cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco announces new innovations in SD-WAN, ISRs, SD-WAN Services, and Catalyst 9000 Series switches


207
Views
0
Helpful
11
Replies

DMVPN HUB UNKNOWN

Hi All,

We have DMVPN configured with 2 HUB routers and 90 Branch spoke routers.  

Few times i saw below messages on my HUB router when i issue #show DMVPN. They go away in few min. Not sure why they generated. ALL out branch router Tunnel IP start and ends from10.225.200.1 - 10.225.200.99. We don't have any IP's any where in network above 10.225.200.100.

I saw same messages on Both HUB's at same time.

 

Not sure how this was generated and looks like it some kind of broadcast or scan.

 

     0 UNKNOWN           10.225.200.99  NHRP    never    IX

     0 UNKNOWN          10.225.200.100  NHRP    never    IX

     0 UNKNOWN          10.225.200.101  NHRP    never    IX

     0 UNKNOWN          10.225.200.102  NHRP    never    IX

     0 UNKNOWN          10.225.200.103  NHRP    never    IX

     0 UNKNOWN          10.225.200.104  NHRP    never    IX

     0 UNKNOWN          10.225.200.105  NHRP    never    IX

     0 UNKNOWN          10.225.200.106  NHRP    never    IX

     0 UNKNOWN          10.225.200.107  NHRP    never    IX

     0 UNKNOWN          10.225.200.108  NHRP    never    IX

     0 UNKNOWN          10.225.200.109  NHRP    never    IX

     0 UNKNOWN          10.225.200.110  NHRP    never    IX

     0 UNKNOWN          10.225.200.111  NHRP    never    IX

     0 UNKNOWN          10.225.200.112  NHRP    never    IX

     0 UNKNOWN          10.225.200.113  NHRP    never    IX

     0 UNKNOWN          10.225.200.114  NHRP    never    IX

     0 UNKNOWN          10.225.200.115  NHRP    never    IX

     0 UNKNOWN          10.225.200.116  NHRP    never    IX

     0 UNKNOWN          10.225.200.117  NHRP    never    IX

 

 

 

11 REPLIES
VIP Mentor

Re: DMVPN HUB UNKNOWN

Hello,

 

can you post the output of 'show ip nhrp nhs detail' when this occurs ?

Re: DMVPN HUB UNKNOWN

Thanks for your reply George, But not sure when it will generate again.

Is there any way we can get the show dmvpn output to any external server.

I know we can configure some event manager , but never tried.

 

Regards,

Satya.M

VIP Mentor

Re: DMVPN HUB UNKNOWN

Hello,

 

do you see anything in the logs related to this ? If so, you could set up a simple EEM script that generates the output of 'show ip nhrp nhs detail' and puts it in the logging buffer...

Beginner

Re: DMVPN HUB UNKNOWN

Hello

We have this situation too. One incomplete entry is always persist in the show output. Others appear periodically with different addresses. The first one with the adres 10.120.37.1 always persist.

These addresses are not used at all

#show ip nhrp nhs detail  shows nothing. 

 

 

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:28,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 UNKNOWN 10.120.37.1 NHRP never IX
0 UNKNOWN 10.120.37.110 NHRP never IX
1 10.120.0.29 10.120.37.5 UP 23w5d D
1 10.121.0.1 10.120.37.6 UP 2w3d D
1 10.122.0.1 10.120.37.7 UP 23w5d D
1 10.123.0.1 10.120.37.8 UP 23w5d D
1 10.120.0.37 10.120.37.9 UP 20w5d D
1 10.120.0.177 10.120.37.10 UP 15w5d D
1 10.120.0.173 10.120.37.11 UP 15w5d D
1 10.120.0.69 10.120.37.12 UP 20w5d D
1 10.120.0.89 10.120.37.13 UP 20w5d D
1 10.120.0.161 10.120.37.14 UP 7w5d D
1 10.120.0.81 10.120.37.16 UP 23w5d D
1 10.120.0.65 10.120.37.17 UP 6w0d D
1 10.120.0.153 10.120.37.18 UP 20w5d D
1 10.120.0.141 10.120.37.19 UP 20w1d D
1 10.120.0.61 10.120.37.20 UP 23w5d D
1 10.120.0.33 10.120.37.21 UP 20w5d D
1 10.120.0.17 10.120.37.22 UP 20w5d D
1 10.120.0.13 10.120.37.23 UP 23w5d D
1 10.120.0.21 10.120.37.24 UP 20w5d D
1 10.120.0.25 10.120.37.25 UP 23w5d D
1 10.120.0.93 10.120.37.26 UP 12w5d D
1 10.120.0.73 10.120.37.27 UP 23w5d D
1 10.120.0.41 10.120.37.28 UP 21w6d D
1 10.120.0.149 10.120.37.29 UP 9w5d D
1 10.120.0.181 10.120.37.30 UP 20w5d D
1 10.120.0.185 10.120.37.31 UP 6w0d D
1 10.120.0.109 10.120.37.32 UP 20w5d D

