DMVPN Static routing question

Kiley
Level 1

Hi there,

We have DMVPN set up with multiple spokes and a single hub. Routing is EIGRP. All has worked well until we needed to add the spoke sites to our monitoring tool. A static route on the spokes was added pointing to the spoke tunnel (ip route x.x.x.x x.x.x.x tuxxx). This started a barrage of "NHRP-3-PAKERROR received error indication from [hub ip], code: administratively prohibited (4)". After going down a rabbit hole, I found that, by changing the static route to point to the tunnel IP address of the hub (ip route x.x.x.x x.x.x.x x.x.x.x), the error messages stopped. I validated the monitoring tool is polling the spoke. My question is: why would changing the static route to point to the hub tu IP address from the local tuxxx interface make a difference (ip route x.x.x.x x.x.x.x x.x.x.x vs ip route x.x.x.x x.x.x.x tuxxx)? I thought it might have something to do with the IPsec over GRE?

Appreciate anyone that can enlighten me!

Kiley

Accepted Solutions

Hello


@Kiley wrote:

This started a barrage of "NHRP-3-PAKERROR received error indication from [hub ip], code: administratively prohibited (4)". 


I've experienced this message myself troubleshooting DMVPN on new cat8000 rtrs. It suggests it's a kind of NHRP recursive routing error message; adding that static route must have changed the routing in such a way that the NBMA addressing of the DMVPN tunnels is now being seen through the tunnels themselves.



Kind Regards
Paul

ponzki
Level 1

As @paul driver has mentioned, it may be related to a recursive routing issue. BTW, why do you need static routing on the spokes? Is it not possible to advertise from hub to spoke through dynamic routing, in your case EIGRP?

That's the next step - the monitor tool doesn't respond when I put its host address in eigrp:

network x.x.x.0 0.0.0.255 (dmvpn network)
network x.x.x.x 0.0.0.3 (LAN to ISP link)
network x.x.x.x 0.0.0.0 (monitoring tool)
passive-interface default
no passive-interface Tunnelxxx
eigrp router-id x.x.x.x
eigrp stub connected summary

network x.x.x.x 0.0.0.3 (LAN to ISP link) <<- please explain this 

That's the crypto connection between spoke and hub

Hub-Spoke 

this config if Hub  
network x.x.x.0 0.0.0.255 (dmvpn network)
network x.x.x.x 0.0.0.3 (LAN to ISP link)
network x.x.x.x 0.0.0.0 (monitoring tool) <<- this direct connect OR learn via other static or dynamic routing 
passive-interface default
no passive-interface Tunnelxxx
eigrp router-id x.x.x.x
eigrp stub connected summary <<- this allows you to only advertise the Connect within the summary address you config under the tunnel interface or the auto-summary.

Thank you guys very much!  I appreciate your explanations !!!!
