DMVPN EIGRP tunnel flap only with more than one spoke

bob1980
Level 1

Trying to set up DMVPN with EIGRP


HUB and Spoke setup


Spokes get overloaded NAT to internet public IP 144.144.144.144 to reach the HUB across the internet that has another public IP 155.155.155.155

 

When I just have one spoke, the tunnel stays up

When I add another spoke, the tunnel flaps on the second spoke

On the trouble spoke, it shows it sending EIGRP packets but not receiving them.

 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 144.144.144.144    142.158.63.3    UP 01:13:37    DN
                          142.158.63.4    UP 01:02:02    DN

I'm assuming it's because the HUB doesn't know how to reply with EIGRP to the spoke that's using the same IP? Is that correct? Is there something else that I need to set up here?

 

HUB

crypto isakmp policy 5
 authentication pre-share
 group 2
crypto isakmp key test address 0.0.0.0       
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
 mode transport
!
!
crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
!
!
!
!
!
interface Tunnel0
 ip address 142.158.63.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 10 35
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 105600
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10000
 tunnel protection ipsec profile dmvpnprof
!
!
interface GigabitEthernet0/0
 ip address 155.155.155.155 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 ntp disable
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 142.158.39.42 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1300
 load-interval 30
 duplex auto
 speed auto
!
!
interface Ethernet0/0/0
 no ip address
 shutdown
!
!
router eigrp 10
 network 142.158.39.42 0.0.0.0
 network 142.158.63.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 155.155.155.155 name DEFAULT-ROUTE

Spoke

crypto isakmp policy 5
 authentication pre-share
 group 2
crypto isakmp key test address 155.155.155.155
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Tunnel0
 ip address 142.158.63.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 10 35
 ip nhrp authentication test
 ip nhrp map 142.158.63.1 155.155.155.155
 ip nhrp map multicast 155.155.155.155
 ip nhrp network-id 105600
 ip nhrp holdtime 600
 ip nhrp nhs 142.158.63.1
 ip nhrp registration timeout 120

 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 10000
 tunnel protection ipsec profile dmvpnprof
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 duplex auto
 speed auto
!        
interface Vlan1
 no ip address
!
router eigrp 10
 network 142.158.63.0 0.0.0.255
 no auto-summary
 eigrp stub connected
!
ip forward-protocol nd
ip route 155.155.155.155 255.255.255.255 dhcp
!
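
The `show dmvpn` table in the question can be checked mechanically for the situation it describes, several spoke tunnel addresses registered behind one NBMA (public) address. The Python below is an added example, not part of the original post; its function names are illustrative, the sample is constructed from the two rows in the question, and it assumes the column layout shown there plus the standard IOS legend in which `N` in Attrb marks a NATed peer.

```python
import re
from collections import defaultdict

# Constructed sample: the two rows from the question, aligned to fixed columns.
SAMPLE = """\
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 144.144.144.144    142.158.63.3    UP 01:13:37    DN
                          142.158.63.4    UP 01:02:02    DN
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The first row of a group carries "# Ent" and the NBMA address; continuation
# rows for the same NBMA peer leave both of those columns blank.
ROW = re.compile(
    rf"^\s*(?:(?P<ent>\d+)\s+(?P<nbma>{IPV4})\s+)?(?P<tunnel>{IPV4})\s+"
    rf"(?P<state>\S+)\s+(?P<updn>\S+)\s+(?P<attrb>\S+)\s*$"
)

def parse_show_dmvpn(text):
    """Return {nbma_addr: [(tunnel_addr, state, attrb), ...]}."""
    peers = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, legend or blank line
        if m.group("nbma"):
            current = m.group("nbma")
        if current is None:
            continue  # continuation row with no NBMA row before it
        peers[current].append((m.group("tunnel"), m.group("state"), m.group("attrb")))
    return dict(peers)

def shared_nat_peers(peers):
    """NBMA addresses that front more than one NATed (Attrb contains N) peer."""
    return {
        nbma: [tunnel for tunnel, _, attrb in rows if "N" in attrb]
        for nbma, rows in peers.items()
        if sum("N" in attrb for _, _, attrb in rows) > 1
    }

if __name__ == "__main__":
    for nbma, tunnels in shared_nat_peers(parse_show_dmvpn(SAMPLE)).items():
        print(f"{nbma} is shared by NATed spokes: {', '.join(tunnels)}")
```
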

 

 

 

 

 

3 Replies

Jon Marshall
Hall of Fame

You may understand this a lot better than me but I'm not sure how the ISP overloading is working.

Do you know how it is working and, more importantly, why it needs to be done, i.e. why can't each spoke have its own public IP?

Edit - by the way your configuration is not hub and spoke as the tunnel would have a tunnel destination IP if it was although I doubt changing that will make any difference.

Jon

Jon Marshall
Hall of Fame

Could you also post a "sh ip nhrp" from the hub?

Jon

Jon Marshall
Hall of Fame

I did a bit of testing on this and I could not get even one tunnel to work behind a PAT device which is what I expected as there are no ports in a GRE header.

The tunnel was up but the EIGRP adjacency kept going up and down and no routes were exchanged.

Can you try something out?

Stop the second spoke from trying to connect and just have the one spoke.

Then when the tunnel is up can you post a "sh ip eigrp neighbors" from both the hub and the spoke.

I will have another look to see if there are any commands that might enable this to work but I am not too hopeful.

Jon