 

#show ip nhrp
10.120.37.1/32
Tunnel0 created 00:00:49, expire 00:02:15
Type: incomplete, Flags: negative
Cache hits: 6
10.120.37.5/32 via 10.120.37.5
Tunnel0 created 23w5d, expire 00:04:27
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.29
10.120.37.6/32 via 10.120.37.6
Tunnel0 created 2w3d, expire 00:04:14
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.121.0.1
10.120.37.7/32 via 10.120.37.7
Tunnel0 created 23w5d, expire 00:03:57
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.122.0.1
10.120.37.8/32 via 10.120.37.8
Tunnel0 created 23w5d, expire 00:04:25
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.123.0.1
10.120.37.9/32 via 10.120.37.9
Tunnel0 created 20w5d, expire 00:03:45
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.37
10.120.37.10/32 via 10.120.37.10
Tunnel0 created 15w5d, expire 00:03:51
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.177
10.120.37.11/32 via 10.120.37.11
Tunnel0 created 15w5d, expire 00:03:28
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.173
10.120.37.12/32 via 10.120.37.12
Tunnel0 created 20w5d, expire 00:03:21
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.69
10.120.37.13/32 via 10.120.37.13
Tunnel0 created 20w5d, expire 00:04:12
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.89
10.120.37.14/32 via 10.120.37.14
Tunnel0 created 7w5d, expire 00:03:55
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.161
10.120.37.16/32 via 10.120.37.16
Tunnel0 created 23w5d, expire 00:03:56
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.81
10.120.37.17/32 via 10.120.37.17
Tunnel0 created 6w0d, expire 00:04:37
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.65
10.120.37.18/32 via 10.120.37.18
Tunnel0 created 20w5d, expire 00:04:51
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.153
10.120.37.19/32 via 10.120.37.19
Tunnel0 created 20w1d, expire 00:03:21
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.141
10.120.37.20/32 via 10.120.37.20
Tunnel0 created 23w5d, expire 00:03:25
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.61
10.120.37.21/32 via 10.120.37.21
Tunnel0 created 20w5d, expire 00:04:29
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.33
10.120.37.22/32 via 10.120.37.22
Tunnel0 created 20w5d, expire 00:04:04
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.17
10.120.37.23/32 via 10.120.37.23
Tunnel0 created 23w5d, expire 00:04:18
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.13
10.120.37.24/32 via 10.120.37.24
Tunnel0 created 20w5d, expire 00:04:56
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.21
10.120.37.25/32 via 10.120.37.25
Tunnel0 created 23w5d, expire 00:04:13
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.25
10.120.37.26/32 via 10.120.37.26
Tunnel0 created 12w5d, expire 00:03:28
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.93
10.120.37.27/32 via 10.120.37.27
Tunnel0 created 23w5d, expire 00:04:05
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.73
10.120.37.28/32 via 10.120.37.28
Tunnel0 created 21w6d, expire 00:04:31
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.41
10.120.37.29/32 via 10.120.37.29
Tunnel0 created 9w5d, expire 00:04:39
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.149
10.120.37.30/32 via 10.120.37.30
Tunnel0 created 20w5d, expire 00:04:15
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.181
10.120.37.31/32 via 10.120.37.31
Tunnel0 created 6w0d, expire 00:04:44
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.185
10.120.37.32/32 via 10.120.37.32
Tunnel0 created 20w5d, expire 00:04:44
Type: dynamic, Flags: unique registered used nhop
NBMA address: 10.120.0.109

