07-23-2023 09:06 PM
I'm getting a ton of log messages from public IPs trying to establish DMVPN connections to my 1111 router, and also UNKNOWN source addresses in "show dmvpn". I tried an ACL and applied it to the tunnel interface, but that's not effective as I have no idea what the source addresses are that are trying to establish DMVPN connections. Any ideas on how to resolve this issue? Thanks!
#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override, B - BGP
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel136, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
    13 UNKNOWN         10.23.25.229    IKE      never IX
     0 UNKNOWN         10.23.56.153    IKE      never IX
     0 UNKNOWN         10.23.222.182   IKE      never IX
     0 UNKNOWN         10.23.249.108   IKE      never IX
     0 UNKNOWN         10.50.148.184   IKE      never IX
     0 UNKNOWN         10.50.148.190   IKE      never IX
     0 UNKNOWN         10.50.149.105   IKE      never IX
     0 UNKNOWN         10.65.2.108     IKE      never IX
     0 UNKNOWN         10.72.4.10      IKE      never IX
     0 UNKNOWN         10.75.1.187     IKE      never IX
     0 UNKNOWN         10.87.9.11      IKE      never IX
     0 UNKNOWN         10.93.14.184    IKE      never IX
     0 UNKNOWN         10.93.27.111    IKE      never IX
=====================================================================================================
Jul 23 21:26:35.737 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 70.182.204.215
*Jul 23 21:27:36.539 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 208.75.118.10
*Jul 23 21:28:36.707 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 216.174.146.27
*Jul 23 21:29:37.454 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 38.13.240.130
*Jul 23 21:30:38.745 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 207.195.124.60
*Jul 23 21:31:38.975 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 195.155.6.86
*Jul 23 21:32:39.159 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 187.174.169.180
*Jul 23 21:33:40.029 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 175.196.112.246
*Jul 23 21:34:40.164 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 173.197.107.58
*Jul 23 21:35:42.305 MDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 173.233.173.147
07-24-2023 01:17 AM
You should rather block the public IPs in an ACL applied to the physical interface, if it is possible to list them all.
07-24-2023 01:32 AM
That's the problem: there seems to be a never-ending list of them, over 150 at last count. Is there no easier way to do this, no way to specify that I only want DMVPN with 2 source addresses?
07-24-2023 02:11 AM
No DDoS nor anything else.
Can I see the IPsec config of the hub and spokes?
07-24-2023 03:03 AM
The spoke is as follows:
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 group 21
!
crypto isakmp policy 2
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key SYRINGASIMP address 181.119.161.10
crypto isakmp profile PRIMARY-ISAKMP-PROFILE
 match identity address 0.0.0.0 ISP1
 initiate mode aggressive
 local-address BDI921
crypto isakmp profile BACKUP-ISAKMP-PROFILE
 match identity address 0.0.0.0 ISP2
 initiate mode aggressive
 local-address Cellular0/2/0
!
!
crypto ipsec transform-set SD-WAN esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
 mode tunnel
!
crypto ipsec profile BACKUP-IPSEC-PROFILE
 set transform-set SD-WAN
 set pfs group21
 set isakmp-profile BACKUP-ISAKMP-PROFILE
!
crypto ipsec profile PF
 set transform-set TS
!
crypto ipsec profile PRIMARY-IPSEC-PROFILE
 set transform-set SD-WAN
 set pfs group21
 set isakmp-profile PRIMARY-ISAKMP-PROFILE
!
interface Tunnel136
 description CUST to ATM/TDM vrf CUST/ISP1
 vrf forwarding CUST
 ip address 10.255.12.204 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication VPN
 ip nhrp network-id 136
 ip nhrp nhs 10.255.12.1 nbma 66.232.64.83 multicast
 ip nhrp nhs 10.255.12.2 nbma 66.232.64.82 multicast
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source BDI921
 tunnel mode gre multipoint
 tunnel key 136
 tunnel vrf ISP1
 tunnel protection ipsec profile PRIMARY-IPSEC-PROFILE shared
#show dm
Interface: Tunnel136, IPv4 NHRP Details
Type:Spoke, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
    17 UNKNOWN         10.23.25.229    IKE      never IX
     0 UNKNOWN         10.23.222.182   IKE      never IX
     0 UNKNOWN         10.23.249.108   IKE      never IX
     0 UNKNOWN         10.50.148.181   IKE      never IX
     0 UNKNOWN         10.50.148.184   IKE      never IX
     0 UNKNOWN         10.50.148.190   IKE      never IX
     0 UNKNOWN         10.50.151.127   IKE      never IX
     0 UNKNOWN         10.50.152.103   IKE      never IX
     0 UNKNOWN         10.50.155.108   IKE      never IX
     0 UNKNOWN         10.50.157.124   IKE      never IX
     0 UNKNOWN         10.50.158.104   IKE      never IX
     0 UNKNOWN         10.65.2.108     IKE      never IX
     0 UNKNOWN         10.72.4.10      IKE      never IX
     0 UNKNOWN         10.75.1.187     IKE      never IX
     0 UNKNOWN         10.87.9.11      IKE      never IX
     0 UNKNOWN         10.93.14.184    IKE      never IX
     0 UNKNOWN         10.93.27.111    IKE      never IX
     1 66.232.64.83    10.255.12.1     UP    00:04:54 S
     1 66.232.64.82    10.255.12.2     UP    00:04:54 S
2 hubs, both the same config:
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 group 21
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set SD-WAN esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PKI-IPSEC-PROFILE
 set transform-set SD-WAN
 set pfs group21
!
interface Tunnel136
 bandwidth 1000000
 vrf forwarding CUST
 ip address 10.255.12.1 255.255.252.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication VPN
 ip nhrp network-id 136
 ip nhrp holdtime 360
 no ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source Loopback10
 tunnel mode gre multipoint
 tunnel key 136
 tunnel protection ipsec profile DMVPN-PKI-IPSEC-PROFILE shared
07-24-2023 03:16 AM
You have SD-WAN and you use DMVPN? Why do you not use hub-spoke SD-WAN?
07-24-2023 04:35 AM
Not sure, I didn't actually engineer this build, I'm just looking to try and resolve this issue.
07-24-2023 04:48 AM
SD-WAN uses IPsec by default; you run SD-WAN on a cEdge router and run DMVPN.
This makes DMVPN refuse the SD-WAN IPsec tunnel.
You need to deep dive.
07-24-2023 05:23 AM
I think I might have mis-stated the issue. The configuration is currently working, we have the tunnels up that we need to be up, I didn't include those in the output of show dmvpn. The issue is that I see all these other "unknown" attempts, and would like to be able to filter or block those, or just specify the only 2 dmvpn peers that we need to come up. I don't understand where these other attempts are coming from, and would like them to be filtered.
07-24-2023 05:30 AM
These others are coming from the vSmart of SD-WAN; if you apply a filter I think you will make SD-WAN drop.
So only check SD-WAN, and see if the public IPs that appear also appear under vSmart OMP or not.
07-24-2023 01:59 AM
Those IKE sessions do not come up because the peers try IKE Aggressive Mode while your DMVPN setup is using Main Mode. Hence NHRP doesn't come up either, and you don't see the peer NBMA addresses.
This looks like a DDoS attempt or something. You can ignore it or implement DDoS protection in front of the router (non-Cisco).
07-24-2023 02:01 AM
And of course you can apply an ACL to the physical interface to permit your valid UDP/500 and UDP/4500 sources and drop all other UDP/500 and UDP/4500.
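A concrete form of that physical-interface ACL, as an added example rather than config from the thread, built from the spoke's own Tunnel136 settings: tunnel source BDI921 and the two hub NBMA addresses 66.232.64.83 and 66.232.64.82 seen in "show dmvpn". It assumes no spoke-to-spoke tunnels are needed (this spoke has no "ip nhrp shortcut") and that the Cellular0/2/0 backup path would get its own equivalent ACL for the ISP2 side.

```cisco
! Added example, not from the thread. Inbound filter on the spoke's
! ISP1-facing interface BDI921 (the tunnel source of Tunnel136).
! Assumed allow-list: the two hub NBMA addresses from "show dmvpn".
ip access-list extended ISP1-IKE-FILTER
 remark --- IKE (UDP/500) and NAT-T (UDP/4500) only from the DMVPN hubs ---
 permit udp host 66.232.64.83 any eq isakmp
 permit udp host 66.232.64.83 any eq non500-isakmp
 permit udp host 66.232.64.82 any eq isakmp
 permit udp host 66.232.64.82 any eq non500-isakmp
 remark --- drop and count IKE from every other source ---
 deny   udp any any eq isakmp log
 deny   udp any any eq non500-isakmp log
 remark --- leave all other traffic (ESP from the hubs, DNS, NTP, ...) as is ---
 permit ip any any
!
interface BDI921
 ip access-group ISP1-IKE-FILTER in
```

Watch the deny hit counts with "show ip access-lists ISP1-IKE-FILTER"; drop the "log" keyword from the deny lines if the scanner volume makes logging itself a CPU burden.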