2 DMVPN Tunnels via separate ISP on one spoke

Marley Brown (Level 1)

Hi,

I am trying to set up a backup DMVPN tunnel at a spoke site. When I do a sh DMVPN on the hub side I get the following. I can ping across tunnel0 but not tunnel1.


Tunnel0, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2    x.x.x.153      11.11.11.2    UP    never D
    

Tunnel1, Type:Hub, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    x.x.x.154      11.11.12.2    UP    never DN

The primary tunnel shows the IP assigned from ISP1 and the backup tunnel shows the gateway from ISP1.

sh ip nhrp on the hub (x.x.x -> ISP1, y.y.y -> ISP2):

11.11.12.2/32 via 11.11.12.2, Tunnel1 created 00:07:34, expire 00:05:28
  Type: dynamic, Flags: registered used
  NBMA address: x.x.x.154
    (Claimed NBMA address: y.y.y.185)

Any help would be appreciated,

M

23 Replies

Hello,

post the configs of the hub and the spoke...

Georg,

Sorry for the delayed response. Here the configs for the hub and spoke.

When I take the protection off tunnel1 I get the original post and no connection; with protection on, I get NHRP as the status under sh DMVPN.

thanks,

M

HUB

!
hostname A&M-_RT

!
multilink bundle-name authenticated
!
!
!
!
spanning-tree portfast bpduguard

!
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key Private
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ansbacher
 key ansbachersti01x
 dns 10.4.1.12
 wins 10.4.1.12
 pool SDM_POOL_1
 acl 100
!
crypto isakmp client configuration group ansbacher1
 key Private
 dns 10.4.1.10
 pool SDM_POOL_1
 acl 106
crypto isakmp profile sdm-ike-profile-1
   match identity group ansbacher
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ansbacher1
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
   qos-group 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ccp-dmvpn-isakmprofile
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 7200
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000 11000 12000
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 description $FW_INSIDE$
 bandwidth 100000
 ip address 11.11.11.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 no ip route-cache cef
 ip tcp adjust-mss 1440
 no ip split-horizon eigrp 100
 no clns route-cache
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface Tunnel1
 description BACKUP
 bandwidth 24000
 ip address 11.11.12.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip tcp adjust-mss 1400
 no ip split-horizon eigrp 100
 delay 1001
 no clns route-cache
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface FastEthernet0
 description COMCAST FIBER
 ip address x.x.x.163 255.255.255.248
 ip verify unicast reverse-path
 ip inspect CCP_LOW out
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_OUTSIDE$
 ip address y.y.y.125 255.255.255.248
 ip access-group 112 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect CCP_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto

!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered FastEthernet1
 ip access-group 108 in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2 type tunnel
 description $FW_INSIDE$
 ip unnumbered FastEthernet1
 ip access-group 109 in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 100.10.10.2 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
i
!
router eigrp 100
 redistribute static
 network 11.11.11.0 0.0.0.255
 network 11.11.12.0 0.0.0.255
 no auto-summary
 neighbor 11.11.11.3 Tunnel0
 neighbor 11.11.11.2 Tunnel0
 neighbor 11.11.12.2 Tunnel1
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.235.49.161
ip route 10.4.1.0 255.255.255.0 100.10.10.1
ip route 10.5.1.0 255.255.255.0 11.11.11.2
ip route 10.6.1.0 255.255.255.0 11.11.11.3
ip route 10.7.1.0 255.255.255.0 11.11.11.4
ip route 172.20.2.0 255.255.255.0 11.11.11.3
ip route 192.168.10.0 255.255.255.0 11.11.11.3
ip route 192.168.12.0 255.255.255.0 11.11.11.2
ip route 192.168.12.0 255.255.255.0 11.11.12.2 200
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool comcast x.x.x.125 173.165.198.125 netmask 255.255.255.248


SPOKE


!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!

ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!

crypto keyring ccp-dmvpn1-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key private
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key private address x.x.x.163
crypto isakmp keepalive 30 5
!
crypto isakmp client configuration group ansbacher
 key ansbachersti01x
 pool SDM_POOL_1
 acl 100
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ansbacher
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA2
!
!

 class class-default
!
!
!
!
interface Tunnel0
 bandwidth 200000
 ip address 11.11.11.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 11.11.11.1 50.235.49.163
 ip nhrp map multicast 50.235.49.163
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 11.11.11.1
 ip nhrp registration no-unique
 ip tcp adjust-mss 1440
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface Tunnel1
 bandwidth 24000
 ip address 11.11.12.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 11.11.12.1 50.235.49.163
 ip nhrp map multicast 50.235.49.163
 ip nhrp network-id 2
 ip nhrp holdtime 360
 ip nhrp nhs 11.11.12.1
 ip nhrp registration no-unique
 ip tcp adjust-mss 1400
 delay 1001
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface FastEthernet0
 description $ETH-WAN$
 ip address y.y.y.153 255.255.255.248
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip policy route-map tunnel0
 duplex auto
 speed auto
 service-policy output CCP-QoS-Policy-1
!
interface FastEthernet1
 ip address z.z.z.185 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip policy route-map tunnel1
 duplex auto
 speed auto

 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 10.5.1.1 255.255.255.0
 ip helper-address 10.4.1.12
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan10
 ip address 192.168.12.1 255.255.255.0
 ip helper-address 10.4.1.12
 ip nat inside
 ip virtual-reassembly
!
!
router eigrp 100
 redistribute static
 network 10.5.1.0 0.0.0.255
 network 11.11.11.0 0.0.0.255
 network 11.11.12.0 0.0.0.255
 no auto-summary
 neighbor 11.11.11.1 Tunnel0
 neighbor 11.11.12.1 Tunnel1
!
ip local pool SDM_POOL_1 172.20.2.1 172.20.2.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 96.94.49.154
ip route 0.0.0.0 0.0.0.0 99.14.166.190 20
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source static tcp 10.5.1.253 8000 interface FastEthernet0 8000
ip nat inside source static tcp 10.5.1.253 8554 interface FastEthernet0 8554
ip nat inside source route-map att interface FastEthernet1 overload
ip nat inside source route-map comcast interface FastEthernet0 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 2 permit 11.11.11.0 0.0.0.255
access-list 3 permit 11.11.12.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.4.1.0 0.0.0.255 any
access-list 100 permit ip 10.5.1.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=256
access-list 110 permit udp any any range 6000 6036
no cdp run

!
!
!
!
route-map 10 permit 10
!
route-map tunnel0 permit 10
 match ip address 2
 match interface FastEthernet0
 set ip next-hop 99.14.166.190
!
route-map tunnel1 permit 10
 match ip address 3
 match interface FastEthernet1
 set ip next-hop 99.14.166.160
!
route-map att permit 10
 match ip address 1
 match interface FastEthernet1
!
route-map comcast permit 10
 match ip address 1
 match interface FastEthernet0
!

Hello,

you have the same IPSec profile configured for both tunnel interfaces. Try and add the keyword 'shared':

tunnel protection ipsec profile CiscoCP_Profile2 shared

to all the tunnel protection configuration lines.
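The reason for the `shared` keyword is that the hub terminates both mGRE tunnels on the same `tunnel source FastEthernet0` with the same IPsec profile, so both need one shared IPsec SADB (and a distinct `tunnel key` each so GRE can tell them apart). The following lint, added here as an example and not part of the thread or of any Cisco tooling, parses a running-config, finds tunnel interfaces that share a source with `tunnel protection` but no `shared`, and rewrites the config to add it. The config excerpt is constructed from the hub config in the post with a documentation address on FastEthernet0. Note that it is narrower than the blanket advice above: the spoke's tunnels use different sources (FastEthernet0 and FastEthernet1), so on the spoke the check finds nothing.

```python
"""Lint a Cisco IOS running-config for two tunnel interfaces that terminate
IPsec on the same tunnel source without 'tunnel protection ... shared', and
rewrite the config to add the keyword."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the hub config in the post (not the full config).
HUB_CONFIG = """\
interface Tunnel0
 ip address 11.11.11.1 255.255.255.0
 ip nhrp network-id 100000
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface Tunnel1
 ip address 11.11.12.1 255.255.255.0
 ip nhrp network-id 2
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface FastEthernet0
 ip address 192.0.2.163 255.255.255.248
!
"""


def parse_tunnels(config: str) -> dict[str, dict]:
    """Return {name: {source, key, network_id, profile, shared}} for every Tunnel interface."""
    tunnels: dict[str, dict] = {}
    cur = None
    for line in config.splitlines():
        if m := re.match(r"interface (Tunnel\d+)\s*$", line):
            cur = {"source": None, "key": None, "network_id": None, "profile": None, "shared": False}
            tunnels[m.group(1)] = cur
            continue
        if line.startswith("interface ") or line.strip() == "!":
            cur = None  # left the tunnel block
            continue
        if cur is None:
            continue
        s = line.strip()
        if m := re.match(r"tunnel source (\S+)", s):
            cur["source"] = m.group(1)
        elif m := re.match(r"tunnel key (\d+)", s):
            cur["key"] = int(m.group(1))
        elif m := re.match(r"ip nhrp network-id (\d+)", s):
            cur["network_id"] = int(m.group(1))
        elif m := re.match(r"tunnel protection ipsec profile (\S+)( shared)?", s):
            cur["profile"] = m.group(1)
            cur["shared"] = m.group(2) is not None
    return tunnels


def group_by_source(tunnels: dict[str, dict]) -> dict[str, list[str]]:
    """Group protected tunnels by their tunnel source interface."""
    by_source: dict[str, list[str]] = defaultdict(list)
    for name, t in tunnels.items():
        if t["profile"] and t["source"]:
            by_source[t["source"]].append(name)
    return by_source


def lint_shared_source(tunnels: dict[str, dict]) -> list[str]:
    findings = []
    for source, names in group_by_source(tunnels).items():
        if len(names) < 2:
            continue  # a single protected tunnel per source needs no 'shared'
        for name in names:
            if not tunnels[name]["shared"]:
                others = ", ".join(n for n in names if n != name)
                findings.append(f"{name}: shares tunnel source {source} with {others} but "
                                f"'tunnel protection ipsec profile {tunnels[name]['profile']}' lacks 'shared'")
        keys = [tunnels[n]["key"] for n in names]
        if len(set(keys)) != len(keys):
            findings.append(f"{', '.join(names)}: duplicate or missing tunnel key on shared source {source}")
    return findings


def apply_shared(config: str, tunnels: dict[str, dict]) -> str:
    """Text rewrite: append ' shared' to the protection line of every tunnel that
    shares its source with another protected tunnel; lines already shared are untouched."""
    needs = {n for names in group_by_source(tunnels).values() if len(names) > 1 for n in names}
    out, cur = [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
        elif cur in needs and re.match(r"\s*tunnel protection ipsec profile \S+\s*$", line):
            line = line.rstrip() + " shared"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    t = parse_tunnels(HUB_CONFIG)
    for f in lint_shared_source(t):
        print(f)
    print(apply_shared(HUB_CONFIG, t))
```

Paste the output of `show running-config` into the script in place of the constructed excerpt; the rewritten text is only the two `tunnel protection` lines to re-enter, and the lint also reports a missing or duplicate `tunnel key`, which the shared source equally depends on.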

Both tunnels came up and tunnel1 was the primary. I want tunnel0 to be primary. When I did a shut/no shut on tunnel1, both tunnels were stuck on IKE in the sh DMVPN.

This is the sh dmvpn on the hub:

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2         0.0.0.0      11.11.11.2  NHRP    never    IX
     0         0.0.0.0      11.11.11.4  NHRP    never    IX
     1   x.x.x.x      11.11.11.3    UP 18:54:10     D

Interface: Tunnel1, IPv4 NHRP Details
Type:Unknown, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         0.0.0.0      11.11.12.2  NHRP    never    IX

Hello,

I am labbing this in GNS3...what are the IP addresses of the FastEthernet interfaces ?

spoke
int f0
 ip address 96.94.49.153 255.255.255.248
int f1
 ip address 99.14.166.185 255.255.255.248

hub
int f0
 ip address 50.235.49.163 255.255.255.248

Hello,

try and add:

ip nhrp redirect

and

ip nhrp shortcut

on both sides (hub and spoke). 

Georg,

With just those commands it did not work. I did a shut/no shut on tunnel1 on the spoke and that brought the tunnel up.

Also, how do I control the NHRP tunnel check time? After I shut int f0 on the spoke, the hub still showed tunnel0 and 1 as up even though they were not.

Thanks,

Hello,

try and set the isakmp keepalive on both ends:

crypto isakmp keepalive 10 5

Still not working; tunnel1 is not stable. It takes a lot of int tunnel shut/no shut to get it going.

Thanks,

M

Hello,

can you remove:

neighbor 11.11.11.1 Tunnel0
neighbor 11.11.12.1 Tunnel1

from the hub configuration ? Since your advertised networks include the tunnels, the neighbor statements are unnecessary. They cause unicast traffic to flow between the neighbors, I am not sure what effect that has...

I am back to tunnel1 not connecting. I have removed all the changes after the post where you posted the config with modifications, trying to get back to where the tunnels connected. I did remove the neighbor statements from EIGRP.

Also, if I shut down any of the tunnels both reset, and if I shut/no shut tunnel1, tunnel0 resets and doesn't connect until I do a shut/no shut on tunnel0.

Thanks,

M

Marley,

your config has multiple other parameters on top of the basic DMVPN tunnel setup. What IOS version are you running ? I can check for bugs, that's always a possibility...