 

HUB:

# sh run int tun0
Building configuration...

Current configuration : 348 bytes
!
interface Tunnel0
description DMVPN 10.120.37.0/24
ip address 10.120.37.15 255.255.255.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip nhrp authentication cisco37
ip nhrp map multicast dynamic
ip nhrp network-id 37
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source 10.120.0.198
tunnel mode gre multipoint
tunnel key 37
end

 

SPOKE:

#sh run int tun 0
Building configuration...

Current configuration : 355 bytes
!
interface Tunnel0
ip address 10.120.37.10 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco37
ip nhrp map multicast 10.120.0.198
ip nhrp map 10.120.37.15 10.120.0.198
ip nhrp network-id 37
ip nhrp holdtime 300
ip nhrp nhs 10.120.37.15
ip tcp adjust-mss 1360
tunnel source 10.120.0.177
tunnel destination 10.120.0.198
tunnel key 37
end

 

VIP Mentor

Re: DMVPN HUB UNKNOWN

Hello,

 

issue a 'clear ip nhrp' and then post the output of:

 

debug dmvpn

debug nhrp error

debug nhrp condition

Beginner

Re: DMVPN HUB UNKNOWN

Thank you for your participation.

Equipment in production now. How noisy is debug output?

 

Beginner

Re: DMVPN HUB UNKNOWN

# sh deb

NHRP:
NHRP protocol debugging is on
NHRP activity debugging is on
NHRP detail debugging is on
NHRP extension processing debugging is on
NHRP cache operations debugging is on
NHRP routing debugging is on
NHRP rate limiting debugging is on
NHRP errors debugging is on
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto ISAKMP Error debugging is on
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
Crypto secure socket events debugging is on

 

IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on
IKEv2 packet debugging is on
IKEv2 packet hexdump debugging is on
IKEv2 internal debugging is on
Tunnel Protection Debugs:
Generic Tunnel Protection debugging is on
DMVPN:
DMVPN error debugging is on
DMVPN UP/DOWN event debugging is on
DMVPN detail debugging is on
DMVPN packet debugging is on
DMVPN all level debugging is on

 

#cle ip nhrp 10.120.37.1

 

Debug output in attached file.

 

Thank You

VIP Mentor

Re: DMVPN HUB UNKNOWN

This looks like a DMVPN Phase 1 configuration on the spoke tunnel. Are all spokes configured that way ? What if you change the spoke tunnel to a Phase 2 configuration ?

 

interface Tunnel0
ip address 10.120.37.10 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco37
ip nhrp map multicast 10.120.0.198
ip nhrp map 10.120.37.15 10.120.0.198
ip nhrp network-id 37
ip nhrp holdtime 300
ip nhrp nhs 10.120.37.15
ip tcp adjust-mss 1360
tunnel source 10.120.0.177
--> no tunnel destination 10.120.0.198
--> tunnel mode gre multipoint
tunnel key 37
end

Beginner

Re: DMVPN HUB UNKNOWN

Yes its all phase 1. There is no possibility to change to phase 2 for verification in near future. Just need phase1 anyway.

Nevertheless you think that this is somehow related to phases?

 

Thank You

 

Highlighted
VIP Mentor

Re: DMVPN HUB UNKNOWN

Hello,

 

the config looks good actually, and I assume all other spokes are configured identical. Can you post the full config of the spoke including the ipsec and isakmp ?

 

One thing you could try is replace the actual IP address of the tunnel source with the interface, e.g.:

 

--> no tunnel source 10.120.0.177

tunnel source GigabitEthernet0/0

Beginner

Re: DMVPN HUB UNKNOWN

We don't use crypto at all. And yes spokes config almost identical.  In meantime I can't change config due possible work disruption. But in the maintainance schedule window i'll change source from numerical IP to Interface name. But I don't think it issue... although, who knows.

 

Thank You

CreatePlease to create content
Ask the Expert- Introduction to Network Design