06-24-2015 06:30 AM - edited 03-03-2019 07:54 AM
I am having an issue with a 3 site DMVPN. All Cisco 1841 routers. The spoke sites can communicate no problem to the hub site (ping hosts on the LAN), however the hub cannot ping hosts on either spoke LAN. Both sides have identical ACL and firewall setup.
The hub is able to ping the tunnel interfaces of the spokes and it can even ping the internal LAN interface of the spokes. It just can't ping (or print) to any hosts on the LAN.
Anyone have thoughts as to why the communication is only one way?
06-24-2015 07:56 AM
Are you advertising the tunnel and LAN subnet into your IGP on the spoke? Can you post the config of the HUB and 1 spoke?
06-24-2015 08:09 AM
Yes - using EIGRP to advertise the local subnet and tunnel.
HUB:
!
service password-encryption
!
hostname #####
!
!
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
aaa session-id common
!
ip cef
!
!
ip domain-lookup
ip name-server 8.8.8.8
ip name-server 64.71.255.198
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL smtp
no ipv6 cef
!
!
!
redundancy
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp key ######## address 0.0.0.0 0.0.0.0
-----------------------------------------------------------
SPOKE:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname #######
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret #######
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication ppp default none
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 8.8.8.8
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL smtp
ip inspect name FIREWALL ntp
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key ####### address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group VPN-ACCESS-GROUP
key #####
dns 192.168.0.254
pool VPN-Pool
acl 100
netmask 255.255.255.0
banner ^C
********************************************************************
Restricted Access! Only authorized ############ personnel are permitted.
*********************************************************************** ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN-ACCESS-GROUP
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set VPN-USER-SET esp-aes esp-sha-hmac
crypto ipsec transform-set OUR-SET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set VPN-USER-SET
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile PROTECT-GRE
set transform-set OUR-SET
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool MAIN
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.254 8.8.8.8
default-router 192.168.0.254
lease 90
!
!
interface Loopback1
ip address 10.10.10.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication #######
ip nhrp map multicast HUB.HUB.HUB.HUB
ip nhrp map 172.16.0.1 HUB.HUB.HUB
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip nhrp shortcut
no ip split-horizon
ip tcp adjust-mss 1360
tunnel source Dialer 0
tunnel mode gre multipoint
tunnel key ######
tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
description Connection to LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
ip address negotiated
ip access-group POLICE in
ip mtu 1492
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ######
ppp chap password ######
ppp pap sent-username ###### password #####
ppp ipcp route default
!
router eigrp 123
network 192.168.0.0
network 172.16.0.0
no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_CLIENTS interface Dialer0 overload
!
ip access-list extended NAT_CLIENTS
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended POLICE
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit udp any eq isakmp any
permit ahp any any
permit esp any any
permit udp any any eq domain
permit udp any any eq ntp
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq smtp
permit tcp any any eq 587
permit tcp any any eq 443
permit tcp any any eq 1723
permit gre any any
permit udp any eq bootps any eq bootpc
permit tcp any any eq telnet
deny ip any any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner motd ^C
************************************************
DO NOT ENTER - ONLY AUTHORIZED LOGIN ALLOWED!!!
************************************************^C
!
line con 0
exec-timeout 30 0
logging synchronous
history size 15
line aux 0
line vty 0 4
exec-timeout 45 0
logging synchronous
terminal-type monit
transport input telnet ssh
!
scheduler allocate 20000 1000
end
06-24-2015 09:12 AM
That NAT does not look right at a glance. As a quick test, if you remove it, can you reach from LAN to LAN hub-spoke?
The reason I say this is you're NATting anything from 192.168.0.0 to the public IP, but you're also telling it to be part of the DMVPN tunnel for advertising.
06-24-2015 11:04 AM
Thanks Mark. I understand your logic and may give that a try as at this point I've tried so much to no avail. However, the hub and spoke sites have the same NAT config and the hub has no problem responding to requests from the spokes.
06-25-2015 01:33 AM
This may help; looking through this, there are a few restrictions with DMVPN spoke NAT:
http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/dmvpn_dt_spokes_b_nat.html
07-10-2015 06:33 AM
Thanks everyone for your help with this issue. It appears the solution to the issue is including the command ip nhrp registration no-unique on the spokes, as the spokes have a dynamic public IP that is subject to change. Spokes with a dynamic IP have to register with a no-unique NHRP flag on the hub.
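As an added example (not code from this thread and not a Cisco tool), here is a small Python audit that checks a spoke config for the two conditions raised above: Mark's point that the NAT ACL permits anything sourced from 192.168.0.0/24, including traffic that should ride the mGRE tunnel to the hub, and the missing ip nhrp registration no-unique on a spoke whose tunnel source is a Dialer interface with a dynamic address. The 192.168.0.0/24 LAN and 172.16.0.0/24 tunnel subnet come from the posted config; the hub LAN 10.20.0.0/24, the probe host 192.168.0.10 and the two trimmed config fragments are constructed for the example.

```python
# Added audit script (not from this thread or from Cisco).  It parses an IOS spoke config and flags
# (1) a NAT ACL that would PAT traffic meant for the DMVPN overlay and (2) an mGRE spoke tunnel with a
# dynamic Dialer source lacking `ip nhrp registration no-unique`.  Hub LAN 10.20.0.0/24 is assumed.
import ipaddress
import re

def _take_addr(tokens):
    """Consume one src/dst spec ('any', 'host A' or 'A WILDCARD'); Cisco wildcards are inverted masks."""
    if not tokens or tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))))
    return ipaddress.IPv4Network((tokens[0], mask), strict=False), tokens[2:]

def parse_extended_acl(config, name):
    """Ordered ACEs of `ip access-list extended NAME` as (action, proto, src_net, dst_net)."""
    entries, inside = [], False
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            inside = tokens[3] == name
            continue
        if not inside or tokens[:1] == ["remark"]:
            continue
        if not tokens or tokens[0] not in ("permit", "deny"):
            inside = False  # '!' or any other statement ends the ACL block
            continue
        src, rest = _take_addr(tokens[2:])
        if rest[:1] and rest[0] in ("eq", "gt", "lt", "neq"):
            rest = rest[2:]  # skip a source-port qualifier before the destination
        dst, _ = _take_addr(rest)
        entries.append((tokens[0], tokens[1], src, dst))
    return entries

def nat_decision(config, src, dst):
    """'translate' if the NAT ACL permits the flow, 'bypass' on an explicit or implicit deny."""
    m = re.search(r"^ip nat inside source list (\S+) interface", config, re.M)
    if not m:
        return "no-nat"
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, proto, src_net, dst_net in parse_extended_acl(config, m.group(1)):
        if proto == "ip" and src_ip in src_net and dst_ip in dst_net:
            return "translate" if action == "permit" else "bypass"
    return "bypass"  # ran off the end: the implicit deny means no translation

def nat_leaks(config, overlay_flows):
    """Overlay flows (LAN host to tunnel or remote LAN) that the NAT ACL would wrongly translate."""
    return [f"{s}->{d}" for s, d in overlay_flows if nat_decision(config, s, d) == "translate"]

def nhrp_findings(config):
    """mGRE spoke tunnels with a Dialer (dynamic) source and no `ip nhrp registration no-unique`."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif line.strip() in ("", "!"):
            name = None  # end of the interface block
        elif name is not None:
            blocks[name].append(line.strip())
    findings = []
    for name, lines in blocks.items():
        is_spoke = "tunnel mode gre multipoint" in lines and any(l.startswith("ip nhrp nhs") for l in lines)
        dynamic = any(re.match(r"tunnel source\s+Dialer", l) for l in lines)
        if is_spoke and dynamic and "ip nhrp registration no-unique" not in lines:
            findings.append(f"{name}: dynamic tunnel source without 'ip nhrp registration no-unique'")
    return findings

# Constructed spoke fragments, trimmed to the statements the audit reads.
WEAK_SPOKE = """\
interface Tunnel0
ip nhrp nhs 172.16.0.1
tunnel source Dialer 0
tunnel mode gre multipoint
!
ip nat inside source list NAT_CLIENTS interface Dialer0 overload
!
ip access-list extended NAT_CLIENTS
permit ip 192.168.0.0 0.0.0.255 any
!
"""

FIXED_SPOKE = """\
interface Tunnel0
ip nhrp nhs 172.16.0.1
ip nhrp registration no-unique
tunnel source Dialer 0
tunnel mode gre multipoint
!
ip nat inside source list NAT_CLIENTS interface Dialer0 overload
!
ip access-list extended NAT_CLIENTS
deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.20.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
!
"""

# Probe flows: LAN host to the hub tunnel address, and to a host on the assumed hub LAN.
OVERLAY_FLOWS = [("192.168.0.10", "172.16.0.1"), ("192.168.0.10", "10.20.0.5")]
```

Running nat_leaks and nhrp_findings over WEAK_SPOKE reports both overlay flows as translated and Tunnel0 as missing the no-unique flag; over FIXED_SPOKE both lists are empty while an Internet-bound flow such as 192.168.0.10 to 8.8.8.8 is still translated. The deny entries placed ahead of the permit are the usual way to keep overlay traffic out of PAT; on the hub, each spoke LAN needs its own deny line in the same position.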