232 to QM_IDLE
*Jun 16 11:26:10.112: ISAKMP: (1282):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 139698569958680, message ID = 965403232
*Jun 16 11:26:10.112: ISAKMP-PAK: (1282):sending packet to 13.88.15.55 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jun 16 11:26:10.112: ISAKMP: (1282):Sending an IKE IPv4 Packet.
*Jun 16 11:26:10.112: ISAKMP: (1282):purging node 965403232
*Jun 16 11:26:10.112: ISAKMP-ERROR: (1282):deleting node 3047695688 error TRUE reason "QM rejected"
*Jun 16 11:26:10.113: ISAKMP: (1282):Node 3047695688, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun 16 11:26:10.113: ISAKMP: (1282):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jun 16 11:26:10.401: %SYS-4-LOGGING_PERSISTENT_
*Jun 16 11:26:30.110: ISAKMP: (1282):purging node 3119898482
ip-172-31-20-75#
ip-172-31-20-75#
ip-172-31-20-75#und
ip-172-31-20-75#undebug all
Parameter map cws-tunnel global not configured
All possible debugging has been turned off
ip-172-31-20-75#
*Jun 16 11:27:00.112: ISAKMP: (1282):purging node 3047695688ter
ip-172-31-20-75#terminal no mon
ip-172-31-20-75#terminal no monitor
ip-172-31-20-75#
ip-172-31-20-75#
ip-172-31-20-75#
SPOKE-AZURE:
============
CSR1000V-NEW#show running-config interface tunnel0
Building configuration...
Current configuration : 312 bytes
!
interface Tunnel0
ip address 172.16.200.13 255.255.255.0
no ip redirects
ip nhrp network-id 10
ip nhrp nhs 172.16.200.12 nbma 54.191.183.223 multicast
ip nhrp shortcut
ip nhrp redirect
tunnel source GigabitEthernet1
tunnel mode gre multipoint
tunnel key 10
tunnel protection ipsec profile DMVPN
end
CSR1000V-NEW#show dm
CSR1000V-NEW#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==============================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 54.191.183.223 172.16.200.12 IKE 01:25:24 S
CSR1000V-NEW#
CSR1000V-NEW#show cry
CSR1000V-NEW#show crypto ip
CSR1000V-NEW#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.0.0.4
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.4/255.255.255.255/47/0
remote ident (addr/mask/prot/port): (54.191.183.223/255.255.255.
current_peer 54.191.183.223 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 81, #recv errors 0
local crypto endpt.: 10.0.0.4, remote crypto endpt.: 54.191.183.223
plaintext mtu 1472, path mtu 1472, ip mtu 1472, ip mtu idb Tunnel0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
CSR1000V-NEW#
CSR1000V-NEW#show cr
CSR1000V-NEW#show crypto is
CSR1000V-NEW#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
54.191.183.223 10.0.0.4 QM_IDLE 1004 ACTIVE
IPv6 Crypto ISAKMP SA
CSR1000V-NEW#show ip nhr
CSR1000V-NEW#show ip nhrp br
CSR1000V-NEW#show ip nhrp brief
******************************
NOTE: Link-Local, No-socket and Incomplete entries are not displayed
******************************
Legend: Type --> S - Static, D - Dynamic
Flags --> u - unique, r - registered, e - temporary, c - claimed
a - authoritative, t - route
==============================
Intf NextHop Address NBMA Address
Target Network T/Flag
-------- ------------------------------
Tu0 172.16.200.12 54.191.183.223
CSR1000V-NEW#terminal monitor
CSR1000V-NEW#
*Jun 16 11:33:48.435: NHRP: Setting retrans delay to 64 for nhs dst 172.16.200.12
*Jun 16 11:33:48.435: NHRP: Attempting to send packet through interface Tunnel0 via DEST dst 172.16.200.12
*Jun 16 11:33:48.435: NHRP: Send Registration Request via Tunnel0 vrf global(0x0), packet size: 92
*Jun 16 11:33:48.435: src: 172.16.200.13, dst: 172.16.200.12
*Jun 16 11:33:48.435: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 54.191.183.223
*Jun 16 11:33:48.435: NHRP: 120 bytes out Tunnel0
*Jun 16 11:34:48.919: NHRP: Setting retrans delay to 64 for nhs dst 172.16.200.12
*Jun 16 11:34:48.920: NHRP: Attempting to send packet through interface Tunnel0 via DEST dst 172.16.200.12
*Jun 16 11:34:48.920: NHRP: Send Registration Request via Tunnel0 vrf global(0x0), packet size: 92
*Jun 16 11:34:48.920: src: 172.16.200.13, dst: 172.16.200.12
*Jun 16 11:34:48.920: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 54.191.183.223
*Jun 16 11:34:48.920: NHRP: 120 bytes out Tunnel0
CSR1000V-NEW#
CSR1000V-NEW#deb
CSR1000V-NEW#debug nh
CSR1000V-NEW#debug cr
CSR1000V-NEW#debug crypto ip
CSR1000V-NEW#debug crypto ipse
CSR1000V-NEW#debug crypto ipsec
Crypto IPSEC debugging is on
CSR1000V-NEW#deb
CSR1000V-NEW#debug cr
CSR1000V-NEW#debug crypto is
CSR1000V-NEW#debug crypto isakmp
Crypto ISAKMP debugging is on
CSR1000V-NEW#
*Jun 16 11:35:18.924: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 10.0.0.4:0, remote= 54.191.183.223:0,
local_proxy= 10.0.0.4/255.255.255.255/47/0,
remote_proxy= 54.191.183.223/255.255.255.
*Jun 16 11:35:18.924: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.0.4:500, remote= 54.191.183.223:500,
local_proxy= 10.0.0.4/255.255.255.255/47/0,
remote_proxy= 54.191.183.223/255.255.255.
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jun 16 11:35:18.924: ISAKMP: (1005):set new node 0 to QM_IDLE
*Jun 16 11:35:18.924: ISAKMP: (1005):SA has outstanding requests (local 10.0.0.4 port 4500, remote 54.191.183.223 port 4500)
*Jun 16 11:35:18.924: ISAKMP: (1005):sitting IDLE. Starting QM immediately (QM_IDLE )
*Jun 16 11:35:18.924: ISAKMP: (1005):beginning Quick Mode exchange, M-ID of 2180219218
*Jun 16 11:35:18.930: ISAKMP: (1005):QM Initiator gets spi
*Jun 16 11:35:18.930: ISAKMP-PAK: (1005):sending packet to 54.191.183.223 my_port 4500 peer_port 4500 (I) QM_IDLE
*Jun 16 11:35:18.930: ISAKMP: (1005):Sending an IKE IPv4 Packet.
*Jun 16 11:35:18.930: ISAKMP: (1005):Node 2180219218, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 16 11:35:18.930: ISAKMP: (1005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jun 16 11:35:18.956: ISAKMP-PAK: (1005):received packet from 54.191.183.223 dport 4500 sport 4500 Global (I) QM_IDLE
*Jun 16 11:35:18.956: ISAKMP: (1005):set new node 3743091958 to QM_IDLE
*Jun 16 11:35:18.956: ISAKMP: (1005):processing HASH payload. message ID = 3743091958
*Jun 16 11:35:18.956: ISAKMP: (1005):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3253136007, message ID = 3743091958, sa = 0x7F6B2537D888
*Jun 16 11:35:18.956: ISAKMP: (1005):deleting spi 3253136007 message ID = 2180219218
*Jun 16 11:35:18.956: ISAKMP-ERROR: (1005):deleting node 2180219218 error TRUE reason "Delete Larval"
*Jun 16 11:35:18.956: ISAKMP: (1005):deleting node 3743091958 error FALSE reason "Informational (in) state 1"
*Jun 16 11:35:18.957: ISAKMP: (1005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 16 11:35:18.957: ISAKMP: (1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 16 11:35:38.968: ISAKMP: (1005):purging node 3533558883
*Jun 16 11:35:38.969: ISAKMP: (1005):purging node 1824754001
*Jun 16 11:35:39.231: NHRP: Setting retrans delay to 64 for nhs dst 172.16.200.12
*Jun 16 11:35:39.231: NHRP: Attempting to send packet through interface Tunnel0 via DEST dst 172.16.200.12
*Jun 16 11:35:39.231: NHRP: Send Registration Request via Tunnel0 vrf global(0x0), packet size: 92
*Jun 16 11:35:39.232: src: 172.16.200.13, dst: 172.16.200.12
*Jun 16 11:35:39.232: NHRP: Encapsulation succeeded. Sending NHRP Control Packet NBMA Address: 54.191.183.223
*Jun 16 11:35:39.232: NHRP: 120 bytes out Tunnel0
*Jun 16 11:35:48.923: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 10.0.0.4:0, remote= 54.191.183.223:0,
local_proxy= 10.0.0.4/255.255.255.255/47/0,
remote_proxy= 54.191.183.223/255.255.255.
*Jun 16 11:36:08.956: ISAKMP: (1005):purging node 2180219218
*Jun 16 11:36:08.956: ISAKMP: (1005):purging node 3743091958
CSR1000V-NEW#
CSR1000V-NEW#ter
CSR1000V-NEW#terminal no mon
CSR1000V-NEW#terminal no monitor
CSR1000V-NEW#undeb
CSR1000V-NEW#undebug all
Parameter map cws-tunnel global not configured
All possible debugging has been turned off
CSR1000V-NEW#
I found this bug. Could you take a look? Is it somehow related to my issue?
Regards
syed
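The debug output in the post above shows Phase 1 completing and the Quick Mode proposal then being refused with PROPOSAL_NOT_CHOSEN. As an added example (not part of the original post), this Python sketch pairs each refused Quick Mode with the transform and encapsulation mode that was proposed; the function and variable names are hypothetical and the regexes assume the IOS debug format shown in this thread.

```python
import re

# Excerpt of the debug output above (intervening lines dropped).
SAMPLE_DEBUG = """\
*Jun 16 11:35:18.924: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.0.4:500, remote= 54.191.183.223:500,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
*Jun 16 11:35:18.924: ISAKMP: (1005):beginning Quick Mode exchange, M-ID of 2180219218
*Jun 16 11:35:18.956: ISAKMP: (1005):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Jun 16 11:35:18.956: ISAKMP-ERROR: (1005):deleting node 2180219218 error TRUE reason "Delete Larval"
"""

REQ_REMOTE = re.compile(r"OUTBOUND local= \S+ remote= ([\d.]+):")
TRANSFORM = re.compile(r"transform= (.+?)\s+\(([\w-]+)\)")
QM_START = re.compile(r"ISAKMP: \((\d+)\):beginning Quick Mode exchange, M-ID of (\d+)")
REJECT = re.compile(r"ISAKMP: \((\d+)\):processing NOTIFY PROPOSAL_NOT_CHOSEN")


def rejected_quick_modes(debug_text):
    """Return one dict per Quick Mode proposal that the peer refused."""
    last_req, pending, rejected = {}, {}, []
    for line in debug_text.splitlines():
        if m := REQ_REMOTE.search(line):
            # A new sa_request starts: remember which peer it targets.
            last_req = {"peer": m.group(1)}
        elif m := TRANSFORM.search(line):
            last_req.update(transform=m.group(1), mode=m.group(2))
        elif m := QM_START.search(line):
            # Tie the most recent sa_request to this IKE SA's Quick Mode.
            pending[m.group(1)] = dict(last_req, sa=m.group(1), msg_id=m.group(2))
        elif m := REJECT.search(line):
            if m.group(1) in pending:
                rejected.append(pending.pop(m.group(1)))
    return rejected


if __name__ == "__main__":
    for r in rejected_quick_modes(SAMPLE_DEBUG):
        print(f"peer {r['peer']} refused {r['transform']} ({r['mode']}) on SA {r['sa']}")
```

Running the same function over the hub's debug for the same time window shows which side's transform set or mode the proposal failed to match.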
06-17-2016 11:32 AM
Hi Syed,
Did you try shut/unshut of the tunnel interface on both sides?
Can you paste "show crypto session detail" from both sides?
Thanks,
Fan
06-17-2016 11:53 AM
Thanks Fan,
I tried last night. If I use transport mode it works fine, but tunnel mode is not working. Is there any known issue or restriction?
AWS-SPOKE--------AWS-HUB-----AZURE-SPOKE.
So tunnel mode works fine between CSR and CSR in AWS, but in order to bring Azure into this DMVPN I need to use transport mode.
Regards
Syed.
06-21-2016 08:50 AM
Hi Syed,
Both are supported, and we recommend transport mode.
06-21-2016 11:23 AM
Fan, can you take a look and let me know what I am missing with respect to configuration, or what exactly the problem is that tunnel mode, which is the default, is not working?
Regards
Syed
06-21-2016 12:08 PM
Hi Syed, can you paste the config and "show crypto session detail"? Thanks!
06-25-2016 01:40 AM
Hi Fan,
Here is the requested output. If I simply change it to transport mode, it will start working.
SPOKE:
======
ip-172-31-20-75#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Tunnel0
Session status: DOWN
Peer: 52.34.117.175 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 47 host 172.31.20.75 host 52.34.117.175
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 21 life (KB/Sec) 0/0
Interface: Tunnel0
Session status: DOWN
Peer: 23.99.6.254 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 47 host 172.31.20.75 host 23.99.6.254
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 21 life (KB/Sec) 0/0
Interface: Tunnel0
Session status: UP-IDLE
Peer: 23.99.6.254 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.0.4
Desc: (none)
Session ID: 0
IKEv1 SA: local 172.31.20.75/4500 remote 23.99.6.254/4500 Active
Capabilities:N connid:1201 lifetime:23:57:06
Interface: Tunnel0
Session status: UP-IDLE
Peer: 52.34.117.175 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 172.31.16.49
Desc: (none)
Session ID: 0
IKEv1 SA: local 172.31.20.75/4500 remote 52.34.117.175/4500 Active
Capabilities:N connid:1200 lifetime:23:54:46
ip-172-31-20-75#
HUB:
=====
ip-172-31-16-49#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Tunnel0
Session status: DOWN
Peer: 23.99.6.254 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 47 host 172.31.16.49 host 23.99.6.254
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: GigabitEthernet1
Session status: UP-IDLE
Peer: 104.45.227.118 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 10.10.0.4
Desc: (none)
Session ID: 0
IKEv1 SA: local 172.31.16.49/4500 remote 104.45.227.118/4500 Active
Capabilities:N connid:1065 lifetime:23:56:40
Interface: GigabitEthernet1
Session status: UP-IDLE
Peer: 54.191.183.223 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 172.31.20.75
Desc: (none)
Session ID: 0
IKEv1 SA: local 172.31.16.49/4500 remote 54.191.183.223/4500 Active
Capabilities:N connid:1063 lifetime:23:53:35
Interface: GigabitEthernet1
Session status: UP-IDLE
Peer: 23.99.6.254 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.0.4
Desc: (none)
Session ID: 0
IKEv1 SA: local 172.31.16.49/4500 remote 23.99.6.254/4500 Active
Capabilities:N connid:1064 lifetime:23:55:39
ip-172-31-16-49#
Regards
Syed
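Both outputs in the post above show the same pattern: an IKEv1 SA that is Active on UDP 4500 (NAT-T) while the matching IPSEC FLOW entry has zero active SAs. As an added example (not part of the original post), this Python sketch parses `show crypto session detail` text and lists the peers in that state; the function names are hypothetical and the parser assumes the field layout shown in this thread.

```python
import re
from collections import defaultdict

# Trimmed from the spoke output above (one peer, both of its entries).
SAMPLE = """\
Interface: Tunnel0
Session status: DOWN
Peer: 23.99.6.254 port 500 fvrf: (none) ivrf: (none)
IPSEC FLOW: permit 47 host 172.31.20.75 host 23.99.6.254
Active SAs: 0, origin: crypto map
Interface: Tunnel0
Session status: UP-IDLE
Peer: 23.99.6.254 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 10.0.0.4
IKEv1 SA: local 172.31.20.75/4500 remote 23.99.6.254/4500 Active
"""


def parse_sessions(text):
    """Split the output into one dict per 'Interface:' entry."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            sessions.append({"ike_active": False, "ipsec_sas": None})
        elif not sessions:
            continue  # banner and code legend before the first entry
        elif m := re.match(r"Session status: (\S+)", line):
            sessions[-1]["status"] = m.group(1)
        elif m := re.match(r"Peer: (\S+) port (\d+)", line):
            sessions[-1].update(peer=m.group(1), port=int(m.group(2)))
        elif m := re.match(r"Active SAs: (\d+)", line):
            sessions[-1]["ipsec_sas"] = int(m.group(1))
        elif re.match(r"IKEv1 SA: .* Active$", line):
            sessions[-1]["ike_active"] = True
    return sessions


def phase2_stalled(text):
    """Peers with a live IKE SA on UDP 4500 (NAT-T) but no IPsec SAs."""
    ike_natt, ipsec_sas = set(), defaultdict(int)
    for s in parse_sessions(text):
        peer = s.get("peer")
        if s["ike_active"] and s.get("port") == 4500:
            ike_natt.add(peer)
        if s["ipsec_sas"] is not None:
            ipsec_sas[peer] += s["ipsec_sas"]
    return sorted(p for p in ike_natt if ipsec_sas[p] == 0)
```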
06-27-2016 12:21 PM
Hi Fan ,
Please let me know if this is the output you are looking for. I can share the setup with configuration on WebEx as well if you want.
Regards
Syed
3165738704
06-29-2016 09:31 AM
Hi Syed, let me try on my end and get back to you soon. Thanks! - Fan
06-29-2016 04:05 PM
Thanks Fan.
Regards
Syed
07-04-2016 04:36 PM
Hi Syed,
To get tunnel mode to work here with VTI, it needs to use only IPSec (not IPSec+GRE), so you need to configure "tunnel mode ipsec ipv4" under the tunnel interface.
I remember you mentioned that when taking the crypto off the DMVPN, the AWS-AWS tunnel is up, but not AWS-Azure. That's because Azure doesn't support GRE (only AWS supports GRE).
Here is more info regarding DMVPN: http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/dmvpn_design_guide.pdf
Thanks,
Fan
07-04-2016 09:03 PM
Thanks Fan for your reply. I will check, but if you are using IPSEC, then whether Azure supports GRE or not, it will be encapsulated in IPSEC. I have configured DMVPN with AWS and Azure, and it is NHRP (mGRE) + IPSEC with transport mode and it is working perfectly; only tunnel mode is not working. I will try to change to mode ipsec and will see if tunnel mode is working or not.
Regards
Syed