
DMVPN Static routing question

Kiley
Beginner

Hi there,

We have DMVPN set up with multiple spokes and a single hub. Routing is EIGRP. All has worked well until we needed to add the spoke sites to our monitoring tool. A static route on the spokes was added pointing to the spoke tunnel (ip route x.x.x.x x.x.x.x tuxxx). This started a barrage of "NHRP-3-PAKERROR received error indication from [hub ip], code: administratively prohibited (4)". After going down a rabbit hole, I found that, by changing the static route to point to the tunnel IP address of the hub (ip route x.x.x.x x.x.x.x x.x.x.x), the error messages stopped. I validated the monitoring tool is polling the spoke. My question is: why would changing the static route to point to the hub tu IP address from the local tuxxx interface make a difference (ip route x.x.x.x x.x.x.x x.x.x.x vs ip route x.x.x.x x.x.x.x tuxxx)? I thought it might have something to do with the IPsec over GRE?

Appreciate anyone that can enlighten me!

Kiley

Accepted Solutions

paul driver
VIP Expert

Hello


@Kiley wrote:

This started a barrage of "NHRP-3-PAKERROR received error indication from [hub ip], code: administratively prohibited (4)". 


I've experienced this message myself troubleshooting DMVPN on new cat8000 rtrs. It suggests it's a kind of NHRP recursive routing error message; adding that static route must have changed the routing in such a way that now the NBMA addressing of the DMVPN tunnels is being seen through the tunnels themselves.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

ponzki
Beginner

As @paul driver has mentioned, it may be related to a recursive routing issue. BTW, why do you need static routing on spokes? Is it not possible to advertise from hub to spoke through dynamic routing, in your case EIGRP?

That's the next step - the monitor tool doesn't respond when I put its host address in eigrp:

network x.x.x.0 0.0.0.255 (DMVPN network)
network x.x.x.x 0.0.0.3 (LAN to ISP link)
network x.x.x.x 0.0.0.0 (monitoring tool)

passive-interface default
no passive-interface Tunnelxxx
eigrp router-id x.x.x.x
eigrp stub connected summary

 

network x.x.x.x 0.0.0.3 (LAN to ISP link) <<- please explain this 

That's the crypto connection between spoke and hub

MHM Cisco World
VIP Mentor

Hub-Spoke 

this config if Hub  
network x.x.x.0 0.0.0.255 (DMVPN network)
network x.x.x.x 0.0.0.3 (LAN to ISP link)
network x.x.x.x 0.0.0.0 (monitoring tool) <<- this direct connect OR learn via other static or dynamic routing 
passive-interface default
no passive-interface Tunnelxxx
eigrp router-id x.x.x.x
eigrp stub connected summary <<- this allows you to advertise only the connected routes within the summary address you config under the tunnel interface or the auto-summary.

Thank you guys very much!  I appreciate your explanations !!!!
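
Added example, not part of any post in this thread: a small config check that finds static routes written in the form the original question reports as triggering the NHRP errors (a tunnel interface with no next-hop address), so they can be reviewed across spoke configs. The sample config, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed spoke routes (documentation address ranges, not values from the thread).
SAMPLE_CONFIG = """\
ip route 192.0.2.50 255.255.255.255 Tunnel100
ip route 192.0.2.60 255.255.255.255 10.255.0.1
ip route 192.0.2.70 255.255.255.255 tu100 10.255.0.1
ip route vrf MGMT 198.51.100.0 255.255.255.0 Tunnel100 name monitoring
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

IFACE = re.compile(r"([A-Za-z][A-Za-z-]*)(\d[\d/.:]*)$")

def is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def is_tunnel(token):
    # Accept IOS abbreviations of "Tunnel" (tu100, tun100, Tunnel100).
    m = IFACE.match(token)
    return bool(m) and len(m.group(1)) >= 2 and "tunnel".startswith(m.group(1).lower())

def classify(line):
    """Return (prefix, mask, kind, target) for an 'ip route' line, else None."""
    tok = line.split()
    if tok[:2] != ["ip", "route"]:
        return None
    tok = tok[4:] if tok[2:3] == ["vrf"] else tok[2:]
    if len(tok) < 3 or not (is_ip(tok[0]) and is_ip(tok[1])):
        return None
    prefix, mask, target = tok[:3]
    if is_ip(target):
        kind = "next-hop"
    elif not is_tunnel(target):
        kind = "other-interface"
    elif len(tok) > 3 and is_ip(tok[3]):
        kind = "tunnel+next-hop"
    else:
        kind = "tunnel-only"
    return prefix, mask, kind, target

def tunnel_only_routes(config):
    """Static routes that name a tunnel interface with no next-hop address."""
    routes = (classify(line) for line in config.splitlines())
    return [r for r in routes if r and r[2] == "tunnel-only"]
```
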
