DMVPN issue - One way communication only

josiah138
Level 1

I am having an issue with a 3-site DMVPN, all Cisco 1841 routers. The spoke sites can communicate with no problem to the hub site (ping hosts on the LAN); however, the hub cannot ping hosts on either spoke LAN. Both sides have identical ACL and firewall setups.

The hub is able to ping the tunnel interfaces of the spokes and it can even ping the internal LAN interface of the spokes. It just can't ping (or print) to any hosts on the LAN.

Anyone have thoughts as to why the communication is only one way?

6 Replies

Mark Malone
VIP Alumni

Are you advertising the tunnel and LAN subnet into your IGP on the spoke? Can you post the config of the hub and one spoke?

Yes - using EIGRP to advertise the local subnet and tunnel.

HUB:

!
service password-encryption
!
hostname #####
!
!
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
aaa session-id common
!
ip cef
!
!
ip domain-lookup
ip name-server 8.8.8.8
ip name-server 64.71.255.198
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL smtp
no ipv6 cef
!
!
!
redundancy
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!       
crypto isakmp key ######## address 0.0.0.0 0.0.0.0 

!
crypto isakmp client configuration group VPN-ACCESS-GROUP
key #######
dns 192.168.123.3
pool IPSEC-Pool
acl 100
netmask 255.255.255.0
banner ^C******************************************************************************
Restricted Access! Only authorized ########## personnel are permitted.
****************************************************************************************^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN-ACCESS-GROUP
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set OUR-SET esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set VPN-USER-SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set VPN-USER-SET
set isakmp-profile ciscocp-ike-profile-1
!        
crypto ipsec profile PROTECT-GRE
set transform-set OUR-SET
!
!
!
interface Loopback1
ip address 10.10.10.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication #######
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp redirect
no ip split-horizon
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key #######
tunnel protection ipsec profile PROTECT-GRE
!
!
interface FastEthernet0/0
description WAN CONNECTION
ip address HUB.HUB.HUB.HUB 255.255.255.248
ip access-group POLICE in
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1    
ip address 192.168.123.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!        
router eigrp 123
network 192.168.123.0
network 172.16.0.0
no auto-summary

ip route 0.0.0.0 0.0.0.0 G.G.G.G

ip local pool IPSEC-Pool 192.168.123.160 192.168.123.169
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source list NAT_CLIENTS interface FastEthernet0/0 overload
!
ip access-list extended NAT_CLIENTS
permit ip 192.168.123.0 0.0.0.255 any
ip access-list extended POLICE
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit udp any eq isakmp any
permit ahp any any
permit esp any any
permit udp any any eq domain
permit udp any any eq ntp
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq smtp
permit tcp any any eq 587
permit tcp any any eq 443
permit tcp any any eq 1723
permit gre any any
permit udp any eq bootps any eq bootpc
permit tcp any any eq telnet
deny   ip any any
!
access-list 100 remark VPN_GROUP
access-list 100 permit ip 192.168.123.0 0.0.0.255 any
!
!
control-plane
!
!
alias exec s sho ip int bri
alias exec c conf t
banner motd ^CCC
*********************************************
DO NOT ENTER!! UNAUTHORIZED ACCESS PROHIBITED!
*********************************************^C
!
line con 0
exec-timeout 30 0
logging synchronous
history size 15
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 45 0
logging synchronous
terminal-type monit
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

-----------------------------------------------------------

SPOKE:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname #######
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret #######
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication ppp default none
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 8.8.8.8
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL smtp
ip inspect name FIREWALL ntp
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pppoe
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key ####### address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group VPN-ACCESS-GROUP
key #####
dns 192.168.0.254
pool VPN-Pool
acl 100
netmask 255.255.255.0
banner ^C
********************************************************************
Restricted Access! Only authorized ############ personnel are permitted.
*********************************************************************** ^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN-ACCESS-GROUP
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set VPN-USER-SET esp-aes esp-sha-hmac
crypto ipsec transform-set OUR-SET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set VPN-USER-SET
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile PROTECT-GRE
set transform-set OUR-SET
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool MAIN
   network 192.168.0.0 255.255.255.0
   dns-server 192.168.0.254 8.8.8.8
   default-router 192.168.0.254
   lease 90
!
!
interface Loopback1
ip address 10.10.10.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication #######
ip nhrp map multicast HUB.HUB.HUB.HUB
ip nhrp map 172.16.0.1 HUB.HUB.HUB
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip nhrp shortcut
no ip split-horizon
ip tcp adjust-mss 1360
tunnel source Dialer 0
tunnel mode gre multipoint
tunnel key ######
tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
description Connection to LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
ip address negotiated
ip access-group POLICE in
ip mtu 1492
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ######
ppp chap password ######
ppp pap sent-username ###### password #####
ppp ipcp route default
!
router eigrp 123
network 192.168.0.0
network 172.16.0.0
no auto-summary
!

ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_CLIENTS interface Dialer0 overload
!
ip access-list extended NAT_CLIENTS
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended POLICE
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit udp any eq isakmp any
permit ahp any any
permit esp any any
permit udp any any eq domain
permit udp any any eq ntp
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq smtp
permit tcp any any eq 587
permit tcp any any eq 443
permit tcp any any eq 1723
permit gre any any
permit udp any eq bootps any eq bootpc
permit tcp any any eq telnet
deny   ip any any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run

!
!
!
!
!
!
control-plane
!
!
banner motd ^C
************************************************
DO NOT ENTER - ONLY AUTHORIZED LOGIN ALLOWED!!!
************************************************^C
!
line con 0
exec-timeout 30 0
logging synchronous
history size 15
line aux 0
line vty 0 4
exec-timeout 45 0
logging synchronous
terminal-type monit
transport input telnet ssh
!
scheduler allocate 20000 1000
end

That NAT does not look right at a glance. As a quick test, if you remove it, can you reach from LAN to LAN hub-spoke?

The reason I say that is you're NATting anything from 192.168.0.0 to the public IP, but you're also telling it to be part of the DMVPN tunnel for advertising.
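A less disruptive form of the test suggested above, written here as an added example rather than anything posted in the thread: instead of removing the overload NAT (which would also break Internet access for the LAN), exempt site-to-site traffic from translation with deny entries ahead of the permit. In the posted configs only Dialer0 / FastEthernet0/0 are "ip nat outside" and Tunnel0 is not, so LAN-to-tunnel traffic should not be translated in the first place; the exemption makes that explicit and is easy to reverse. The hub LAN (192.168.123.0/24), the spoke LAN (192.168.0.0/24) and the tunnel subnet (172.16.0.0/24) are taken from the thread; the second spoke's LAN (192.168.1.0/24) is a placeholder, since that config was not posted.

```cisco
! Spoke (LAN 192.168.0.0/24). Named ACL entries are evaluated top-down,
! and new entries are appended, so remove the permit and re-add it last.
ip access-list extended NAT_CLIENTS
 no permit ip 192.168.0.0 0.0.0.255 any
 remark --- do not PAT traffic that should ride the DMVPN ---
 deny   ip 192.168.0.0 0.0.0.255 192.168.123.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 remark second spoke LAN: 192.168.1.0/24 is a placeholder, not from the thread
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! Hub (LAN 192.168.123.0/24), same shape with the hub LAN as source.
ip access-list extended NAT_CLIENTS
 no permit ip 192.168.123.0 0.0.0.255 any
 deny   ip 192.168.123.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.123.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.123.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.123.0 0.0.0.255 any
!
! Verification while a hub-to-spoke-host ping is running. If a translation
! for the remote LAN appears, NAT is in the path and the exemption is needed:
!   show ip nat translations | include 192.168.0.
!   show ip nat statistics
! Confirm the forwarding path is the tunnel, not the default route:
!   show ip route 192.168.0.0
!   show ip cef 192.168.0.10
```

The "show ip route" / "show ip cef" lines are the check that separates a NAT problem from a routing problem: if the remote LAN is not learned via 172.16.0.x, the packet leaves the WAN interface natively and is translated no matter what the ACL says.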

Thanks Mark. I understand your logic and may give that a try as at this point I've tried so much to no avail. However, the hub and spoke sites have the same NAT config and the hub has no problem responding to requests from the spokes.

This may help; there are a few restrictions, looking through this, with DMVPN spoke NAT:

http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/dmvpn_dt_spokes_b_nat.html

Thanks, everyone, for your help with this issue. It appears the solution to the issue is including the command ip nhrp registration no-unique on the spokes, as the spokes have a dynamic public IP that is subject to change. Spokes with a dynamic IP have to register with a no-unique NHRP flag on the hub.
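The fix reported in the final post, shown as an added configuration example (not the thread's own config) together with the hub-side checks that confirm it took effect. Background for the fix: by default a spoke registers its tunnel address with the "unique" flag, and the hub will then refuse a registration for the same tunnel address from a different NBMA (public) address until the old entry ages out of the NHRP cache. A PPPoE spoke whose public IP changes therefore keeps failing to re-register, and the hub keeps sending to the old address. "ip nhrp registration no-unique" lets the new registration overwrite the stale mapping. The holdtime value and the "no ip split-horizon eigrp 123" line are additions of this example; the split-horizon line matters because the bare "no ip split-horizon" in the posted hub config applies to RIP/IGRP, not EIGRP, so routes from one spoke would not be re-advertised to the others.

```cisco
! Spoke Tunnel0: only the NHRP lines differ from the posted spoke config.
interface Tunnel0
 ip nhrp registration no-unique
! Holdtime bounds how long a stale NBMA address survives on the hub if a
! re-registration is ever missed (600 s is an assumed value; default 7200).
 ip nhrp holdtime 600
!
! Hub Tunnel0: EIGRP split horizon is disabled per autonomous system.
interface Tunnel0
 no ip split-horizon eigrp 123
!
! Hub checks after the spoke re-registers (or after "clear ip nhrp" on the hub
! to drop a stale entry immediately):
!   show ip nhrp
!     -> the spoke's 172.16.0.3/32 entry should read "Flags: registered" (no
!        "unique") and its NBMA address must equal the spoke's current Dialer0
!        address ("show ip interface brief | include Dialer" on the spoke)
!   show dmvpn
!     -> spoke state UP with that same NBMA address
!   show ip eigrp neighbors
!     -> one neighbor per spoke on Tunnel0
!   show ip route eigrp
!     -> 192.168.0.0/24 via 172.16.0.3, Tunnel0
```

Two caveats a practitioner would want. First, "show ip nhrp" on the hub before the fix is the quickest confirmation of the diagnosis: an entry still flagged "unique" whose NBMA address no longer matches the spoke's live public IP is exactly the stale mapping described above. Second, the posted configs accept IKE from any peer with a single wildcard pre-shared key ("address 0.0.0.0 0.0.0.0"); with no-unique in place, anyone holding that key and the NHRP authentication string can overwrite a spoke's registration with their own NBMA address, so the PSK and NHRP key are now the only things protecting the hub's view of where each spoke lives. Per-peer keys or certificate authentication on the DMVPN peers would close that gap.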